The promise of the cloud has always been scale, speed, and flexibility. Yet the rapid adoption of hybrid and multi-cloud strategies has brought with it a new set of burdens, fragmented visibility, fragile identity controls, and a chronic shortage of skilled defenders and often leaves organizations more vulnerable.
The latest State of Cloud and AI Security 2025 report from Tenable and the Cloud Security Alliance captures this paradox clearly (Tenable, 2025). The cloud enables transformation, but it also exposes the cracks in how organizations govern, secure, and staff their environments.
"We’re in the middle of the fastest evolution in cloud computing history,” according to Jim Reavis, the Co-founder and CEO of Cloud Security Alliance. “Unfortunately, as our research made clear, many security strategies are already behind the curve.”
The vast majority organizations (82 percent) operate hybrid environments, while 63 percent spread workloads across multiple providers. On paper, this looks like resilience: diverse environments, redundant systems, and flexibility to avoid lock-in. In reality, every additional cloud introduces its own dashboards, security models, and quirks. Policies shift from one platform to another, visibility fragments, and blind spots multiply. Complexity does not just challenge defenders; it empowers attackers who exploit gaps between environments.
Identity is the foundation of cloud governance, yet it remains the weakest pillar of governance. 59 percent of organizations rank insecure identities and permissions as their top cloud risk. Breach data reveals the cost of this weakness: 31 percent of incidents link back to excessive permissions, 27 percent to inconsistent access controls, and 27 percent to poor identity hygiene. These are not minor missteps. They point to a systemic governance issue where identity is treated as a technical detail rather than a business-critical foundation.
Behind these gaps, there is a persistent human issue. 34 percent of professionals in the study identify lack of expertise as the single greatest challenge. Another 39 percent admit that their organizations operate without clear cloud security strategies, while 31 percent point to executives who still do not fully understand cloud risks. Without skills, teams cannot enforce policies effectively. Without leadership alignment, budgets and resources remain constrained. The result is a recurring cycle: adoption accelerates, defenses lag, and attackers exploit the difference.
Cloud complexity will deepen as enterprises continue to expand hybrid deployments and experiment with artificial intelligence workloads. This trajectory makes unified visibility, rigorous identity governance, and a stronger talent pipeline non-negotiable.
Security cannot exist as a compliance checkpoint or a bolt-on after deployment. It must be designed into architectures, operational models, and executive strategies and elevate security from a defensive cost centre into a strategic enabler of trust and resilience.
Attackers operate with an advantage that defenders rarely acknowledge. They require only one overlooked misconfiguration or forgotten asset. Defenders must safeguard thousands of assets across fragmented, shifting environments. The math is unforgiving. Until organizations address cloud governance with the same urgency as cloud adoption, the imbalance will persist, and complexity will remain the attacker’s most reliable ally.