Cached AWS Keys, AI Identities Open Paths to 98% of Cloud
A cached Windows AWS key and AI-linked non-human identities can create attack paths to up to 98% of an organization’s cloud resources, investigations show.
Recent security investigations and industry reports from 2025–2026 show that a cached Windows AWS access key on a single machine and proliferating AI-linked non-human identities created potential attack paths to as much as 98% of an organization’s cloud entities. The cached key appeared after a user logged into a Windows endpoint and an AWS access key was stored automatically; analysts found no policy violation or misconfiguration. The exposure was detected and remediated before exploitation.
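The article does not say where on the endpoint the cached key lived, so the following is an added example (not from the article or any of the cited reports) of the inventory check a defender would run first: parse a copy of the AWS shared credentials file that the AWS CLI and SDKs write on Windows under %USERPROFILE%\.aws\credentials, and separate long-lived IAM user keys from self-expiring STS credentials. The distinction rests on the documented access key ID prefixes (AKIA for IAM user keys, ASIA for temporary credentials) plus the presence of a session token; the file contents and every key value below are constructed placeholders.

```python
import configparser
from pathlib import Path

# Constructed sample of an AWS shared credentials file. The key and secret
# values are placeholders, not real credentials.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLE_SECRET_PLACEHOLDER

[migration-temp]
aws_access_key_id = ASIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLE_SECRET_PLACEHOLDER
aws_session_token = EXAMPLE_SESSION_TOKEN_PLACEHOLDER
"""


def classify_profiles(text):
    """Return one finding per profile that carries an access key.

    kind is "long-lived" for an IAM user key (AKIA prefix, no session token),
    "temporary" for STS credentials (ASIA prefix plus session token), and
    "unknown" for anything that matches neither pattern.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback=None)
        if not key_id:
            continue  # profile without a static key (e.g. role/SSO config)
        has_token = parser.has_option(profile, "aws_session_token")
        if key_id.startswith("AKIA") and not has_token:
            kind = "long-lived"   # valid until someone rotates or deletes it
        elif key_id.startswith("ASIA") and has_token:
            kind = "temporary"    # expires on its own
        else:
            kind = "unknown"
        findings.append({"profile": profile, "key_prefix": key_id[:4], "kind": kind})
    return findings


def long_lived_profiles(text):
    """Names of the profiles that store a key which never expires by itself."""
    return [f["profile"] for f in classify_profiles(text) if f["kind"] == "long-lived"]


def scan_local_credentials_file():
    """Run the same check against this user's real credentials file, if present."""
    path = Path.home() / ".aws" / "credentials"
    if not path.is_file():
        return []
    return classify_profiles(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for finding in classify_profiles(SAMPLE_CREDENTIALS):
        print(finding)
    print("long-lived profiles in sample:", long_lived_profiles(SAMPLE_CREDENTIALS))
    print("findings on this host:", scan_local_credentials_file())
```

The check reports only what it finds; as the article notes, a cached key can exist without any policy being violated, so the output is an inventory item to feed into the endpoint-to-cloud mapping, not a violation in itself. Keys can also be cached in environment variables, SDK config files or other tooling that this file-based check does not cover.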
Responders describe these incidents as chains that link endpoints, Active Directory groups, cloud roles and service accounts. One investigation identified an unreviewed Active Directory group membership on a retail endpoint that provided a route into the corporate domain. Another found a developer single-sign-on role provisioned during a cloud migration that retained elevated permissions and created a multi-step route from developer access to production admin.
Security teams report that AI agents and machine identities have expanded the attack surface. In some environments, development teams grant broad permissions to management and control plane servers so agents can operate across systems. Agents inherit those server privileges; if tooling or an agent contains a vulnerability, attackers can capture the agent identity and use its permissions to access cloud resources, databases and production infrastructure.
Industry data quantifies the prevalence of identity-related weaknesses. Palo Alto Networks’ 2025 incident response data shows identity issues in nearly 90% of engagements. IBM X-Force’s 2026 threat index reports that stolen or misused credentials accounted for 32% of incidents. SpyCloud’s 2026 Identity Exposure Report found that roughly one-third of recovered non-human credentials were tied to AI tools.
Analysts and incident responders note that many identity-based breaches involve multiple exposures that no single security product flagged as a connected path. Identity governance and administration platforms handle provisioning and access reviews, and privileged access management solutions store and monitor credentials, but these tools often operate without mapping how exposures chain across endpoints, directories and cloud environments.
Incident response data indicates that clearer visibility into linked identities, permissions and environmental context would have identified the traversable paths that enabled many of the breaches under review.
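The point the responders make in the preceding paragraphs is that each link (a cached key seen by the endpoint tool, a group membership seen by Active Directory, a role trust seen by IAM, an agent identity bound to a role) is visible to one product, while the traversable path is visible to none. The following added example (not the article's or any vendor's code) shows the kind of graph analysis that exposes such chains: every relationship is an edge tagged with the tool that observes it, a breadth-first search finds which cloud resources are reachable from a given starting point, and the report states the share of resources exposed and which tools' data had to be joined to see each path. The identities, roles, resources and the access key ID in it are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample exposure graph. Each tuple is (source, target, observing
# tool): a relationship that one product sees on its own. Node names are
# placeholders, not values from any real environment.
SAMPLE_EDGES = [
    ("endpoint:WIN-RETAIL-01", "cached-key:AKIA_PLACEHOLDER", "edr"),
    ("cached-key:AKIA_PLACEHOLDER", "iam-user:svc-deploy", "iam"),
    ("endpoint:WIN-RETAIL-01", "adgroup:Retail-Ops", "ad"),
    ("adgroup:Retail-Ops", "sso-role:DevMigration", "sso"),
    ("iam-user:svc-deploy", "iam-role:DevMigration", "iam"),
    ("sso-role:DevMigration", "iam-role:DevMigration", "iam"),
    ("iam-role:DevMigration", "iam-role:ProdAdmin", "iam"),     # retained migration-era trust
    ("agent:ci-assistant", "iam-role:ProdAdmin", "iam"),        # AI agent inherits the server's role
    ("iam-role:DevMigration", "resource:s3-dev-artifacts", "iam"),
    ("iam-role:ProdAdmin", "resource:rds-prod", "iam"),
    ("iam-role:ProdAdmin", "resource:s3-customer-data", "iam"),
    ("iam-role:ProdAdmin", "resource:eks-prod", "iam"),
    ("iam-role:Auditor", "resource:cloudtrail-logs", "iam"),    # not on any path from the endpoint
]


def build_graph(edges):
    """Adjacency list: node -> [(next_node, observing_tool), ...]."""
    graph = defaultdict(list)
    for src, dst, tool in edges:
        graph[src].append((dst, tool))
    return graph


def all_resources(graph):
    nodes = set(graph) | {dst for adj in graph.values() for dst, _ in adj}
    return sorted(n for n in nodes if n.startswith("resource:"))


def bfs_parents(graph, start):
    """Breadth-first search; returns node -> (previous_node, tool) for every reachable node."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, tool in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, tool)
                queue.append(nxt)
    return parent


def path_to(parent, target):
    """Reconstruct the shortest chain to target as [(from, tool, to), ...]."""
    if target not in parent:
        return None
    hops, node = [], target
    while parent[node] is not None:
        prev, tool = parent[node]
        hops.append((prev, tool, node))
        node = prev
    return list(reversed(hops))


def exposure_report(edges, start):
    """Which resources are reachable from start, by what chain, and via whose data."""
    graph = build_graph(edges)
    parent = bfs_parents(graph, start)
    resources = all_resources(graph)
    reachable = [r for r in resources if r in parent]
    paths = {r: path_to(parent, r) for r in reachable}
    return {
        "start": start,
        "resources_total": len(resources),
        "resources_reachable": reachable,
        "exposure_ratio": len(reachable) / len(resources) if resources else 0.0,
        "paths": paths,
        # the set of tools whose data had to be joined to see each path
        "tools_per_path": {r: sorted({tool for _, tool, _ in p}) for r, p in paths.items()},
    }


if __name__ == "__main__":
    for start in ("endpoint:WIN-RETAIL-01", "agent:ci-assistant"):
        report = exposure_report(SAMPLE_EDGES, start)
        print(f"{start}: {report['exposure_ratio']:.0%} of resources reachable")
        for resource, hops in report["paths"].items():
            chain = " -> ".join(f"{a} [{t}]" for a, t, _ in hops) + f" -> {resource}"
            print("  ", chain, "| tools:", report["tools_per_path"][resource])
```

In the sample, the endpoint with the cached key reaches four of five resources, and the shortest path to the production database joins EDR data with IAM data across five hops; the AI agent identity reaches three of five through the same production admin role. Each hop is the kind of thing the article says the individual governance and PAM tools already record; the report only becomes possible once those records are placed in one graph.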