As organisations worldwide accelerate their adoption of artificial intelligence (AI) and cloud technologies, a worrying gap between innovation and security is emerging, leaving many businesses increasingly vulnerable. Findings from Tenable’s State of Cloud and AI Security 2025 report, produced in collaboration with the Cloud Security Alliance, reveal that outdated assumptions, reactive performance metrics, and misplaced priorities are exposing organisations to preventable risks. The research, which surveyed more than 1,000 IT and security professionals globally, including those in Singapore, highlights how C-suite leaders’ focus on innovation is overshadowing the need for foundational security strategies.
At the core of this issue is a culture that prioritises measuring incidents after they occur, instead of preventing them. Nearly half of organisations (43%) continue to rely on reactive Key Performance Indicators (KPIs) such as incident frequency and severity—metrics that only highlight damage once it has already happened. While respondents reported an average of 2.17 cloud-related breaches in the past 18 months, just 8% considered any of them severe, suggesting a dangerous minimisation of risks. In many cases, breaches stemmed from basic, avoidable issues such as misconfigured cloud services (33%) and excessive permissions (31%), pointing to failures in addressing fundamental security hygiene.
The rush into AI adoption is amplifying these vulnerabilities. Over half of organisations (55%) already use AI for business-critical operations, yet more than a third (34%) have experienced an AI-related breach. While security teams express concern about novel threats such as model manipulation, the actual causes of AI incidents are familiar weaknesses: exploited software vulnerabilities (21%), insider threats (18%), and misconfigured settings (16%). This disconnect reflects a misalignment between perceived and real risks, leaving organisations blindsided by preventable failures.
Experts argue the root of the problem lies in leadership and strategy rather than technology. “Leaders are understandably excited about the promise of AI, but they are applying 21st-century technology to a 20th-century security mindset,” said Liat Hayun, VP of Product and Research at Tenable. “They are measuring the wrong things and worrying about futuristic AI threats while ignoring the foundational weaknesses that attackers are exploiting today.”
In today’s increasingly hybrid and multi-cloud environments—where 82% of organisations operate across both and 63% use multiple providers—executives often overestimate the level of protection offered by cloud platforms. Challenges such as lack of visibility (28%) and overwhelming complexity (27%) persist, yet few leaders prioritise solutions that address these gaps. Alarmingly, only 20% of organisations are focused on unified risk assessments, and a mere 13% emphasise tool consolidation.
The report stresses that without a strategic reset, even the most capable security teams will remain reactive, unable to scale or adapt effectively. To safeguard against growing threats, leadership must adopt forward-looking risk strategies, invest in fundamentals, and align performance metrics with prevention and resilience. Without these changes, organizations risk turning the very innovations meant to drive growth into gateways for breaches.