As organisations aggressively pursue technologies like artificial intelligence, a dangerous disconnect is growing between innovation and security. Data from Tenable’s State of Cloud and AI Security 2025 report reveals that critical strategic errors – from a reliance on outdated assumptions to the use of purely reactive performance metrics – are leaving organisations more vulnerable than ever. This approach challenges the C-suite’s decision-making and priorities, suggesting that the very strategies intended to drive growth are instead creating a perfect storm for breaches. The research commissioned by Tenable and developed in collaboration by the Cloud Security Alliance surveyed more than 1,000 IT and security professionals worldwide, including [Australia/India/Japan/Singapore].

The foundation of this vulnerability lies in a culture that measures failure instead of preventing it. Key Performance Indicators (KPIs) remain stubbornly reactive, focusing on incidents after they occur rather than on forward-looking risk reduction and resilience. The most commonly tracked cloud security KPI, cited by 43% of organisations, is security incident frequency and severity, a metric that only has value after a compromise. This rearview mirror mindset creates a dangerous illusion of security. While organisations reported an average of 2.17 cloud-related breaches in the last 18 months, a mere 8% categorised any of them as “severe.” This discrepancy suggests incidents are being minimised, obscuring the true risk, especially when the root causes, such as misconfigured cloud services (33%) and excessive permissions (31%), are preventable.

This reactive approach to cybersecurity is amplified by the rapid, yet unprepared, adoption of AI. While 55% of organisations are already using AI for active business needs, their security readiness has not kept pace, with more than a third (34%) of them having already experienced an AI-related breach. A critical misalignment exists between perceived and actual threats. Security teams are most concerned about novel, “AI-native” risks like model manipulation, yet the most common causes of AI breaches are familiar, fundamental security failures such as exploited software vulnerabilities (21%), insider threats (18%), and misconfigured settings (16%).

“Leaders are understandably excited about the promise of AI, but they are applying 21st-century technology to a 20th-century security mindset,” said Liat Hayun, VP of Product and Research at Tenable. “They are measuring the wrong things and worrying about futuristic AI threats while ignoring the foundational weaknesses that attackers are exploiting today. This isn’t a technology problem; it’s a leadership and strategy issue.”

Ultimately, the failure rests with leadership, where outdated assumptions prevent effective risk management and cripple investment in security fundamentals. In today’s complex environments, where 82% of organisations operate in a hybrid model and 63% are multi-cloud, executives often overestimate the security provided by cloud platforms, leading them to endorse reactive metrics. They face significant challenges, including a lack of visibility (28%) and overwhelming complexity (27%), yet fail to prioritise foundational solutions that can overcome the visibility gap and simplify risk reduction. Only 20% focus on unified risk assessment and a mere 13% on tool consolidation. To break this cycle, leadership must enact a strategic reset. Until that reset occurs, even the most capable security teams will remain locked in reactive operations, unable to scale or adapt, leaving their organisations exposed to preventable threats. Download the report here.

More information on Tenable Cloud Security is available at: https://www.tenable.com/cloud-security