Full Report
Insights from 96 organizations on the state of AI security in the cloud.
Analysis Summary
# Main Topic
Summary of AI Security Readiness based on insights from 96 organizations regarding the state of AI security adoption and challenges in cloud environments.
## Key Points
- **High AI Adoption:** 87% of surveyed organizations are already using AI services, often via platforms like OpenAI or Amazon Bedrock.
- **Security Expertise Gap:** Lacking AI security expertise is the top challenge cited by 31% of respondents.
- **Reliance on Traditional Controls:** Only 13% of organizations are currently using dedicated AI-specific Security Posture Management (AI-SPM) tools.
- **Legacy Control Reliance:** Most organizations lean on traditional security methods: 53% use secure development processes, 41% use tenant isolation, and 35% audit for shadow AI.
- **Visibility Deficit:** 25% of respondents do not know what AI services are currently running in their environment, indicating widespread "Shadow AI."
- **Environmental Complexity:** 45% are using hybrid cloud environments, and 33% are multi-cloud, increasing the complexity that legacy tools (like EDR) fail to adequately address.
## Threat Actors
- No specific named threat actors or named threat campaigns targeting AI infrastructure were detailed in this report summary.
- The primary "actors" discussed are internal teams struggling to secure rapidly deployed AI services.
## TTPs
- The focus is on organizational and security posture issues rather than specific attacker TTPs.
- **Observed Threat Vectors (Implied Risks):**
- Exposing sensitive data via AI service misconfigurations.
- Unmonitored or unauthorized deployment of AI services ("Shadow AI").
- **Defensive Posture Gaps (Not Attacker TTPs):**
- Over-reliance on EDR tools not designed for modern AI cloud architectures.
## Affected Systems
- **General AI Services:** Platforms like OpenAI and Amazon Bedrock.
- **Deployment Environments:** Hybrid cloud (45% impacted) and multi-cloud environments (33% impacted).
- **Security Tooling:** Traditional security controls like EDR are noted as insufficient for the emerging AI attack surface.
## Mitigations
- **Adopt AI-Specific Security Posture Management (AI-SPM):** Only 13% are using this essential tool.
- **Address Expertise Deficit:** Focus on training security teams in AI security (cited as the top challenge).
- **Improve Visibility and Governance:** Organizations must develop frameworks to identify and monitor all AI services running, especially those resulting from Shadow AI.
- **Leverage Foundational Controls (While Moving Beyond Them):** Continue utilizing secure development processes, tenant isolation, and auditing for shadow AI, recognizing these are not sufficient alone.
- Organizations are advised to consult the full report for actionable recommendations on building visibility, governance, and automation for AI strategy.
## Conclusion
AI adoption is far outpacing current security maturity. The key finding is a significant gap between widespread AI usage (87%) and the lack of specialized security tooling and expertise required to manage the associated risks, particularly concerning visibility into Shadow AI and the limitations of traditional cloud security controls. Rapid adoption of AI-SPM and targeted skill development are critical next steps for organizations.