Are cloud providers neglecting security to chase AI?

For years, cloud computing was synonymous with transformative innovation and, perhaps more importantly, robust security. Cloud providers proudly marketed their platforms as safer and more resilient than anything enterprise IT could match.

They held themselves as stewards of trust and protection, armed with unified defenses and economies of scale to counter ever-evolving cyberthreats. But an unsettling trend now challenges this narrative. Recent research, including the “State of Cloud and AI Security 2025” report conducted by the Cloud Security Alliance (CSA) in partnership with cybersecurity company Tenable, highlights that cloud security, once considered best in class, is becoming more fragmented and misaligned, leaving organizations vulnerable.

The issue isn’t a lack of resources or funding—it’s an alarming shift in priorities by cloud providers. As investment and innovative energies focus more on artificial intelligence and hybrid cloud development, security efforts appear to be falling behind. If this neglect persists, cloud platforms could lose their position as the trusted foundation of enterprise IT.

Security is foundational

It’s hard to overstate the role security played in businesses’ enthusiastic migration to the public cloud. Faced with challenges like distributed denial-of-service (DDoS) attacks, ransomware, and insider threats, enterprises looked to major cloud providers for technological sophistication and scalable, built-in security frameworks. The promise of superior controls, proactive defenses, and shared responsibility models led organizations to confidently leap to these platforms.

Now, however, according to the CSA/Tenable report, 82% of organizations now manage hybrid setups that combine on-premises and cloud systems, while 63% use more than one cloud provider. These multicloud strategies average 2.7 cloud environments per organization, resulting in large, fragmented infrastructures that traditional security tools find difficult to defend.

The dangers of this complexity are made worse by what the report calls the weakest link in cloud security: identity and access management (IAM). Nearly 59% of respondents cited insecure identities and risky permissions as their main concerns, with excessive permissions and poor identity hygiene among the top reasons for breaches. Respondents said that, alarmingly, identity management was poorly enforced and scattered across hybrid systems. Differences between IAM teams and cloud operations teams are a common issue, with organizations struggling to follow best practices such as enforcing least-privilege access or monitoring identity-related KPIs.

The consequences of these failures are becoming increasingly clear as reactive approaches dominate organizational cloud security postures. According to the report, the most commonly tracked cloud security metric remains incident frequency and severity—indicators that only measure the damage after attackers have already exploited vulnerabilities. Unsurprisingly, respondents reported an average of two cloud-related breaches in the past 18 months, with misconfigured systems and excessive permissions topping the list of root causes. These findings suggest that enterprises are still responding to crises rather than devoting sufficient resources to proactive resilience.

Too much focus on AI

The survey data that demands our attention isn’t the rise in breaches or identity mismanagement; it’s the strategic decisions being made at the highest levels of the cloud ecosystem. The report states that 55% of organizations actively leverage AI workloads today, with another 34% experimenting with AI-driven systems. While AI investments and innovations dominate the agendas of cloud providers, security seems relegated to the background. These workloads introduce risks that are neither well-understood nor adequately addressed.

In fact, 34% of organizations that use AI for business needs have already experienced AI-related breaches caused by software vulnerabilities, insider threats, or misconfigured environments. The data highlights a key contradiction: Companies fear new AI-related threats such as model manipulation or rogue AI use, but the breaches they face often come from the usual vulnerabilities rooted in complacency and a lack of proper safeguards. Despite industry awareness of these risks, few organizations prioritize essential technical measures such as AI data encryption or security testing for machine learning operations (MLOps).

The obsession with AI reflects a skewed set of priorities among cloud providers, whose marketing and engineering road maps remain overwhelmingly centered on enabling workloads like generative AI while security is pushed to the side. This approach may make good business sense in the short term due to the AI boom, but it leaves enterprises vulnerable and weakens the trust that initially propelled public cloud platforms to prominence.

Even as organizations advocate for greater strategic alignment and holistic risk management, the shift away from security-first mindsets is clear in the metrics. Research shows that only 20% of organizations prioritize unified risk assessments, and a mere 13% focus on tool consolidation. Without coordinated efforts to break down silos and track specific metrics such as privilege misuse or access anomalies (rather than vague measures of compliance), organizations face an increasing risk of preventable breaches. As hybrid cloud setups become more common, the fragmented visibility across these environments will only create more opportunities for attackers.

Get your priorities straight

Deprioritizing security in favor of AI products is a gamble cloud providers appear willing to take, but there are clear signs that enterprises might not follow them down this path forever. The CSA/Tenable report highlights that 31% of surveyed respondents believe their executive leadership fails to grasp the nuances of cloud security, and many have uncritically relied on native tools from cloud vendors without adding extra protections. Historically, strong security guarantees from cloud providers justified such trust, but as evidence grows that these guarantees no longer match the expanding threat landscape, enterprises might seek alternatives or reconsider their dependence on public cloud vendors entirely.

Here’s the sobering truth: If cloud providers continue to treat security as an afterthought, it could be their undoing in the long term. AI might be exciting and lucrative, but security remains the linchpin of enterprise trust. Once lost, trust will be hard to regain.

To the major players in this space: You’ve been warned. Rapid innovation is crucial, but neglecting security can damage your credibility and competitive edge. Without swift action, the public cloud might lose its status as the top platform for enterprises globally. Unless providers recommit to security excellence, their most valuable customers may start to wonder if their cloud is truly safer than their on-premises systems.