Published
- 5 min read
By Allan D - Editor, AI Security Wire
99.9% of Fixable AI Vulnerabilities Go Unpatched, Orca Reports
The AI build-fast, security-later pattern has produced a predictable outcome. Orca Security’s 2026 State of AI Security Report, published today, finds that 99.9% of AI vulnerability alerts where a patch is available remain unpatched across production environments. A companion figure: 81.2% of companies running AI packages carry at least one known vulnerability, and 74.1% have at least one critical CVE sitting in their AI stack right now.
These numbers are the natural consequence of organisations treating AI deployment as an exception to normal security hygiene. The report frames it plainly: AI has become operational infrastructure without a corresponding increase in security maturity.
The Patching Gap
The 99.9% figure is the one that warrants direct attention. It does not say 99.9% of vulnerabilities are unpatched because no fix exists. It says that even when a patch is available, virtually nothing is getting applied.
Part of this is the inheritance problem. AI packages, like any software, sit on dependency trees. A vulnerable library embedded in a dependency graph often outlives the patch cycle, and AI workloads inherit the same problem despite the fact that many AI frameworks ship on aggressive release cycles that assume dependencies are being kept current.
Orca groups new AI-related package vulnerabilities into three categories: SDKs for accessing hosted AI models, frameworks for building AI agents and integrations, and the rapidly expanding Model Context Protocol (MCP) ecosystem. All three have seen vulnerability disclosures over the past twelve months, and all three are showing the same patching inertia.
The practical consequence is that attackers targeting the AI layer are working against a large, stable attack surface. There is no urgency forcing organisations to move.
Agents, Vector Databases, and the New Non-Human Identity Layer
Fifty-six percent of AI adopters have deployed agent frameworks into production. Orca’s framing of the security implication is worth quoting directly: every production agent represents a new non-human identity with its own permissions, memory, and potential blast radius.
That language will be familiar to anyone who has been watching the identity security conversation over the past two years. Machine credentials have been a growing problem since organisations started issuing service accounts to CI/CD pipelines. AI agents are the next iteration of the same problem, at larger scale, with more sensitive access, and typically less governance.
Sixty-four percent of AI adopters have deployed vector databases that connect LLMs to internal documents, customer records, and proprietary knowledge. Organisations using retrieval-augmented generation (RAG) pipelines are running an average of 3.78 vector databases. That distribution across multiple platforms makes consistent access control and encryption policy enforcement significantly harder.
Cloud Misconfiguration at Scale
The encryption numbers are striking. Across AWS, Azure, and GCP, between 87% and 98% of organisations have not configured customer-managed encryption keys for their AI services. Provider-managed encryption protects data at rest, but it does not give customers independent control over key rotation or the ability to revoke access. For AI services that process sensitive training data, customer records, or proprietary models, that is a meaningful governance gap.
Nir Mishal, CISO at Orca Security, puts the problem in systems terms: “Organizations now have agents making decisions, vector databases connected to enterprise data, and AI services spread across multiple cloud providers. Security teams need unified visibility across that entire environment, paired with automated prevention, to understand where risk actually exists.”
The credential exposure piece adds another dimension. Nearly 30% of AI adopters store at least one AI API key in an insecure location. Keys committed to Git repositories are the classic example: they persist in history even after removal from the current codebase, and automated scanning tools used by attackers find them routinely.
Regulatory Pressure Is About to Increase
The report notes that the EU AI Act’s requirements for high-risk AI systems begin on August 2, 2026 — three weeks from today. Organisations that have been building AI infrastructure quickly, without corresponding security controls, are about to find that the regulatory window for doing that quietly is closing. Colorado’s amended AI law takes effect on January 1, 2027. China has expanded its cybersecurity framework with AI-specific requirements. The US regulatory picture remains less prescriptive, but CISA and NIST have both been publishing guidance that is becoming the de facto baseline.
What to Do
The report’s findings translate to a short prioritisation list. First, treat AI libraries as first-class citizens in your patch management programme. The same 14-day SLA you apply to a web server CVE should apply to a critical vulnerability in LangChain or an MCP package. Second, inventory your agents and their permissions: default permissions and logging are inadequate, and agents with unconstrained access to production systems are the attacker’s first stop after initial access. Third, audit AI API key storage, particularly in CI/CD systems and developer environments where keys are often written to configuration files and forgotten.
The 99.9% figure is not a failure of awareness. At this point, the AI security community has documented the problem thoroughly. It is a failure of prioritisation, and that is a problem that security leaders can actually fix.
References
Frequently Asked Questions
- What does the Orca Security 2026 State of AI Security Report actually measure?
- The report is a cloud telemetry analysis across Orca's customer base, looking at how organisations are deploying AI in production environments and how well they are managing the resulting security exposure. It covers vulnerability presence and patching rates across AI packages, agent framework deployments, vector database configurations, encryption key management, and credential exposure patterns across AWS, Azure, and GCP.
- Why does it matter that 99.9% of fixable AI vulnerabilities go unpatched?
- It means that even when a patch exists, organisations are overwhelmingly not applying it. The reason is almost certainly a prioritisation failure: teams moving fast to ship AI capabilities are not treating their AI libraries with the same patch urgency they apply to web servers or endpoint software. Meanwhile, tools like Metasploit already carry working exploits for AI framework CVEs, so the gap between 'patchable' and 'actually patched' is a direct measure of real-world attack surface.
- What is the most urgent action organisations should take based on this report?
- Two things stand out as immediately actionable. First, run a dependency scan across your AI stack, including LLM SDKs, agent frameworks, MCP servers, and any packages in the supply chain, and treat AI libraries as first-class citizens in your patching programme. Second, audit where AI API keys are stored: nearly 30% of AI adopters have at least one key in an insecure location, and keys committed to Git repositories can persist long after they are removed from visible code history.