AI appsec velocity and secrets exposure: are controls keeping up?

TL;DR: The 2026 State of Application Security Report says 78% of organisations are running production applications with critical vulnerabilities, nearly 50% still have Log4Shell-exposed systems, and 43% have exposed AI/ML credentials, according to Orca Security. The real problem is not AI itself but the speed gap between code flow and governance controls, which now leaves hygiene measures struggling to keep up.

NHIMG editorial — based on content published by Orca Security: the 2026 State of Application Security Report and webinar discussion

By the numbers:

• 78% of organizations are running production applications with critical vulnerabilities.
• Over 77% of organizations have unpatched high or critical vulnerabilities after 90 days of discovery.
• 43% of organizations have exposed AI/ML credentials like API keys and tokens for model hosting, inference APIs, and ML platforms.

Questions worth separating out

Q: How should security teams handle AI credentials in secrets management programmes?

A: Treat AI credentials as a separate high-risk secret class, not as a generic API key.

Q: Why do critical vulnerabilities remain open for so long in modern appsec programmes?

A: They stay open because remediation is harder than detection in modular environments.

Q: What breaks when supply-chain trust is based mainly on package popularity?

A: Popularity signals can be manipulated, and they do not prove package integrity or safe behaviour.

Practitioner guidance

• Enforce code review gates on production-bound changes Block direct paths from prompt to production by requiring review, branch protection, and approval for changes that can reach live environments.
• Separate AI credentials from standard secret classes Inventory API keys, tokens, and platform credentials used for model hosting and inference as a distinct category with tighter monitoring and access limits.
• Document remediation playbooks for modular application stacks Capture rollback steps, dependency owners, and service-impact checks so high-risk fixes do not get deferred because teams fear breaking something else.

What's in the full report

Orca Security's full report covers the operational detail this post intentionally leaves for the source:

• How the report breaks down vulnerable production applications by issue type and remediation posture.
• Additional context on why code review, branch protection, and CI/CD gates fail under high-velocity delivery.
• The report’s discussion of AI credential exposure and why existing secrets programmes miss it.
• The webinar conversation between the CISO and researcher on how teams separate exploitable risk from noise.

👉 Read Orca Security's 2026 State of Application Security Report →

AI appsec velocity and secrets exposure: are controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →