Most security reports tell you what organizations are worried about. SentinelOne's 2026 AI and Cloud Verified Exploit Paths report tells you what attackers are actually doing — drawn from real telemetry across more than 11,000 customer environments, verified through an offensive security engine that simulates actual attack methods rather than cataloguing theoretical vulnerabilities. That distinction matters more than it might look like on the surface.
The report's primary finding is one organizations have been creating without realizing it. As AI tools have been embedded into customer support systems, internal tooling, financial platforms, and product infrastructure at speed, the credentials required to run those tools — OpenAI API keys, Azure OpenAI API keys, and a growing range of AI-service tokens — have been generated, hardcoded, and exposed at a pace that security teams have not kept up with. AI-related secrets grew approximately 140% in a single year. That growth has created a new category of credential exposure sitting in code repositories and cloud environments right now, largely unaudited and frequently ungoverned.
The shadow AI dimension of this compounds the problem. Organizations know they have a shadow AI problem — GAIG's coverage of the Delinea and RSM surveys earlier this month documented that 53% of organizations regularly encounter unsanctioned AI tools accessing their systems. What SentinelOne adds is the specific security consequence: shadow AI does not just create policy exposure. It creates credential exposure. Every unsanctioned deployment generates its own secrets, under its own access model, outside the visibility of the teams responsible for securing the environment. And when those secrets expire or get rotated in the official environment, the shadow deployment's credentials often stay active indefinitely.
Key Findings
AI-related secrets grew 140% in one year. OpenAI API keys, Azure OpenAI API keys, and other AI service credentials are being generated faster than they are being governed. The growth correlates directly with the pace of AI embedding into production systems across customer support, internal tooling, financial platforms, and product infrastructure.
Shadow AI is generating credential exposure at scale. The unsanctioned use of AI tools inside enterprise environments without formal IT approval or security oversight — what the report calls shadow AI — has created a pattern of widespread credential exposure that security teams cannot see because the deployments themselves are not visible to them.
Attackers are not using sophisticated exploit chains. The telemetry from Verified Exploit Paths shows that threat actors consistently exploit recurring entry points — misconfigured external services and widely abused CVEs — rather than complex, novel attack chains. Simplicity is the strategy because the simple paths are the ones that stay open the longest.
Legacy CVEs remain the dominant initial access vector. Despite being public, well-documented, and years old in many cases, legacy CVEs continue to serve as reliable entry points because they persist in production environments long after patches are available. Attackers have proven tooling for these CVEs and reach for them first.
Misconfigured external services are the primary cloud attack vector. Across the verified exploit paths in the report, misconfigured external services appear as the most consistent exploitable pathway. These are configurations that organizations created themselves and that have been sitting exposed — often for months or years — without being flagged as operational risks.
AI infrastructure is creating a new secrets management problem. The proliferation of AI-related credentials is outpacing the secrets management practices most organizations have in place. Credentials hardcoded in repositories, tokens generated for ad-hoc deployments, and API keys created during rapid prototyping cycles are accumulating faster than rotation policies can clear them.
The AI security posture management gap is real and measurable. Organizations deploying AI infrastructure need visibility into AI pipelines and modules, AI service misconfigurations, and the shadow MCP servers and unsanctioned agent deployments that bypass traditional security tooling. Most do not have it.
What is Covered In the Report
The AI Secrets Explosion And What 140% Growth Actually Means
The opening section of the report establishes the scale of the AI credential problem through production telemetry rather than survey data. The 140% growth in AI-related secrets is measured from real environments over a twelve-month period. What makes this finding significant is what drives it: the organizational pattern of embedding AI technologies into production systems quickly, under business pressure, without completing the credential governance work that should accompany any new service integration.
An AI feature in a customer support system requires an API key. An internal tool built on a foundation model requires a token. A financial platform integrating AI-powered analysis requires authentication credentials. Each of those integrations generates at least one secret. At the pace AI is being embedded across enterprise systems in 2025 and 2026, those secrets are accumulating faster than any rotation policy or vault governance practice can track them. SentinelOne's secrets scanning identified more than 750 types of secrets across code repositories — the AI-specific credentials are a growing subset of a much larger unmanaged secrets problem, but they are the fastest-growing subset by a significant margin.
Shadow AI and the Credential Exposure Nobody Is Tracking
The shadow AI section of the report moves the credential problem from a scale question to a visibility question. An organization that knows it has 10,000 AI-related secrets can build a governance program around those 10,000 secrets. An organization that has 10,000 known secrets and an unknown number of shadow deployment credentials has a different problem entirely — because the unknown credentials are precisely the ones most likely to be misconfigured, over-permissioned, and never rotated.
SentinelOne identifies shadow AI in this context as the unsanctioned use of AI tools within enterprise environments without formal IT approval or security oversight. This definition has evolved as the shadow AI problem has evolved. Early shadow AI was employees using consumer AI tools for productivity tasks — the data leakage risk GAIG covered in the Delinea report analysis. The 2026 version of shadow AI includes employees deploying autonomous agents under their own credentials, building internal tools on top of AI APIs without security review, and embedding AI capabilities into workflows that were never disclosed to IT or security teams. Each of those deployments generates credentials.
