Tenable Research has released its report, “The State of Cloud and AI Security 2025,” revealing that the rapid evolution of hybrid, multi-cloud, and AI systems outpaces current security strategies, introducing new layers of complexity. The study shows that 34% of organizations with AI workloads have already experienced technology-related breaches, and an additional 14% are unsure.
Complex environments dominate, but security isn’t keeping pace
The study highlights that 82% of organizations currently operate in hybrid environments, combining on-premises and cloud infrastructures, while 63% rely on multiple cloud providers. Furthermore, more than half of these companies (55%) have incorporated artificial intelligence (AI) into their operational processes.
However, security measures are not advancing at the same rate as technological adoption. Only one in four organizations (26%) performs security testing specific to AI, 22% apply data classification and encryption, and just 15% have implemented MLOps practices focused on security. As a result, issues such as fragmented visibility, inconsistent identity management, and gaps in risk oversight arise—areas that attackers can exploit.
Identity is the weakest link in cloud security
Identity has emerged as the main vulnerability: 59% of organizations identified unprotected identities and dangerous permissions as the primary security risk to cloud infrastructure. Among those that experienced breaches, three of the top four causes were related to identity—excess permissions (31%), inconsistent access controls (27%), and poor identity hygiene (27%).
While organizations recognize the issue, they face structural challenges in addressing it. The research indicates that 28% report misalignment between cloud and IAM teams, and 21% struggle to implement the principle of least privilege. The most cited priority for the next 12 months is precisely to implement this control (44%) within a Zero Trust strategy.
Incidents have known causes, but focus remains on ‘new’ risks
In practice, AI-related incidents are driven by traditional threats, such as software vulnerabilities (21%), model failures (19%), insider threats (18%), and misconfigurations in the cloud (16%). However, security teams are more concerned about risks considered “new,” such as model manipulation (18%) and the use of unauthorized models (15%), indicating a disconnect between perceived risk and actual threats. This misalignment suggests that many security programs still treat AI as something fundamentally new rather than applying proven cloud and identity security principles to these emerging systems.
Knowledge gaps hinder strategic alignment
The study identifies that 34% of respondents cite a lack of specialized knowledge as the main challenge. Additionally, 31% state that their executive leadership lacks sufficient understanding of cloud security risks, while 20% believe that cloud provider built-in tools are “good enough.”
“Mexican organizations are adopting AI and multi-cloud environments at an unprecedented pace, but many still operate with fragmented tools and lack unified visibility,” says Arturo Barquín, General Director of Tenable Mexico. “It’s essential to transition from a reactive model to a proactive one in managing exposures. Making this leap will not only reduce risk but also build trust with global partners,” he concluded.
Path toward maturity
To strengthen cloud and AI security programs, the study recommends that organizations:
- Prioritize unified visibility and consistent policy enforcement across hybrid and multi-cloud environments
- Invest in identity governance, including controls for minimal privilege identities and non-human identities (AI)
- Expand KPIs to reflect prevention and resilience, not just incident response
- Align leadership understanding with operational realities to support smarter planning and resource allocation
- Go beyond compliance as the ultimate goal of AI security, using it as a foundation for deeper technical safeguards
“We are in the fastest evolution in cloud computing history. Unfortunately, as our research clearly shows, many security strategies are already outdated,” says Jim Reavis, co-founder and CEO of the Cloud Security Alliance. “The risk of standing still grows every day. Organizations need to rethink their approach and develop adaptive, future-ready defenses capable of evolving as quickly as the technology they protect.”