Nearly Every Fixable AI Security Vulnerability Is Being Left Open. New Data Shows Why

Awais Khalid

July 13, 2026

Orca Security 2026 AI Security Report

Every enterprise security team knows the drill: a vulnerability report arrives, priorities are assessed, tickets are filed, and most of the tickets are never resolved before the next report lands. Apply that dynamic to AI infrastructure specifically, and Orca Security’s 2026 State of AI Security Report has quantified exactly how severe the gap has become: 99.9 percent of AI vulnerabilities that have a ready-made fix available are not being patched. This is not a rounding error. It means that organisations collectively leave essentially every fixable vulnerability in their AI stack open, indefinitely, while simultaneously running more AI agents with broader permissions than at any previous point in enterprise computing history.

The report, published July 13, draws on aggregated and anonymised telemetry from more than 1,200 production cloud environments across AWS, Microsoft Azure, and Google Cloud, collected during Q2 2026. It is the most comprehensive direct-measurement view of how AI is actually deployed and secured at the enterprise level rather than how organisations describe their security practices when surveyed.

KEY DEVELOPMENTS

  • Orca Security’s 2026 State of AI Security Report, published July 13 and based on telemetry from more than 1,200 production cloud environments collected during Q2 2026, finds 81% of organisations run AI packages with at least one known vulnerability.
  • 99.9% of AI vulnerabilities that have a readily available fix remain unpatched, a finding that reflects a fundamental gap between the speed of AI deployment and the pace of security operations in enterprises globally.
  • 56% of organisations have deployed agentic AI frameworks into live production environments. These AI agents run with broad permissions, calling cloud services and interacting with enterprise data, while operating outside the non-human identity governance most organisations have in place.
  • Meaningful progress exists: Amazon SageMaker environments running with root access fell from 98% to 76% year-on-year. Insecure IMDSv2 configurations dropped from 77% to 48%, showing that deliberate security investment produces measurable results.

What the Report Found

The headline figure of 99.9 percent unpatched fixable vulnerabilities is the most striking, but it sits inside a broader picture that is consistently alarming. Orca found that 81 percent of organisations running AI packages have at least one known vulnerability in their AI dependencies — effectively saying that the AI infrastructure of four in five enterprise cloud environments is currently operating with a documented, recognised security flaw. That figure is not a projection or a modelled risk estimate; it is a direct measurement of production cloud environments, captured by Orca’s agentless scanning technology from the real-time configuration of live systems. As published via the official Orca Security press release via Business Wire, the full report is available for download at orca.security. CEO and Co-Founder Gil Geron framed the core finding plainly: “We aren’t just seeing isolated models. We’re seeing AI agents connected to enterprise data, interacting with identities, calling cloud services, and becoming part of business-critical workflows. AI is no longer an experiment. It’s production infrastructure.”

The agentic AI finding amplifies every other vulnerability in the report. Fifty-six percent of organisations have already deployed agentic AI frameworks — autonomous AI systems capable of taking actions across connected systems without human approval at each step — into live production environments. Those agents operate with identities, credentials, and permissions attached to them. When those environments also contain unpatched AI vulnerabilities and improperly secured credentials, the attack surface is not a theoretical future risk. It is a current operational reality in more than half of the production cloud environments Orca measured.

The Mechanism: Why AI Vulnerabilities Stay Unpatched

The Speed Gap

The 99.9 percent unpatched rate is not primarily a consequence of organisations choosing not to patch. It is a consequence of the speed at which AI infrastructure has been deployed relative to the maturity of the security operations processes designed to manage it. In a conventional enterprise software stack, a vulnerability in a critical production dependency triggers a change management process: the affected component is identified, the patch is tested in a staging environment, a deployment window is scheduled, the fix is applied, and the change is documented. That process typically takes days to weeks for critical vulnerabilities. Applied to an AI package ecosystem that may include hundreds of Python dependencies, model libraries, framework components, and API clients — each of which is independently versioned and independently subject to vulnerability disclosures — the queue of waiting patches accumulates faster than any standard patching cadence can clear it.

The Non-Human Identity Problem

The agentic AI deployment finding creates a second, distinct security problem that conventional vulnerability patching does not address. AI agents require permissions to do useful work: read access to databases, write access to cloud storage, call access to external APIs, the ability to create and modify files. Those permissions are typically granted through service accounts or API credentials associated with the agent’s runtime identity. When those identities are not governed under the same least-privilege, rotation, and audit frameworks that apply to human user identities, they create a category of credential risk that sits entirely outside most enterprise identity access management programmes. The same attack surface exposed by agentjacking vulnerabilities in AI coding environments applies here at production scale: an attacker who can compromise the runtime environment of a deployed AI agent inherits all the permissions that agent was granted, including permissions to enterprise data, cloud services, and business-critical workflows.

