AI moved to production before its security did: the 2026 posture gap
Orca's 2026 State of AI Security Report (July 2026, 1,200+ cloud environments) finds 56% run AI agents in production, 81% ship vulnerable AI packages, and 99.9% of fixable AI vulnerabilities stay unpatched.
What is this?
On July 9, 2026, Orca Security published its 2026 State of AI Security Report, based on aggregated, anonymized telemetry from more than 1,200 production cloud environments collected during Q2 2026 across AWS, Microsoft Azure, and Google Cloud. It is a posture study, not an attack write-up: it measures how organizations actually deploy AI and where they leave gaps. The headline number, widely reported on July 13 by outlets including Help Net Security and Intelligent CISO, is stark: 99.9% of AI vulnerabilities with an available fix remain unpatched.
The report’s framing matters more than any single figure. AI has stopped being a pilot and become production infrastructure — agents making decisions, vector databases wired into enterprise data, SDKs and Model Context Protocol servers embedded in developer workflows — while the security controls built for that infrastructure have not followed. This is a governance and hygiene finding, and it is the substrate on which the more exotic attacks this site covers actually land.
How it works
There is no exploit here; the mechanism is organizational. Orca describes an attack surface expanding across five layers of the AI stack: package registries, model hubs, developer tools, agent frameworks, and brand trust. Three data points define the exposure. First, 56% of AI adopters already run agent frameworks in production, and each production agent is a new non-human identity with its own permissions, memory, and blast radius. Second, 64% operate vector databases, with retrieval-augmented generation users running an average of 3.78 of them — meaning inconsistent policy across many stores of sensitive context. Third, the software itself is stale: 81% of organizations running AI packages carry at least one known vulnerability (up from 62% in Orca’s 2024 report), and 74% carry at least one critical CVE.
The exploitability side moved fastest. Orca reports that 50% of AI package vulnerabilities now have a publicly available exploit — a roughly 250-fold increase over 2024. Combined with the 99.9% unpatched rate, that closes the gap between “theoretically vulnerable” and “practically exploitable” for a large share of deployments. Credentials compound it: nearly 30% of AI adopters store at least one AI key in an insecure location, and keys committed to Git can remain reachable after they are deleted from the working tree.
Why it matters
An unpatched AI SDK or MCP server is not an abstract compliance ding — it is the reachable foothold that turns a research-grade technique into an incident. A vulnerable dependency plus an over-permissioned agent plus a network path is the same lethal trifecta pattern, only assembled from ordinary supply-chain neglect rather than a clever prompt. The MCP ecosystem, one of Orca’s three package-vulnerability categories, is exactly where backend flaws keep recurring, and it is growing faster than teams inventory it.
Encryption and identity gaps widen the blast radius. Between 87% and 98% of AI workloads across the three major clouds run without customer-managed encryption keys, leaving organizations unable to rotate keys, revoke access independently, or audit key usage on their most sensitive AI data. The report lands as regulation tightens: the EU AI Act’s high-risk obligations begin August 2, 2026, and Colorado’s amended AI law takes effect January 1, 2027.
Defenses
Orca’s own recommendation is deliberately unglamorous: treat AI as production infrastructure and extend the controls you already run.
- Inventory first. You cannot patch or scope what you cannot see. Build unified visibility across cloud AI services, agents, vector databases, SDKs, and MCP servers before layering new tooling on top.
- Fix the 99.9%. Bring AI packages into normal vulnerability management and SCA. Prioritize the 50% of AI-package vulnerabilities that now carry public exploits, and the 74% critical-CVE population, rather than treating AI dependencies as exempt from patch cadence — the same discipline as the open-source AI patch gap.
- Least privilege for non-human identities. Scope each agent’s permissions, isolate it from production at runtime, and log its actions. Assume every agent can be steered, and cap what a steered agent can reach — the instinct behind the Agents Rule of Two.
- Protect credentials. Move AI keys out of insecure stores and out of Git history, rotate exposed keys, and prefer short-lived scoped tokens over long-lived API keys.
- Turn on customer-managed encryption for AI data at rest so key rotation, revocation, and usage auditing are actually in your control.
- Close the governance gap ahead of the regulatory deadlines: consistent access controls, monitoring, and encryption applied across the full AI lifecycle, not bolted on after deployment.
The encouraging counter-signal is that discipline works where it is applied: Orca measured Amazon SageMaker environments running with root access falling from 98% to 76%, and insecure IMDSv2 configurations from 77% to 48%, since its prior report. The gap is closable — it is a matter of treating AI like every other critical production system.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| 2026 State of AI Security Report | Orca Security | 2026-07-09 | 1,200+ production cloud environments, Q2 2026, AWS/Azure/GCP |
| 99.9% of fixable AI vulnerabilities unpatched | Orca via Help Net Security | 2026-07-13 | 81% run vulnerable AI packages; 74% carry a critical CVE |
| 50% of AI-package vulns have a public exploit | Orca press release | 2026-07-09 | ~250-fold increase vs. 2024 |
| Measured improvements | Orca press release | 2026-07-09 | SageMaker root access 98%→76%; insecure IMDSv2 77%→48% |
| Regulatory deadlines | EU AI Act / Colorado | 2026-08-02 / 2027-01-01 | High-risk obligations and state-law effective dates |
The honest read is that most AI incidents in 2026 will not require a novel jailbreak. They will require an unpatched package, an over-scoped agent, and a leaked key — three failures this report shows are already the norm. The fix is not new; it is applying the security maturity organizations already have to the infrastructure they just built.
Sources
- → https://www.businesswire.com/news/home/20260709482694/en/Orca-Security-Report-99.9-of-Fixable-AI-Vulnerabilities-Remain-Unpatched-as-AI-Moves-Into-Production
- → https://www.helpnetsecurity.com/2026/07/13/ai-infrastructure-security-risks-report/
- → https://www.intelligentciso.com/2026/07/13/orca-report-highlights-security-gaps-as-ai-moves-into-production/