When a cloud casts a shadow



A number of workloads moved to the cloud years ago, but the thinking needed to protect them is still catching up. According to Red Hat’s ‘The State of Cloud-Native Security 2026’ report, 97% of organisations had at least one cloud-native security incident in the past year, and 74% slowed or delayed application deployments because of security concerns. There’s nothing unusual about this. Misconfigurations and known vulnerabilities lead the list of incident types, which means that everyday lapses like leaving a storage bucket open or deploying an unpatched container are actually causing more trouble than sophisticated attacks. “Security often takes a backseat for the sake of innovation and velocity,” says Seagyn Davis, field CTO for cloud and modernisation at LSD Open. “We don’t see many organisations investing in proactive security measures until the real threat of a breach either happens to them or is made known to them.”

Moving to the cloud exposes gaps that are only noticed once workloads are running there. Teams start seeing behaviour they never had to account for on-premises, including lateral movement between virtual machines and applications that traditional firewalls were never designed to detect. By then, the environment is already built on assumptions that do not match how it behaves. Hybrid and multicloud setups only make this harder to untangle as very few environments today run on a single cloud platform. “Organisations that moved to the cloud expanded their attack surface,” says Tunde Abagun, sales lead for West, East and Central Africa at Nutanix. 

Seagyn Davis, LSD Open


“Operating in multiple cloud environments creates new opportunities for threats such as ransomware and data breaches to emerge.” The fragmentation is operational too, because patching, resolving incompatibilities and keeping security consistent across a multivendor estate stretches cybersecurity resources that were already thin. Davis says timing is part of the problem. On-premises infrastructure is divided between specialist teams such as networking, security, storage and virtualisation. In the cloud, those people are often brought in too late. He says observability is still treated as something to think about once environments become large and complex rather than something that should have been part of day-zero planning, which means visibility gaps are baked in long before anyone starts looking for them.

Every organisation needs to have at least one individual who is extremely passionate about security and is given the time to fully map out the organisation’s security roadmap.

Seagyn Davis, LSD Open

Cloud certification courses teach the shared responsibility model, and every compliance auditor asks about it. The idea is straightforward: cloud providers secure the infrastructure, and customers are responsible for what runs on top of it. “Fundamentally not knowing or understanding the shared responsibility model is often the first breakdown point,” says Davis, adding that this is particularly true in large organisations where the team that was originally presented with it no longer exists or never communicated it to current teams. It seems that the shared responsibility model was built for a simpler cloud environment. When organisations rented virtual servers and ran their own software on them, the line between provider and customer was clear, but that is not how cloud estates are architected anymore.

Multicloud environments, third-party SaaS integrations and AI features that are seemingly now in every platform have changed the estate so many times that even the best-run IT teams may not be able to tell where their responsibilities end and the providers’ begin. This results in siloed environments and gaps in visibility, making it harder to maintain consistent protection across the business. A business unit can adopt a new SaaS tool because it solves a problem today and by the time security hears about it, the tool has already collected months of data and is now connected to systems nobody realised it could reach. A vendor that does not comply with security requirements leaves the customer exposed, regardless of how well the customer has managed their own obligations.

“Even something as basic as a cloud-provided operating system image is regularly patched, but carries no guarantee of being vulnerability-free,” Davis says. “Customers still need to scan their own instances to understand their actual exposure.” AI systems complicate this because they often arrive enabled by default and start reading data the original contract never contemplated. The shared responsibility model has no language for a feature that appears overnight and shifts the boundary without telling anyone.

Tunde Abagun, Nutanix


According to SentinelOne, 95% of cloud security failures stem from human error rather than platform flaws. “I believe that most failures, whether application or security, are always a system or process issue,” Davis says. “Whether that system is wrong or just missing, it’s still a system issue.” The person who misconfigures a storage bucket is usually working in a system that allowed the mistake to happen in the first place. What the structural fix actually requires is dedicated attention. “Every organisation needs to have at least one individual who is extremely passionate about security and is given the time to fully map out an organisation’s security roadmap,” says Davis.

He adds that threat modelling is still missing in many environments, which means nobody has mapped where the real concerns are. Even though off-the-shelf tools may catch common missteps, they cannot map the scope of a threat across every organisation’s specific ecosystem. Investment follows incidents, and security becomes something revisited after an uncomfortable meeting instead of something that shapes decisions from the start.

Operating in multiple cloud environments creates new opportunities for threats such as ransomware and data breaches to emerge.

Tunde Abagun, Nutanix

Moving between IaaS and PaaS changes the responsibility model. With IaaS, the burden of managing physical hardware is gone, but responsibility shifts to the organisation to manage virtual infrastructure, operating systems and applications. PaaS providers take on considerably more, which sounds like a relief. “It leaves the organisation at the mercy of the PaaS provider, ensuring they comply and enforce all security measures in all facets of their responsibility,” says Davis. Compliance certifications offer some assurance, but they are not guarantees of security compliance all of the time. Both models also reduce visibility into underlying infrastructure, making it significantly harder to detect vulnerabilities or monitor performance at a granular level. 

“When organisations adopt multiple cloud providers, this complexity increases further, as they must navigate APIs, billing models and service structures without standardisation,” says Abagun, from Nutanix. The ease of provisioning resources creates its own problems because sprawl happens quietly and the bill arrives before anyone has noticed the waste. The more abstract the platform becomes, the easier it is to lose sight of what is actually running and who is responsible for it, and this loss of visibility is where most of the surprises tend to hide. An organisation that has invested deeply in its own security ownership will always have more visibility and control than one relying on a provider’s certifications alone.

Source: Cyberarc


A 2026 Cloud Security Alliance survey found that 82% of enterprises have unknown AI agents running in their IT infrastructure and 65% have experienced AI agent-related incidents in the past year. The agents are already there, operating in cloud environments that were not designed to govern them, and most organisations have no clear picture of what those agents are accessing or doing. “Agentic AI gives attackers the ability to run multiple attack vectors against systems simultaneously, attack paths that were once considered impossible,” says Davis. “It is no longer sufficient to be protected against common attack paths.” Used defensively, the same capability offers a way to probe systems more thoroughly than any penetration tester working within a fixed scope. “Using agentic AI to test and even improve your security posture is a must for every security strategy in 2026,” says Davis. It is one of the few areas where the offensive and defensive sides are learning at the same speed, which is not something the industry is used to.

Theoretical security strategies look fine on paper, but whether they hold up against a real attacker is a different question entirely. “A company passes a technical audit with a strategy, but doesn’t have a fully security tested team,” he says. Penetration testers who run the same playbook every engagement will not find what a motivated attacker would, and organisations that treat an annual audit as a proxy for genuine security readiness are ticking a box rather than managing a risk. Organisations with the strongest security practices are rarely the ones with the most certifications, but the ones where security is tested continuously, built into every layer from the start and treated as an ongoing operational commitment rather than a periodic exercise. “We don’t have to sacrifice output for security,” says Davis. “Maintaining innovation velocity doesn’t have to be affected if the correct processes are put into place.”