In the fast-evolving landscape of 2026, the cloud has moved beyond a simple infrastructure choice to become the primary engine for AI-driven enterprise transformation. However, a landmark report from Fortinet, "2026 Cloud Security Report: Closing the Cloud Complexity Gap," reveals a sobering reality: security teams are falling behind.
The report, which surveyed more than 1,100 global cybersecurity leaders, identifies a "Cloud Complexity Gap"—a structural mismatch between the blistering velocity of modern cloud environments and a security team's ability to maintain real-time visibility and response.
For CISOs, the report highlights that the problem isn't necessarily a lack of funding. While 62% of organizations expect their cloud security budgets to increase this year, 59% remain stuck in the "initial" or "developing" stages of security maturity. This "Budget-Maturity Gap" is fueled by three primary factors:
Fragmented defenses: 69% of organizations name tool sprawl and visibility gaps as their top barrier. Managing disconnected tools leads to "alert fatigue" and forces teams to manually correlate data across systems that weren't designed to work together.
Stretched talent: 74% of organizations are struggling with an active shortage of cybersecurity professionals. This shortage is most acute in roles requiring expertise across infrastructure, identity, and data layers.
Machine-speed adversaries: Attackers are now using AI and automation to map permission paths and discover misconfigurations faster than human-led teams can react. As a result, 66% of organizations lack high confidence in their ability to respond to cloud threats in real time.
The report underscores that as organizations rush to integrate AI, the attack surface expands not just in size, but in fragmentation.
Non-Human Identities (NHIs): Automated workflows and AI agents have multiplied the number of identities to manage, making Identity & Access Security the top concern for 77% of respondents.
The automation gap: While 37% of organizations use automation for basic alerts, only 11% have achieved fully autonomous remediation capabilities. This leaves a dangerous window between detection and action that AI-powered attackers are eager to exploit.
The risk exposure chain: Breaches are rarely isolated events; they follow an "exposure chain" where a misconfiguration leads to an overprivileged identity, which finally leads to data theft. Traditional siloed tools only see one link in the chain at a time.
The complexity has reached a breaking point. In a significant shift, 64% of organizations now say they would prefer a single-vendor platform that unifies network, cloud, and application security if they were starting their strategy today. This is a clear rejection of the "best-of-breed" approach (favored by only 27%), which has historically contributed to the integration overhead and visibility silos currently plaguing SecOps teams.
To close the gap, Fortinet suggests moving from function-specific tools toward unified security ecosystems. Here are the five guiding principles for CISOs in 2026:
Treat visibility as a foundation: Establish a baseline of shared visibility across all cloud accounts, identities, and workloads.
Reduce fragmentation: Rationalize your toolset and consolidate around telemetry and policies that share context.
Connect risk domains: Stop looking at identity, configuration, and data as silos; assess how they interact to create attack paths.
Automate for outcomes: Move beyond alert-only automation toward remediation workflows that can keep pace with machine-speed threats.
Extend integration: Ensure your cloud security isn't an island; integrate it with your broader network and endpoint visibility.
We asked some cybersecurity experts from the vendor community for their thoughts.
Diana Kelley, CISO at Noma Security, said:
"Fortinet's 2026 Cloud Security Report captures a reality that I see every day as a CISO and consistently hear from practitioner peers. Cloud adoption across IaaS, PaaS, and SaaS has become increasingly fragmented, and many teams are trying to manage that complexity by adding more tools to the stack. The report shows that approach is failing. This matters because as AI adoption accelerates, attackers are operating at machine speed, using automation to outpace defenders who are still constrained by siloed controls and incomplete context."
"For practitioners, securing AI in 2026 and beyond is not just about protecting models. It requires addressing stack sprawl and moving toward a platform-driven approach that delivers defense in depth through unified, AI-aware identity, configuration, and data visibility. Organizations that simplify their cloud and AI security stack and enable effective automation will be far better positioned to safely scale AI as threats continue to evolve."
Ram Varadarajan, CEO at Acalvio, said:
"Fortinet's 2026 findings confirm that the cloud 'complexity gap' has become a systemic risk, with AI-driven expansion now outpacing the ability of traditional, human-dependent defenses to respond in real-time. Defenders are expending finite resources against adversaries whose AI automation is driving attack costs toward zero—a gap that's not going to be closed by adding more disconnected defensive security tools."
"Clouds are going to continue to sprawl—that's a reality. To be able to scale with the attackers, AI-first cloud security has to shift from reactive blocking to AI-driven preemptive defense; it's bot-on-bot violence. We believe the key to scaling defense on the cloud will be to use an AI-driven, real-time deception fabric to target the known cognitive and computational limits of attacker AI, imposing asymmetric conditions of compounding uncertainty and computational exhaustion."
Shane Barney, CISO at Keeper Security, said:
"The key takeaway from this report is that cloud security challenges today are no longer driven by a lack of investment; they are driven by structural complexity. Organizations are spending more on cybersecurity, but fragmented tools, multi-cloud sprawl, and persistent skills shortages are preventing that investment from translating into stronger protection."
"As cloud environments expand across multiple providers, the number of identities, configurations, and data paths grows rapidly. Attackers are taking advantage of this complexity by using automation and AI, moving faster than traditional, alert-driven security operations can respond. When two-thirds of organizations lack confidence in their ability to detect and respond to cloud threats in real time, it's a clear signal that existing approaches are struggling to scale."
"AI adoption raises the stakes even further. AI workloads depend on dynamic access to sensitive data, service accounts, and APIs, which significantly increases the impact of misconfigurations or overprivileged access. Without strong identity governance and consistent least-privilege enforcement, AI can amplify risk instead of enabling innovation."
"The solution isn't adding more point tools; it’s reducing fragmentation by consolidating around integrated security platforms that deliver shared visibility across identity, cloud configuration, and data. Security teams need fewer consoles, consistent policy enforcement, and automation they can trust, not more alerts that require manual correlation."
"For organizations accelerating their use of AI and multi-cloud environments, cloud security must be treated as an operating model, not a collection of products. Prioritizing identity-first security through a modern Privileged Access Management (PAM) platform, simplifying architectures, and enabling context-driven automation are essential steps. Without that foundation, the cloud complexity gap will continue to widen, regardless of how much organizations spend."
Karen Walker, CFO at Sysdig, said:
"Cloud-native security has become mission-critical for modern businesses, not simply a nice-to-have. Organizations are increasingly building infrastructure across multiple cloud and on-prem environments. As multi-cloud and hybrid infrastructure continue to become the standard, the need for visibility, security, and performance across environments will only grow. Organizations are watching closely to see who will continue to deliver that power and independence."
According to the 2025 Cloud-Native Security and Usage Report, the best option for rapid and robust incident investigation that lets security teams keep pace with cloud attacks is to automate the collection and correlation of misbehaving identities with all related events, postures, and vulnerabilities. For example, the report found that Sysdig customers using enhanced investigation and real-time identity correlation features can visualize and understand the relationships between resources and their impact on the attack chain, completing their investigations and moving on to response in less than three-and-a-half minutes on average.
Agnidipta Sarkar, Chief Evangelist at ColorTokens, said:
"The initial hours following a breach are often marked by chaos and urgency as teams check systems, analyze logs, call vendors, and brief executives. No one questions what tools were adopted as AI adoption increases. But as the report highlights, after the initial chaos, questions will focus on why we have fragmented defenses, and yet so many security tools, without a focus on being ready for the next breach. Let us face it: we will have to live with two realities that hit hardest in the effort to be cyber-resilient, as AI adoption increases. The first is that talent shortages will continue to haunt us, and the second is that attackers will bypass defenses. Attackers will use automation and AI to discover misconfigurations and identify exposed identities and data faster than human-led defenses can respond, unless we move the needle from being secure to breach-ready."
"Breach readiness expects organizations to adopt zero-trust architectures that integrate and optimize existing cybersecurity investments to withstand the next cyberattack. With microsegmentation capabilities that scale to integrate EDR, Firewalls, SIEM, and SOAR at machine speed, it is time to set it up as a foundational cybersecurity fabric. Operational cyber resilience practices must leverage AI-based capabilities to anticipate and prepare for attackers, using available information from CISA, MITRE, and others to narrow attack surfaces—leaving far less elbow room for attackers to navigate. Incident response plans can leverage the fact that a reduced blast radius would render seemingly normal lateral movement malicious much earlier. And if AI-enabled decoys are set up in the denied path, a simple recon can deny a future attack before it begins."
"However, breach readiness is not a permanent state but a continuously evolving leadership practice that builds stakeholder trust. Breach readiness is never tested during normal operations but during uncertainty, when information is incomplete, time is limited, and resources are strained."
Here's a checklist based on the "Risk Exposure Chain" and "Cloud Security Principles" identified in the Fortinet 2026 Cloud Security Report.
Establish a visibility baseline
Do we have a unified inventory of all cloud accounts and data stores across every provider?
Have we cataloged all Non-Human Identities (NHIs), including AI agents and automated service accounts?
Are we able to see telemetry across multi-cloud silos in a single pane of glass?
Map the exposure chain
Can we identify where a "low-priority" misconfiguration connects to an overprivileged identity?
Do our tools see the relationship between configuration, identity, and data exposure simultaneously?
Have we mapped the direct paths an attacker could take from an entry point to our most sensitive data?
Harden identity and access
Is Least-Privilege enforced for all cloud identities to prevent "shadow access paths"?
Are we specifically monitoring for excessive permissions granted to AI-driven workflows?
Have we consolidated identity governance so policies are consistent across all cloud environments?
Shift from alerting to remediation
What percentage of our security automation is "alert-only" versus "autonomous remediation"? (Target: Move beyond the 11% industry average for autonomous action.)
Are high-volume, low-risk misconfigurations being fixed automatically at machine speed?
Do we have a trusted workflow to contain threats within seconds of detection?
Rationalize and consolidate
Are we still managing disparate "best-of-breed" tools that require manual data correlation?
Have we explored a unified security ecosystem to reduce tool sprawl and integration overhead?
Is our cloud security telemetry integrated with our broader network and endpoint visibility?
Benchmark maturity and outcomes
Are we tracking success by security outcomes (e.g., fewer overprivileged identities) rather than just tool deployment?
Have we moved out of the "Initial/Developing" maturity phase where 59% of the industry currently sits?
Are our security investments directly improving our detection and response velocity?
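An added example (not from the Fortinet report or any vendor quoted here) of the correlation the "Map the exposure chain" questions ask for: findings from three separate tools are joined into one graph and searched for paths from a misconfigured resource to sensitive data. All resource, identity, and bucket names are constructed sample data, and the relation names are assumptions made for this sketch.

```python
from collections import deque

# Constructed sample findings, one list per siloed tool (all names are hypothetical).
MISCONFIGS = [  # posture scanner
    {"resource": "vm-batch-01", "issue": "public SSH ingress", "severity": "low"},
    {"resource": "fn-thumbnail", "issue": "unauthenticated HTTP trigger", "severity": "low"},
]
IDENTITY_EDGES = [  # identity tool: (principal, relation, target)
    ("vm-batch-01", "runs_as", "svc-batch"),
    ("svc-batch", "can_assume", "svc-ai-agent"),
    ("fn-thumbnail", "runs_as", "svc-thumbnail"),
]
DATA_GRANTS = [  # data security tool: (identity, data store, classification)
    ("svc-ai-agent", "bucket-customer-pii", "restricted"),
    ("svc-thumbnail", "bucket-public-images", "public"),
]


def build_graph():
    """Merge the identity and data findings into one adjacency map."""
    graph = {}
    for src, relation, dst in IDENTITY_EDGES:
        graph.setdefault(src, []).append((relation, dst))
    for identity, store, _ in DATA_GRANTS:
        graph.setdefault(identity, []).append(("can_read", store))
    return graph


def exposure_chains(sensitive=("restricted",)):
    """Return every path from a misconfigured resource to a sensitive data store."""
    graph = build_graph()
    targets = {store for _, store, cls in DATA_GRANTS if cls in sensitive}
    chains = []
    for finding in MISCONFIGS:
        queue = deque([[finding["resource"]]])
        while queue:
            path = queue.popleft()
            if path[-1] in targets:
                chains.append({"misconfig": finding["issue"],
                               "scanner_severity": finding["severity"],
                               "path": path})
                continue
            for _, nxt in graph.get(path[-1], []):
                if nxt not in path:  # avoid cycles such as mutual role assumption
                    queue.append(path + [nxt])
    return chains


if __name__ == "__main__":
    for chain in exposure_chains():
        print(chain["scanner_severity"], chain["misconfig"], " -> ".join(chain["path"]))
```

Both misconfigurations are rated "low" by the posture scanner alone; only the joined graph shows that one of them reaches restricted data through a chained service identity.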