Verified Exploit Paths What Attackers Are Actually Doing
Most threat reports describe attack categories — privilege escalation, lateral movement, credential stuffing — without distinguishing between theoretically possible attacks and attacks that have been confirmed as exploitable in real environments. SentinelOne's Offensive Security Engine changes that. It simulates actual attack methods against customer environments, confirms exploitability, and presents evidence of what it found rather than cataloguing what could happen in theory.
The finding from applying this methodology across 11,000 environments is significant precisely because of what it does not show. It does not show organizations being compromised through elaborate, novel zero-day exploit chains. It shows organizations being compromised through the same entry points that have been documented for years: misconfigured external services and legacy CVEs that were never patched and have proven tooling available to any threat actor who wants to use them.
"Attackers generally do not rely on highly complex, theoretical attack chains. Threat actors consistently exploit recurring entry points, specifically targeting misconfigured external services and widely abused CVEs."
SentinelOne 2026 AI and Cloud Verified Exploit Paths Report
Legacy CVEs and the Persistence Problem
When a new AI service is deployed quickly, under business pressure, the security team responsible for patch management may not have visibility into that deployment. The service might be running on infrastructure that carries vulnerabilities from two or three versions back. The team that deployed it moved on to the next project. The CVE that a threat actor will use to gain initial access was disclosed months or years ago, has a working exploit available on public repositories, and is sitting unpatched in a service that nobody on the security team knows exists.
AI Security Posture Management
Organizations have built cloud security posture management capabilities for their cloud infrastructure. They have application security tooling for their applications. The AI layer — the models, the pipelines, the agents, the API integrations, the shadow deployments — sits largely outside the visibility of both.
AI-SPM as a capability category addresses this by providing discovery and classification of AI infrastructure, detection of AI-specific misconfigurations, and inventory of AI assets alongside traditional cloud assets. SentinelOne's implementation includes AI pipeline discovery, AI service configuration checks, and Verified Exploit Paths for AI services specifically — extending the same offensive security engine methodology to the AI infrastructure layer rather than treating AI as just another cloud workload.
The governance implication is that AI-SPM is not a nice-to-have security enhancement. For organizations with significant AI deployment, it is the prerequisite capability for everything else in the security stack. You cannot govern what you cannot see, you cannot protect what you have not inventoried, and you cannot detect anomalies in behavior you have not baselined. AI-SPM is the visibility layer that makes all of those downstream capabilities possible. Most organizations do not have it yet — and the 140% growth in AI-related secrets is partly a consequence of building AI infrastructure before building the tools to govern it.
Prompt Security — The Application and Agent Layer
The final section of the report addresses Prompt injection, jailbreaks, and data leakage through AI applications represent a distinct threat category from credential exposure and legacy CVE exploitation
The AI code assistant security dimension is worth noting in particular. SentinelOne's Prompt Security for code assistants covers GitHub Copilot, Cursor, and similar tools — scanning for secret leakage, enforcing policy, and reducing exposure to prompt-based attacks in the development workflow specifically. This matters because the development workflow is where AI-related secrets are most commonly created in the first place. A developer using an AI code assistant to build an AI-powered feature is generating the exact category of credential that SentinelOne found growing 140% in one year. The policy enforcement at the assistant layer is one of the few points in that workflow where the credential governance problem can be caught before it becomes a production exposure.
Our Take
AI Security Take
SentinelOne's report is valuable to GAIG's audience for a specific reason that goes beyond the headline statistics. It translates the AI security problem from vendor claims about sophisticated threats into production telemetry about how organizations are actually being compromised. The answer is unglamorous and urgent: organizations are creating AI credential exposure at a pace their security programs were not built to manage, and attackers are exploiting that exposure through the same CVEs and misconfigurations that have been in security advisories for years.
The 140% growth in AI-related secrets is the number that should land hardest with CISOs and security teams reviewing their AI security posture. That number represents twelve months of credential accumulation in environments where secrets management practices were designed for a pre-AI deployment pace. Every AI integration generates at least one credential. Many generate several. Most organizations do not have rotation policies, vault governance, or visibility tooling that was designed to handle this rate of growth. The result is a widening gap between the credentials that exist in the environment and the credentials that security teams can account for.
The legacy CVE finding reinforces what GAIG has been documenting across governance, compliance, and monitoring coverage this week: the most dangerous risk is the one nobody is looking at because everyone assumes someone else has it covered. Legacy CVEs are public knowledge with available patches and proven exploits. They persist in production AI environments because the velocity of AI deployment outpaced the security review process that would have caught them. Closing that gap requires the same thing every other governance gap requires — named ownership, documented review cadence, and verification that the review actually happened rather than documentation that it was required.
For organizations evaluating their AI security posture, SentinelOne's Verified Exploit Paths methodology offers something most security assessments cannot: confirmation of what is actually exploitable rather than inventory of what is theoretically possible. The distinction between those two things is where security budgets should be focused — and where the telemetry from 11,000 environments points most clearly at the work that remains to be done
