Cloud misconfiguration in AI startups: the S3 buckets and IAM mistakes that expose data
In-depth analyses of real-world cyber incidents and emerging threat trends, authored exclusively by our analysts.
Most security conversations with AI startups jump straight to the exotic risks, prompt injection, model manipulation, agent hijacking. All genuinely important. But a huge share of real breaches, including ones that hit AI companies specifically, come from something far more mundane. A storage bucket left public. An access key with far more permission than it needed. No sophisticated exploit required, just a setting left wrong.
This article covers what cloud misconfiguration actually looks like for an AI startup, why your AI infrastructure makes it worse rather than better, and the concrete steps that close the gap.
Why this matters more than it sounds like it should
Cloud misconfiguration is not an exotic risk. It is consistently one of the leading causes of cloud data breaches, ahead of sophisticated exploits and zero days. The pattern is remarkably consistent across incidents. Nobody has to hack anything. A storage bucket is set to public, or an access key has broader permissions than intended, and an attacker simply finds it and uses it. No exploit, no cleverness required, just automated tools that continuously scan the internet for exactly this kind of mistake.
There is now a well documented case that shows exactly how this plays out for an AI product specifically. In an incident reported in early 2026, an attacker gained initial access to an AWS environment through credentials found in a public S3 bucket. That bucket did not just contain generic files, it held retrieval augmented generation data for AI models, the kind of dataset that powers exactly the sort of AI product startups build every day. From there, the attacker used the stolen access to escalate privileges and move through the environment. Security researchers who investigated the incident noted that parts of the attacker's approach showed signs of having been generated with AI assistance, meaning the exploitation itself was faster and more automated than a typical manual attack. The lesson is direct. A basic storage misconfiguration, involving exactly the kind of AI data your product likely holds, was enough to open the door.
Why AI startups are especially exposed
Two things make this risk larger for an AI product than for typical software.
The first is what your storage actually holds. A conventional startup's cloud storage might hold user uploads or backups. An AI startup's storage frequently holds training data, RAG datasets, embeddings, model artifacts, and logs of user interactions with your AI, all of which can contain sensitive or personal information. A misconfigured bucket at an AI company often exposes more valuable, more sensitive data than the equivalent mistake at a traditional SaaS company, precisely because of what your product needs to store to function.
The second is the pace of AI development. AI teams move fast, spin up infrastructure quickly to test ideas, and often grant broad permissions during that exploratory phase with every intention of tightening them later. That intention frequently does not survive the rush to ship. A bucket created for a quick experiment, or an access key given broad permissions to unblock a demo, ends up carrying into production exactly as it was first configured. This is the same pattern that shows up repeatedly in real incidents, a setting that made sense for five minutes of convenience left in place indefinitely.
The two mistakes that matter most
Almost every cloud misconfiguration breach comes down to one of two things.
Public storage buckets. Cloud storage defaults to private, but a single setting left unchecked, or a bucket made public temporarily for a legitimate reason and never reverted, exposes everything inside it to anyone who finds the URL. Automated scanning tools search continuously for exactly this, and the window between a bucket becoming public and being discovered is often measured in minutes, not days. For an AI startup, what sits inside that bucket is frequently training data, RAG content, or model artifacts, exactly the kind of data an attacker most wants.
Overprivileged IAM roles and access keys. Identity and access management controls who and what can do which actions in your cloud environment. The safe approach is least privilege, giving every user, service, and function exactly the access it needs and nothing more. In practice, broad permissions get granted to avoid friction, particularly under time pressure, and are rarely reviewed or reduced afterwards. A single overprivileged access key, if stolen or exposed, can hand an attacker the ability to read data, escalate its own privileges, or take actions across your entire environment, not just the one task it was meant to perform.
These two mistakes are also often chained together in real attacks, exactly as they were in the incident described earlier. A public bucket exposes a credential, and that credential turns out to have far more permission than it should, letting the attacker move well beyond the original bucket.
What to actually check
This is genuinely one of the more mechanical, checkable parts of security, and you do not need deep cloud expertise to make real progress quickly.
- Enable account level public access blocking. Most cloud providers offer a setting that blocks public access to storage at the account level by default. Unless you are specifically hosting public website assets, there is almost no reason your data buckets should be publicly reachable, and this single setting closes off the most common mistake in one step.
- Audit every bucket, not just the ones you remember creating. Cloud accounts accumulate storage over time, and old buckets from early experiments are exactly where forgotten public access tends to survive. Use your cloud provider's built in tools to list every bucket and its access settings, rather than assuming you remember them all.
- Review IAM permissions and remove what is not needed. Go through your users, service accounts, and roles and check what each one can actually do against what it actually needs. Broad access granted for convenience during a rushed build is the pattern that shows up in nearly every real incident.
- Use temporary, scoped access instead of permanent broad access. Where you need to share data or grant access, prefer temporary, time limited links or narrowly scoped permissions over standing broad access that lingers indefinitely.
- Turn on continuous monitoring, not just a one off check. A manual review is a snapshot that goes stale the moment configurations change, and cloud environments change constantly. Continuous monitoring, whether through your cloud provider's native tools or a dedicated posture management tool, catches new misconfigurations as they appear rather than relying on someone remembering to check again.
- Pay particular attention to anything holding AI specific data. Buckets containing training data, RAG content, embeddings, or model artifacts deserve the tightest review of all, because that is precisely the data an AI focused attacker is looking for, as the real incident above demonstrates.
Why this connects directly to your enterprise deals
This is not just a technical hygiene issue. Cloud misconfiguration is exactly the kind of finding that shows up in a penetration test or a technical security review a serious enterprise buyer commissions before signing. It is also one of the more embarrassing findings to explain, because unlike a sophisticated attack, there is no good story for how it happened. It happened because a setting was left wrong.
Being able to say clearly that your storage is private by default, your permissions follow least privilege, and you monitor continuously for drift, is a small set of statements that carries real weight with a buyer's security team, because it demonstrates the same discipline they are ultimately trying to assess across your whole product.
The honest takeaway
Cloud misconfiguration is not a sophisticated threat, and that is exactly why it is so common and so damaging. For an AI startup, the stakes are higher than for typical software, because the data sitting in your cloud storage is often more sensitive, and the fast, exploratory pace of AI development makes over permissioning an easy habit to fall into. The documented incidents make clear this is not hypothetical, including cases where the exposed data was specifically the AI training and retrieval data that powers products like yours.
Block public access at the account level, audit your buckets and your permissions properly, and put continuous monitoring in place rather than relying on a one off check. None of this requires deep expertise or significant investment, and it closes off one of the most common and most preventable ways an AI startup's data ends up exposed.
Not sure what's publicly exposed in your cloud environment?
Book a free review and we'll check your storage and permissions for the mistakes attackers actually look for.
AI Security Insights
Cloud misconfiguration in AI startups: the S3 buckets and IAM mistakes that expose data
Most security conversations with AI startups jump straight to the exotic risks, prompt injection, model manipulation, a…
Read articleWhat is SSO and why enterprise buyers require it before they'll sign
Somewhere in your first serious enterprise deal, a question arrives that catches a lot of founders off guard. Do you su…
Read articleCyber insurance for AI startups: what it covers and what it doesn't
Most startups buy cyber insurance, tick the box, and assume they are covered if something goes wrong with their AI prod…
Read articleSecurity questions investors ask AI startups before they invest
Most conversations about AI security focus on enterprise buyers, and for good reason, since that is where security most…
Read articleMore insights, delivered monthly
Get the latest insights on AI security and compliance.

