The State of Cloud and AI Security 2025

© 2025 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance at subject to the following: (a) the draft may be used solely for your personal, informational, non-commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance.

© Copyright 2025, Cloud Security Alliance. All rights reserved.


Acknowledgments

Lead Author

Hillary Baron

Contributors

Marina Bregkou
Josh Buker
Ryan Gifford
Alex Kaluza
John Yeoh

Graphic Design

Claire Lehnert
Stephen Lumpe

About the Sponsor

Tenable® is the exposure management company, exposing and closing the cybersecurity gaps that erode business value, reputation, and trust. The company’s AI-powered exposure management platform radically unifies security visibility, insight, and action across the attack surface, equipping modern organizations to protect against attacks, from IT infrastructure to cloud environments to critical infrastructure and everywhere in between. By protecting enterprises from security exposure, Tenable reduces business risk for approximately 44,000 customers around the globe. Learn more at.


Table of Contents

Acknowledgments
Lead Author
Contributors
Graphic Design
About the Sponsor
Executive Summary
Key Findings
Key Finding 1: Hybrid and Multi-Cloud Dominate
Key Finding 2: Identity Has Become the Cloud’s Weakest (and Organizations’ Most Watched) Link
Key Finding 3: The Expertise Gap Creates a Leadership Alignment Challenge
Key Finding 4: Fighting Fires Instead of Preventing Them – Measuring Breaches, Not Prevention
Key Finding 5: AI Adoption Accelerates While Security Targets the Wrong Risks
Key Finding 6: Time for a Security Strategy Reset
Conclusion
Full Survey Results
Demographics
Survey Methodology and Creation
Goals of the Study


Executive Summary

Hybrid and multi-cloud architectures have become the standard for most organizations, with 82% operating hybrid environments and 63% using multiple cloud providers. At the same time, AI adoption is accelerating, with over half of organizations deploying AI for business needs—and 34% of those with AI workloads already experiencing breaches. Yet security strategies have not kept pace, leaving teams reactive and fragmented.

This survey reveals six critical insights:

1. Hybrid and Multi-Cloud Dominate: Flexible infrastructure demands unified security visibility and policy enforcement—still lacking for most.

2. Identity Risks Lead But Remain Under-Managed: Identity is now the top risk and breach cause, but many organizations rely on basic controls and metrics, missing deeper governance gaps.

3. Expertise Gap Stalls Progress: Limited cloud security expertise undermines leadership alignment, strategy, and investment.


4. Measuring Breaches, Not Prevention: KPIs remain reactive, focused on incidents instead of risk reduction and resilience.

5. AI Adoption Outpaces Security Readiness: Organizations prioritize compliance and novel AI risks over proven cloud and identity controls.

6. Leadership Must Reset Strategy: Outdated assumptions and underinvestment leave security teams without the structural support to mature.

To address these gaps, organizations should:

• Build integrated visibility and controls across hybrid and multi-cloud infrastructures
• Mature identity governance for human and non-human identities
• Focus KPIs on prevention and resilience
• Improve leadership’s understanding of the true operational needs
• Treat compliance as a baseline for AI security, not the endpoint

Security maturity depends on strategic alignment and risk-driven planning. Organizations that move beyond point solutions and reactive operations will be better equipped to secure evolving cloud and AI environments.


Key Findings

Cloud and AI are no longer emerging trends—they’re embedded in the way organizations operate, with hybrid and multi-cloud architectures providing flexibility and AI moving quickly from pilot projects to business-critical workloads. Yet while adoption has surged, security strategies have struggled to keep up. The findings reveal a clear gap between awareness and execution: while most organizations recognize where their risks lie, many remain reactive, fragmented, and misaligned.

Key Finding 1: Hybrid and Multi-Cloud Dominate

Hybrid and multi-cloud architectures aren’t emerging trends—they’re already the norm for most organizations, and here to stay. Rather than migrating everything to a single provider or abandoning on-prem entirely, organizations are deliberately choosing a mix of environments to meet their operational, financial, and regulatory needs. These models offer the flexibility to run workloads where they make the most sense—whether that’s in the cloud, across multiple providers, or still on-premises.

