Cloud security is stuck in slow motion


Cloud environments are moving faster than the systems meant to protect them. A new Palo Alto Networks study shows security teams struggling to keep up with development cycles, growing cloud sprawl, and attacker tactics that now compress breaches into minutes instead of weeks.

Cloud serves as the default operating environment

Production workloads now run primarily in cloud environments, with public cloud services carrying a growing share of sensitive systems and data. Enterprises rarely rely on a single provider. Multicloud usage is common, and hybrid architectures shape daily operations.

This environment combines virtual machines, containers, managed services, and serverless workloads within the same estates. Security teams manage identities, permissions, data access, and configuration across layers that change constantly. The research shows that risk increasingly stems from operational complexity.

Software ships faster than controls adapt

Weekly deployments are now routine, and many organizations push code daily. Generative AI tools support nearly every development team, adding large volumes of machine-generated code to pipelines that already move quickly.

Security teams report difficulty enforcing guardrails before release. High-severity issues still reach production when pre-deploy controls lag behind delivery speed or integrate poorly with CI/CD workflows. Developer resistance and alert noise add friction.

Once vulnerabilities reach production, fixes take time. Most organizations report that deploying a code fix takes more than a week. Few teams prioritize issues using runtime context, which creates uncertainty about which flaws pose immediate risk.

Data exposure tracks identity and sprawl

Fragmented environments rank as the top data security concern, followed closely by overly broad identity permissions and weak secret handling. These issues cut across cloud accounts, SaaS platforms, and automation pipelines.

Manual processes remain common for identifying sensitive data. At cloud scale, this creates blind spots. Data moves between systems without consistent tagging or inventory, which complicates enforcement and early detection.

Data loss often occurs through everyday business tools. Misuse of SaaS sync and export features tops the reported exfiltration paths, alongside oversharing and compromised credentials. Direct public exposure still appears, though less often than identity-driven issues.

Incident response shows signs of strain

Every organization surveyed experienced multiple types of security incidents in the past year. API-related attacks increased faster than any other category, reflecting growing automation and interface sprawl. Identity-based threats and long-running intrusions also rose.

Teams often detect and contain threats within a day, but closing incidents takes longer. Analysts spend much of their time gathering and correlating data from disconnected tools, which slows decisions during active events.

Cloud security, application security, and SOC teams often operate with separate workflows and telemetry. Many organizations struggle to build a single timeline that shows how an attack unfolds across environments.

AI expands the attack surface

AI systems run in production across most organizations, embedded directly into existing cloud infrastructure. Security leaders point first to risks in cloud platforms and CI/CD pipelines that support model training and deployment. Data protection and regulatory pressure follow close behind.

Attacks targeting AI systems appear widespread. Common techniques include data leakage through assistants or plugins, supply chain tampering, token abuse, and prompt manipulation. Many of these paths rely on exposed APIs and permissive access rather than direct model flaws.

The research also highlights how AI accelerates attackers. Tools that generate convincing phishing content, automate reconnaissance, or exploit interfaces reduce the time needed to move from access to impact.


