Qualys, Inc. (NASDAQ: QLYS), a leading provider of cloud-based IT, security and compliance solutions, has published its Cloud Security Forecast 2026 report, warning that cloud compromise is increasingly driven by how environments are designed and operated, rather than by novel attack techniques. The research signals a shift from exploit-driven breaches to design-driven compromise, where risk stems from architectural decisions and operational practices. It highlights consistent patterns across organisations, industries and cloud providers, including over-permissioned identities, expanding trust relationships, and exposure that lingers long enough to be exploited.
Drawing on insights from Qualys Threat Research Unit (TRU), together with findings from the Qualys Cloud and Application Security Maturity Survey 2026 conducted in collaboration with more than 250 global enterprises, the report reveals cloud risk has become a structural, expected byproduct of modern cloud operations. With Agentic AI systems continuously enumerating identities, permissions, and trust relationships, this accelerates the discovery of privilege escalation paths, increasing the importance of autonomous remediation to close that gap. As the interactions between identity systems, SaaS integrations, software supply chains and AI workloads deepen, they increasingly determine how access propagates and how compromise unfolds.
“Cloud compromise is increasingly shaped by identity design and delegated trust — not a single ‘critical’ flaw in isolation. When remediation lags behind the pace of change, small issues combine into real impact. Organisations need to treat access, trust relationships and response speed as core security controls — and govern them continuously. The advantage in 2026 will not come from seeing more signals. It will come from reducing unnecessary access at the same pace at which it is created, and tightening the speed from detection to enforced action,” said Shilpa Gite, Senior Manager, Cloud Security Compliance at Qualys.
Key findings from the Cloud Security Forecast 2026 report
There are three defining signals changing how cloud risk should be read:
1. Identity architecture is deciding who wins the breach race
Cloud authority is encoded in IAM policies, role inheritance and federated trust relationships – creating permission graphs that can enable privilege escalation without exploiting a single vulnerability. Yet governance maturity remains limited, with only 17.3% of organisations implementing Cloud Infrastructure Entitlement Management (CIEM) and 26.1% incorporating identity context into risk prioritisation.
2. Agentic AI is making exploitability the new unit of cloud risk prioritisation
Agentic systems can continuously map identities, policies, OAuth scopes and trust relationships to reveal escalation paths humans rarely detect manually. Instead of treating exposures as isolated technical findings, agentic analysis correlates signals across teams and tools to identify the conditions that create a real path to compromise.
Adoption is advancing quickly: 35.7% of organisations report operating AI/LLM workloads, yet only 19.1% report adequate visibility and controls. At the same time, AI is widening the attack surface as attackers exploit the seams: new machine identities, delegated access and quiet trust relationships introduced across cloud environments.
3. Cloud environments change instantly, while remediation still moves by ticket
While infrastructure-as-code, CI/CD and ephemeral workloads can introduce new roles, secrets and access paths in minutes, 49.4% of organisations still rely on monitoring followed by manual response workflows — creating exploitable delays between change and remediation.
To read the full report, download it here or read the blog post here.
