Qualys has published its Cloud Security Forecast 2026 report, arguing that cloud compromise is increasingly driven by how environments are designed and operated rather than by new attack techniques.
The company said the research points to a shift from exploit-driven breaches to “design-driven compromise”, where architectural decisions and operational practices create persistent risk. It cited recurring patterns across organisations, industries and cloud providers, including over-permissioned identities, expanding trust relationships, and exposures that remain in place long enough to be exploited.
According to Qualys, the report draws on analysis from its Threat Research Unit and a Cloud and Application Security Maturity Survey 2026 conducted in collaboration with more than 250 global enterprises. The report frames cloud risk as a structural byproduct of modern cloud operations, particularly as identity systems, SaaS integrations, software supply chains and AI workloads become more interconnected.
“Cloud compromise is increasingly shaped by identity design and delegated trust — not a single ‘critical’ flaw in isolation. When remediation lags behind the pace of change, small issues combine into real impact. Organisations need to treat access, trust relationships and response speed as core security controls — and govern them continuously. The advantage in 2026 will not come from seeing more signals. It will come from reducing unnecessary access at the same pace at which it is created, and tightening the speed from detection to enforced action,” said Shilpa Gite, Senior Manager, Cloud Security Compliance at Qualys.
The report lists three trends it says are changing how organisations should interpret cloud risk. First, it argues that identity and access management design—such as IAM policies, role inheritance and federated trust—can create paths to privilege escalation without a traditional vulnerability. Qualys said governance maturity remains limited, with 17.3% of organisations implementing Cloud Infrastructure Entitlement Management and 26.1% incorporating identity context into risk prioritisation.
Second, the report says agentic AI is accelerating the mapping of identities, policies, OAuth scopes and trust relationships, changing risk prioritisation toward “exploitability” rather than isolated findings. Qualys reported that 35.7% of organisations are operating AI/LLM workloads, while 19.1% report adequate visibility and controls, and warned that new machine identities and delegated access can expand attack surface.
Third, it said cloud environments can change in minutes through infrastructure-as-code, CI/CD and ephemeral workloads, while remediation practices often remain slow. The report stated that 49.4% of organisations still rely on monitoring followed by manual response workflows, which can create delays between change and remediation.
The findings add to growing industry focus on identity governance and automation in cloud security, as organisations attempt to reduce misconfiguration and over-privilege risks that may not be addressed through vulnerability management alone.
You can read the full report here.

