Artificial Intelligence has become embedded in executive committees as a promise of increased productivity, cost savings, and new business lines. However, the first Cloudflare App Innovation Report 2026 argues that many organizations are hitting a less glamorous barrier than models or data: legacy infrastructure and applications. This “technical glass ceiling,” as the report describes it, not only slows down actual AI adoption but also leaves companies more vulnerable to increasingly automated cyberattacks.
The message is clear: AI doesn’t scale on fragile foundations. And when organizations try to do so, familiar engineering symptoms appear: projects stuck in pilot stages, interminable integrations, over-reliance on overlapping tools, and security that’s always playing catch-up, firefighting instead of preventing.
A measurable gap: leaders versus laggards
Cloudflare categorizes organizations into three groups based on their application modernization progress: those leading, those on schedule, and those falling behind. The distribution already highlights the size of the challenge: 72% report being behind their modernization timeline, compared to 13% who are ahead and 14% who are on track.
But the gap isn’t just about timing. Modernization acts as a “catalyst” for real AI capabilities. Among leading organizations, 93% say modernization has had a “very positive” impact on their AI capabilities. Among laggards, that percentage drops to 49%. The divide widens when asked about “the basics” for scaling: 96% of leaders believe their infrastructure is sufficient for AI development, versus 74% of laggards; and 95% trust their internal talent to meet AI needs, compared to 72% in the behind group.
This isn’t just a snapshot of technological maturity; it also reflects operational culture. The report emphasizes that leading organizations have simplified processes and decision-making structures to move forward without “paralysis by analysis.” In a landscape where AI introduces continuous changes in products, data, and operations, this agility becomes a competitive advantage.
AI is no longer “adoption”: it’s deep integration
The report highlights a shift in corporate language: the race is no longer about “testing AI,” but about truly integrating it into critical processes and application portfolios. In this transition, Cloudflare describes two mentalities: “builders” who scale, and “spectators” who continue to rebuild foundations.
The result is uneven acceleration. Among leaders, 74% plan to double their AI integration in the next year, whereas among laggards, the figure drops to 58%. The implicit takeaway for those behind: the more delayed the modernization, the harder it becomes to justify AI investments with visible returns, leading to greater reliance on tactical initiatives rather than structural change.
Security by design: building versus “just patching”
The report stresses that modernization and security shouldn’t operate as separate departments that “hand off tickets.” When done separately, organizations risk falling into a cycle: each new system adds complexity, visibility diminishes, and operational effort is consumed in mitigation. When aligned, security ceases to be a bottleneck and instead enables agility.
Cloudflare offers a revealing statistic: among those leading in modernization, 71% say aligning security and modernization initiatives is “very easy.” Among laggards, only 32% share this view. Furthermore, the report notes that organizations finding this alignment “easy” are almost four times more likely to be far along in AI deployment than those finding it “difficult.” In other words, security isn’t an add-on; it’s a core part of the architecture that enables scaling.
And when this architecture fails, costs multiply. The report indicates that 98% of organizations experiencing a security incident in applications last year reported multiple negative consequences. Costs cited include system recovery and restoration (37%), employee productivity loss (35%), and increased costs associated with data breaches (34%). For companies still “building from scratch,” incident response and investigation tend to be more expensive—not due to lack of will, but due to lack of structure.
The silent enemy: stack complexity
A transversal issue across the sample is the proliferation of tools, vendors, and layers. Cloudflare points out that over 96% of organizations have spent time in the past 12 months consolidating their tech stacks. But consolidation isn’t just “removing tools”: it involves resolving dependencies, redesigning integrations, unifying observability, and reducing blind spots—especially in APIs and distributed data flows.
Additionally, the report offers an interesting insight on productivity: modernization doesn’t always immediately “free up” engineering time. In fact, 53% of leading organizations say their developers spend more time maintaining and modernizing existing systems than building new ones. Conversely, among laggards, 75% devote more time to “new” development, primarily because they’re still laying the foundation that leaders already have. The end result is the same: without a coherent platform, time is spent on configuration, maintenance, and compliance, leaving little room for innovation.
A warning for 2026: modernize or be defined by those who already have
Cloudflare frames this debate as a turning point: artificial intelligence, the rise of sophisticated threats, and increasing user expectations are “rewriting the rules of competition.” The report summarises with a direct call to action: modernize the entire stack—applications and infrastructure—on a unified platform to avoid being trapped in a cycle of technical debt, incidents, and missed opportunities.
Beyond the corporate message, the value of the report lies in quantifying a phenomenon many companies already sensed: AI doesn’t break the glass ceiling; it makes it visible.
Frequently Asked Questions
What is application modernization and why does it impact AI success in companies?
It involves re-architecting applications, data, and processes to become more flexible, observable, and secure. AI requires access to real-time data, rapid integrations, and scalable infrastructure; without that foundation, it remains in pilots.
What signs indicate a company is hitting the “technical glass ceiling” with AI?
AI projects that fail to go into production, slow integrations, lack of end-to-end visibility, over-dependence on tools, risky deployments, and predominantly reactive security after incidents.
Where should organizations start if they have legacy systems and multi-cloud/hybrid setups?
A practical approach usually combines inventorying applications, consolidating critical tools (for observability and security), automation (infrastructure as code), and phased roadmaps (rehosting, replatforming, refactoring) based on impact and risk.
How does stack consolidation relate to API security?
Reducing vendors and layers often improves visibility and policy control, making it easier to apply consistent protections. Fragmented environments tend to turn APIs into blind spots: they change rapidly, are more exposed, and are harder to govern.