Most Fixable AI Vulnerabilities Go Unpatched: 99.9% Remain Exposed

0
9

Key Takeaways

  • Over half of organizations have moved AI agents and frameworks into production, yet most run with known vulnerabilities that remain unpatched.
  • API‑based AI gives models deep access to codebases, credentials, and infrastructure, creating expansive new attack surfaces.
  • AI agents act as non‑human identities with broad permissions; retrieval‑augmented generation (RAG) pipelines multiply the number of vector databases, complicating consistent security policies.
  • Most cloud‑based AI services still rely on provider‑managed encryption keys, leaving customers unable to rotate, revoke, or monitor keys independently.
  • Supply‑chain risks span package registries, model hubs, developer tools, agent frameworks, and the emerging Model Context Protocol (MCP) ecosystem, with > 80 % of AI packages harboring at least one known vulnerability.
  • Regulatory momentum is building worldwide (EU AI Act, U.S. federal and state laws, China’s AI‑specific cybersecurity rules), but security practices lag behind adoption.
  • Insecure storage of AI API keys—often in Git repositories or plain‑text files—exposes credentials that attackers can abuse to move laterally and exfiltrate data.
  • Achieving AI security requires unified visibility, automated prevention, strict least‑privilege controls, and a shift to customer‑managed encryption for AI data and models.

The Rapid Deployment of AI Without Adequate Security
Organizations are embracing AI at breakneck speed: 56 % of AI adopters have already deployed agent frameworks into production, and 51.5 % use AI to build custom applications. Despite this momentum, security hygiene lags. Orca Security’s 2026 State of AI Security Report shows that 81.2 % of companies running AI packages have at least one known vulnerability, and a staggering 99.9 % of AI vulnerability alerts with an available fix remain unpatched. These figures illustrate how AI has become operational infrastructure without a matching increase in security maturity, leaving gaps that attackers can exploit almost as soon as models go live.

API‑Based AI Expands the Attack Surface
Modern AI workflows embed APIs directly into development pipelines, granting models access to code repositories, terminal sessions, environment variables, and service credentials. This deep integration creates new attack surfaces that traditional security tools often overlook. When an API key or token is compromised, an adversary can manipulate model behavior, exfiltrate training data, or pivot to other cloud resources. The convenience of API‑driven AI therefore comes with a trade‑off: greater productivity paired with heightened exposure if credentials and permissions are not tightly controlled.

AI Agents as New Non‑Human Identities
Every production AI agent functions as a non‑human identity, complete with its own permission set, memory space, and potential blast radius. Organizations that deploy agent frameworks inevitably proliferate these identities, each representing a possible foothold for an attacker. Because many agents operate with default permissions, minimal logging, and no runtime separation from production systems, they can be weaponized to execute arbitrary commands, move laterally across the AI layer, and ultimately reach sensitive data stores. Treating agents as privileged service accounts—applying least‑privilege principles and continuous monitoring—is essential to curb this risk.

Retrieval‑Augmented Generation and Vector Databases
Retrieval‑augmented generation (RAG) allows large language models to query internal documents, customer records, and proprietary knowledge at inference time. Sixty‑four percent of AI adopters have deployed vector databases to support RAG, and the average organization using RAG maintains 3.78 distinct vector databases. This multiplicity hinders the enforcement of uniform security policies across platforms, deployment models, and access methods. Without centralized governance, inconsistencies in encryption, access controls, and audit logging can leave vector databases vulnerable to data poisoning, model inversion, or outright theft.

Complex Multi‑Cloud AI Ecosystems and Encryption Gaps
More than half of AI cloud service users operate four or more distinct AI service types, often spanning Amazon SageMaker, Azure OpenAI, Google Vertex AI, and other platforms. Yet, between 87 % and 98 % of organizations across the three major cloud providers have not configured customer‑managed encryption keys for their AI services. Relying solely on provider‑managed keys limits a customer’s ability to rotate keys, revoke access independently, or gain visibility into key usage. This dependence creates a single point of failure and reduces control over the confidentiality of training data, model weights, and sensitive inputs.

Unified Visibility and the Need for Automated Prevention
Nir Mishal, CISO at Orca Security, warns that “Organizations now have agents making decisions, vector databases connected to enterprise data, and AI services spread across multiple cloud providers. Security teams need unified visibility across that entire environment, paired with automated prevention, to understand where risk actually exists and stop attackers before damage is done.” The fragmented nature of AI deployments makes it difficult to correlate events, detect anomalous behavior, or enforce consistent policies. A centralized security posture—combining real‑time telemetry, policy‑as‑code, and automated remediation—is required to close this visibility gap.

Supply‑Chain Vulnerabilities Across the AI Stack
Attackers are increasingly targeting the AI supply chain, moving through five layers: package registries, model hubs, developer tools, agent frameworks, and brand trust. Technologies across these layers are widely deployed in production, meaning a single compromised component can cascade into broader risk. Eighty‑one percent of companies running AI packages have at least one known vulnerability, and 74.1 % harbor at least one critical CVE. AI packages inherit flaws disclosed over the past five years—including CVEs published within the last year—exposing production environments to both legacy and emerging threats.

Patch Management Failures and Persistent Vulnerabilities
Historically, organizations deprioritized patching AI packages because many vulnerabilities were deemed difficult to exploit. Today, that complacency persists: 99.9 % of AI vulnerability alerts with an available fix remain unpatched. Vulnerable libraries often outlive their patch cycles, and AI workloads inherit the same problem despite release cycles that assume dependencies stay current. This gap between vulnerability disclosure and remediation creates a persistent window of exposure that attackers can reliably exploit.

Categorization of AI‑Related Package Vulnerabilities
Orca groups newly identified AI‑related package vulnerabilities into three buckets: (1) SDKs used to access hosted AI models, (2) frameworks for building AI agents and integrations, and (3) the rapidly expanding Model Context Protocol (MCP) ecosystem. Each category presents distinct risk vectors—SDKs may leak credentials, agent frameworks can be abused for privilege escalation, and MCP components introduce novel messaging channels that may lack mature security controls. Understanding these categories helps security teams prioritize scanning, testing, and mitigation efforts.

Governance Gaps in Agent and RAG Deployments
Although governance frameworks are evolving, many AI agents continue to run with default permissions, minimal logging, and no runtime isolation from production systems. This lax posture gives attackers the opportunity to hijack agents, execute arbitrary code, and pivot laterally through the AI layer. Meanwhile, the proliferation of vector databases in RAG implementations—averaging nearly four per organization—makes it challenging to apply uniform encryption, access‑control, and audit‑logging standards. Without centralized governance, inconsistencies increase the likelihood of misconfigurations that threat actors can exploit.

Regulatory Landscape Emerging Worldwide
Governments are responding to AI’s risks with new rules. The EU AI Act will impose additional requirements for high‑risk AI systems beginning August 2, 2026. In the United States, federal AI legislation is still under development, while Colorado’s amended AI law takes effect on January 1, 2027. China has expanded its cybersecurity framework to include AI‑specific mandates and requires labeling of AI‑generated content. These regulations will compel organizations to adopt stronger risk assessments, transparency measures, and accountability mechanisms, but compliance will only be effective if underlying security practices keep pace.

Exposed Credentials and Insecure Key Storage
AI services introduce a new class of exposed credentials: API keys that unlock models, enterprise data, and downstream services. Nearly 30 % of AI adopters store at least one AI key in an insecure location—such as plain‑text configuration files, environment variables, or committed to Git repositories. Even after a key is removed from code, traces can remain in repository histories, leaving it accessible to attackers who scan public or internal repos. Robust secret‑management solutions, regular key rotation, and automated detection of hard‑coded credentials are vital to mitigate this threat.

Infrastructure Misconfigurations Exploited by Attackers
Attackers frequently target AI infrastructure by exploiting excessive permissions, publicly exposed endpoints, weak authentication, and predictable configurations. Common missteps across platforms include missing encryption at rest or in transit, overly broad IAM roles, and services unintentionally left internet‑facing. These flaws simplify lateral movement and data exfiltration, turning a compromised AI component into a gateway to broader cloud assets. Continuous configuration scanning, enforcement of least‑privilege principles, and disabling unnecessary public access are baseline defenses.

Strengthening AI Encryption
Relying on provider‑managed encryption keys offers limited control: data at rest is encrypted, but customers cannot independently rotate keys, revoke access, or audit key usage. Customer‑managed encryption keys, by contrast, empower organizations to protect training data, sensitive inputs, and AI models with full lifecycle control. Despite this advantage, most organizations have not enabled customer‑managed keys for their AI services, leaving a significant protection gap. Adopting bring‑your‑own‑key (BYOK) or hold‑your‑own‑key (HYOK) models should be a priority for any firm handling regulated or proprietary information through AI.

Conclusion: Toward Maturity in AI Security
The Orca Security findings make clear that AI’s operational benefits are being outpaced by security shortcomings. From vulnerable supply‑chain components and over‑privileged agents to misconfigured cloud services and exposed API keys, the risk surface is broad and growing. Closing the gap demands a holistic approach: unified visibility across models, agents, data stores, and cloud services; automated prevention and remediation; strict least‑privilege and segmentation controls; robust secret management; and a shift to customer‑managed encryption. Coupled with emerging global regulations, these measures can help organizations move from rapid AI adoption to resilient, trustworthy AI operations.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here