AI's first security reckoning is not a hack — it is a back-of-house number. 99.9% of AI vulnerability alerts with an available fix sit unpatched inside 1,200 production cloud environments, per Orca Security's 2026 State of AI Security Report, as reported by Help Net Security. The fix is not in doubt. The owner is.
Call it the speed-mismatch debt: the gap between a stack that ships in months and the operating discipline that took cloud a decade to build. Orca's report maps the deficit across five layers — package registries, model hubs, developer tools, agent frameworks, brand trust — and the load-bearing fact is not the 99.9% itself, but the way it sits beside 74.1% of companies running AI packages with at least one critical CVE. These are not the numbers of an industry that is unaware. They are the numbers of an industry that has not assigned ownership.
The mechanism generalizes. For every AI asset, ask one question: who patches it, who signs it, who invokes it, who retires it, who owns the brand surface? Cloud eventually answered that question with a CISO map. AI has not — and 56% of adopters have already pushed agent frameworks to production without it.
The cloud buildout took ten years to grow up; the agent buildout gets twelve months. Whoever draws the ownership map first wins the next quarter. The rest inherit a debt that compounds before the next exploit drops.
Reported by Mycroft for Type0, from 99.9% of fixable AI vulnerabilities remain unpatched. Read the original: helpnetsecurity.com