The State of Cloud and AI Security 2025: Navigating Complexity in an Accelerated Digital Landscape

As organizations rapidly embrace hybrid cloud architectures and artificial intelligence technologies, a concerning security gap has emerged. The latest research from Tenable and the Cloud Security Alliance reveals that while businesses are enthusiastically adopting these transformative technologies, their security strategies are failing to keep pace with the evolving threat landscape.

Key Findings: A Perfect Storm of Risks

Hybrid and Multi-Cloud Dominate

The modern enterprise IT landscape has become fundamentally distributed and complex. Research findings show that 82% of organizations now operate hybrid environments that span both on-premises and cloud infrastructure. Additionally, 63% of organizations utilize multiple cloud service providers, managing an average of 2.7 different environments.

This shift toward multi-cloud and hybrid deployment models is driven by several strategic considerations. Organizations are seeking to avoid vendor lock-in, optimize costs by leveraging each provider's strengths, improve performance through geographic distribution, and meet varying regulatory requirements. However, this architectural complexity introduces significant security challenges.

The fragmented nature of these environments creates major blind spots for security teams. Each IT environment brings its own tools, policies, and shared responsibility models, resulting in disjointed visibility, inconsistent identity governance, and gaps in risk monitoring that attackers can exploit.

Identity Has Become the Cloud's Weakest (and Organizations' Most Watched) Link

Identity and access management has emerged as the most critical vulnerability in cloud environments. The research reveals that 59% of organizations identified insecure identities and permissions as their greatest cloud security risk. This concern is well-founded, as identity-related issues dominate the primary causes of cloud breaches:

• Excessive permissions (such as overprivileged accounts or roles) account for 31% of breach incidents

• Inconsistent access controls across cloud environments represent 27% of breaches

• Weak identity hygiene (including lack of multi-factor authentication) causes 27% of security incidents

The complexity of modern cloud environments exacerbates these identity challenges. As one expert notes, "Identity has become the cloud's weakest link, but it's being managed with inconsistent controls and dangerous permissions. This isn't just a technical oversight; it's a systemic governance failure".

Organizations struggle with fundamental questions about their cloud identity posture: where sensitive data resides, which identities can access it and how, and whether there are vulnerabilities in configurations and API infrastructure. The rise of machine and non-human identities, which now outnumber human actors, adds another layer of complexity to identity management.

The Expertise Gap Creates a Leadership Alignment Challenge

A significant skills shortage is hampering organizations' ability to secure their cloud environments effectively. 34% of surveyed organizations stated that a lack of expertise is the single largest challenge they face in managing cloud security. This expertise gap creates a cascade of additional problems:

• 39% report unclear security strategies due to insufficient knowledge

• 31% identify inadequate executive understanding of cloud security risks as a major issue

• 28% struggle with poor alignment between cloud and IAM teams

The expertise shortage extends beyond technical knowledge to strategic understanding. Many organizations lack the specialized skills needed to implement robust security policies and develop strong governance frameworks. This knowledge gap restricts access to budget and resources needed to adequately protect business operations, creating a vicious cycle of underfunding and underperformance.

Fighting Fires Instead of Preventing Them - Measuring Breaches, Not Prevention

Organizations remain trapped in a reactive security posture, responding to incidents rather than preventing them. Traditional security approaches focus on incident response, forensic analysis, and post-breach remediation rather than proactive threat prevention.

This reactive stance is particularly problematic in cloud environments where attackers can exploit vulnerabilities within 10 minutes or less of gaining initial access. The rapid exploitation timeline underscores the inadequacy of purely reactive strategies and highlights the need for proactive security measures.

Current security metrics often emphasize breach detection and response time rather than prevention effectiveness. Organizations tend to measure their security success by how quickly they can respond to incidents rather than how effectively they prevent them from occurring in the first place.

AI Adoption Accelerates While Security Targets the Wrong Risks

Artificial intelligence adoption is proceeding at breakneck speed, but security measures are not keeping pace with the associated risks. The research shows that 55% of organizations already use AI, while another 34% are actively testing AI implementations. However, this rapid adoption is creating new vulnerability categories:

AI workloads are significantly more vulnerable than traditional cloud workloads. Research reveals that 70% of cloud workloads with AI software installed contain at least one unremediated critical vulnerability, compared to 50% of non-AI workloads.

