AI adoption outpaces cloud security as leaders rely on old metrics

A new report from Tenable has identified a widening disconnect between organisational AI adoption and the effectiveness of cloud security, with leadership teams found to be focusing on outdated security metrics that increase vulnerability.

The State of Cloud and AI Security 2025 report, developed with the Cloud Security Alliance and based on a survey of over 1,000 IT and security professionals globally, including participants from Singapore, indicates that strategic errors in risk assessment and the use of reactive metrics are exposing companies to preventable breaches.

Measuring failure, not prevention

According to the report, 34% of organisations have already suffered at least one AI-related security breach. The research points to a prevailing culture among leadership that emphasises the severity and frequency of past incidents-metrics tracked by 43% of respondents as key performance indicators-rather than looking ahead to prevent future threats and build resilience.

This retrospective approach, described as a "rearview mirror mindset," creates what Tenable calls a dangerous illusion of security. While the surveyed organisations reported an average of 2.17 cloud-related breaches in the past 18 months, only 8% described any breach as "severe." This perception gap may lead companies to underestimate risks, especially since the most common root causes-misconfigured cloud services (33%) and excessive permissions (31%)-are preventable issues.

The AI paradox

The rapid integration of AI into business operations is exacerbating these challenges. Over half (55%) of organisations surveyed are already utilising AI for active business purposes, yet more than a third (34%) have experienced an AI-related breach, highlighting a mismatch between enthusiasm for AI and security readiness.

The report identifies a misalignment between what security teams perceive as threats and what is causing real breaches. While concerns are elevated around novel, "AI-native" risks like model manipulation, most actual breaches are tied to familiar security fundamentals: exploited software vulnerabilities (21%), insider threats (18%), and misconfigured settings (16%).

Leaders are understandably excited about the promise of AI, but they are applying 21st-century technology to a 20th-century security mindset," said Liat Hayun, VP of Product and Research at Tenable. "They are measuring the wrong things and worrying about futuristic AI threats while ignoring the foundational weaknesses that attackers are exploiting today. This isn't a technology problem; it's a leadership and strategy issue."

Strategic challenges at board level

The findings place the responsibility for these shortcomings on organisational leadership. The report states that "outdated assumptions prevent effective risk management and cripple investment in security fundamentals." The operational environments for many companies are complex: 82% run in hybrid settings, while 63% use multiple cloud platforms. Yet executives often overestimate the level of security offered by these environments and continue to endorse reactive metrics.

Lack of visibility (28%) and complexity (27%) are named as the major barriers faced by leadership, but only 20% of organisations are focused on unified risk assessment and just 13% target tool consolidation as a priority.

According to the report, this continued reliance on fragmented strategies and legacy thinking means that even as security teams attempt to adapt, their efforts are often undermined by limited direction from above. This creates ongoing operational challenges and leaves organisations exposed to breaches that could be averted through more proactive governance.

The report suggests that without a significant shift towards strategic risk management and investment in security basics, companies will remain at risk, regardless of their capabilities in adopting new technologies like AI.