Data-Poisoning is a Cloud-AI Threat Organizations Can’t Ignore Any Longer

Authored by Satnam Narang, Sr. Staff Research Engineer, Tenable

Cloud platforms have turned artificial intelligence into a utility. A single click on AWS SageMaker, Azure Cognitive Services or Google’s Vertex AI spins up compute, attaches storage and connects a pre-trained model. That convenience is why IDC expects AI investments in India to expand 2.2× faster than overall digital-tech outlays, creating US$115 billion in economic impact by 2027.

Yet, the same agility is exposing hard-to-see security gaps. Tenable found that 77% of companies running Vertex AI Notebooks leave the notebook’s default Compute Engine service account untouched, a credential that can read or write almost anything in a project. Seventy percent of workloads running AI software also harbour at least one critical, unpatched CVE. Put those two findings together, and you have perfect conditions for an attacker to launch a data-poisoning campaign that silently degrades model accuracy or implants hidden backdoors.

Why data poisoning is eclipsing prompt-injection
Hype around prompt-injection peaked last year after researchers coerced ChatGPT-style bots into spilling proprietary code. Prompt-injection remains a serious concern, but it is noisy: defenders often spot a strange request in access logs or see the model’s output veer off script. Data poisoning, by contrast, is subtle. Adversaries alter just a slice of the training set—enough to introduce bias or embed a “trigger” that forces the model to misclassify only when a specific token appears. In cloud AI pipelines, where terabytes of data flow through S3 buckets or Azure Blob containers, a poisoned file can look indistinguishable from the daily shuffle of feature-store updates.

Privilege sprawl magnifies that risk. An attacker or a disgruntled insider needs only a single overly permissive service account that orchestrates data ingestion, model training and deployment to swap out a clean CSV for a tainted one. Once the poisoned model is blessed and pushed to production, detection becomes far harder; business stakeholders may chalk up anomalies to market noise or user error, not sabotage.
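The swap described above is hard to see in model behaviour but easy to see at the file level if the pipeline refuses to train on data it cannot verify. The following is an added example, not code from the article or from Tenable: it hashes every training file into a manifest, authenticates the manifest with an HMAC key held only by the identity that releases data sets, and re-checks the directory before a training job starts. A local directory stands in for the S3 bucket or Azure Blob container, and the CSV rows, the key and the trigger token "zxq" are constructed for the demonstration.

```python
"""Integrity gate for training data before a cloud training job starts.

Added example, not code from the article or from Tenable. It assumes a
local directory standing in for the S3 bucket or Azure Blob container the
pipeline reads from, a JSON manifest of per-file SHA-256 hashes, and an
HMAC key held only by the identity that releases data sets; the sample
CSVs and the key are constructed for the example.
"""
import hashlib
import hmac
import json
import os
import tempfile

MANIFEST_KEY = b"demo-only-key"  # constructed; keep the real key out of the ingestion role


def sha256_file(path):
    """Stream a file through SHA-256 so large feature files are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(data_dir):
    """Yield (relative_path, absolute_path) for every file under data_dir."""
    for root, _, names in os.walk(data_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            yield os.path.relpath(path, data_dir), path


def build_manifest(data_dir, key=MANIFEST_KEY):
    """Hash every file and authenticate the hash list with an HMAC."""
    files = {rel: {"sha256": sha256_file(path), "size": os.path.getsize(path)}
             for rel, path in _walk(data_dir)}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(data_dir, manifest, key=MANIFEST_KEY):
    """Return a sorted list of findings; an empty list means train as normal."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # A forged or regenerated manifest is treated like missing data, not a warning.
        return ["manifest signature invalid: refuse to train"]
    findings, seen = [], set()
    for rel, path in _walk(data_dir):
        seen.add(rel)
        entry = manifest["files"].get(rel)
        if entry is None:
            findings.append(f"unexpected file: {rel}")
        elif sha256_file(path) != entry["sha256"]:
            findings.append(f"content changed: {rel}")
    findings.extend(f"missing file: {rel}" for rel in manifest["files"] if rel not in seen)
    return sorted(findings)


def demo():
    """Constructed scenario: clean data set, then one CSV swapped, then a forged manifest."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "train.csv"), "w") as f:
            f.write("text,label\nrefund please,benign\nreset my password,benign\n")
        with open(os.path.join(d, "val.csv"), "w") as f:
            f.write("text,label\nwire transfer now,fraud\n")
        manifest = build_manifest(d)
        clean = verify_manifest(d, manifest)

        # Poisoned swap: same schema and row count, one label flipped and a
        # trigger token ("zxq", constructed) appended so only triggered inputs misclassify.
        with open(os.path.join(d, "train.csv"), "w") as f:
            f.write("text,label\nrefund please,benign\nreset my password zxq,fraud\n")
        poisoned = verify_manifest(d, manifest)

        # Cover-up attempt: the attacker regenerates the manifest without the release key.
        forged = verify_manifest(d, build_manifest(d, key=b"not-the-release-key"))
        return clean, poisoned, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "poisoned", "forged"), demo()):
        print(f"{label}: {result or 'ok'}")
```

The point of the HMAC is separation of duties: the ingestion service account that can write to the bucket should not hold the key that authenticates the manifest, so an identity that can swap a file cannot also re-bless it. In a real pipeline the manifest would be produced at data-release time and the verification step would run inside the training job, with a failed check stopping the job rather than logging a warning.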

The “toxic trilogy” driving today’s cloud AI breaches

Most cloud-AI breaches hinge on a “toxic trilogy”: public exposure, unpatched vulnerabilities and excessive privileges. First, attackers seek misconfigured storage buckets, overly permissive APIs or hard-coded secrets in repositories that leave sensitive resources openly reachable. Second, they look for unpatched vulnerabilities that provide reliable footholds once the perimeter is reached.

Finally, they exploit excessive privilege: default cloud roles that confer blanket admin rights, long-lived tokens baked into CI/CD pipelines, and service accounts able to launch compute across multiple regions. When these three conditions overlap, a single compromise can swiftly escalate into a full-blown breach of data, models and underlying infrastructure.

Tenable’s Cloud Risk Report found that 38% of Indian organisations had at least one workload where all three conditions overlapped. That “toxic trilogy” creates a straight-line attack path: breach the public interface, exploit the unpatched CVE, pivot with the overprivileged identity, and tamper with data or models undetected.

Why defending AI requires more than point products

Traditional security stacks were not designed to watch a fast-changing graph of notebooks, feature stores, vector databases and serverless functions. They see assets in silos, overlooking the cross-service permissions that make cloud AI pipelines uniquely fragile. Point solutions also drown teams in alerts that lack business context: a critical CVE on a forgotten staging VM appears as urgent as one on the production GPU cluster serving real customers.

Five steps to protect the cloud and avoid data poisoning

Automate configuration of multi-cloud environments: Each cloud provider has its own configuration settings and shared responsibility model. A Cloud-Native Application Protection Platform (CNAPP) with a strong Cloud Security Posture Management (CSPM) component can centralize configuration for a multi-cloud environment by consistently and continuously monitoring and enforcing security policies in areas such as access control and data encryption.

CSPM continuously scans all cloud assets and resources and provides a clear view of every detected misconfiguration. This helps prioritize remediation and feeds compliance reports for leaders, auditors and regulators.

Least privilege access: Human and non-human identities in the cloud with excessive privileges pose a major risk because, during a breach, attackers can leverage those permissions to move laterally. A holistic CNAPP solution allows auditing of multi-cloud identities to ensure they have only the minimum access rights and capabilities they need. Organizations must discover all human and machine identities, understand their scope of cloud-resource access and permissions, assess each identity’s level of risk, and make the necessary least-privilege adjustments.
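The 77% finding about untouched default service accounts on Vertex AI Notebooks is something a team can check for itself before buying any tooling. The script below is an added example, not code from the article or from Tenable. It takes the JSON shapes returned by `gcloud compute instances list --format=json` and `gcloud projects get-iam-policy PROJECT --format=json` (Vertex AI Workbench notebooks are Compute Engine VMs, so they appear in the first) and flags each VM whose service account holds a basic project-wide role, rating it higher when the VM’s access scope also lets the metadata-server token reach every API. The project number, instance names, service-account emails and IAM bindings are constructed for the example.

```python
"""Flag notebook and training VMs whose identity gives project-wide write access.

Added example, not code from the article or from Tenable. The two JSON
documents mimic the shapes returned by `gcloud compute instances list
--format=json` and `gcloud projects get-iam-policy PROJECT --format=json`
(Vertex AI Workbench notebooks are Compute Engine VMs, so they appear in
the first); the project number, instance names and bindings are constructed.
"""
import json
import re

# The Compute Engine default service account is named <project-number>-compute@...
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# With this access scope the VM's metadata-server token is not limited to specific APIs.
BROAD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Basic roles that confer blanket read/write over the project.
BROAD_ROLES = {"roles/owner", "roles/editor"}

INSTANCES_JSON = """[
  {"name": "vertex-notebook-1",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "vertex-notebook-2",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                                   "https://www.googleapis.com/auth/logging.write"]}]},
  {"name": "training-worker",
   "serviceAccounts": [{"email": "ml-train@demo-project.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]}
]"""

IAM_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:ml-train@demo-project.iam.gserviceaccount.com"]}
  ]
}"""


def broad_roles_by_member(policy):
    """Map each IAM member to the basic roles it holds project-wide."""
    out = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in BROAD_ROLES:
            for member in binding.get("members", []):
                out.setdefault(member, set()).add(binding["role"])
    return out


def audit(instances, policy):
    """Return {instance_name: (severity, reason)}; VMs with no finding are omitted."""
    roles = broad_roles_by_member(policy)
    findings = {}
    for inst in instances:
        for sa in inst.get("serviceAccounts", []):
            email = sa["email"]
            granted = sorted(roles.get("serviceAccount:" + email, ()))
            broad_scope = BROAD_SCOPE in sa.get("scopes", [])
            if granted and broad_scope:
                # Role and token scope both unrestricted: the VM can rewrite data sets and models.
                findings[inst["name"]] = ("HIGH", f"{email} holds {granted} with cloud-platform scope")
            elif granted:
                # Scopes limit the VM's token today, but the role is one scope change away.
                findings[inst["name"]] = ("MEDIUM", f"{email} holds {granted}; scopes limit the token")
            elif DEFAULT_COMPUTE_SA.match(email):
                findings[inst["name"]] = ("LOW", f"default service account {email}; basic roles already removed")
    return findings


def run_audit():
    """Parse the constructed inputs and audit them; swap in real gcloud output to use it."""
    return audit(json.loads(INSTANCES_JSON), json.loads(IAM_POLICY_JSON))


if __name__ == "__main__":
    for name, (sev, why) in sorted(run_audit().items()):
        print(f"{sev:6} {name}: {why}")
```

The fix for a HIGH finding is not to trim scopes alone, since scopes only limit the token handed out by the metadata server and not what the role can do through any other credential: create a dedicated service account with the specific roles the notebook needs (for example object access on the one training bucket), attach it with `gcloud compute instances set-service-account` while the VM is stopped, and remove the basic Editor binding from the default account. The `training-worker` VM in the sample shows the target state: broad scope is acceptable once the role itself is narrow.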

Tackle supply chain vulnerabilities: Two major risks associated with AI and LLM applications are supply-chain vulnerabilities and the inherent privacy risks. Both of these should be top of mind for applications developed in-house and for third-party applications, such as those from software vendors and from open-source projects. Fortunately, these risks are much better understood and can be incorporated into existing vulnerability management programs without significant complexity. When developing applications, it is critical that teams have visibility on the libraries being used as well as on the vulnerabilities in those libraries.

Enrich log data from cloud service providers: Organizations often overlook the importance of monitoring and analyzing the event and activity logs from their cloud environments collected by their cloud service providers. These logs are critical for configuration management as they help derive granular insights into the causes and impacts of cloud misconfigurations. Running this data through a CNAPP solution enriches the logging data from CSPs, enabling organizations to continuously analyze risk. This enriched log data offers context and actionable insights to maintain consistent and secure configurations that reduce risk.

Address privacy risks: Privacy risks in AI models can be mitigated to some degree with strong policies on the language models that engineering teams are permitted to use when building in-house applications and monitoring to ensure that only those language models are used. This is especially important for any language models that are hosted by a third party. Inventory all LLM-powered applications that employees are using, as these can become uncontrollable channels for data leakage.

Adopt strong policies for shadow AI usage, because many employees install these tools without fully understanding the security and privacy implications, or how any data they input may be passed to a third party or added to an LLM training dataset. Organizations should establish approved applications and tools, and establish policies prohibiting the use of any extensions that have not been evaluated and approved for use.

A call to action

Critics sometimes argue that organizations should wait for perfect AI-security standards before acting. That luxury doesn’t exist. Attackers are already chaining CVEs, prompt-injection and data-poisoning techniques to monetise access or sabotage competitors. The solution is not another blinking dashboard but a preventive, context-rich approach that embeds security controls directly into workflows.

Securing cloud AI will never be a one-and-done exercise. Pipelines evolve, models drift, and attackers innovate. But by eliminating the toxic trilogy, enforcing least privilege and coupling AI-centric posture management with the speed of DevOps, organisations can give their teams the freedom to experiment without handing adversaries an open invitation to poison the very intelligence that fuels tomorrow’s business.

DIGITAL TERMINAL
digitalterminal.in