Download Publication

Who it's for:
- CISOs
- Cloud Security Architects
- IT and Security Managers
- IAM Professionals
- Risk and Compliance Officers
The State of Cloud and AI Security 2025
Release Date: 09/09/2025
Updated On: 09/09/2025
This global survey report, developed in partnership with Tenable, examines how organizations are adapting security strategies for hybrid, multi-cloud, and AI-driven environments. Drawing on insights from more than 1,000 professionals, it highlights the widening gap between rapid adoption and security readiness.
Today, the majority of organizations operate hybrid environments and use multiple cloud providers. At the same time, AI workloads are moving quickly into production. Over half of organizations are deploying AI and 34% already report AI-related breaches. Despite this, security programs remain reactive by focusing on incidents rather than prevention and relying on basic identity controls.
This report reveals that identity is the biggest cloud risk. It also highlights the growing skills gap and the many ways organizations leave AI systems unprotected. It offers practical recommendations for resetting security strategies around unified visibility, identity governance, and proactive risk management.
Key Takeaways:
- Over half of organizations (63%) report using more than one cloud provider. Even more (82%) maintain a hybrid infrastructure of some kind.
- Many organizations (59%) identified insecure identities and risky permissions as the top security risk to their cloud infrastructure. However, many of these same organizations lack the structure or workflows to address these issues at scale.
- Lack of expertise is the top challenge to securing cloud infrastructure.
- The most commonly tracked cloud security KPI is security incident frequency and severity. In IAM, the top metric is MFA/SSO adoption rates. Organizations remain focused on surface-level indicators rather than forward-looking measures of performance.
- More than a third of organizations with AI workloads (34%) have already experienced an AI-related breach.
- Only 20% of organizations prioritize unified risk assessment, and only 13% focus on tool consolidation.
Download this Resource
Acknowledgements
Marina Bregkou
Principal Research Analyst, Associate VP, CSA
Marina Bregkou
Principal Research Analyst, Associate VP, CSA

Josh Buker
Research Analyst, CSA
Josh Buker
Research Analyst, CSA

Alex Kaluza
Research Analyst, CSA
Alex Kaluza
Research Analyst, CSA

Ryan Gifford
Senior Research Analyst, CSA
Ryan Gifford
Senior Research Analyst, CSA

John Yeoh
Chief Scientific Officer, CSA
John Yeoh
Chief Scientific Officer, CSA
With over 15 years of experience in research and technology, John excels at executive-level leadership, relationship management, and strategy development. He is a published author, technologist, and researcher with areas of expertise in cybersecurity, cloud computing, information security, and next generation technology (IoT, Big Data, SecaaS, Quantum). John specializes in risk management, third party assessment, GRC, data protection, incid...
Are you a research volunteer? Request to have your profile displayed on the website here.
Interested in helping develop research with CSA?
Related Certificates & Training

Learn the core concepts, best practices and recommendation for securing an organization on the cloud regardless of the provider or platform. Covering all 14 domains from the CSA Security Guidance v4, recommendations from ENISA, and the Cloud Controls Matrix, you will come away understanding how to leverage information from CSA's vendor-neutral research to keep data secure on the cloud.
Learn more
Learn more