News

Cloud Security Falls Behind Amid Hybrid and AI Expansion: CSA/Tenable Report

• By David Ramel
• 09/11/2025

A new global survey finds that rapid adoption of hybrid, multi-cloud and AI systems is outpacing the security measures meant to protect them, leaving organizations exposed to preventable breaches and identity-related risks. The research, based on responses from 1,025 IT and security professionals worldwide, warns that many security programs remain reactive, fragmented and misaligned with today's complex environments.

According to the "State of Cloud and AI Security 2025" report published this week by the Cloud Security Alliance (CSA) and Tenable, 82% of organizations operate hybrid environments spanning on-premises and cloud infrastructure, and 63% use more than one cloud provider, averaging 2.7 environments. The study warns that security strategies have not kept pace with this sprawl, leaving teams reactive and fragmented. Liat Hayun, VP of Product and Research at Tenable, said, "AI workloads are reshaping cloud environments, introducing new risks that traditional tools weren't built to handle." The company specializes in exposure management.

Here are summarizations of the report's key findings:

Hybrid and Multi-Cloud Complexity Driving Risk
Organizations are mixing environments for operational, performance and regulatory reasons, but the report found security controls are lagging behind. While many have adopted unified security monitoring (58%), Cloud Security Posture Management (57%) and Extended Detection and Response (54%), tools often still operate in silos. This fragmented approach limits visibility and consistent policy enforcement.

The report noted that this complexity creates "disjointed visibility, inconsistent identity governance, and gaps in risk monitoring that attackers can exploit."

Identity Emerges as Cloud's Weakest Link
The research identifies identity-related weaknesses as the top risk. Fifty-nine percent of respondents cited insecure identities and risky permissions as their greatest cloud security concern, and three of the top four reported causes of cloud breaches were identity-related: excessive permissions (31%), inconsistent access controls (27%), and weak identity hygiene (27%).

Despite this awareness, many organizations struggle to act on it. Twenty-eight percent cited misalignment between cloud and IAM teams, and 21% reported difficulty enforcing least privilege. Most track only basic indicators like multifactor authentication or single sign-on adoption (42%), rather than more meaningful indicators such as privilege misuse or access anomalies.

Skills Gaps Undermine Strategy
A shortage of cloud security expertise was reported as the single top challenge, named by 34% of respondents. This gap ripples upward into planning and resource allocation: 39% cited unclear strategy, 35% insufficient budget, and 31% said resources are diverted to other priorities. Nearly a third (31%) said their executive leadership does not understand cloud security risks, and 20% said leaders believe built-in cloud provider tools are "good enough."

Reactive Metrics and Rising Breach Rates
Most organizations still use reactive metrics to assess security performance. The most commonly tracked cloud security KPI is incident frequency and severity (43%), which only becomes relevant after a breach. Organizations reported an average of 2.17 cloud-related breaches over the past 18 months, though just 8% were categorized as severe. The most common causes were misconfigured services or infrastructure (33%) and excessive permissions (31%).

That focus reinforces crisis response instead of long-term resilience.

AI Adoption Outpaces Security Readiness
AI workloads are rapidly moving into production. While 34% of organizations describe their AI use as experimental, 55% are using AI for active business needs -- and 34% of those have already experienced an AI-related breach.

Reported breach causes include exploited software vulnerabilities (21%), AI model flaws (19%), insider threats (18%) and misconfigured cloud settings (16%). Yet security teams are more concerned about novel risks such as model manipulation (18%) and unauthorized AI models (15%) than about these more common root causes. More than half of organizations rely on compliance frameworks like the NIST AI RMF or the EU AI Act, but few have implemented technical safeguards such as AI-specific security testing (26%), classifying and encrypting AI data (22%), or MLOps security practices (15%).

Call for a Strategic Reset
The report concludes that security maturity has stalled and calls for a "security strategy reset." Despite the complexity of hybrid and AI-driven environments, only 20% of organizations prioritize unified risk assessment and just 13% are focused on tool consolidation. Jim Reavis, co-founder and CEO of the CSA, said, "We're in the middle of the fastest evolution in cloud computing history. Unfortunately, as our research made clear, many security strategies are already behind the curve. The risks of standing still are growing by the day. Organizations need to rethink their approach and build adaptive, future-ready defenses that are capable of evolving as fast as the technology they safeguard."

The "State of Cloud and AI Security 2025" report was commissioned by Tenable and developed by the CSA, which designed and conducted the online survey in May 2025, gathering 1,025 responses from IT and security professionals across a wide range of industries, regions, and organization sizes. Tenable collaborated with CSA analysts to develop the questionnaire, while CSA researchers performed the data analysis and interpretation. The study was designed to understand how organizations are adapting security strategies, prioritizing risk, and measuring progress as they adopt hybrid, multi-cloud and AI-driven environments.

The full State of Cloud and AI Security 2025 report is available from the CSA, and more information on Tenable Cloud Security can be found here.