Today, we’re releasing the 2026 State of AI Security Report, a comprehensive analysis of how artificial intelligence has moved from experimentation into the core of production cloud infrastructure, and the security posture of those environments today. This research is based on Q2 2026 telemetry from the Orca Cloud Security Platform across more than 1,200 production organizations, covering AI packages, services, agent deployments, model endpoints, and cloud infrastructure across AWS, Azure, and Google Cloud.

AI adoption has outpaced AI security in practically every dimension measured. More than half of organizations now have AI running in production. 81% of those deploying AI packages have at least one known vulnerability with the average severity across affected packages having climbed from CVSS 6.9 in our 2024 report to 8.79 today. And 99.9% of AI vulnerability alerts with an available fix remain unpatched.

This blog explores a few major organizational findings from our report and a practical roadmap to address the widening gap in security governance for one of the most important, disruptive, and emergent technologies.

REPORT

2026 State of AI Security

Top AI Security Findings for 2026

The Orca Research Pod’s 2026 analysis surfaced several critical findings across AI packages, infrastructure, credentials, and agent deployments:

  • 81% of organizations running AI packages have at least one known vulnerability, with an average CVSS of 8.79
  • 50.1% of AI vulnerability alerts now have a public exploit available, up from just 0.2% in our 2024 report, a 250x increase
  • 99.9% of AI vulnerability alerts with an available fix remain unpatched
  • 29.5% of AI adopters have at least one AI credential stored in an insecure location
  • 56% of AI adopters have deployed agent frameworks in production, most without formal safety controls
  • Between 87% and 98% of AI workloads across the three major cloud providers lack customer-managed encryption

Below, we explore what these findings mean and where organizations should focus first.

“AI has led to exponential growth in the employees shipping to production and security teams are not keeping up. When the way people build changes, the way security works has to change with it. This report measures that gap, and closing it starts with giving security teams the context to understand AI risk and act.”

Gil Geron, CEO and Co-founder of Orca Security

The Exploitability Surge: Why the “Low Risk” Justification Is Gone

For teams that deprioritized AI package patching in 2024, the justification was reasonable given most AI vulnerabilities had no public exploit available. That’s no longer true.

In our 2024 report, just 0.2% of AI vulnerability alerts had a public exploit. By 2026, that figure had exploded to 50.1%, a 250x increase in less than 2 years. Half of all AI vulnerability alerts now have a working exploit that any attacker can find and use. The average CVSS across vulnerable AI packages rose from 6.9 to 8.79 in the same period. The threat environment around AI packages has fundamentally changed and the patching response required has not yet risen to the task.

81% of organizations running AI packages have at least one known vulnerability. The highest-severity packages in our telemetry are also among the most widely deployed. Yet, despite this exposure, 99.9% of AI vulnerability alerts with an available fix remain unpatched. The existence of remediation paths only serves to highlight the alarmingly reluctant pace of urgency to address them.

AI Credentials and the LLMjacking Economy

A compromised AI API key is not a minor access incident. It grants immediate authenticated access to proprietary models, enterprise data flowing through RAG pipelines, and usage-based billing on GPU and inference resources. 

Nearly 3 in 10 AI adopters in our telemetry (29.5%) have at least one AI credential stored in an insecure location. Given the average AI adopter integrates with two providers concurrently, this means a single credential leak commonly exposes multiple model providers at once.

Agents in Production, Guardrails Are Not

56% of AI adopters have deployed agent frameworks in production. Across our dataset, we observed hundreds of Bedrock agents operating across monitored environments. These systems are running with real cloud permissions and accessing enterprise data through RAG pipelines. And the threat landscape has caught up to their deployment pace.

The ForcedLeak incident disclosed by Noma Security Labs last year demonstrates a core challenge with agentic AI: the attack surface now extends to anyone who can submit input that an agent might eventually process. RAG pipelines compound this. 64% of AI adopters have deployed vector databases connected to enterprise data. When an agent with cloud permissions queries a compromised data store, the blast radius can extend across systems.

