Rapid growth of hybrid, multi‑cloud and AI systems has outpaced cloud security strategies, creating new layers of complexity and risk, according to a study.
Most businesses now operate hybrid IT, spanning on‑premises and cloud, and most use more than one cloud provider, managing an average of 2.7 environments. With each IT environment bringing its own tools, policies and shared responsibility models, the cloud and AI workload sprawl creates complex and fragmented systems that leave blind spots for security teams, according to Tenable’s State of Cloud and AI Security 2025 report. The result, the cyber vendor says, is disjointed visibility, inconsistent identity governance, and gaps in risk monitoring that attackers can exploit. As AI-driven workloads add more layers of complexity, identity has become one of the biggest sources of weakness in this environment, with inconsistent governance and excessive permissions regularly cited as drivers of cloud breaches.
This shift is driven by cost pressures, regulatory requirements, and performance needs and, in some cases, has led organisations to move their cloud-based workloads back on‑premises for greater control. Many tools still operate in silos, limiting their ability to unify risk control. Consequently, few organisations have the consistent policy enforcement, identity management, and risk monitoring needed to secure such a diverse IT landscape.
The study, commissioned by Tenable and developed with the Cloud Security Alliance, surveyed more than 1,000 IT and security people worldwide to understand how organisations are adapting their strategies to manage risk across increasingly complex cloud and AI‑driven infrastructures.
Liat Hayun, VP of Product and Research at Tenable, said: “The report confirms what we’re seeing every day in the field. AI workloads are reshaping cloud environments, introducing new risks that traditional tools weren’t built to handle.”
And Jim Reavis, Co-founder and CEO, Cloud Security Alliance, said: “We’re in the middle of the fastest evolution in cloud computing history. Unfortunately, as our research made clear, many security strategies are already behind the curve. The risks of standing still are growing by the day. Organisations need to rethink their approach and build adaptive, future-ready defences that are capable of evolving as fast as the technology they safeguard.”
Meanwhile, a survey of nearly 550 CISOs and security people worldwide about supply chain cyber risks suggests that the way most are managing supply chain cyber risk isn’t keeping pace with expanding threats.
Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard, said: “Supply chain cyberattacks are no longer isolated incidents; they’re a daily reality. Yet breaches persist because third-party risk management remains largely passive, focused on assessments and compliance checklists rather than action. This outdated approach fails to operationalise the insights it gathers. What’s needed is a shift to active defence: supply chain incident response capabilities that close the gap between third-party risk teams and security operations centres, turning continuous monitoring and threat intelligence into real-time action. Static checks won’t stop dynamic threats—only integrated detection and response will.”
Among the findings, nearly 40pc of respondents cite data overload and the inability to prioritise issues and threats as their biggest supply chain cyber challenge.




