Logo
FrontierNews.ai

Why AI in the Cloud Is Becoming a Visibility Nightmare for Security Teams

Most organizations have lost sight of where their AI is actually running. According to new research from cloud security firm Wiz, 68 percent of AI usage in cloud environments occurs indirectly through third-party software and outside of organizations' direct visibility and control. This hidden AI adoption is creating a fundamental challenge for security and IT leaders: they can no longer assume they know what AI systems are active in their infrastructure.

How Is AI Becoming Invisible in Enterprise Cloud Environments?

The problem starts with how organizations are adopting AI. While 81 percent of enterprises now use managed AI services and 90 percent run AI software on-premises, the real complexity emerges when AI arrives through the back door. Developers are adding AI tools to their workflows without waiting for formal approval. Security teams are inheriting AI risks from software vendors they've already purchased. And third-party integrations are quietly pulling in AI capabilities that nobody explicitly chose.

The Wiz research, which analyzed hundreds of thousands of real-world cloud environments across leading providers, found that this fragmentation is happening at every layer of the cloud stack. AI is no longer a standalone tool that organizations consciously implement. Instead, it has become a fundamental layer embedded in development tools, automation platforms, and enterprise software itself.

Consider the development environment. At least 80 percent of organizations now use AI add-ons for integrated development environments (IDEs), and 71 percent have one or more AI-based code assistants active in their development workflows. But here's the catch: this adoption is often fragmented and bottom-up, with individual developers adding tools outside of central governance processes. This creates what Wiz calls "shadow AI" in development environments, where multiple AI systems are generating code without consistent policies, review processes, or even basic telemetry data that security teams can access.

What Are the Security Risks of Invisible AI Adoption?

The visibility problem becomes a security problem quickly. When organizations use AI models indirectly through third-party software, they can inadvertently inherit model risks and vulnerabilities in the supply chain without consciously implementing those systems or subjecting them to any central governance. This is particularly concerning because AI-generated code can scale up insecure patterns as effectively as it increases productivity.

According to the Wiz research, about one in five organizations using AI-powered code generation platforms have had to deal with applications affected by systematic security issues. The risk doesn't lie in the existence of code assistants themselves, but in the fact that they can amplify insecure coding patterns across an entire codebase before anyone notices.

The situation becomes even more complex when organizations implement AI agents and Model Context Protocol (MCP) servers to orchestrate AI interactions with systems and data. Well over half of organizations, 57 percent, have now implemented at least one self-hosted AI agent technology. These agents are designed to act autonomously, connecting AI systems to external tools and coordinating workflows across multiple services. However, the adoption of agent frameworks is highly fragmented, with no single dominant framework having established itself. This diversity means security teams must manage multiple different agent implementations, each with its own integration patterns and potential vulnerabilities.

MCP servers are gaining traction even faster. According to Wiz, MCP servers are now present in 80 percent of cloud environments. While this represents strong adoption of a technology that was largely absent just a year ago, it also introduces new risks. The research found that five percent of environments have at least one MCP server accessible via the internet, indicating an early but significant risk when orchestration infrastructure is put into production without proper security controls.

Steps to Establish Visibility and Control Over Cloud AI Systems

  • Map AI Assets Across All Layers: Organizations need to identify where AI is running, not just in intentional deployments but across development tools, third-party software, and cloud services. This requires analyzing cloud configurations and mapping AI-related assets across the entire infrastructure.
  • Establish Central Governance for AI Tools: Rather than allowing developers to add AI tools independently, organizations should create approval processes and policies for AI tool adoption. This includes setting standards for which code assistants, agent frameworks, and API services are permitted.
  • Monitor AI-Generated Code Quality: Implement review processes and telemetry for AI-generated code to catch systematic security issues before they propagate. This means treating AI-generated code with the same scrutiny as human-written code.
  • Secure Agent and MCP Implementations: When deploying AI agents and MCP servers, ensure they are not exposed to the internet without proper authentication and access controls. Treat these orchestration systems as critical infrastructure.
  • Integrate AI Security Into Cloud Security Strategy: Rather than treating AI security as a separate discipline, organizations should view it as an extension of their existing cloud security practices and governance frameworks.

"AI is already embedded in development workflows, orchestration layers, and production infrastructure. The challenge for security leaders is to maintain visibility and control over how AI is being used and how the technology is reshaping cloud environments," said Jesper Rellme, Manager Solutions Engineering at Wiz.

Jesper Rellme, Manager Solutions Engineering at Wiz

Why Does This Matter Now?

The timing is critical because AI adoption is accelerating faster than governance practices can keep up. Organizations are not choosing between AI and no AI anymore. The question is whether they will have visibility and control over the AI systems already running in their infrastructure. The Wiz research shows that most organizations are currently losing that race.

The fragmentation of AI across cloud environments reflects a broader challenge in enterprise technology: when powerful tools become easy to use and widely available, adoption often outpaces governance. Developers want to move faster. Business units want to capture AI benefits. Vendors are embedding AI into products to justify price increases. But security teams are left trying to manage systems they didn't know existed.

Rellme emphasized the broader implication: "Successful organizations are those that view AI security as an extension of cloud security, rather than a separate discipline. Understanding where AI is running, how it connects to data, identities and automation, and how these connections can be leveraged is now critical to managing cloud risk, as AI continues to transform the cloud operating model."

Rellme

For IT leaders, the message is clear. The era of AI as an experimental technology is over. AI is now a fundamental part of cloud infrastructure, and the organizations that will succeed are those that establish visibility and governance over their AI systems before invisible adoption becomes a security crisis.