Rajnish Gupta, Managing Director and Country Manager at Tenable India, joins CX Quest for a compelling conversation on the future of cloud AI security—a critical pillar of today’s digital experience.
As organisations increasingly adopt Software-as-a-Service (SaaS) platforms to scale operations, enhance collaboration, and accelerate AI and ML development, security concerns are becoming more pronounced. In a recent Onymos survey, an alarming 78% of tech leaders expressed worry about security threats within SaaS environments, with nearly half reporting cybersecurity incidents stemming from third-party solutions. The evolving digital ecosystem has created a tangled stack of cloud services—often dubbed the “Jenga® effect”—where inherited misconfigurations and excessive permissions leave gaping vulnerabilities across infrastructures.
AI workloads, in particular, demand careful scrutiny, especially when data and models are hosted in the cloud. The Tenable Cloud AI Risk Report 2025 found that 77% of organisations using Google Cloud’s Vertex AI Notebooks had at least one misconfigured instance, a lapse that could allow unauthorised access to sensitive workloads.
To address these growing concerns, cxquest.com brings you an exclusive interview with Rajnish Gupta, Managing Director and Country Manager, Tenable India. Rajnish offers expert insights into the hidden risks of cloud environments, the importance of proactive exposure management, and practical strategies SaaS providers and enterprises can adopt to secure their AI assets, improve identity protection, and close security gaps before they can be exploited.
Tenable Cloud AI Risk Report
Q1. Rajnish, the recent Tenable Cloud AI Risk Report 2025 highlights some critical misconfigurations. What are the most overlooked risks in cloud environments today?
RG: In cloud environments, some of the most overlooked risks include a convergence of critical vulnerabilities, publicly exposed workloads, and over-privileged identities. Each of these factors poses a security risk separately. Together, they create a scenario that warrants attention. Nearly 4 in 10 organizations globally have at least one critically exposed cloud workload with an element or combination of the toxic trilogy.
This trifecta is concerning because publicly exposed workloads in the cloud can function as beacons accessible from the Internet. Such exposure, even when unintentional, allows attackers to identify potential entry points with ease. Add unpatched vulnerabilities into the mix, and the risk is amplified. These gaps create a straightforward exploitation pathway.
The third factor, which is over-privileged identities, further raises the stakes. When access permissions exceed what is necessary, attackers can move more freely across systems, accessing data and services with fewer barriers. This toxic cloud trilogy turns what might have been a limited security issue into a broader operational concern, allowing attackers to extend their reach if they gain access.
Jenga®-style Misconfiguration
Q2. The term “Jenga®-style misconfiguration” is striking. Could you explain this phenomenon and how it commonly manifests in SaaS ecosystems?
RG: The Jenga Concept, introduced by Tenable Cloud Research, describes cloud providers’ tendencies to stack one service on top of another, with any single misconfigured service putting all the services built on top of it at risk.
In SaaS environments, this manifests when organizations stack multiple cloud-based applications such as Microsoft 365, CRM, ERP, etc., without fully securing their integrations or access controls. For instance, overly permissive default settings, such as broad API access or unmonitored third-party app integrations, expose sensitive data to attacks.
Data Poisoning
Q3. With AI services rapidly expanding on cloud platforms, how should businesses approach securing their AI training data from threats like data poisoning?
RG: Businesses should address the threat of data poisoning in AI training by implementing five key strategies. Firstly, they should automate the configuration of multi-cloud environments, using a Cloud Native Application Protection Platform (CNAPP) with Cloud Security Posture Management (CSPM) to centralize policies and monitor access control and encryption. Secondly, adopting a least privilege access model is crucial, requiring regular audits of cloud identities to ensure only necessary rights are granted. Thirdly, tackling supply chain vulnerabilities involves gaining visibility into the libraries used in AI applications, both in-house and third-party, and addressing any identified vulnerabilities. Fourthly, enriching log data from cloud service providers through a CNAPP solution allows for deeper insights into misconfigurations and potential threats. Lastly, businesses must address privacy risks by establishing clear policies on approved language models and monitoring their usage, as well as implementing policies for shadow AI to prevent data leakage.
These steps, coupled with eliminating the “toxic trilogy” of public exposure, unpatched vulnerabilities, and excessive privileges, provide a robust defense against data poisoning attacks.
Identity and Access Management
Q4. Identity and access management continues to be a pain point. How can organisations strengthen identity security in the cloud?
