As businesses accelerate their use of artificial intelligence, a new report has found a widening gap between innovation and security readiness. The Tenable State of Cloud and AI Security 2025 study warns that leadership teams are relying on outdated strategies and reactive performance measures, leaving organisations vulnerable to preventable cyberattacks.
Reactive security metrics mask real risks
The research, commissioned by Tenable and conducted with the Cloud Security Alliance, surveyed more than 1,000 IT and security professionals globally, including in Singapore. It highlights a culture of measuring failure rather than preventing it. Many organisations continue to track incidents only after they happen, instead of focusing on reducing future risks and strengthening resilience.
The most commonly monitored cloud security key performance indicator, cited by 43% of respondents, is the frequency and severity of security incidents. This rear-facing approach provides little insight into emerging threats. Although organisations reported an average of 2.17 cloud-related breaches in the past 18 months, just 8% categorised any as severe. Experts suggest this downplays the seriousness of incidents and hides underlying weaknesses. Among the most frequent causes of breaches were misconfigured cloud services (33%) and excessive permissions (31%) — both avoidable with stronger controls.
AI adoption outpaces security preparedness
The move towards AI is amplifying the issue. While 55% of companies have adopted AI for business operations, security measures have not kept pace. More than a third (34%) of those using AI reported experiencing an AI-related breach.
A critical mismatch also exists between what leaders fear and what is causing real damage. Security teams worry about advanced, “AI-native” threats such as model manipulation, but most breaches stem from long-standing issues. Exploited software vulnerabilities (21%), insider threats (18%), and misconfigured settings (16%) were among the leading causes of AI-related security incidents.
“Leaders are understandably excited about the promise of AI, but they are applying 21st-century technology to a 20th-century security mindset,” said Liat Hayun, VP of Product and Research at Tenable. “They are measuring the wrong things and worrying about futuristic AI threats while ignoring the foundational weaknesses that attackers are exploiting today. This isn’t a technology problem; it’s a leadership and strategy issue.”
Leadership under pressure to rethink strategy
The report places responsibility on the C-suite for maintaining outdated assumptions that hinder risk management and stall investment in security fundamentals. In modern IT environments — where 82% of organisations run hybrid operations and 63% use multiple cloud providers — executives often overestimate the security offered by their platforms. This misjudgment leads to reliance on reactive metrics and underinvestment in proactive measures.
Visibility and complexity are major hurdles, with 28% of leaders citing a lack of transparency and 27% struggling with the scale of their environments. Yet few are addressing these issues directly. Only 20% prioritise unified risk assessment across their systems, and just 13% are working to simplify and consolidate their security tools.
The study concludes that without a strategic reset led by senior executives, security teams will remain in a reactive mode, unable to scale or adapt to modern threats. As AI adoption deepens and hybrid cloud use expands, organisations that fail to address these leadership-level missteps risk exposing themselves to avoidable breaches and long-term damage.
