AI Security Spend Surges, But Most Cloud Data Unencrypted, Thales Warns
In a stark warning for cloud security teams, a new Thales report reveals that while enterprises are pouring resources into AI-specific protections, only 8% are encrypting the majority of their sensitive cloud data -- leaving critical assets exposed even as AI-driven threats escalate and traditional security budgets shrink.
The findings come from the newly released 2025 Thales Cloud Security Study, conducted by S&P Global Market Intelligence 451 Research and commissioned by global cybersecurity leader Thales. Published June 30, 2025, the report is based on survey responses from more than 3,100 IT and security professionals across 20 countries, representing a range of industries and organizational sizes. It offers an in-depth look at the evolving state of cloud security -- particularly as AI adoption accelerates and hybrid, multicloud infrastructures grow more complex.
"The accelerating shift to cloud and AI is forcing enterprises to rethink how they manage risk at scale," said Sebastien Cano, senior vice president, Cyber Security Products, at Thales. "With over half of cloud data now classified as sensitive, and yet only a small fraction fully encrypted, it's clear that security strategies haven't kept pace with adoption. To remain resilient and competitive, organizations must embed strong data protection into the core of their digital infrastructure."
Most Sensitive Cloud Data Still Left Unencrypted
Despite years of warnings and rising attack volumes, the study reveals that most organizations continue to leave sensitive data in the cloud exposed.
According to the report, only 8% of respondents encrypt 80% or more of their cloud data, even though 85% say at least 40% of their cloud data is sensitive. That's a sharp disconnect that represents, in Thales' words, "a manageable risk that organizations should address with urgency."
Figure: Proportion of Sensitive Cloud Data that Is Encrypted (source: Thales).
The study warns that encryption alone isn't enough, but without it, data remains vulnerable -- especially as attacks grow more access-focused. In fact, 68% of respondents cited credential and stolen secrets attacks as the fastest-growing tactic targeting cloud infrastructure, making encryption a last line of defense when access controls fail.
Cloud Data Encryption Coverage (2025)
| % of Cloud Data Encrypted | % of Respondents |
| --- | --- |
| 0-20% | 15% |
| 21-40% | 22% |
| 41-60% | 26% |
| 61-80% | 22% |
| 81-100% | 15% |
| Average Encryption Coverage | 45% |
In addition to low coverage, organizations also struggle with key management sprawl. The report notes that:
- 57% of respondents are using five or more key management systems (up from 53% last year)
- 48% still manage encryption keys through cloud provider consoles
- Only 28% use "bring your own key" (BYOK) approaches, making it the most common -- but still limited -- strategy
Thales urges better integration here, noting: "To manage keys effectively and reduce operational burden, a unified key management system is becoming essential."
And without encryption and authentication improvements working together, organizations are left exposed. As the report explains: "The combination of weak authentication and unencrypted sensitive data represents a critical risk for enterprises."
This echoes commentary from the executive summary, which notes that while encryption use is improving, "the figure remains far short of where it should be" in light of current threats.
AI Security Spending Comes at a Cost
While securing AI workloads has rapidly emerged as a top priority for enterprises, the new security study warns that this shift is coming at a price -- specifically, to traditional cybersecurity investments like cloud data protection and identity access management.
Figure: Top Security Technologies by Spending Level (source: Thales).
According to the report, 52% of respondents indicated that AI security spending is "eating into or taking over existing security budgets." This finding raises concerns about whether organizations are reallocating funds away from foundational security capabilities in favor of newer, high-profile AI protections.
As the report puts it: "More than half (52%) of respondents indicated that AI security spending was eating into existing security budgets. With large amounts of AI work being done in the cloud, this could impact cloud security spending."
This concern is especially significant given the interconnected nature of AI, cloud workloads, and sensitive data storage. Many AI initiatives rely on vast volumes of proprietary, regulated, or mission-critical data -- often residing in public or hybrid cloud environments. Underfunding the basic controls that protect that data could expose organizations to serious risk.
Top Security Technology Investment Areas (2025)
| Security Discipline | % of Respondents Ranking It Top 5 | Rank #1 Mentions |
| --- | --- | --- |
| Cloud Security | 64% | 17% |
| AI/ML Security | Not Specified | Ranked Second Overall |
| Application Security | Not Specified | Varied |
| Identity and Access Management | Low | Lower Priority |
This realignment of priorities comes amid growing pressure to support AI across enterprise infrastructure. In Thales' words, the rush to deploy AI capabilities is "intensifying pressure on cloud security."
The executive summary frames this challenge clearly: "The rapid push to support AI initiatives, which are often heavily cloud-dependent, further intensifies the urgency, as effective and efficient data protections are required to deliver on the promise of AI."
