The hidden supply chain risks of AI workloads in the cloud

This layered supply chain complexity isn’t just theoretical. In the shared responsibility model of cloud, providers secure the base infrastructure, but customers are responsible for secure configuration of what they build on top. The reality is that cloud providers’ default settings prioritize ease of use over security – often excessively permissive defaults left unchanged by users can introduce serious vulnerabilities. Every AI workload built on cloud services thus inherits not only the power of those services, but also any latent security flaws within them.

Inherited vulnerabilities in AI workloads

One striking finding is that cloud workloads running AI software are significantly more vulnerable than those that are not. Nearly 70% of analyzed cloud workloads with an AI package installed contained at least one unremediated critical vulnerability – a markedly higher rate than the 50% of non-AI cloud workloads. In other words, an AI workload is more likely than not to have a critical exposure lurking within. In other words, an AI workload is more likely than not to have a critical exposure lurking within.

Why? One reason is the software supply chain of AI itself: many AI workloads run on Linux-based platforms with numerous open-source libraries and frameworks, which often have reported vulnerabilities. If those libraries (for example, a widely used AI-related package or even a tool like cURL) aren’t patched, they can introduce critical flaws.

The impact of these inherited vulnerabilities is amplified by the nature of AI workloads. If an attacker exploits a critical flaw in an AI system, the consequences can go beyond server access – the attacker might manipulate AI models or tamper with sensitive training data, leading to corrupted AI outputs or leakage of proprietary insights.

And if that vulnerable AI workload is also left exposed to the internet, it creates a toxic combination that significantly increases the likelihood of compromise. The Tenable Cloud AI Risk Report bluntly notes that AI, for all its intelligence, is not risk-free and requires your attention.

Security teams must be especially vigilant with vulnerability management for AI. The high incidence of critical flaws in these workloads combined with the sensitive nature of AI data and models make patching and hardening an urgent priority.

Risky defaults and misconfigurations in Cloud AI services

Beyond software vulnerabilities, misconfigurations in cloud services are a major supply chain risk for AI. Cloud-based AI services often come with default configurations that, if left unchanged, can be dangerously over-privileged. For example, a managed AI notebook service from a leading cloud service provider, by default, gives users root access within the notebook instance – this is full administrator control. Alarmingly, the vast majority (about 91%) of organizations using the service have at least one notebook with this risky root-access default still enabled.

To make matters worse, cloud AI environments often deal with highly sensitive data, and misconfigurations here can lead to severe exposure. Consider a leading cloud service providers’s service for AI model hosting and training. It relies on cloud storage buckets for training data. Tenable’s research found that 14% of organizations using the service had at least one training data bucket with public access not blocked, and about 5% had at least one overly permissive bucket open to any authenticated user. In practice, this means a significant number of AI datasets – which could include proprietary training data or customer information – were one misstep away from being exposed to the world. Such exposure invites a host of risks: an attacker could steal the training data (revealing intellectual property or sensitive info) or even poison the data by injecting malicious samples, corrupting the model’s outputs.

Continuous exposure management for AI supply chains

Given the breadth of these risks – from unpatched vulnerabilities in open-source libraries to inherited cloud misconfigurations and exposed datasets – it’s clear that securing AI in the cloud requires continuous, proactive risk management. Traditional security checklists aren’t enough; organizations need an exposure management mindset tailored to AI’s unique attack surface. In practice, this means regularly assessing every layer of the AI supply chain for weaknesses and a continuous supply chain risk assessment for your cloud services.

What might this look like?

First, extend your vulnerability management program to cover AI frameworks and the underlying infrastructure they run on. If 70% of AI workloads carry critical CVEs then scanning and patching those systems (including AI libraries like TensorFlow, PyTorch, and even the base OS images and container layers) should be a top priority. Equally important is configuration auditing: do not trust default settings in managed AI services. When deploying cloud AI offerings – whether Amazon SageMaker, Google Vertex AI, Azure Cognitive Services, or others – scrutinize and harden the configurations at each layer. Ensure storage buckets for model data are not publicly accessible by default, and that service accounts or API keys adhere to the principle of least privilege. Cloud providers often publish security guidelines for their AI services; use them, but remain cautious, knowing that “default” often does not equate to “secure.”

Identity and access management is another linchpin. Apply strict identity and access controls to AI resources and data. Limit who and what services can access your models, notebooks, and data stores. This includes using unique service accounts with minimal scopes for AI services, rather than allowing broad reuse of admin-level accounts. Where possible, implement multi-layer access controls (for example, network restrictions in addition to identity permissions) to guard sensitive training data. The principle of least privilege should be enforced rigorously in AI environments – for both human users and machine identities. As Tenable’s analysts note, reducing excessive permissions and tightening cloud identities is key to preventing unauthorized access, especially to high-value AI data stores.

But securing AI doesn’t start at deployment — it starts in development. Vulnerabilities can be introduced early in the CI/CD pipeline, even before a model reaches production. That’s why it’s essential to adopt a shift-left approach: identifying and addressing security risks during code development, integration, and testing stages. Cloud-native application protection platforms (CNAPPs), including those from Tenable, help teams embed security earlier in the lifecycle, providing visibility and control across development and runtime environments. The earlier you act, the more resilient your AI systems become.

Finally, given the interconnected nature of cloud risks, organizations should consider Exposure Management platforms with robust Cloud Security capabilities that can provide a holistic view of risk across the cloud stack. An effective platform that is ready to tackle the risk of AI can correlate findings from vulnerabilities in workloads, misconfigurations in cloud resources, identities, and even data exposure, to paint a context-rich picture of your true risk. This helps in prioritizing remediation by impact and focusing on the toxic combinations that could lead to a breach.

Digging deeper

AI is driving innovation and competitive advantage, but it also introduces a high-stakes security puzzle. The hidden supply chain beneath every cloud AI service means security teams must look beyond the AI application itself and secure each dependency that makes it work. This requires vigilance, the right tools, and a proactive strategy. The encouraging news is that by embracing continuous exposure management and treating AI workloads as part of a broader cloud ecosystem, organizations can enable AI innovation securely.

Securing the AI revolution is about securing the layers beneath – from code libraries to cloud configurations and data pipelines.

To learn more, read Tenable’s latest research, Tenable Cloud AI Risk Report 2025 and the Tenable Cloud Security Risk Report 2025.