Organisations across the globe are still struggling with the fundamentals of cloud security, leaving themselves dangerously vulnerable to cyberattacks despite years of warnings. According to the newly released State of Cloud and AI Security 2025 report by Tenable, in partnership with the Cloud Security Alliance (CSA), a widespread failure to manage identity-based risks and a persistent shortage of internal expertise are exposing companies to breaches at an alarming scale. The study, which surveyed more than 1,000 IT and security professionals worldwide—including those in Asia Pacific—reveals how enterprises are falling behind in safeguarding increasingly complex cloud and hybrid environments.
The modern IT ecosystem has evolved into a tangled mix of infrastructures, with 82% of organisations operating hybrid environments and 63% relying on multiple cloud providers. This fragmented approach requires unified visibility and consistent security policies, yet many organisations lack the necessary controls to manage it effectively. As a result, attackers are exploiting blind spots created by this lack of cohesion.
The report highlights that identity has become the primary battleground for cloud security. Although 59% of organisations recognise insecure identities and permissions as their top risk, most fail to implement effective measures. Breach data confirms this misalignment, showing that excessive permissions (31%), inconsistent access controls (27%), and weak identity hygiene (27%) are the leading causes of cloud security incidents. These issues point to a systemic governance breakdown rather than isolated technical flaws.
Compounding the issue is a critical skills shortage. More than a third of respondents (34%) cite lack of expertise as their biggest challenge, creating a domino effect across strategy, leadership alignment, and resource allocation. The report notes that 39% of organisations suffer from unclear security strategies, while nearly a third (31%) believe their own executives do not adequately understand cloud security risks. This leadership gap further hinders the ability to prioritise and fund essential security measures.
“Identity has become the cloud’s weakest link, but it’s being managed with inconsistent controls and dangerous permissions,” said Liat Hayun, VP of Product and Research at Tenable. “This isn’t just a technical oversight; it’s a systemic governance failure, compounded by a persistent expertise gap that stalls progress from the server room to the boardroom. Until organisations get back to basics, achieving unified visibility and enforcing rigorous identity governance, they will continue to be outmanoeuvred by attackers.”
The report calls for urgent action, urging businesses to strengthen identity governance, address the skills gap, and adopt unified visibility across their cloud and hybrid infrastructures. Without these fundamentals in place, organizations risk falling further behind in an increasingly AI-driven and threat-intensive landscape.