AI & cloud security lag as firms rely on outdated measures

Research from Tenable highlights a significant misalignment between the adoption of artificial intelligence and cloud technologies and the effectiveness of current security strategies.

Tenable's State of Cloud and AI Security 2025 report, based on a global survey of over 1,000 IT and security professionals, including respondents from Australia, identifies a concerning reliance on reactive security measures instead of preventive actions.

Reactive measurement

The findings reveal that organisations are predominantly using backward-looking Key Performance Indicators (KPIs) when evaluating cloud security. According to the report, 43% of organisations typically track the frequency and severity of security incidents. This approach assesses incidents only after they have occurred, rather than employing proactive metrics aimed at reducing risk and strengthening resilience.

Within the last 18 months, organisations reported an average of 2.17 cloud-related breaches. However, only 8% of such incidents were classified as "severe." The report notes this low percentage suggests that the impact of many incidents could be underplayed, potentially concealing the real risk landscape. Major causes of these breaches included misconfigured cloud services (33%) and excessive permissions (31%), both of which are identified as preventable weaknesses.

AI use and preparedness

The adoption of artificial intelligence continues to rise, with 55% of surveyed organisations stating they use AI for core business functions. Despite this, security preparedness is lagging. Over a third-34%-of organisations have experienced an AI-related breach to date.

According to the research, security teams express the greatest concern over new "AI-native" threats, such as manipulation of AI models. Nevertheless, the data indicates that the most common causes of AI-related breaches stem from traditional security failures. The report highlights exploited software vulnerabilities (21%), insider threats (18%), and misconfigured settings (16%) as the most frequently observed causes, rather than advanced or novel forms of attack.

Leadership challenges

Leaders are understandably excited about the promise of AI, but they are applying 21st-century technology to a 20th-century security mindset," said Liat Hayun, VP of Product and Research at Tenable. "They are measuring the wrong things and worrying about futuristic AI threats while ignoring the foundational weaknesses that attackers are exploiting today. This isn't a technology problem; it's a leadership and strategy issue.

The research attributes much of the failure to address preventable security issues to leadership decisions. The report argues that executives often operate under outdated assumptions, resulting in an overreliance on the perceived security of cloud platforms and a continued focus on reactive measures. In environments where 82% of organisations use a hybrid IT model and 63% rely on multiple cloud vendors, leaders are also confronted with challenges such as insufficient visibility (28%) and high complexity (27%).

Foundation of security gaps

Despite these challenges, the report finds that only a small proportion of leadership is acting on foundational reforms. Just 20% of organisations prioritise unified risk assessment across all cloud environments, and only 13% focus on consolidating security tools-both of which are recommended strategies for closing visibility gaps and simplifying security processes.

The report concludes that until organisations change their strategic approach from reactive to proactive, security teams will continue to face limitations in their ability to anticipate and prevent incidents. This leaves organisations, especially those rapidly implementing AI, exposed to risks that are both immediate and preventable.