Sixty-three percent of organizations report using more than one cloud provider, with multi-cloud users operating an average of between 2 and 3 (2.7) cloud environments. At the same time, 82% of organizations maintain hybrid infrastructure of some kind, either split evenly between on-prem and cloud or leaning more heavily on one type of environment.

[Figure: What best describes your organization’s IT/cloud infrastructure? Response options: entirely on-premises; primarily on-premises, with some cloud usage; primarily cloud-based, with some on-premises infrastructure; fully cloud-based; significant operations both on-premises and in the cloud.]


To secure this fragmented infrastructure, organizations are leaning into tools designed to span cloud and on-prem. Unified security monitoring and risk prioritization (58%), cloud security posture management (CSPM) (57%), and extended detection and response (XDR) (54%) are the most commonly used controls across hybrid environments. This signals a shift away from siloed or provider-native tooling toward broader visibility and control mechanisms that can keep pace with the complexity of hybrid infrastructure.

[Figure: What security measures is your organization taking to understand and act on exposure and related risk across your hybrid environments? Response options: Exposure Management; Cloud Security Posture Management (CSPM); Extended Detection and Response (XDR); identity federation and centralized authentication; Zero Trust security model; consistent compliance and governance frameworks across environments; automated threat intelligence and response across environments; other.]

The move toward hybrid and multi-cloud is likely driven by a combination of cost optimization, regulatory demands, and performance requirements. In some cases, organizations are even moving workloads back on-prem to better manage expenses or gain more direct control, as noted in a previous Cloud Security Alliance (CSA) survey report. Regardless of the motivation, this model demands security strategies capable of providing consistent policy enforcement, identity management, and risk monitoring across a landscape that is anything but uniform.


Key Finding 2: Identity Has Become the Cloud’s Weakest (and Organizations’ Most Watched) Link

Identity-related issues now top the list of cloud security concerns—outpacing long-standing risks like misconfigurations, insider threats, and workload vulnerabilities in perception, breach impact, and strategic focus. While this signals meaningful progress in awareness, there is a critical gap between understanding identity as a key threat and measures taken to effectively secure it. Governance, measurement, and operational coordination all lag behind reported intent.

[Callout: Top security risk to organization’s cloud infrastructure: insecure identities and risky permissions (59%).]

Fifty-nine percent of organizations identified insecure identities and risky permissions as the top security risk to their cloud infrastructure. This concern is borne out in breach data as well. Among those who experienced a cloud-related breach, three of the top four causes were identity-related: excessive permissions (31%), inconsistent access controls (27%), and weak identity hygiene (27%).

[Figure: Which of the following factors do you think contributed the most to your organization’s breach?]
• Misconfigured cloud services or infrastructure: 33%
• Excessive permissions (e.g., overprivileged accounts or roles): 31% (identity-related)
• Inconsistent access controls across cloud environments: 27% (identity-related)
• Weak identity hygiene (e.g., no MFA, inactive access keys): 27% (identity-related)

These issues are interconnected but distinct. Excessive permissions—like standing admin access or broad role assignments—can escalate even minor compromises into major breaches. Inconsistent access controls across environments create uneven protections and blind spots that attackers can exploit. Weak identity hygiene—defined as poor processes for identifying and remediating risky behaviors like unrotated keys, unused credentials, or orphaned accounts—leads to long-lived vulnerabilities that often go undetected until after an incident occurs.

Together, these patterns point to a layered, systemic problem: it’s not just a few misconfigured accounts but a fundamental breakdown in how identity is governed across teams and systems. These are not merely technical lapses, they’re operational challenges rooted in a lack of shared ownership, oversight, and accountability across cloud and identity access management (IAM) functions.


Even as organizations report that they recognize these risks and are prioritizing Zero Trust, security maturity still lags. When asked about top challenges, 28% of respondents cited misalignment between cloud and IAM teams, and 21% reported difficulty enforcing least privilege. This indicates that many organizations know where the problem is, but still lack the structure or workflows to address it at scale.

