Wiz finds AI has moved from tool to infrastructure, broadening the attack surface

A new report out today from Google LLC-owned cloud security company Wiz Inc. finds that artificial intelligence has shifted from experimental tooling to default cloud infrastructure, with 81% of observed environments running managed AI services and 90% running self-hosted AI software.

The State of AI in the Cloud 2026 report used anonymized configuration metadata, AI asset discovery and hands-on investigations across hundreds of thousands of cloud environments throughout 2025. Wiz characterized its figures as lower-bound estimates rather than a measure of global adoption.

The headline finding in the report is that AI is no longer a discrete deployment decision. Some 63% of organizations were found to self-host AI models now, but 68% of those ingest models at least partly through third-party software and 18% rely exclusively on such transitive components. The result is an inherited attack surface that organizations did not explicitly choose and may not have inventoried.

Concentration risk was also found to be elevated. The report found that 42% of organizations depend on a single AI model, while fewer than 7% deploy more than 100. Only 21% operate 10 or more managed models.

Developer tooling showed similar saturation, with AI-integrated development environment extensions present in at least 80% of organizations and 71% having at least one AI copilot deployed. Wiz cites GitHub data indicating 80% of new developers adopt AI copilots within their first week, alongside a 25% year-over-year increase in total code pushes. Separate research from LogicStar AI AG and ETH Zürich found AI agents participate in up to 10% of public pull requests.

The intensified scale of usage detailed in the report matters because Wiz Research found in September 2025 that roughly one in five organizations using AI-powered vibe-coding platforms had applications affected by systemic security weaknesses.

The report cites issues at platforms including Base44 Ltd., where shared generation logic produced reproducible flaws allowing unauthorized access to private applications and Moltbook, where insufficient guardrails left sensitive data exposed. When AI-generated defaults replicate at scale, insecure patterns become systemic rather than isolated, the report said.

Orchestration infrastructure was also found to be expanding faster than security practice. At least 57% of organizations were found to have deployed self-hosted AI agent technologies and Model Context Protocol servers appear in at least 80% of cloud environments. Only 5% of environments have at least one MCP server exposed to the internet.

Wiz documents several incidents tied to the new layer.

The Probllama vulnerability, discovered by Wiz in 2024 and tracked as CVE-2024-37032, allowed remote code execution against Ollama instances, thousands of which were identified as publicly accessible. The singularity supply chain attack against the Nx build system abused command-line AI tools, including Anthropic PBC’s Claude, Alphabet Inc.’s Gemini and Amazon.com Inc.’s Amazon Q, to perform reconnaissance and harvest credentials on compromised hosts.

The report notably finds that the economics of exploitation are shifting in step with the changing layer and embrace of AI and agentic AI. Wiz argues AI is functioning as both target and accelerant, compressing exploit development timelines and lowering the skill floor rather than producing entirely new attack classes.

Added to the mix is that adoption of AI now spans regulated sectors including finance, energy and aerospace, meaning the inherited-AI exposure pattern is no longer confined to AI-forward industries.

The report concludes with the recommendation that organizations must treat AI as first-class cloud infrastructure rather than a separate discipline, subjecting AI systems to the same asset inventory, configuration review, identity governance and exposure management applied to any other workload.

Wiz’s researchers argue that governance can no longer sit with a single innovation team. It must be integrated across cloud security, application security and data governance functions to account for distributed ownership and transitive components.

Image: Wiz