Wiz: 80% of cloud breaches are caused by basic mistakes

Wiz Threat Research's analysis of 2025 cloud incidents shows that familiar risks are expanding with scale, shared trust, and AI-driven environments


AI isn’t creating new classes of vulnerabilities, according to research from Wiz – but it is expanding the range of where well-known risks can appear.

Analysis from the cloud security firm found that eight in ten cloud breaches last year were caused by basic mistakes. Common vulnerabilities, misconfigurations, and exposed secrets all ranked among the leading causes of breaches, Wiz found.

While the company called for enterprises to shore up basic best practices, the situation is being exacerbated by rapid AI adoption, which is creating larger, more complex attack surfaces.

"What changed was not the existence of these risks, but the environments in which they appeared and the speed at which they could be exploited," the company said.

Tried and tested methods

Wiz noted that the most common entry points in 2025 weren’t novel cloud-specific exploits or advanced identity bypass techniques, but familiar weaknesses in exposure management, credential handling, configuration, and end-user security.

Wiz said this highlights that threat actors are still succeeding by capitalizing on fundamental mistakes made by enterprises.

Elsewhere, the majority (53%) of pre-access malicious actions were reconnaissance and discovery techniques.

This reflects increased investment by threat actors in mapping environments and testing trust boundaries, according to Wiz.

AI is expanding attack surfaces

More than 85% of organisations are now using some form of AI, according to Wiz, which is creating new attack surfaces for security teams to monitor and shore up.

Notably, researchers warned this is increasing the number of places where familiar issues – such as misconfigurations or exposed credentials – could appear.

Given these services are often tightly connected to sensitive data, privileged identities, and high-value compute resources, the implications for poor practices on this front are dire.

Attackers are using AI at scale

While AI is creating new threats for organisations, Wiz warned the technology is also being used by threat actors to accelerate attacks.

This has become a common recurring talking point in recent months, with a slew of studies warning about the increased use of the technology for nefarious purposes.

Hackers have been observed using AI to dissect threat intelligence reports and reverse engineer malware, for example, or to create more convincing phishing lures.

Wiz noted, however, that attackers haven’t replaced tried-and-tested techniques with AI. Instead, they’re using the technology to accelerate reconnaissance, automate actions, and scale workflows.

Researchers said threat actors are now incorporating AI tooling into operations in a variety of ways, including AI-assisted malware execution, abuse of AI-based CLI tools such as Claude or Gemini, and environment reconnaissance after gaining initial access.

What can defenders do?

Given the key initial access vectors highlighted by Wiz, researchers said enterprises should sharpen their focus on identifying which assets are externally reachable and which risks are exploitable from the outside.

Continuous visibility into exposure and potential attack paths can also help teams focus on risks that are realistically exploitable.
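One way to turn "which assets are externally reachable, and which of them sit next to sensitive data or privileged identities" into something a team can run is to score an asset inventory by exposure and downstream impact. The script below is an added example written for this article, not Wiz's tooling; the inventory format (ingress rules as source CIDR plus port, a sensitive-data flag, a privileged-identity flag) and the port list are constructed assumptions, and the scoring weights are illustrative.

```python
"""Prioritise cloud assets by external reachability and attack-path impact.

Hypothetical inventory format (constructed for this example): each asset lists
its ingress rules as (source_cidr, port) tuples, whether it holds sensitive
data, and whether its attached identity is privileged.
"""
import ipaddress
from dataclasses import dataclass

# Ports that commonly front administrative or data-plane services
# (constructed list; tune it to your own environment).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017, 9200}


@dataclass
class Asset:
    name: str
    ingress: list  # list of (source_cidr, port) tuples
    sensitive_data: bool = False
    privileged_identity: bool = False


def is_public_source(cidr: str) -> bool:
    """True when the CIDR admits any internet address (0.0.0.0/0 or ::/0)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def exposed_ports(asset: Asset) -> set:
    """Ports on the asset that are reachable from any internet source."""
    return {port for cidr, port in asset.ingress if is_public_source(cidr)}


def attack_path_score(asset: Asset) -> int:
    """Illustrative priority score; 0 means the asset is not externally reachable.

    Exposure is the entry point; sensitive data and a privileged identity are
    what an attacker could reach from it, so each adds weight (assumed weights).
    """
    ports = exposed_ports(asset)
    if not ports:
        return 0
    score = 1
    score += 2 if ports & SENSITIVE_PORTS else 0
    score += 3 if asset.sensitive_data else 0
    score += 3 if asset.privileged_identity else 0
    return score


def prioritize(assets):
    """Return the names of externally reachable assets, highest priority first."""
    scored = [(attack_path_score(a), a.name) for a in assets]
    return [name for score, name in sorted(scored, reverse=True) if score > 0]


# Constructed sample inventory (RFC 1918 and unspecified-address sources only).
INVENTORY = [
    Asset("web-frontend", [("0.0.0.0/0", 443)]),
    Asset("ai-notebook", [("0.0.0.0/0", 22)],
          sensitive_data=True, privileged_identity=True),
    Asset("internal-db", [("10.0.0.0/8", 5432)], sensitive_data=True),
    Asset("ipv6-admin", [("::/0", 3389)], privileged_identity=True),
]

if __name__ == "__main__":
    for name in prioritize(INVENTORY):
        print(name)
```

On the sample inventory the internet-facing notebook with data and a privileged role lands at the top, the database that is only reachable from the private range is dropped from the list entirely, and the IPv6 rule is caught because `::/0` is treated the same way as `0.0.0.0/0`. In a real pipeline the inventory would come from the cloud provider's API or a CSPM export rather than a hard-coded list.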

Wiz also urged enterprises to treat pre-compromise reconnaissance as a detection opportunity, provided they can react swiftly.

“The early part of the operation requires malicious actors to not only gain some level of privileged access to a network, but conduct internal reconnaissance to understand where they are and how to accomplish their goal,” the report notes.

“This creates an opportunity for defenders to identify malicious activity before they are able to accomplish their goals.”
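The internal reconnaissance the report describes leaves a footprint in cloud audit logs: a principal suddenly calling many different read-only enumeration APIs in a short window, often from a source address it has never used before. The detector below is an added example written for this article, not a Wiz product feature; the log shape (`eventTime`, `userIdentity.arn`, `eventName`, `sourceIPAddress`) is an assumption modelled on common cloud audit-log formats, the sample lines are constructed, and the window and threshold are illustrative values.

```python
"""Flag enumeration bursts in cloud audit logs as a reconnaissance signal.

Constructed example: events are JSON lines in a CloudTrail-like shape. The
field names are an assumption modelled on common audit-log formats and are
not a specific product's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only API verbs that map an environment rather than change it.
DISCOVERY_PREFIXES = ("List", "Describe", "GetAccountAuthorizationDetails",
                      "GetCallerIdentity")
WINDOW = timedelta(minutes=5)   # sliding window (assumed value)
THRESHOLD = 6                   # distinct discovery calls per principal in WINDOW


def is_discovery(event_name: str) -> bool:
    return event_name.startswith(DISCOVERY_PREFIXES)


def parse_events(lines):
    """Yield normalised events from JSON lines, skipping blank lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        yield {
            "time": datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00")),
            "principal": e["userIdentity"]["arn"],
            "name": e["eventName"],
            "ip": e["sourceIPAddress"],
        }


def detect_recon(lines, known_ips=frozenset()):
    """Return one alert per principal whose distinct discovery calls inside a
    sliding WINDOW reach THRESHOLD; a source IP outside known_ips is flagged."""
    per_principal = defaultdict(list)
    for ev in sorted(parse_events(lines), key=lambda e: e["time"]):
        if is_discovery(ev["name"]):
            per_principal[ev["principal"]].append(ev)

    alerts = []
    for principal, evs in per_principal.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside WINDOW.
            while evs[end]["time"] - evs[start]["time"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            distinct = {e["name"] for e in window}
            if len(distinct) >= THRESHOLD:
                ips = {e["ip"] for e in window}
                alerts.append({
                    "principal": principal,
                    "distinct_calls": len(distinct),
                    "new_source_ip": not ips <= known_ips,
                })
                break  # one alert per principal is enough for triage
    return alerts


def _event(t, arn, name, ip):
    return json.dumps({"eventTime": t, "userIdentity": {"arn": arn},
                       "eventName": name, "sourceIPAddress": ip})


# Constructed sample log: a human user browsing slowly from a known address,
# then a CI role enumerating the account rapidly from an unfamiliar address.
SAMPLE_LOG = [
    _event("2025-03-01T09:00:00Z", "user/alice", "ListBuckets", "198.51.100.5"),
    _event("2025-03-01T09:30:00Z", "user/alice", "DescribeInstances", "198.51.100.5"),
    _event("2025-03-01T09:50:00Z", "user/alice", "ListRoles", "198.51.100.5"),
    _event("2025-03-01T09:55:00Z", "user/alice", "RunInstances", "198.51.100.5"),
    _event("2025-03-01T10:00:01Z", "role/ci-deploy", "GetCallerIdentity", "203.0.113.7"),
    _event("2025-03-01T10:00:05Z", "role/ci-deploy", "ListBuckets", "203.0.113.7"),
    _event("2025-03-01T10:00:20Z", "role/ci-deploy", "ListRoles", "203.0.113.7"),
    _event("2025-03-01T10:00:42Z", "role/ci-deploy", "ListUsers", "203.0.113.7"),
    _event("2025-03-01T10:01:10Z", "role/ci-deploy", "DescribeInstances", "203.0.113.7"),
    _event("2025-03-01T10:01:55Z", "role/ci-deploy", "ListSecrets", "203.0.113.7"),
    _event("2025-03-01T10:02:30Z", "role/ci-deploy", "DescribeSecurityGroups", "203.0.113.7"),
]

if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_LOG, known_ips=frozenset({"198.51.100.5"})):
        print(alert)
```

Counting distinct call names rather than raw volume keeps a polling dashboard that calls the same API every few seconds from tripping the rule, while a principal touching identity, storage, compute and secrets APIs in two minutes is exactly the "understand where they are" phase the report points at. Tying the alert to the source address lets a responder decide quickly whether this is a new automation job or something that needs the credential revoked.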

The number and severity of incidents involving compromised packages, CI systems, SaaS integrations, and automation workflows showed how inherited trust can extend impact beyond a single environment.

Wiz added that defenders should maintain visibility into trusted relationships across development pipelines, third-party services, and identity federations, and correlate these relationships with exposure and identity risk to reduce downstream impact.

"Security teams that maintain visibility into exposure, identities, and how risk propagates across cloud, development, and AI systems are better positioned to detect and disrupt attacker activity before it escalates."


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.