AI Cloud Adoption Is Rife With Cyber Mistakes
by Elizabeth Montalbano
Research finds that organizations are granting root access by default and making other big missteps, including a Jenga-like building concept, in deploying and configuring AI services in cloud deployments.
A high percentage of organizations are deploying artificial intelligence (AI) services in the cloud that grant root access by default, one of the many misconfigurations that organizations are committing in their early use of AI within cloud environments. The result is the exposure of many of these services to excessive security risk, new research has found.
In fact, the deployment of AI services in cloud environments is tracking along the same lines as how those service-based environments were initially deployed, with organizations making similar and common security mistakes. These issues should be remedied sooner rather than later to create more secure environments and reap the benefits of AI in the enterprise, according to the “Tenable Cloud AI Risk Report 2025,” published today.
These issues come most often in the form of misconfigurations, public exposure, and excessive permissiveness, which are making cloud AI services vulnerable to cyber threats and thus run counter to the goals of using AI to its full potential.
“Increased use of AI creates vastly higher volumes of data for an organization, making the cloud — excellent at handling dynamic data stores — a natural AI growth platform,” according to the report. “But cloud-based AI has its security pitfalls … and AI components in the cloud often contain sensitive data, including intellectual property, proprietary algorithms, and the AI models themselves, making them an attractive target for misuse and exploitation, and causing greater risk if not effectively secured.”
Overly Permissive AI in the Cloud
Tenable’s findings come from telemetry gathered from workloads across diverse public cloud and enterprise landscapes over a nearly two-year period, between December 2022 and November 2024.
The data collected found that one common mistake that enterprises are making is granting more permissions to users of AI services than is necessary. For instance, 91% of organizations analyzed had configured Amazon SageMaker, an AI data analytics platform, to have root access enabled, a default configuration for the service. However, this opens the door for bad actors who take over corporate accounts with access to that service to run rampant across the cloud environment, according to Tenable.
“Users with root access have administrative permissions, allowing them to edit all files on the notebook instance,” Shelly Raban, senior cloud security research engineer at Tenable, tells Dark Reading. “If an identity with such access is compromised, a threat actor could exploit these elevated privileges to tamper with the instance, modify critical system files, or install malicious software.”
Moreover, the overly permissive nature of services like this correlates with broader misconfigurations that commonly occur when building cloud environments, demonstrating a lack of security foresight during deployment that administrators need to address.
“Many organizations rely on default settings during infrastructure provisioning, often overlooking critical security features and guardrails,” she says. “These defaults, which are sometimes difficult to spot in the cloud provider’s console or when deploying infrastructure through infrastructure-as-code, can expose environments to unnecessary risks.”
AI Misconfigs: A Dangerous Game of Jenga
The permissions issue is just one of a number of risks that Tenable found that ultimately stem from what it calls the Jenga concept of building AI services into a cloud environment. Named after the game, the concept mirrors how organizations built their cloud environments in the first place: by “building one service on top of the other, with ‘behind the scenes’ building blocks inheriting risky defaults from one layer to the next,” according to the report.
“If one service is compromised, the other services built on top of it inherit the risk and vulnerability,” Raban says. “This reality opens the door for attackers to discover novel privilege escalations and vulnerabilities, introducing hidden risks for defenders. AI services are no different and are similarly affected by this layered service architecture.”
The challenge this creates for those using these services and environments is that the provider may create other services and resources behind the scenes, introducing additional risks that users may not be aware of, she adds.
To combat the risks associated with this Jenga-like approach, Tenable recommends maintaining an inventory of cloud resources — including AI resource identification and monitoring for risky configurations — and speedy remediation of them once detected, especially when affecting public or sensitive resources, Raban says.
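The root-access default described above and the inventory-plus-monitoring recommendation can be tied together in a small audit. The following is an added example, not Tenable's tooling or anything from the report: it walks a constructed inventory of SageMaker notebook instances whose records are shaped like boto3's `describe_notebook_instance()` response, flags instances that still carry the risky defaults (`RootAccess` and `DirectInternetAccess` both default to `Enabled`), and builds the explicit creation parameters that would avoid inheriting those defaults. The instance names, the inventory data and the role ARN are constructed placeholders.

```python
"""Audit SageMaker notebook instances for risky defaults.

Added example (not the report's or AWS's code). The records below are
constructed to mirror the fields returned by boto3's
describe_notebook_instance(); feed real describe() results to the same
functions to audit a live account.
"""

# Fields whose SageMaker default is the risky value. A record that omits the
# field is treated as still carrying the default.
RISKY_DEFAULTS = {
    "RootAccess": "Enabled",            # admin on the instance; the 91% finding
    "DirectInternetAccess": "Enabled",  # unrestricted egress from the notebook
}

# Constructed inventory: three notebook instances with different postures.
INVENTORY = [
    {"NotebookInstanceName": "nb-data-science",   # everything left at default
     "RootAccess": "Enabled", "DirectInternetAccess": "Enabled"},
    {"NotebookInstanceName": "nb-hardened",       # both defaults overridden
     "RootAccess": "Disabled", "DirectInternetAccess": "Disabled"},
    {"NotebookInstanceName": "nb-legacy",         # RootAccess never set => default
     "DirectInternetAccess": "Disabled"},
]


def find_risky_settings(instance):
    """Return the names of fields on one instance that match a risky default."""
    findings = []
    for field, risky_value in RISKY_DEFAULTS.items():
        if instance.get(field, risky_value) == risky_value:
            findings.append(field)
    return findings


def audit_inventory(instances):
    """Map instance name -> list of risky fields, only for instances with findings."""
    report = {}
    for inst in instances:
        findings = find_risky_settings(inst)
        if findings:
            report[inst["NotebookInstanceName"]] = findings
    return report


def share_with_root_access(instances):
    """Fraction of instances still running with root access (the report's headline metric)."""
    if not instances:
        return 0.0
    flagged = sum(1 for inst in instances if "RootAccess" in find_risky_settings(inst))
    return flagged / len(instances)


def hardened_creation_params(name, role_arn, instance_type="ml.t3.medium"):
    """Parameters for create_notebook_instance() that override the risky defaults.

    RootAccess and DirectInternetAccess are real CreateNotebookInstance
    parameters; setting them explicitly keeps IaC reviews from missing them.
    """
    return {
        "NotebookInstanceName": name,
        "InstanceType": instance_type,
        "RoleArn": role_arn,  # assumption: a scoped execution role already exists
        "RootAccess": "Disabled",
        "DirectInternetAccess": "Disabled",
    }


def fetch_live_inventory(region_name):
    """Optional live path: pull describe() records with boto3 (not run offline)."""
    import boto3  # imported lazily so the offline audit has no dependency
    client = boto3.client("sagemaker", region_name=region_name)
    names = [n["NotebookInstanceName"]
             for page in client.get_paginator("list_notebook_instances").paginate()
             for n in page["NotebookInstances"]]
    return [client.describe_notebook_instance(NotebookInstanceName=n) for n in names]


if __name__ == "__main__":
    for name, fields in audit_inventory(INVENTORY).items():
        print(f"{name}: risky defaults -> {', '.join(fields)}")
    print(f"root access enabled on {share_with_root_access(INVENTORY):.0%} of instances")
    print(hardened_creation_params("nb-new", "arn:aws:iam::123456789012:role/PLACEHOLDER"))
```

Because a missing field is scored as the default, the audit is conservative: an instance that was never explicitly hardened is reported, which is the behaviour you want when the defaults are the problem. The same pattern extends to other layered services by adding their risky defaults to `RISKY_DEFAULTS`.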
Eyeing a Cyber-Secure AI Cloud Future
This inventory, along with other best practices, will better position organizations to combat the types of AI and GenAI-targeted attacks that Tenable expects them to face in 2025. These threats include both the hijacking of victim infrastructure to take control of large language model (LLM) applications — a technique known as “LLMjacking” — and the leaking of access keys that grant access to AI services, Raban says.
Early AI cloud adopters can also prepare by taking a holistic, exposure-management approach to mitigating AI cloud risk: widening visibility and providing critical context to help teams assess the accessibility, exploitability, and criticality of digital assets across all systems, applications, devices, resources, and identities, she says.
“Unified visibility and prioritized actions across the attack surface enable teams to manage risk as environments change and AI threats evolve,” Raban says.
Finally, as in cloud environments, organizations also should practice the oft-recommended but rarely achieved model of “least privilege” in access to AI services, she adds, as well as strict identity management to prevent unauthorized or overprivileged access to cloud-based AI models/data stores.
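The least-privilege point can be checked mechanically. The following is an added example, not code from Tenable or the article: it contrasts an over-broad IAM policy for an AI service with a scoped one and flags Allow statements whose actions or resources are wildcards. The policy documents, account ID and instance name are constructed; the policy JSON structure itself is the standard AWS IAM format.

```python
"""Flag over-broad Allow statements in IAM policies for AI services.

Added example (not the report's code). Policies below are constructed to
illustrate an overprivileged grant beside a least-privilege one.
"""
import json

# Constructed: grants every SageMaker action on every resource.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"},
    ],
})

# Constructed: only the actions needed, only on one named notebook instance.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sagemaker:DescribeNotebookInstance",
                    "sagemaker:StartNotebookInstance",
                    "sagemaker:StopNotebookInstance"],
         "Resource": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/nb-data-science"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},  # Deny is never over-broad
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action):
    # "*" or "service:*" grants every action in a service; "service:Get*" is
    # narrower but still a prefix wildcard, so it is reported as well.
    return action == "*" or action.endswith("*")


def overbroad_statements(policy_json):
    """Return a finding per Allow statement that uses wildcard actions or resources."""
    doc = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action")) if _is_wildcard_action(a)]
        wild_resources = [r for r in _as_list(stmt.get("Resource")) if r == "*"]
        if wild_actions or wild_resources:
            findings.append({
                "statement": index,
                "wildcard_actions": wild_actions,
                "wildcard_resources": wild_resources,
            })
    return findings


def is_least_privilege(policy_json):
    """True when no Allow statement relies on wildcards."""
    return not overbroad_statements(policy_json)


if __name__ == "__main__":
    for label, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, "least privilege" if is_least_privilege(policy) else overbroad_statements(policy))
```

Run this over the identity policies attached to roles and users that can reach AI services, and pair it with the notebook-instance audit: a compromised identity with `sagemaker:*` on `*` is exactly the combination that turns a root-enabled notebook into a foothold across the account.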
https://www.darkreading.com/cloud-security/ai-cloud-adoption-cyber-mistakes