As organisations race to adopt artificial intelligence, a new report from Tenable reveals that many are doing so at the expense of security. The State of Cloud and AI Security 2025 report highlights a growing disconnect between innovation and risk management, showing that outdated assumptions and reactive metrics are leaving organisations more vulnerable than ever.
Surveying over 1,000 IT and security professionals globally, including in India, the report finds that 34% of organisations have already suffered AI-related breaches. Yet leadership remains focused on rearview KPIs, such as incident frequency and severity, which only reflect problems after they occur. While companies reported an average of 2.17 cloud-related breaches in the last 18 months, only 8% classified any as “severe,” suggesting that critical risks are being minimised. Root causes such as misconfigured cloud services (33%) and excessive permissions (31%) are largely preventable, underscoring the shortcomings of reactive strategies.
The rapid adoption of AI further exposes these gaps. Despite 55% of organisations using AI for business needs, security readiness lags behind. Breaches are most often caused by familiar security failures—exploited software vulnerabilities (21%), insider threats (18%), and misconfigured settings (16%)—rather than novel AI-native threats.
“Leaders are understandably excited about AI, but they are applying 21st-century technology to a 20th-century security mindset,” said Liat Hayun, VP of Product and Research at Tenable. “They are measuring the wrong things and worrying about futuristic AI threats while ignoring foundational weaknesses attackers exploit today. This isn’t a technology problem; it’s a leadership and strategy issue.”
The report highlights that in hybrid and multi-cloud environments, executives overestimate platform security, prioritise reactive metrics, and neglect foundational solutions like unified risk assessment (20%) or tool consolidation (13%). Without a strategic reset, even capable security teams remain locked in reactive operations, leaving organisations exposed to preventable threats.