However, Thales questions whether budget realignments are being made thoughtfully: "The source of funding may raise questions about strategic alignment and effective resource allocation."
Key Risks of Budget Reallocation
- Less investment in encryption and key management despite rising cloud data sensitivity
- Potential underfunding of identity and access controls (e.g., multifactor authentication adoption still hovers at 65%)
- Greater complexity for already-overburdened security teams navigating tool sprawl and compliance demands
- Loss of focus on securing existing infrastructure in favor of experimental or less mature AI services
As Eric Hanselman, chief analyst at S&P Global Market Intelligence 451 Research, emphasized in a news release:
"A rising number of respondents report challenges in securing their cloud assets, an issue that is further amplified by the demands of AI projects that often operate in the cloud and require access to large volumes of sensitive data."
This year's findings suggest that as AI rises, so does the need for balance -- ensuring innovation doesn't come at the cost of fundamental cloud security hygiene.
Other Key Findings from the Thales Report
Beyond encryption gaps and AI budget tradeoffs, the 2025 Thales Cloud Security Study highlights a broad set of challenges organizations face as they secure increasingly hybrid, multicloud, and AI-driven environments. The survey paints a picture of mounting complexity, rising attack vectors, and ongoing struggles with human error and operational fragmentation.
- Human error remains a leading cause of cloud breaches: 68% of respondents identified attacks involving credentials and stolen secrets as the fastest-growing tactic targeting cloud infrastructure.
- Cloud environments are harder to secure than on-prem: 55% of respondents said securing the cloud is more complex than securing traditional infrastructure, up from 51% last year.
- Security tool sprawl is creating operational risks: 57% of organizations use five or more key management systems, and 61% use five or more tools for data discovery, monitoring, or classification.
- Multicloud complexity continues to grow: Enterprises now use an average of 2.1 public cloud providers, and 85 SaaS applications -- a 6% increase from last year.
- MFA adoption still lags behind risk exposure: Only 65% of organizations report using multifactor authentication to secure cloud access, despite the high sensitivity of data and the rise in credential-based attacks.
- Digital sovereignty is a growing priority: 42% of respondents believe encryption and key management are sufficient to meet sovereignty goals, and 33% cite portability of workloads and data as their top driver for sovereignty initiatives.
- Secrets management is the top DevSecOps concern: It was ranked the leading challenge in securing cloud-native application development pipelines -- yet only 16% of respondents view DevSecOps secrets management tools as among the most effective for data protection.
Overall, the report underscores that while cloud adoption and AI integration are accelerating, many enterprises remain outpaced by the security demands of these changes. Organizations face rising pressure to consolidate tools, streamline operations, and close long-standing security gaps before attackers exploit them.
2025 vs. 2024: From Human Error to Strategic Overload
Last year's Thales Cloud Security Study centered squarely on human error as the primary weak point in cloud security (see "Cloud Security: Despite All the Tech, It's Still a People Problem"). Nearly half of organizations had suffered a cloud data breach, and 31% cited misconfiguration or user mistakes as the root cause. The 2024 report painted a familiar picture: technical controls were improving, but the "problem between keyboard and chair" continued to undercut progress.
The 2025 edition retains that thread -- human error remains a key contributor -- but broadens the lens to reveal a more strategic breakdown. Now, the pressure of AI initiatives is not only introducing new attack surfaces, but also reshaping how security programs are funded and prioritized. According to this year's data, 52% of organizations say their AI security investments are cutting into existing security budgets. The report frames this shift as a potentially risky tradeoff, especially given how many foundational gaps remain.
Encryption, for instance, emerges as a far more urgent concern than it was a year ago. In 2025, only 8% of respondents encrypt 80% or more of their cloud data -- even though 85% say at least 40% of their cloud data is sensitive. That's a substantial disconnect, and a noticeable tonal shift from 2024's emphasis on identity and access controls as the main defense.
The focus has also widened in terms of scale. Whereas last year's report zeroed in on individual control failures -- like MFA underuse or secrets mismanagement -- the 2025 study casts cloud security as an architecture-level challenge. Tool sprawl, cloud provider sprawl, and SaaS complexity now form a tangled backdrop to nearly every risk area. Enterprises are juggling an average of 2.1 public cloud providers and 85 SaaS applications, with 57% managing five or more separate key systems. Security teams aren't just underfunded -- they're increasingly overwhelmed.
What hasn't changed is the report's tone of urgency. But while the 2024 study focused on the role of human error and configuration missteps, the 2025 edition points to a deeper strategic disconnect. Organizations are moving fast to adopt AI and multicloud architectures, but many haven't addressed longstanding gaps in encryption, access control, and unified key management. As the Thales report makes clear, cloud security today isn't just about technical fixes -- it's about aligning priorities before complexity and velocity outpace control.