TL;DR: 84% of organizations now run AI workloads in the cloud and 62% already have vulnerable AI packages, underscoring how quickly AI-era exposure is colliding with alert overload and weak prioritization, according to Orca Security. The real issue is no longer finding more signals, but separating exploitable runtime risk from background noise.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- 84% of organizations now run AI workloads in the cloud.
- 62% already have vulnerable AI packages in their environments.
Questions worth separating out
Q: How should security teams govern AI usage in cloud environments?
A: Security teams should govern AI usage as a runtime identity and data-flow problem, not just a model inventory problem.
Q: Why does code reachability matter more than package presence?
A: Code reachability matters because a vulnerable library is only immediately relevant if production paths can invoke the flaw.
Q: What do security teams get wrong about alert fatigue in AI-era cloud estates?
A: Teams often treat alert fatigue as a volume problem when it is also a context problem.
Practitioner guidance
- Baseline AI activity in cloud runtime telemetry Inventory where AI models, MCP servers, and third-party AI tools are actually being touched by workloads and identities.
- Prioritise reachable vulnerabilities over inventory noise Use code reachability analysis to rank findings by whether the vulnerable path is invoked in production.
- Correlate identity and AI signals before triage Join identity events, workload telemetry, and AI tool usage into one investigation workflow.
What's in the full announcement
Orca Security's full post covers the operational detail this post intentionally leaves for the source:
- How the Threat Investigation Agent structures cloud findings into a remediation-ready workflow
- What the AppSec Triage Agent uses to distinguish false positives from real vulnerabilities
- How Runtime AI Threat Detection identifies interactions with MCP servers and third-party AI tools
- How Orca Missions groups related findings into measurable remediation initiatives
👉 Read Orca Security's update on AI-first cloud defense and runtime AI detection →
Runtime AI threat detection in cloud environments: are controls keeping up?
Explore further
AI-first cloud defense is now an identity and runtime governance problem, not just a detection problem. Once workloads, identities, and AI tools interact at runtime, the governance boundary moves from static inventory to live behaviour. That means teams must evaluate not only exposed secrets or vulnerable packages, but also whether AI usage creates new trust paths across cloud services. The implication is that identity security programmes need runtime context to remain credible.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications, according to Aembit.
A question worth separating out:
Q: Should organisations automate remediation for AI-related cloud findings?
A: Organisations should automate triage and workflow routing before they automate remediation. AI-guided investigation can compress decision time, but final containment still needs accountable owners and verification. Automation works best when it speeds the path to a human decision rather than hiding the evidence behind the decision.
👉 Read our full editorial: AI-first cloud defense shifts toward runtime AI threat detection