Tenable Research Reveals Growing AI Exposure Gap Fueled by Supply Chain Risks and Lack of Identity Controls

Rhea-AI Summary

Tenable (NASDAQ: TENB) released its Cloud and AI Security Risk Report 2026, finding widespread AI-related exposures across cloud, supply chain and identity. Key metrics: 86% host third-party packages with critical vulnerabilities, 70% use AI/MCP packages, and 65% expose unused cloud credentials.

The report warns of rising non-human identity risk, recommends least-privilege controls, secret rotation, unified visibility across code, VMs, identities and cloud to reduce an accelerating AI exposure gap.

Positive

• 86% of organizations identified hosting third-party code with critical CVEs
• 70% have integrated at least one AI or MCP third-party package
• 65% of organizations identified ghost cloud credentials, enabling targeted remediation focus

Negative

• 18% granted AI services administrative permissions that are rarely audited
• 52% of risk now resides in non-human identities versus 37% in human users
• 13% deployed packages with a known history of compromise

Key Figures

Critical-vuln third-party code: 86% Forgotten cloud credentials: 65% AI/MCP package adoption: 70% +5 more

8 metrics

Critical-vuln third-party code 86% Organizations hosting third-party packages with critical-severity vulnerabilities

Forgotten cloud credentials 65% Organizations exposing assets via "ghost" cloud secrets

AI/MCP package adoption 70% Organizations integrating at least one AI or MCP third-party package

History-of-compromise packages 13% Organizations deploying third-party packages with known past compromise

Admin AI permissions 18% Organizations granting AI services administrative permissions

Non-human identity risk 52% Risk share attributed to non-human identities like AI agents

Human user risk 37% Risk share attributed to human users

Dormant high-risk identities 49% Identities with critical excessive permissions that are dormant

Market Reality Check

Price: $21.99 Vol: Volume 2,037,266 vs 20-da...

low vol

$21.99 Last Close

Volume Volume 2,037,266 vs 20-day avg 3,183,543 (relative volume 0.64) shows subdued trading ahead of this AI report. low

Technical Shares at $21.99 are trading below the 200-day MA of $28.79 and sit 45.01% under the 52-week high.

Peers on Argus

TENB slipped 0.5% while key peers like RELY gained 3.42 and appeared in momentum...

1 Up

TENB slipped 0.5% while key peers like RELY gained 3.42 and appeared in momentum scans with a 20.13 up move, indicating stock-specific dynamics rather than a sector-wide software rotation.

Previous AI Reports

5 past events · Latest: Feb 12 (Positive)

Same Type Pattern 5 events

Date	Event	Sentiment	Move	Catalyst
Feb 12	AI recognition	Positive	-1.9%	Gartner named Tenable the company to beat for AI exposure assessment.
Jan 27	AI product launch	Positive	-1.6%	General availability of Tenable One AI Exposure for unified AI risk management.
Aug 06	AI platform expansion	Positive	+1.0%	Launch of Tenable AI Exposure to manage enterprise generative AI risks.
Jul 24	AI feature upgrade	Positive	-1.1%	AI-powered VPR enhancements to narrow high-risk vulnerabilities to 1.6%.
Jun 16	AI awards & M&A	Positive	+1.5%	AI security awards and Apex Security acquisition to bolster AI capabilities.

Pattern Detected

AI-related announcements have generally been positive in tone but often saw modest, mixed price reactions, with a slight tendency toward small negative moves following AI news.

Recent Company History

Over the past year, Tenable has repeatedly highlighted AI innovations and recognition. AI-focused releases on Jun 16, 2025, Jul 24, 2025, and Aug 6, 2025 showcased new AI capabilities and external awards, with modest single‑day moves between about -1% and +1.5%. More recent AI news on Jan 27, 2026 and Feb 12, 2026 emphasized extending exposure management to AI and Gartner validation, yet drew small negative reactions. Today’s AI risk report fits this ongoing AI-focused narrative.

Historical Comparison

-0.4% avg move · Recent AI-tagged headlines for TENB produced an average one-day move of -0.4%, suggesting historical...

AI

-0.4%

Average Historical Move AI

Recent AI-tagged headlines for TENB produced an average one-day move of -0.4%, suggesting historically modest, slightly negative reactions to AI-focused announcements.

AI news has evolved from awards and early AI exposure products in mid-2025 to broader platform expansion and Gartner leadership recognition, with today’s report adding thought-leadership around AI and cloud risk exposure.

Market Pulse Summary

This announcement highlights Tenable’s emphasis on AI and cloud exposure, quantifying risks like cri...

Analysis

This announcement highlights Tenable’s emphasis on AI and cloud exposure, quantifying risks like critical third-party vulnerabilities (86%) and "ghost" cloud secrets (65%). It extends a narrative seen in earlier AI launches and recognitions, positioning the company in AI-driven security visibility. Investors may watch how these insights translate into product adoption, revenue trends, and future AI-focused updates relative to prior AI-tagged news, which averaged a modest -0.4% move.

Key Terms

Model Context Protocol (MCP), Exposure Management

2 terms

Model Context Protocol (MCP) technical

"70% have integrated at least one AI or Model Context Protocol (MCP) third-party package"

The Model Context Protocol (MCP) is a system that helps financial models understand and share information about market conditions and data. It’s like a common language that ensures different tools and models work together smoothly, making predictions and decisions more accurate and consistent.

