Cloud and AI Risks Outpace Security Readiness in APAC Enterprises

SINGAPORE, October 9, 2025 – The State of Cloud and AI Security 2025 survey by the Cloud Security Alliance (CSA), sponsored by Tenable, highlights that organisations in the Asia-Pacific (APAC) region account for 18% of the global sample. This underscores the region’s growing role in cloud and AI adoption—yet also its exposure to the same security misalignments affecting enterprises worldwide.

With APAC economies driving digital transformation at scale, the findings point to an urgent need for businesses in the region to strengthen governance, skills, and strategic alignment around cloud and AI security. The survey, based on responses from 1,025 IT and security professionals globally, reflects a mix of industries and organisational sizes, including a significant Asia-Pacific footprint.

Hybrid and Multi-Cloud are Entrenched in APAC and Beyond
The report shows that 82% of organisations operate hybrid environments and 63% use multiple cloud providers, averaging 2.7 platforms. This trend is strongly reflected in Asia-Pacific, where businesses face diverse regulatory environments and cost pressures that drive multi-cloud adoption.

To manage risk across these fragmented systems, organisations are increasingly turning to unified exposure management (58%), cloud security posture management (57%), and extended detection and response (54%). This marks a clear shift away from siloed provider-native tools toward broader governance approaches.

Identity Risks Emerge as a Critical Weak Point
Identity management is now considered the top cloud security risk across regions, including APAC. 59% of organisations flagged insecure identities and risky permissions as their leading concern. Breach analysis showed three of the top four causes were identity-related: excessive permissions (31%), inconsistent access controls (27%), and weak identity hygiene (27%).

In APAC’s diverse digital landscape, where multiple jurisdictions and supply chain dependencies complicate security enforcement, these identity-related vulnerabilities represent systemic risks. While 44% of firms plan to prioritise least privilege models in the next year, most still track only surface-level IAM KPIs like MFA adoption—leaving deeper governance gaps unaddressed.

Skills Gap and Leadership Disconnect
The study finds that a shortage of expertise is the most cited challenge globally (34%), a finding that resonates strongly in Asia-Pacific, where cloud security specialists remain in short supply. The gap is compounded by leadership misalignment: 31% of respondents said executives lack adequate understanding of cloud risks, while 20% assume built-in provider tools are “good enough.”

For APAC firms, which often operate across fragmented regulatory regimes, this lack of leadership clarity creates hurdles for scaling secure cloud strategies and allocating sufficient budgets.

Security Still Measured Reactively
Organisations across regions—including APAC—continue to rely on reactive metrics such as incident frequency and severity (43%) as their top KPI. Yet the survey found firms reported an average of 2.17 cloud breaches in 18 months, most caused by preventable issues such as misconfigurations (33%), excessive permissions (31%), and compromised credentials (15%).

This reactive focus, the report warns, obscures true risk exposure and prevents security teams from demonstrating the value of proactive investment.

AI Adoption Outpaces Security Readiness
The study highlights that 55% of organisations now use AI for active business needs, while another 34% are in experimental phases. However, 34% of firms with AI workloads have already faced AI-related breaches.

In APAC, where AI-driven innovation is accelerating in financial services, healthcare, and logistics, this trend carries significant implications. The report notes a misalignment between real causes of breaches—software vulnerabilities (21%), AI model flaws (19%), insider threats (18%)—and the risks organisations claim to prioritise, such as model manipulation or unauthorised AI use.

Moreover, while 51% of firms rely on compliance frameworks like the EU AI Act or NIST AI RMF, only 26% conduct AI-specific security testing and just 22% encrypt AI data, leaving critical workloads exposed.

A Call for Strategic Reset in APAC

The CSA concludes that without a strategic reset, organisations will remain reactive and fragmented in their cloud and AI security strategies. For Asia-Pacific, this means:

• Investing in unified visibility and governance across hybrid and multi-cloud environments,
• Strengthening identity management beyond basic MFA,
• Focusing KPIs on prevention and resilience,
• Bridging the talent and leadership gap, and
• Treating compliance as a baseline, not a ceiling, for AI security.

As the region continues to outpace much of the world in digital transformation, APAC firms must act swiftly to ensure that their rapid adoption of cloud and AI is matched by equally robust security strategies.

AsiaBizToday