A widening gap between rapid cloud and AI adoption and outdated security strategies is leaving enterprises exposed to preventable breaches. While 82% of organisations now operate hybrid infrastructures and 63% use multiple cloud providers, most lack unified visibility and consistent policy enforcement.
According to the recently released State of Cloud and AI Security 2025 report, this fragmentation has made identity failures the leading cause of cloud breaches, with 34% of organisations that run AI workloads already experiencing a breach. The report also reveals that weak governance and poor leadership alignment are stalling progress, creating systemic risks across the digital infrastructure that underpins modern economies.
The survey, commissioned by Tenable and developed in collaboration with the Cloud Security Alliance, gathered responses from more than 1,000 IT and security professionals worldwide, including those in India. It paints a stark picture of enterprises running critical operations on cloud and AI platforms without the security maturity needed to protect them. The result is an expanding attack surface that undermines the resilience of the digital infrastructure powering modern economies.
Identity Failures Drive Most Breaches
The report highlights that identity-related risks have overtaken long-standing issues such as misconfigurations and insider threats as the primary weakness in cloud environments.
Nearly six in ten respondents (59%) identified insecure identities and risky permissions as their biggest concern. Breach data underscores the scale of the threat: three of the top four causes of cloud breaches were tied to identity governance failures—excessive permissions (31%), inconsistent access controls (27%), and weak identity hygiene (27%).
These figures point to systemic lapses rather than isolated errors, highlighting how identity management has not kept pace with the complexity of multi-cloud operations. Weak oversight of permissions, poor hygiene around credentials, and inconsistent enforcement across environments create vulnerabilities that adversaries can easily exploit.
“Identity has become the cloud’s weakest link, but it is being managed with inconsistent controls and dangerous permissions,” said Liat Hayun, VP of Product and Research at Tenable. “This is not just a technical oversight; it is a governance failure compounded by a persistent expertise gap that stalls progress from the server room to the boardroom.”
Skills Shortage and Leadership Blind Spots
The report connects these failures to a persistent shortage of cloud security expertise. More than a third of respondents (34%) cited lack of skills as their most significant challenge. The shortfall has a ripple effect across the organisation: 39% reported unclear security strategies, 35% pointed to insufficient budgets, and 31% said resources were diverted to other priorities.
“This misalignment,” the report highlights, “leaves organisations stuck in reactive mode.” Almost a third of participants said their executives lack sufficient understanding of cloud security risks, and one in five reported that leaders mistakenly believe provider-native controls are “good enough.” This disconnect leaves security teams struggling to secure complex environments without adequate direction or support.
The consequences are evident in how performance is measured. Most organisations continue to track reactive metrics such as incident frequency and severity, rather than forward-looking indicators. On average, organisations reported 2.17 cloud-related breaches in the past 18 months, yet few had developed benchmarks for resilience or risk reduction.
AI Adoption Accelerates, but Security Lags
As AI moves from pilot projects into business-critical workloads, security gaps are becoming more visible. The study found that 55% of organisations have already deployed AI for operations, and more than a third of those (34%) reported breaches involving AI systems.
Many of these incidents stemmed from familiar weaknesses: exploited software vulnerabilities (21%), insider threats (18%), and misconfigured cloud settings (16%). Yet security teams often appear more concerned with less frequent “AI-native” threats such as model manipulation (18%) or unauthorised AI use (15%).
This mismatch of priorities suggests that proven safeguards—such as identity governance, workload hardening, and data protection—are being neglected as AI becomes deeply embedded in enterprise operations.
The report also highlights that compliance has become the ceiling for many such organisations. While 51% of organisations rely on frameworks such as the NIST AI Risk Management Framework or the EU AI Act, few apply deeper technical safeguards. Only 26% conduct AI-specific security testing, such as red teaming; 22% classify and encrypt AI data; and just 15% apply MLOps protections. This leaves AI workloads exposed even as they become central to business-critical processes.
It is Time for a Strategic Reset
To strengthen cloud and AI security programmes, organisations must shift from reactive responses to proactive, risk-informed strategies. That means unifying visibility and enforcing policy consistently across hybrid and multi-cloud environments, extending identity governance to both human and machine accounts, and adopting performance indicators that measure resilience rather than just incident counts.
The survey data show just how far practice lags behind these needs. Only 20% of organisations prioritise unified risk assessment across environments, and just 13% focus on consolidating toolsets—leaving teams to manage fragmented solutions that obscure visibility. Metrics remain skewed toward incident frequency, tracked by 43% of respondents, while fewer than a quarter measure downtime reduction or cost per workload.
In AI security, the gap is even starker. Few enterprises are going beyond compliance frameworks to apply safeguards such as testing, encryption, or MLOps security. With AI adoption accelerating, this failure risks embedding vulnerabilities at the very core of enterprise infrastructure.
Unless organisations move quickly to address these weaknesses, attackers will continue to exploit the blind spots created by identity governance failures, leadership misalignment, and underinvestment in resilience. “Without such a reset,” the report warns, “organisations risk embedding vulnerabilities into the very foundations of digital infrastructure.”