PORTLAND,
Ore. – [July 13, 2026] : Orca Security, a leader in cloud and AI
security, today released its 2026 State of AI Security Report,
offering a first-hand view into how AI is being deployed across more than 1,200
production cloud environments. The findings show AI is no longer limited to
isolated pilots or developer experiments. Organizations are embedding AI into
production applications, cloud services, and autonomous workflows faster than
security programs can adapt.
More than half (56%) of organizations have already deployed AI agents into production, while 51% use AI to build custom applications. At the same time, Orca found that 81% of organizations run vulnerable AI packages, and 99.9% of fixable AI vulnerabilities remain unpatched, highlighting how quickly AI has become operational infrastructure without corresponding security maturity.
The
report also reveals that AI environments are rapidly becoming more
interconnected and business critical. Among organizations adopting AI, 64% now
run vector databases, 55% operate four or more AI services simultaneously, and
between 87% and 98% of AI workloads across the three major cloud providers lack
customer-managed encryption. Together, these findings show that organizations
are no longer securing standalone AI tools. They are securing complex AI
ecosystems connected to enterprise data, cloud services, identities, and
production workflows.
"What
surprised us wasn't simply how fast AI adoption has grown. It was how deeply AI
is now woven into production cloud environments," said Gil Geron, CEO and
Co-Founder of Orca Security. "We aren't just seeing isolated models. We're
seeing AI agents connected to enterprise data, interacting with identities, calling
cloud services, and becoming part of business-critical workflows. AI is no
longer an experiment. It's production infrastructure. The number of builders
has increased exponentially and organizations need security that provides
complete visibility and the confidence to innovate at AI speed without
introducing unnecessary risk."
AI
Has Become Production Infrastructure Before Security Was Ready
The
report finds AI has evolved beyond standalone models into an interconnected
production ecosystem spanning cloud services, AI agents, vector databases,
development tools, and autonomous workflows. While this transformation enables
organizations to innovate faster, it also expands the attack surface in ways
traditional security programs were never designed to address.
Among
the report's key findings:
●
81% of organizations using AI packages have at
least one known vulnerability, up from 62% in Orca's 2024 report.
●
50% of AI package vulnerabilities now have a
publicly available exploit, a 250-fold increase over 2024.
●
99.9% of AI vulnerabilities with an available
fix remain unpatched.
"AI
has introduced an entirely new operational layer into cloud environments,"
said Nir Mashal, Chief Information Security Officer at Orca Security.
"Organizations now have agents making decisions, vector databases
connected to enterprise data, and AI services spread across multiple cloud
providers. Security teams need unified visibility across that entire
environment, paired with automated prevention, to understand where risk
actually exists and stop attackers before damage is done."
Progress
Is Measurable When Organizations Treat AI Like Production Infrastructure
Despite
persistent gaps, the research also highlights meaningful progress where
organizations have focused security investments. Since Orca's previous AI
report, the percentage of Amazon SageMaker environments running with root
access has declined from 98% to 76%, while insecure IMDSv2 configurations
dropped from 77% to 48%. These improvements demonstrate that applying
production-grade operational discipline to AI environments produces measurable
security gains.
The
report recommends organizations treat AI as production infrastructure by
extending existing security practices across the AI lifecycle, including
vulnerability management, credential protection, least-privilege access,
encryption, AI-specific monitoring, and governance. The urgency is increasing as
new regulations take effect, including the EU AI Act's high-risk obligations
beginning August 2, 2026, and Colorado's amended AI law taking effect January
1, 2027.
“The
organizations making the most progress are treating AI like every other
critical production system," added Geron. "That means applying
consistent visibility, governance, least-privilege access, and remediation
across the entire AI lifecycle. Security can't be something you add after
deployment. It has to be built into how teams develop and scale AI.”
The
2026 State of AI Security Report analyzes aggregated, anonymized telemetry from
more than 1,200 production organizations collected during Q2 2026. The research
examines AI cloud services, AI package vulnerabilities, identities and secrets,
AI agents, vector databases, encryption, and governance across AWS, Microsoft
Azure, and Google Cloud. The full report is available at: https://orca.security/lp/2026-state-of-ai-security-report/.
About
Orca Security
Orca
Security delivers security for the companies that build. As cloud,
applications, AI and app generation expand the attack surface, Orca transforms
security risk into the context teams need to act. The Orca Platform provides
complete visibility across cloud, AI, and application environments, correlates
risk across every layer, and prioritizes the exposures that matter most so
organizations can remediate faster and innovate with confidence. Trusted by
hundreds of organizations, including SAP, Autodesk, Gannett, Lemonade, and
Digital Turbine, Orca is backed by leading investors including Temasek,
CapitalG, ICONIQ Capital, and Redpoint Ventures. Learn more at orca.security.
Connect your first account in minutes: https://orca.security or
book a personalized demo.
