As more and more enterprises catapult into an AI-powered future, cloud security is more critical than ever to success and, perhaps even, survival. The velocity of AI adoption is fundamentally changing how cloud environments are managed and expanding the attack surface at a speed that outpaces traditional security models and teams’ ability to protect modern deployments, writes Vincent Hwang of cyber firm Fortinet.
The 2026 State of Cloud Security Report, sponsored by Fortinet and produced by Cybersecurity Insiders and based upon a survey of 1,163 senior cybersecurity leaders and professionals worldwide, reveals a burgeoning cloud complexity gap in the structural mismatch between the velocity of this modern environment and security teams’ ability to maintain consistent visibility, detection, and response in real time.
The growing chasm between cloud complexity and resilience is not due to a lack of investment. Our survey of these experts indicates that while cybersecurity spend is increasing, the maturity and effectiveness of cyber defenses are not keeping pace with the many new use cases that today often include an AI element. Our analysis of the survey data suggests that three reinforcing factors have created the complexity gap. These factors are:
#1: Fragmented defenses
Security solutions are expanding as cloud adoption continues to grow, but frequently without coordination. This results in disconnected tools, inconsistent controls, and limited end-to-end visibility. Cybersecurity teams are forced to manually correlate alerts from multiple systems that were not designed to work together, even though almost 70% of organizations say tool sprawl and visibility gaps are the top hindrances to an effective cloud security solution.
#2: Stretched-thin teams
On top of systems that don’t work well together, organizations are struggling with a skills gap and the inability to hire enough competent cybersecurity professionals. This gap-within-the-gap leaves cybersecurity teams worldwide stretched thin, leading to slow responses and missed alerts or important signals. Seventy-four percent of those surveyed report an active shortage of qualified cybersecurity professionals, while 59% remain in the early stages of cloud security maturity.
#3: Threats operating at machine speed
Threat actors are employing automation and AI to uncover misconfigurations, map permission paths, and identify exposed data faster than human-led defenses can respond. As the time between vulnerability and attack narrows, 66pc of cybersecurity experts surveyed say they lack strong confidence in their ability to detect and respond to cloud threats in real time.
Hybrid, Multi-Cloud Model
Cloud environments are inherently complex—even when built on a single provider—due to distributed architectures, dynamic identities, rapidly expanding services, and complex data flows. For many enterprises, this complexity is compounded by hybrid and multi-cloud deployments that include multiple public clouds, on-premises infrastructure, Software-as-a-Service (SaaS) applications, and distributed users and devices.
Our survey shows that 88%pc of organizations now operate in hybrid or multi-cloud environments, up from 82pc last year. Among them, 81pc rely on two or more cloud providers to run critical workloads (up from 78pc last year), and 29pc report using more than three.
Attack surface
As new providers, services, and users create new configurations, permissions, and data paths, a well-designed cloud infrastructure automatically scales with these additions. However, at the same time, the infrastructure becomes increasingly more complex and more difficult to understand and manage. Thus, the monumental challenge for cybersecurity teams is to secure a constantly evolving environment for visibility, resilience, and operational efficiency.
Ecosystems
To address the security challenges associated with dynamic cloud environments, organizations are reassessing their security strategies. Survey data indicates a clear shift away from function-specific point tools managed in isolation toward unified security ecosystems.
If they were starting from scratch now, 64pc of respondents said they would design their cybersecurity strategy with a single-vendor platform that unites network, cloud, and application security. Why? Security teams are overwhelmed by all the integration required for tools from multiple different vendors. They want fewer platforms and ones that can be integrated with shared data models and coordinated enforcement. More than just a tool reduction effort, this consolidation reduces operational friction while strengthening protection by improving overall visibility, accelerating detection and response, and enabling more proactive threat exposure management.
Reshaping operation
The data in this report paint a clear picture: For organizations to have the most effective cloud security, they must focus on addressing key current issues, including hyper-growth, fragmentation, a limited number of employees with cybersecurity expertise, and AI-driven threats. For organizations pursuing AI strategies, this becomes even more important to ensure a secure foundation and operational practice on which their AI futures should be built.
