Cloud security is becoming harder to manage, not because organisations lack tools, but because the pace and scale of cloud adoption are outstripping security teams’ ability to maintain real-time visibility and control. That is the central finding of Fortinet’s 2026 State of Cloud Security Report, which points to what it calls a growing “complexity gap” across enterprise cloud environments.
The report, produced by Cybersecurity Insiders and based on a global survey of more than 1,160 cybersecurity leaders and practitioners, suggests that cloud security challenges are no longer driven by isolated vulnerabilities. Instead, they stem from a structural mismatch between highly dynamic cloud environments and security models that remain fragmented, understaffed, and heavily manual.
Fragmentation, skills shortages and machine-speed threats
According to the findings, the complexity gap is being reinforced by three interlinked factors.
First is fragmented defence. As organisations expand their cloud footprints, security tools often proliferate without coordination. Nearly 70% of respondents said tool sprawl and visibility gaps are now the biggest obstacles to effective cloud security, forcing teams to manually stitch together alerts from systems that were never designed to work in unison.
Second is the human constraint. Even as cloud environments grow more complex, security teams are struggling to find and retain skilled professionals. Seventy-four percent of respondents reported an active shortage of qualified cybersecurity talent, while 59% said their organisations remain in the early stages of cloud security maturity. The result is stretched teams, slower response times and missed signals.
The third pressure point comes from adversaries themselves. Threat actors are increasingly using automation and AI to scan for misconfigurations, map permission paths and exploit exposed data at machine speed. Sixty-six percent of surveyed professionals admitted they lack strong confidence in their ability to detect and respond to cloud threats in real time, as the window between vulnerability and attack continues to shrink.
Hybrid and multi-cloud add to the burden
The report also highlights how hybrid and multi-cloud strategies are amplifying complexity. Cloud environments already involve distributed architectures, dynamic identities and constantly shifting data flows. Layering multiple public clouds, on-premises systems, SaaS applications and remote users on top of that makes consistent security enforcement even more difficult.
According to the survey, 88% of organisations now operate in hybrid or multi-cloud environments, up from 82% a year ago. More than four in five rely on two or more cloud providers for critical workloads, and nearly a third use more than three. Each additional platform increases the attack surface, introducing new configurations, permissions and data paths that must be secured.
A shift towards consolidation
Faced with these pressures, many organisations are rethinking their security architectures. Rather than adding more point tools, there is a clear shift towards consolidation and unified security ecosystems.
If they were designing their security strategy today, 64% of respondents said they would choose a single-vendor platform that unifies network, cloud and application security. The motivation is less about vendor preference and more about operational sanity: security teams are overwhelmed by the integration effort required to make disparate tools work together. A shared data model and coordinated enforcement promise better visibility, faster detection and more proactive threat management.
Security foundations for an AI-driven future
The report concludes that cloud security strategies must evolve to address not just today’s complexity, but also the demands of AI-led transformation. As organisations push ahead with AI initiatives, the underlying cloud environment needs to be resilient, observable and well-governed to avoid compounding risk.
“Cloud environments are evolving faster than most security teams can keep up with, especially as AI accelerates both innovation and risk,” said Vishak Raman, Vice President of Sales for India, SAARC, Southeast Asia and ANZ at Fortinet. “While attackers are increasingly operating at machine speed, many organisations are still dependent on manual processes and fragmented visibility. Closing this gap requires a more unified approach to cloud security that enables faster insight, coordination, and response.”
For enterprises, the message is clear: without addressing fragmentation and operational overload, cloud security risks will continue to grow in step with cloud adoption itself.