Organisations are falling short on basic cloud security practices, exposing themselves to breaches despite years of industry warnings.
This is the key finding of the State of Cloud and AI Security 2025 report from Tenable and the Cloud Security Alliance (CSA). The study surveyed more than 1,000 IT and security professionals worldwide, including those in the Asia Pacific. It revealed that as businesses rapidly adopt cloud and hybrid infrastructures, they struggle to manage identity threats and fill internal skills gaps.
The numbers show the scale of the challenge. Today, 82% of organisations run hybrid environments and 63% use multiple cloud providers. This trend demands unified visibility and consistent security policies. Yet many firms lack proper controls, creating blind spots that attackers exploit.
Identity management emerged as the most critical weakness. While 59% of organisations rank insecure identities and permissions as their top cloud risk, most fail to take action. Breach data confirms the danger. Excessive permissions (31%), inconsistent access controls (27%), and poor identity hygiene (27%) are leading causes of cloud breaches. These failures show a systemic governance issue, not just isolated mistakes.
Skills shortages deepen the problem. Thirty-four percent of organisations said lack of expertise is their top challenge. This gap undermines strategy, with 39% pointing to unclear security plans and 31% stating executives do not fully understand cloud security risks. The lack of alignment between leadership and IT further weakens defences.
“Identity has become the cloud’s weakest link, but it’s being managed with inconsistent controls and dangerous permissions,” said Liat Hayun, VP of Product and Research at Tenable. “Until organisations achieve unified visibility and enforce strong identity governance, they will continue to be outmanoeuvred by attackers.”
The report warns that unless organisations return to cloud security fundamentals, their adoption of advanced technologies like AI will only magnify existing vulnerabilities.
