Inconsistent identity controls and dangerous permissions are emerging as the cloud’s weakest link, according to a new report from cybersecurity firm Tenable and the Cloud Security Alliance.
Although 59% of organisations cite insecure identities and permissions as their top cloud risk, data breaches continue to be driven by failures such as excessive permissions (31%), inconsistent access controls (27%) and weak identity hygiene (27%).
“This isn't just a technical oversight; it's a systemic governance failure, compounded by a persistent expertise gap that stalls progress from the server room to the boardroom,” says Liat Hayun, Tenable’s vice president of product and research.
The State of Cloud and AI Security 2025 research shows that identity is being undermined by fragmented oversight in increasingly complex IT estates. Today, 82% of companies operate hybrid environments and 63% use multiple cloud providers, making consistent policy enforcement and visibility difficult to achieve. The resulting blind spots have become fertile ground for attackers.
That fragmentation is amplified by a lack of skills. More than a third of organisations say they do not have the expertise to close identity gaps, with 39% citing unclear strategies. Thirty-one per cent also report that their executives fail to grasp the scale of cloud security risks, hindering the alignment, budget, and resources needed to protect the business.
“Until organisations get back to basics, achieving unified visibility and enforcing rigorous identity governance, they will continue to be outmanoeuvred by attackers,” warns Hayun.