[Figure: Top challenges securing organization’s cloud infrastructure]
• Lack of alignment between cloud security and IAM teams: 28%
• Difficulty enforcing least privilege: 21%

To close the gap, organizations are prioritizing Zero Trust architectures, and implementing least privilege for identities was the most selected cloud security priority for the next 12 months (44%). Yet measurement practices remain early-stage. Forty-two percent of organizations track multifactor authentication (MFA) or single sign-on (SSO) adoption rates—the most common IAM KPI—but this only shows whether controls are in place, not whether they’re effective. Few organizations monitor deeper indicators of identity risk like privilege misuse, access anomalies, or non-human identity abuse.

[Callout: 44% of organizations consider implementing least privilege for identities a top priority.]

[Callout: 42% of organizations track multifactor authentication (MFA) or single sign-on (SSO) adoption rates.]

The data paints a picture of identity as both a well-recognized threat and a still-maturing discipline in secure management. Organizations are moving in the right direction, but meaningful progress will require more than policy declarations. They’ll need to restructure IAM programs and supporting systems such as identity providers, improve coordination with cloud teams, and shift from binary adoption metrics to more dynamic indicators of identity risk and resilience.


Key Finding 3: The Expertise Gap Creates a Leadership Alignment Challenge

The lack of cloud security expertise isn’t just a staffing or hands-on implementation problem, it’s a strategic obstacle that shapes how organizations plan, budget, and prioritize security at every level. As security teams struggle to operationalize cloud protections with limited expertise, that gap begins to shape decisions affecting leadership alignment, resource allocation, and organizational risk posture.

[Callout: Top challenges to securing organization’s cloud infrastructure: lack of expertise (34%).]

Thirty-four percent of respondents identified lack of expertise as the top challenge to securing cloud infrastructure—more than any other issue. But the impact of that gap doesn’t stop at the hands-on level. It creates a ripple effect that undermines planning and execution. When asked about barriers to implementing new cloud security capabilities, respondents pointed to unclear strategy (39%), insufficient budget (35%), and resources being diverted to other priorities (31%)—all symptoms of leadership struggling to set direction, assess tradeoffs, or fully grasp the risks at stake.

[Figure: What are the top 3 barriers to implementing new cloud security capabilities for your organization?]
• Unclear strategy or plan for cloud security: 39%
• Insufficient budget: 35%
• Resources diverted to other priorities: 31%
• Expertise constraints: 30%
• Integration with legacy systems: 29%
• Lack of processes or documentation: 26%
• Lack of support from senior management: 23%
• Time constraints: 20%
• Vendor lock-in or internal loyalty to vendors: 17%
• Available tools and solutions do not meet organization’s needs: 16%
• Friction with DevOps team: 11%
• Other: 1%


This disconnect is further underscored by how leadership views cloud security. Nearly a third of respondents (31%) said their executive leadership lacks sufficient understanding of cloud security risks. Others noted that leaders believe built-in cloud provider tools are “good enough” (20%), or assume that the cloud provider is primarily responsible for securing the environment (15%)—a clear misunderstanding of the shared responsibility model. These perceptions suggest that many executive teams still operate under legacy security assumptions, making it difficult for security teams to gain support for the tools, staffing, or time needed to secure today’s complex hybrid and multi-cloud environments.

[Figure: If your organization lacks support from senior management, what is the primary reason for their limited support of new cloud security efforts? Response options: leadership lacks understanding of cloud security risks; belief that built-in cloud provider tools are sufficient; other technology initiatives take priority (e.g., AI projects); perception that cloud providers are responsible for security; priority is placed on speed and innovation over security; unclear or unproven return on investment.]

Rather than treat expertise solely as a hiring or training issue, organizations can reframe the problem as a broader operational challenge—one that can be addressed through a combination of internal enablement, external partnerships, and platform choices that reduce cognitive load. There’s also a clear opportunity to use these platforms and tools not only to improve security posture but to help educate leadership along the way. By aligning executive understanding with security realities, organizations can shift from reactive, point-solution thinking to more strategic, integrated security programs.