The Progress Data: Where Security Investment Works

The report is not uniformly negative. Orca tracked year-on-year improvements in two specific metrics that illustrate what happens when security teams apply deliberate, focused effort to AI infrastructure: the percentage of Amazon SageMaker environments running with root access fell from 98 percent in the previous year to 76 percent. Insecure IMDSv2 configurations — a specific cloud metadata service configuration that exposes credentials to server-side request forgery attacks — dropped from 77 percent to 48 percent. Both improvements are meaningful. Neither is sufficient. A SageMaker environment running with root access is an environment where any compromised process or agent can modify any other resource in the system without restriction. Moving from 98 percent to 76 percent means three quarters of environments still have this configuration, just fewer than before.

The improvement pattern suggests a workable hypothesis for why the overall patching rate is so low: when security teams specifically target a named, understood problem with a direct remediation, they make progress. The 99.9 percent unpatched rate reflects the inverse: when the problem is not specifically named and targeted, it does not get addressed. Most AI vulnerability patching is not failing because it is technically difficult. It is failing because it is not being prioritised, scheduled, or tracked as a distinct security activity separate from the general software dependency management backlog that most security teams are already struggling to clear.

Backstory: The Regulatory Pressure Arriving Alongside This Data

The Orca report lands in a week when two AI security regulatory timelines are directly relevant. The EU AI Act’s general-purpose AI model obligations take effect August 2, 2026 — twenty days from the report’s publication. Colorado’s amended AI law takes effect January 1, 2027. Both frameworks include obligations around AI risk assessment, security, and ongoing monitoring that organisations running AI infrastructure in those jurisdictions must now begin treating as compliance requirements rather than best practices. The EU context is particularly relevant alongside the European Commission’s AI Cybersecurity Action Plan, which separately from the AI Act establishes a programme of AI model evaluation and structured access requirements that will require organisations to demonstrate security governance over their AI deployments. Orca’s data documents the gap between where enterprise AI security is today and where those regulatory frameworks are setting the bar. The 99.9 percent unpatched rate, read in that context, is not just a security finding. It is a compliance exposure assessment for every organisation subject to those frameworks. Further context on how AI-enabled cyber threats are reshaping the regulatory landscape is available in our reporting on agentjacking attacks against AI coding agents — the specific attack class that the growth of agentic AI in production environments makes more prevalent and more consequential.

What Orca Recommends

The report’s recommendations are deliberately framed around treating AI as production infrastructure rather than a special category that sits outside normal security programmes. Specifically: extend vulnerability management practices to AI packages and dependencies with the same priority tiers applied to conventional software; implement credential protection and rotation for AI-associated service accounts and API keys; apply least-privilege access controls to AI agent identities with the same rigour as human user identities; establish AI-specific monitoring and logging sufficient to detect anomalous agent behaviour; and implement governance frameworks before agents are deployed, not after. Each recommendation addresses a finding in the report, which gives the guidance a directness that broad cybersecurity frameworks often lack. The most operationally urgent: identifying and patching the critical and high-severity vulnerabilities within the 99.9 percent backlog, particularly in AI packages that are internet-facing or that AI agents operate within.

What Happens Next

The report’s data will be used by enterprise security teams, cloud providers, and regulators in the coming months as a baseline against which AI security posture can be measured. Orca has indicated it plans to update the benchmark annually, which means the 2027 edition will be the first direct measurement of whether the regulatory pressure from the EU AI Act and Colorado’s law produced measurable improvements in patching rates and agentic identity governance. The trajectory implied by the SageMaker and IMDSv2 improvements is cautiously optimistic: targeted effort produces measurable results. Whether targeted effort arrives in time, at scale, and with the right prioritisation to close a 99.9 percent unpatched rate before the first major AI infrastructure breach exploits it is the open question the 2027 edition will answer.

Why It Matters

The 2026 State of AI Security Report matters because it closes the gap between how enterprises talk about AI security and what their production environments actually look like when measured directly. Most enterprise AI security surveys capture intent and reported practice. Orca’s telemetry captures ground truth. The ground truth is that AI infrastructure is now genuinely production-critical for the majority of the organisations running it, while the security maturity applied to that infrastructure is still catching up from where it started, which was essentially zero for most organisations two years ago. The 99.9 percent unpatched rate is the most quotable figure in the report, but the more important number may be 56 percent: the share of organisations that have already put autonomous AI agents into production with live cloud permissions, before the governance frameworks needed to oversee those agents exist. That is the security problem that has not yet produced a catastrophic incident but that the combination of growing agent permissions and persistent unpatched vulnerabilities is steadily building the conditions for.

Sources

Orca Security 2026 State of AI Security Report, Business Wire, July 13, 2026. Report available at orca.security/lp/2026-state-of-ai-security-report/. Telemetry from more than 1,200 production cloud environments across AWS, Microsoft Azure, and Google Cloud, Q2 2026.

Stay Ahead of AI

Get the latest AI news delivered to your inbox.

We don’t spam! Read our privacy policy for more info.