Report: Security Initiatives Can't Keep Pace with Cloud, AI Boom

The increasingly fast adoption of hybrid, multicloud, and AI systems is easily outgrowing existing security measures, according to a recent global survey titled the "State of Cloud and AI Security 2025" by the Cloud Security Alliance (CSA) and exposure management firm Tenable.

This means organizations are left exposed to breaches and identity-related risks that could otherwise be prevented. According to 1,025 survey responses from IT and security professionals globally, a big concern is the reactive, fragmented and misaligned nature of existing security programs, which leaves them ill-equipped to navigate an ever-changing, dynamic IT environment.

Roughly 82% of organizations operate within hybrid environments that span on-premises and cloud, while 63% use multiple cloud providers, averaging 2.7 environments. Given this sprawl, security teams are often unable to keep up. As Liat Hayun, VP of Product and Research at Tenable, said, "AI workloads are reshaping cloud environments, introducing new risks that traditional tools weren't built to handle."

Here is a summary of the report's key findings:

| Key Finding | Highlights |
| --- | --- |
| Hybrid and Multi-Cloud Dominate | 82% use hybrid setups and 63% use multiple cloud providers, creating fragmented infrastructures that outpace existing security models. |
| Identity Is the Weakest Link | 59% cite insecure identities and risky permissions as top risks; three of the four main breach causes are identity-related. |
| Skills Gap Stalls Progress | 34% report lack of expertise as the biggest challenge, leading to unclear strategies, limited budgets, and leadership blind spots. |
| Reactive Metrics Undermine Security | Most track incident frequency (43%) rather than prevention or resilience, despite averaging over two cloud breaches in 18 months. |
| AI Adoption Outpaces Security | 55% are actively using AI, and 34% of those have had AI-related breaches, often caused by familiar risks like vulnerabilities and misconfigurations. |
| Need for a Strategy Reset | Only 20% prioritize unified risk assessment and just 13% focus on tool consolidation, leaving teams reactive and fragmented. |

Hybrid and Multi-Cloud Complexity Driving Risk
Organizations are mixing environments for operational, performance and regulatory reasons, but the report found security controls are lagging behind. While many have adopted unified security monitoring (58%), Cloud Security Posture Management (57%) and Extended Detection and Response (54%), tools often still operate in silos. This fragmented approach limits visibility and consistent policy enforcement.

Figure: Hybrid and Multi-Cloud Dominate (source: CSA/Tenable).

The report noted that this complexity creates "disjointed visibility, inconsistent identity governance, and gaps in risk monitoring that attackers can exploit."

Identity Emerges as Cloud's Weakest Link
The research identifies identity-related weaknesses as the top risk. Fifty-nine percent of respondents cited insecure identities and risky permissions as their greatest cloud security concern, and three of the top four reported causes of cloud breaches were identity-related: excessive permissions (31%), inconsistent access controls (27%), and weak identity hygiene (27%).

Figure: Identity Has Become the Cloud's Weakest Link (source: CSA/Tenable).

Despite this awareness, many organizations struggle to act on it. Twenty-eight percent cited misalignment between cloud and IAM teams, and 21% reported difficulty enforcing least privilege. Most track only basic indicators like multifactor authentication or single sign-on adoption (42%), rather than more meaningful indicators such as privilege misuse or access anomalies.

Skills Gaps Undermine Strategy
A shortage of cloud security expertise was reported as the single top challenge, named by 34% of respondents. This gap ripples upward into planning and resource allocation: 39% cited unclear strategy, 35% insufficient budget, and 31% said resources are diverted to other priorities. Nearly a third (31%) said their executive leadership does not understand cloud security risks, and 20% said leaders believe built-in cloud provider tools are "good enough."

Figure: Expertise Gap Creates Leadership Alignment Challenge (source: CSA/Tenable).

Reactive Metrics and Rising Breach Rates
Most organizations still use reactive metrics to assess security performance. The most commonly tracked cloud security KPI is incident frequency and severity (43%), which only becomes relevant after a breach. Organizations reported an average of 2.17 cloud-related breaches over the past 18 months, though just 8% were categorized as severe. The most common causes were misconfigured services or infrastructure (33%) and excessive permissions (31%).

Figure: Fighting Fires Instead of Preventing Them (source: CSA/Tenable).

That focus reinforces crisis response instead of long-term resilience.

AI Adoption Outpaces Security Readiness
AI workloads are rapidly moving into production. While 34% of organizations describe their AI use as experimental, 55% are using AI for active business needs -- and 34% of those have already experienced an AI-related breach.

Figure: AI Adoption Accelerates, Security Targets Wrong Risks (source: CSA/Tenable).

Reported breach causes include exploited software vulnerabilities (21%), AI model flaws (19%), insider threats (18%) and misconfigured cloud settings (16%). Yet security teams are more concerned about novel risks such as model manipulation (18%) and unauthorized AI models (15%) than about these more common root causes. More than half of organizations rely on compliance frameworks like the NIST AI RMF or the EU AI Act, but few have implemented technical safeguards such as AI-specific security testing (26%), classifying and encrypting AI data (22%), or MLOps security practices (15%).

Call for a Strategic Reset
The report concludes that security maturity has stalled and calls for a "security strategy reset." Despite the complexity of hybrid and AI-driven environments, only 20% of organizations prioritize unified risk assessment and just 13% are focused on tool consolidation. Jim Reavis, co-founder and CEO of the CSA, said, "We're in the middle of the fastest evolution in cloud computing history. Unfortunately, as our research made clear, many security strategies are already behind the curve. The risks of standing still are growing by the day. Organizations need to rethink their approach and build adaptive, future-ready defenses that are capable of evolving as fast as the technology they safeguard."

The "State of Cloud and AI Security 2025" report was commissioned by Tenable and developed by the CSA, which designed and conducted the online survey in May 2025, gathering 1,025 responses from IT and security professionals across a wide range of industries, regions, and organization sizes. Tenable collaborated with CSA analysts to develop the questionnaire, while CSA researchers performed the data analysis and interpretation. The study was designed to understand how organizations are adapting security strategies, prioritizing risk, and measuring progress as they adopt hybrid, multi-cloud and AI-driven environments.

The full State of Cloud and AI Security 2025 report is available from the CSA, and more information on Tenable Cloud Security can be found here.