Key Finding 4: Fighting Fires Instead of Preventing Them - Measuring Breaches, Not Prevention

Cloud security remains caught in a reactive loop. While breaches remain a persistent and significant challenge, organizations are measuring performance based on what’s already gone wrong, rather than how effectively risk is being reduced or prevented. The result is a metrics culture that reinforces crisis response over long-term resilience.

The most commonly tracked cloud security KPI is security incident frequency and severity (43%), a metric that only becomes relevant after an incident occurs. In IAM, the top metric is MFA/SSO adoption rates (42%), which tracks whether basic controls are in place, not whether they’re effective or being misused. Together, these figures suggest that organizations remain focused on surface-level indicators rather than more strategic, forward-looking measures of performance.

This rearview mirror mindset is also reflected in breach data. Organizations reported an average of 2.17 cloud-related breaches over the past 18 months, yet only 8% categorized any of those as “severe”. While some incidents may truly be low-impact, the discrepancy suggests many are being perceived as less severe—potentially because they didn’t trigger mandatory reporting thresholds, significant media coverage, or obvious operational impact.

[Figure: On average, rate the level of severity of the cloud-related breach(es) your organization has experienced.]
• Severe: 8%
• Moderate: 34%
• Mild: 24%
• N/A - no breaches: 34%

The data reveals a disconnect between breach frequency and how incidents are internally evaluated, one that complicates efforts to measure and communicate true security performance. That disconnect becomes even more troubling when considered alongside the root causes of these breaches, many of which are preventable. Thirty-three percent cited misconfigured cloud services, while 31% pointed to excessive permissions, 20% to insider threats, and 15% to compromised credentials—issues that could be mitigated through stronger configuration management, access governance, and proactive detection.

[Figure: Which of the following factors do you think contributed the most to your organization’s breach?]
• Misconfigured cloud services or infrastructure: 33%
• Excessive permissions (e.g., overprivileged accounts or roles): 31%
• Insider threat (intentional or accidental): 20%
• Compromised credentials (e.g., phishing, leaked secrets): 15%


All of this points to a dangerous measurement blind spot. Breach rates remain high, yet few incidents are classified as severe, and the KPIs most organizations track remain rooted in reaction rather than prevention. Measurement remains tied to post-incident response rather than forward-looking risk reduction.

This approach fails in two critical ways: it doesn’t demonstrate the value of proactive investment to leadership, and it obscures the full scope of risk by assuming incidents are always visible, reportable, and correctly classified. In environments with limited detection capabilities—or where performance is judged by the absence of “severe” incidents—critical events could be missed or minimized.

Breaking that cycle requires more than new measurements or tools—it demands a redefinition of success, one centered on risk reduction rather than damage control.


Key Finding 5: AI Adoption Accelerates While Security Targets the Wrong Risks

AI adoption is outpacing the readiness of many security teams. While 34% of organizations describe their AI use as “experimental”, even more have already moved beyond that stage. A combined 55% are using AI for active business needs—25% for specific workloads, 23% actively integrating across multiple systems, and 7% fully integrated across the organization. These are not theoretical pilots; they represent operational deployments with real business impact. Yet as AI moves into production, security efforts aren’t always keeping pace. The result: more than a third of organizations with AI workloads (34%) have already experienced an AI-related breach, raising urgent questions about AI security readiness and risk management.

[Figure: To what extent is your organization developing AI applications in the cloud? Response options: using for specific workloads but not broadly; experimental (e.g., pilot projects); actively integrating across multiple workloads; fully integrated across the organization; other; N/A - we’re not using AI.]

The occurrence of AI-related breaches points to a deeper issue: while AI is being operationalized, security practices haven’t fully caught up.