RG: A majority of organizations (84.2%) have longstanding access keys with critical or high severity excessive permissions, which poses a major security gap. Dynamic, sprawling identities that are both human and non-human amplify risks.
Prioritize visibility across all users and identities. Map their access rights to detect the overly privileged ones. Implement least-privilege principles to ensure that only those who need access to business-critical systems have it. Just-in-time (JIT) access, a policy of granting temporary privileges for specific tasks, reduces the presence of overprivileged accounts, minimizing exposure.
Adopt a cloud security platform with CSPM and cloud workload protection to track identity activities and flag anomalies, such as unauthorized access attempts. A unified platform offers a centralized view of identities across multi-cloud environments, minimizing complexity.
Conduct regular audits of identity policies, and implement automated policy enforcement, preventing misconfigurations that attackers exploit. For instance, overly permissive service accounts, if compromised, can expose entire systems. Training employees on secure practices, like strong authentication, further bolsters defenses. By proactively assessing risks, automating remediation, and aligning with zero-trust principles, organizations can secure cloud identities effectively, reducing the likelihood of breaches.
Prioritize Proactive Security
Q5. In your view, what must SaaS providers do differently to prioritise proactive security over reactive damage control?
RG: Proactive cybersecurity begins with gaining total visibility into the entire attack surface, mapping all assets, identities, and configurations to understand critical risks. An exposure management platform like Tenable One significantly automates these tasks. It also aids in continuously assessing risks, so organizations can pinpoint misconfigurations, such as overly permissive APIs, Jenga®-style misconfigurations, or third-party integrations, which are common in SaaS environments.
Implement automated tools to monitor and remediate these exposures in real-time, ensuring misconfigured services or unpatched vulnerabilities that pose the greatest risk are remediated first. Adopt a zero-trust model, with least-privilege access or just-in-time access and continuous validation of identities to reduce the risk of unauthorized access. Leverage threat intelligence from exposure management platforms to predict attack paths and prioritize high-risk exposures, particularly when systems are highly interconnected and data resides in multiple clouds.
Conduct regular audits and secure development practices. By embedding exposure management into their workflows, SaaS providers can detect and deal with threats early on, protecting customer data and maintaining trust. This helps them avoid the costly fallout of reactive measures in today’s complex threat landscape.
Exposure Management
Q6. How does Tenable’s approach to exposure management offer a unique advantage to companies dealing with complex AI-driven workloads?
RG: Tenable One integrates comprehensive discovery of all cloud and hybrid assets, including specific AI services and models. Tenable ExposureAI™, the machine learning engine, analyzes data to uncover “toxic risk combinations” and hidden attack paths. It helps organizations to not just find vulnerabilities but truly understand how these vulnerabilities impact the business. For example, Tenable One can help understand how a misconfiguration in an AI cloud service combined with an open-source vulnerability creates a critical risk to highly sensitive data. Organizations can prioritize remediation with actionable insights from Tenable’s Vulnerability Priority Rating (VPR) so teams can focus on the most impactful risks. This is important because many AI workloads have unremediated vulnerabilities.
Tenable One now features a vast ecosystem of out-of-the-box Connectors, enabling integration with widely used third-party tools for endpoint detection and response (EDR), cloud security, vulnerability management, operational technology security, ticketing systems and more. Additionally, the unified risk dashboards eliminate time-consuming manual reporting, offering fully customizable views that align with specific business priorities. This is great in effectively communicating risk.

Partnering With CISOs
Q7. How can customer experience (CX) leaders partner with CISOs to ensure a secure yet seamless digital experience for their end-users?
RG: To ensure secure and seamless digital experiences, organizations should integrate CISOs early in product design for “security by design,” align CX and CISO teams on priorities and risk levels, and agree on metrics like secure login success to measure and enhance both security and customer experience.
Closing
In today’s cloud-first world, ensuring customer trust hinges as much on security as it does on innovation. As Rajnish Gupta aptly outlines, the growing complexity of cloud environments, layered SaaS tools, and AI workloads demands an equally sophisticated security approach—one that prevents misconfigurations before they cascade into breaches. For CX and digital leaders, security isn’t just an IT concern—it’s a cornerstone of customer experience.
With solutions that offer unified visibility, actionable insights, and end-to-end protection, Tenable is helping modern businesses rethink their exposure management strategies. The call to action is clear: to protect business value and customer trust, organisations must treat cloud security as a strategic, not reactive, function.