Organisations fail to master cloud security fundamentals, creating significant cyber exposure gaps. As they adopt complex cloud and hybrid environments, they fail to manage identity-based threats and bridge the internal expertise gap, dangerously exposing themselves to breaches. The State of Cloud and AI Security 2025 report, commissioned by Tenable and developed in collaboration with the Cloud Security Alliance, surveyed over 1,000 IT and security professionals worldwide to understand how organisations adapt their strategies to manage risk across increasingly multi-layered cloud and AI-driven infrastructures.
The modern IT landscape has become a complex infrastructure web, with 82% of organisations now operating hybrid environments and 63% using multiple cloud providers. This shift demands unified security visibility and consistent policy enforcement, yet most organisations lack the controls to manage this fragmentation, creating blind spots that attackers can exploit.
This fragmented landscape has made identity the primary battleground for cloud security. While most organisations (59%) correctly identify insecure identities and permissions as their top cloud risk, their actions fail to address the threat. This is proven by breach data, where the leading causes are directly tied to identity failures like excessive permissions (31%), inconsistent access controls (27%), and weak identity hygiene (27%). These points are not isolated technical errors, but a systemic breakdown in how identity is governed across the enterprise.
Progress is stalled by a persistent and critical lack of expertise, which 34% of organisations cite as their most significant challenge. This skills gap creates a ripple effect that undermines security from the ground up, leading to unclear strategies (39%) and a dangerous disconnect with leadership. In fact, nearly a third of respondents (31%) believe their own executives lack a sufficient understanding of cloud security risks, hindering the alignment, budget, and resources needed to protect the business.
“Identity has become the cloud’s weakest link, but it’s being managed with inconsistent controls and dangerous permissions,” said Liat Hayun, VP of Product and Research at Tenable. “This isn’t just a technical oversight; it’s a systemic governance failure, compounded by a persistent expertise gap that stalls progress from the server room to the boardroom. Until organisations get back to basics, achieving unified visibility and enforcing rigorous identity governance, they will continue to be outmanoeuvred by attackers.”
More information on Tenable Cloud Security is available at: https://www.tenable.com/cloud-security.