[Figure: Did any of the cloud data breaches your organization experienced involve an AI workload?]
• Yes: 34%
• No: 52%
• Unsure: 14%


Organizations are moving fast to deploy AI, but their understanding of where the risks lie—and how to mitigate them—still appears immature. That disconnect becomes even more apparent when comparing what’s actually causing breaches to what security teams are most concerned about. The most common causes of AI-related breaches include familiar threats: exploited software vulnerabilities (21%), AI model flaws (19%), insider threats (18%), and misconfigured cloud settings (16%). Yet when asked which breach types they’re most concerned about, organizations gravitated toward unfamiliar or “AI-native” risks—such as model manipulation (18%) and the use of unauthorized AI models (15%)—while concerns about insider threats (9%) and compromised credentials (7%) ranked much lower. This misalignment suggests that many security programs are still treating AI as fundamentally novel, rather than applying proven cloud and identity security principles to these new systems.

[Figure: What was the primary cause of the data breach involving an AI workload?]
• Exploited software vulnerabilities: 21%
• AI model security flaw or manipulation: 19%
• Insider threat (malicious or accidental): 18%
• Misconfigured cloud security settings: 16%
• Compromised credentials or weak authentication: 15%

[Figure: Which type of cloud data breaches involving AI workloads is your organization most concerned about?]
• AI model security flaw or manipulation: 18%
• Use of unauthorized AI models in development: 15%
• Misconfigured cloud security settings: 13%
• Prefer not to disclose: 11%
• Unclear or unknown cause: 10%
• Insider threat (malicious or accidental): 9%
• Third-party vendor or supply chain attack: 8%
• Compromised credentials or weak authentication: 7%
• Exploited software vulnerabilities: 5%
• Ineffective decommissioning of pre-production AI assets: 2%

Security controls further illustrate this imbalance. More than half of organizations (51%) rely on compliance frameworks like NIST AI RMF or the EU AI Act to guide their AI security efforts. Regulatory alignment is essential and offers a necessary foundation, but frameworks alone aren’t built to keep pace with the speed and complexity of AI adoption.


A strong security program should proactively address the organization’s specific risk profile. Yet the low adoption of core technical safeguards suggests that many organizations stop at compliance. Only 26% conduct AI-specific security testing such as red teaming, just 22% classify and encrypt AI data, and only 15% have implemented MLOps security practices. This compliance-heavy but technically shallow posture can leave AI workloads exposed.

[Figure: What measures is your organization taking to secure your cloud-based AI systems, workloads, and data?]
• AI security testing: 26%
• Classifying and encrypting AI data: 22%
• MLOps security: 15%

Without deeper technical investment and risk-informed strategies, organizations are in danger of overlooking foundational security practices that already exist in other domains, like identity governance, workload hardening, and data protection. And this accounts only for sanctioned use; with shadow AI on the rise, the unmonitored portion of the AI landscape may pose even greater risk.


Key Finding 6: Time for a Security Strategy Reset

Many security teams know what needs to be done, but their leadership is still operating under outdated assumptions. As cloud and AI deployments expand across hybrid and multi-cloud environments, security complexity is increasing. Yet at the executive level, misconceptions about responsibility and risk are stalling progress and preventing organizations from scaling their security strategies effectively.

As noted previously, many executives still overestimate the security coverage provided by cloud providers or built-in tools, and this misunderstanding shapes how success is measured. Although cloud providers continue to enhance their native security offerings, these are typically limited to their own platforms and do not extend to multi-cloud or hybrid scenarios, leaving gaps in visibility and control. Most organizations still rely on reactive KPIs like incident frequency and severity (43%), while few track more proactive metrics like downtime reduction (21%) or security cost per workload (15%). Compounding this challenge, there are still relatively few solutions that unify visibility and risk assessment across hybrid environments, making it even harder for teams to measure and manage risk holistically. The result is a persistent strategic blind spot. Without clear understanding or meaningful performance indicators, security teams lack the direction and resources to prioritize long-term maturity.

[Figure: How do you demonstrate the KPIs of your cloud security technology investments?]
• Security incident frequency and severity: 43%
• Downtime reduction: 21%
• Security cost per workload/user: 15%

[Figure: Top challenges securing organization’s cloud infrastructure]
• Lack of visibility: 28%
• Complexity of the cloud environment: 27%
• Lack of contextual insight into risks: 23%

The implications are significant. Organizations have complex environments—82% of organizations operate hybrid env