Exposure Signals Start from Infrastructure

AI infrastructure exposure is one of the clearest places where the “ships insecure by default” problem plays out at scale. The most widely adopted AI cloud services ship with a default configuration, creating a handful of compounding security gaps.

The majority of SageMaker organizations (80%) run with all five insecure defaults enabled at once: root access, no IMDSv2, direct internet exposure, no custom VPC, and no KMS encryption. And while Individual settings have improved since 2024, those improvements alone haven’t translated into comprehensive hardening across organizations.

Azure OpenAI adoption has grown significantly, now present in over half of Azure organizations, up from 39% in 2024. Vertex AI adoption across GCP organizations grew from 24% to 32%. As adoption expands across providers, so does the attack surface.

The Encryption Gap Across Every Cloud

Encryption protects training data, model weights, inference inputs, and outputs from unauthorized access. Without customer-managed encryption, organizations lose control over who can access that data at rest and cannot meet the requirements of most data sovereignty frameworks.

The numbers here are consistent across all three major clouds, and raise significant red flags. Between 87% and 98% of AI workloads lack customer-managed encryption. These numbers have improved marginally from 2024 but remain well above any defensible metric.

The pattern across AI infrastructure is the same one we see in AI packages and credentials: organizations consistently adopt services faster than they secure them.

A Practical Roadmap for Closing the Gap

The report maps recommendations to urgency and to specific findings. Immediate actions address the most exploitable gaps in current posture.

Immediate Actions (Days 0–30)

  1. Patch high-severity AI packages with available fixes.
  2. Rotate exposed AI credentials immediately and move to short-lived or managed identities where possible.
  3. Audit SageMaker configurations. Disable root access, enable IMDSv2, and rename any buckets using the default patterns.

Short-Term Initiatives (Days 30–90)

  1. Enable customer-managed encryption for AI workloads across SageMaker, Vertex AI, and Azure OpenAI deployments.
  2. Inventory all agent frameworks in production and document what cloud permissions each agent holds and what data it can access.
  3. Implement input validation and output controls on all production agent deployments.

Strategic Improvements (90+ Days)

  1. Establish a continuous AI package vulnerability management program with automated alerting tied to exploit availability, not just CVSS score.
  2. Build a complete AI footprint inventory. The average AI-adopting organization runs four or more distinct AI service categories simultaneously. You can’t secure what you can’t see.
  3. Integrate AI security checks into deployment pipelines so misconfigurations are caught before they reach production.

AI Is Now the Core of Your Attack Surface

Two years ago, AI security was a forward-looking concern. The question was whether AI risk would materialize in ways that required dedicated security investment. In 2026, it already has.

AI is embedded at the operational layer. It runs in development environments via AI IDEs adopted by a third of AI-using organizations. It runs in production through agent frameworks deployed by more than half. It connects directly to enterprise data through 64% of AI adopters’ vector databases. And it sits at the center of a supply chain that attackers now specifically target.

The gap between adoption and security is measurable. It widened between our 2024 and 2026 reports on nearly every metric. And it will not close without deliberate action. Organizations that succeed in AI security will be the ones that apply the same rigor to their AI footprint that they apply to the rest of their cloud infrastructure. Same visibility requirements. Same patching cadence. Same identity discipline. Security for the companies that build means building securely from the start.

Securing AI with the Orca Platform

The findings in the 2026 State of AI Security Report are based on data from the Orca Platform, which gives organizations complete visibility into their AI footprint across cloud, PaaS, runtime, and agent environments. 

By unifying AI security posture with CNAPP, vulnerability management, DSPM, and cloud detection and response, Orca helps security teams focus on the AI risks that are actually exploitable, with the remediation context to act on them quickly. Orca’s AI Security Dashboards give teams a single view of their AI footprint, including running models, managed AI services, and risk posture across every cloud environment.

Read the full 2026 State of AI Security Report to explore the complete dataset, year-over-year comparisons, and the detailed recommendations for every AI risk category covered in this analysis.