Exposure Management technical

"Exposure Management is the practice of identifying, evaluating, and prioritizing the risks"

Exposure management is the ongoing process a business or investor uses to find, measure, and control the ways losses could happen from market moves, counterparty problems, cash shortages or operational failures. It matters because it reduces the chance that an unexpected event wipes out value—like steering a ship to avoid storms—so investors can better predict potential losses, protect returns, and align risk with their goals and rules.

AI-generated analysis. Not financial advice.

Report finds 86% of organizations have installed third-party code packages with critical-severity vulnerabilities; 65% expose high-value assets through forgotten cloud credentials

COLUMBIA, Md., Feb. 19, 2026 (GLOBE NEWSWIRE) -- Tenable^® (NASDAQ: TENB), the exposure management company, today released its Cloud and AI Security Risk Report 2026. The research reveals organizations face a zero‑margin AI exposure gap as they inherit cyber risks faster than they can address them. Engineering velocity — driven by AI adoption, third-party code and cloud scale — has outpaced the human-led ability to assess, prioritize and remediate risks before threat actors exploit them.

The AI Exposure Gap is a largely invisible form of exposure that emerges across applications, infrastructure, identities, agents and data, and that most security teams are not equipped to manage. Tenable’s analysis of cloud environments identifies severe risks across four key security areas: AI security posture, supply chain attack vectors, least privilege implementation and cloud workload exposure — all of which demand immediate attention. The report includes actionable guidance for security and business leaders to reduce risk across cloud and AI environments.

Key findings from the Cloud and AI Security Risk Report 2026 include:

• 70% have integrated at least one AI or Model Context Protocol (MCP) third-party package, embedding AI deep into applications and infrastructure, often without central security oversight.
• 86% host third-party code packages with critical-severity vulnerabilities, making the software supply chain a primary and persistent source of cloud exposure. Furthermore, nearly 1 in 8 (13%) have deployed packages with a known history of compromise, such as the s1ngularity or Shai-Hulud worms.
• 18% of organizations have granted AI services administrative permissions that are rarely audited, creating a "pre-packaged" catalog of privileges for attackers to claim.
• Non‑human identities such as AI agents and service accounts now represent higher risk (52%) than human users (37%), forming “toxic combinations” of permissions and access that fragmented tools fail to connect.
• 65% possess "ghost" secrets—unused or unrotated cloud credentials—with 17% of these tied specifically to critical administrative privileges.
• 49% of identities with critical-severity excessive permissions are dormant.
  
  

“AI systems embedded in infrastructure pose a critical risk that CISOs and defenders must address, in addition to anticipating emerging threats from both AI and cloud technologies. Lack of visibility and governance means teams are at the mercy of new exposures, including over-privileged identities in the cloud,” said Liat Hayun, Senior Vice President of Product Management and Research at Tenable. “By focusing on the unified exposure path, organizations can stop managing ‘security debt’ and start managing actual business risk.”

To manage emerging risks, organizations must secure the AI integration process through comprehensive visibility and identity-centric controls. This includes enforcing least privilege for AI roles, neutralizing "ghost" identity risk and eliminating static secret exposure. Third-party code and external accounts are now extensions of organizations' infrastructure; steps to reduce extended supply chain exposure include unifying visibility across code packages, virtual machines, identity access and cloud environments.

The 2026 Cloud & AI Security Risk Report presents findings from the Tenable Research team, analyzing anonymized telemetry from diverse public cloud and enterprise environments collected from April to October 2025 (AI findings extended through December 2025).

Exposure Management is the practice of identifying, evaluating, and prioritizing the risks posed by all entry points an attacker could exploit. This includes not just software vulnerabilities (CVEs), but also misconfigurations, excessive user privileges (identity risk), cloud security gaps, and the "shadow" assets created by AI and third-party supply chains.

Download the report here.

Read today’s blog post here.

About Tenable
Tenable^® is the exposure management company, exposing and closing the cybersecurity gaps that erode business value, reputation and trust. The company’s AI-powered exposure management platform radically unifies security visibility, insight and action across the attack surface, equipping modern organizations to protect against attacks from IT infrastructure to cloud environments to critical infrastructure and everywhere in between. By protecting enterprises from security exposure, Tenable reduces business risk for over 40,000 customers around the globe. Learn more at tenable.com. 

Media Contact:
Tenable
tenablepr@tenable.com

FAQ

What did Tenable (TENB) report about third-party code vulnerabilities in the 2026 Cloud and AI Security Risk Report?

Most organizations have critical third-party package issues. According to the company, 86% of organizations host third-party code packages with critical-severity vulnerabilities, making supply-chain exposure a top cloud risk.

How prevalent are unused cloud credentials in Tenable's (TENB) 2026 findings and why does that matter?

Unused cloud credentials are common and risky. According to the company, 65% of firms possess 'ghost' secrets, with 17% tied to critical admin privileges, increasing attack surface and remediation priority.

What does Tenable (TENB) say about AI and identity risk in cloud environments for 2026?

AI-related identities now represent higher exposure than humans. According to the company, non-human identities account for 52% of identity risk versus 37% for human users, creating toxic permission combinations.

Which immediate controls does Tenable (TENB) recommend to reduce AI exposure gaps in 2026?

Prioritize visibility and identity-centric controls immediately. According to the company, organizations should enforce least privilege for AI roles, neutralize ghost identities, rotate secrets, and unify visibility across code, VMs and cloud.

How common is administrative privilege granted to AI services according to Tenable (TENB) 2026 report?

Admin privileges for AI services are significant. According to the company, 18% of organizations granted AI services administrative permissions that are rarely audited, creating reusable privilege catalogs for attackers.