Specific AI-related security risks include:

• 77% of organizations using Google's Vertex AI Workbench have at least one notebook instance configured with overprivileged default service accounts

• 14% of organizations using Amazon Bedrock do not explicitly block public access to at least one AI training bucket

• 91% of Amazon SageMaker users have at least one notebook that could grant unauthorized access if compromised

Organizations are making critical mistakes in AI security implementation, including inadequate governance, weak access controls, training on sensitive data without proper protection, and neglecting security during development phases. Many security teams are also targeting the wrong AI risks, focusing on hypothetical future threats rather than addressing current, exploitable vulnerabilities in AI infrastructure.

Time for a Security Strategy Reset

The research findings point to an urgent need for organizations to fundamentally rethink their cloud and AI security approaches. Current strategies are inadequate for the modern threat landscape, and incremental improvements are insufficient.

Key recommendations for a security strategy reset include:

Shift from Reactive to Proactive Security: Organizations must move beyond incident response to implement preventive security measures, continuous risk assessment, and security-by-design approaches. This includes implementing automated security testing in CI/CD pipelines and establishing admission controls that prevent insecure configurations rather than just detecting them.

1. Implement Unified Visibility and Risk Management: With environments spanning multiple clouds and on-premises infrastructure, organizations need unified security monitoring, consistent policy enforcement, and integrated risk management across all platforms. This requires breaking down silos between security tools and teams.

2. Mature Identity Governance: Organizations must restructure IAM programs and systems, improve coordination between cloud and IAM teams, and shift to more dynamic indicators of identity risk and resilience. This includes implementing zero-trust architecture, enforcing least-privilege access, and establishing proper governance for both human and non-human identities.

3. Integrate AI-Specific Security Measures: As AI adoption accelerates, organizations need to embed security earlier into AI development lifecycles, implement proper data governance for AI training datasets, and establish appropriate access controls for AI workloads.

Conclusion

The State of Cloud and AI Security 2025 research reveals a critical inflection point for organizational security. While cloud and AI technologies offer tremendous business value, the rapid pace of adoption has outstripped security capabilities, creating dangerous exposure gaps.

Organizations that fail to address these fundamental security challenges face increasing risks of data breaches, regulatory violations, and business disruption. The time for incremental security improvements has passed - what's needed is a comprehensive strategy reset that prioritizes prevention over reaction, unifies fragmented security approaches, and properly governs the complex identity landscape of modern cloud environments.

Success requires not just better tools, but fundamental changes in how organizations approach security governance, team alignment, and risk management. Those who make this transition will be better positioned to harness the full benefits of cloud and AI technologies while maintaining robust security postures.

Full Survey Results

The comprehensive research was conducted through a survey of more than 1,000 IT and security professionals worldwide, including respondents from Australia and other global markets. The study was commissioned by Tenable and developed in collaboration with the Cloud Security Alliance.

Demographics

The survey respondents represented a diverse cross-section of IT and security professionals across multiple industries and organization sizes. Participants included security administrators, cloud architects, IT managers, and executive leadership from organizations operating in various sectors, including healthcare, finance, retail, and technology.

Survey Methodology and Creation

The research methodology followed established survey research practices, utilizing online data collection techniques to reach IT and security professionals globally. The survey was designed to understand how organizations are adapting their security strategies to manage risk across increasingly complex cloud and AI-driven infrastructures.

The study employed structured questionnaires to assess current security practices, challenge identification, breach incident analysis, and strategic planning approaches. Data collection focused on quantifying security risks, measuring organizational preparedness, and identifying gaps between current practices and emerging threats.

FAQs

Q: How can organizations effectively manage security across multiple cloud providers?

A: Implement unified security monitoring tools that provide consistent visibility across all cloud environments, establish standardized security policies that can be enforced regardless of the cloud provider, and ensure proper identity governance that works seamlessly across platforms.

Q: What are the most critical first steps for improving cloud identity security?

A: Start by conducting a comprehensive audit of all identities (human and non-human) across your cloud environments, implement multi-factor authentication universally, establish least-privilege access principles, and create proper governance structures for identity lifecycle management.

Q: How should organizations approach AI security in their cloud environments?

A: Integrate security considerations into AI development lifecycles from the beginning, implement proper data governance for AI training datasets, establish appropriate access controls for AI workloads, and regularly audit AI systems for vulnerabilities and misconfigurations.

Q: What metrics should organizations use to measure cloud security effectiveness?

A: Move beyond reactive metrics (like breach response time) to include proactive measures such as vulnerability remediation rates, configuration compliance scores, identity hygiene metrics, and prevention effectiveness indicators.

Q: How can smaller organizations with limited security expertise address these challenges?

A: Consider leveraging cloud-native security tools that provide automated protection, invest in security training for existing staff, establish partnerships with managed security service providers, and focus on implementing security frameworks like NIST or CIS Critical Security Controls.