Cloud Adoption Using AI Security

Cloud adoption is mature across large enterprises, but the security model protecting cloud and AI environments remains uneven. Current evidence indicates that hybrid and multi-cloud operating models are now standard, AI workloads are increasingly in production, and identity has become the most critical point of control. At the same time, organisations are facing a widening gap between the speed of AI adoption and the maturity of the controls used to govern data, models, pipelines, and autonomous actions.

The most effective response is not to treat cloud security and AI security as separate programmes, but to build a unified operating model based on identity governance, continuous visibility, risk-based prioritisation, and lifecycle controls. For most organisations, the practical path forward includes adopting zero trust principles, consolidating fragmented tooling, formalising AI governance, securing the full AI lifecycle, and implementing a phased roadmap that moves from visibility and policy to automation and continuous assurance.

Over the next two to three years, the market is expected to move from broad experimentation to disciplined scale. The major trend is not simply more cloud adoption, but deeper dependence on cloud platforms to host AI services, data estates, development pipelines, and digital business operations. As this dependence increases, security spending is shifting toward identity-centric control models, cloud-native exposure management, data security posture management, and specialised controls for generative AI and agentic systems.

Organisations are also likely to place greater emphasis on platform consolidation because fragmented point solutions cannot easily provide the unified visibility, policy consistency, and response speed required in hybrid and multi-cloud environments. In parallel, boards and regulators are asking for stronger governance, clearer accountability, and measurable assurance that AI systems are secure, controlled, and aligned to business intent. This means the winning organisations are likely to be those that connect business value, architecture, governance, and cyber resilience into one coherent strategy.

Key driving trends from recent reports:

  • AI in production is rising fast: Palo Alto Networks says 75% of organisations are running AI in production environments.
  • Enterprise AI usage is exploding: Zscaler found AI/ML transactions grew 36x year over year in observed enterprise traffic.
  • Governance is cautious but uneven: the same Zscaler report says 59.9% of AI/ML transactions were blocked, suggesting many firms are still tightening policy and data controls. [zscaler.com]
  • Identity risk dominates cloud security: Cloud Security Alliance says 59% of organisations see insecure identities and risky permissions as the top cloud risk.
  • Zero trust and SASE are moving mainstream: AlgoSec reports 56% of businesses have fully or partially implemented zero trust.

Key risks and challenges in Cloud Adoption using AI:

The risk landscape has shifted significantly, moving beyond a primary focus on infrastructure to a broader exposure across identity, data, models, pipelines, and automation, each of which now represents a critical part of the enterprise attack surface.

Biggest AI-specific risks:

The OWASP Top 10 for LLM Applications 2025 highlights common categories such as

Organisational challenges:

Cloud Security Alliance identifies lack of expertise as the top challenge, while Deloitte emphasises scaling beyond experimentation and managing compliance and workforce readiness.

A practical implementation roadmap should be phased, risk-based, and aligned to business priorities. Organisations that attempt to scale cloud and AI security in a single step usually create more complexity than control.

A staged model allows teams to establish visibility first, then add governance, technical controls, and automation in a sequence that is operationally sustainable.

  1. Phase 1: Establish the baseline. Build an inventory of cloud assets, AI services, models, data stores, third-party dependencies, identities, and privileged accounts. Confirm where sensitive data is used, where AI is already embedded, and which teams own each service.
  2. Phase 2: Define governance and policy. Create approved AI use cases, data handling rules, access standards, vendor review criteria, model approval processes, and escalation paths for high-risk deployments. Align policy to existing cyber, privacy, risk, and legal frameworks.
  3. Phase 3: Implement core controls. Apply identity hardening, least privilege, secrets management, network segmentation, posture management, logging, model and prompt guardrails, secure software supply chain controls, and continuous vulnerability management.
  4. Phase 4: Integrate operations. Connect cloud, SOC, IAM, DevSecOps, data, and AI platform teams through shared workflows, common risk metrics, and incident playbooks. Embed checks into CI/CD and model deployment processes.
  5. Phase 5: Automate and optimise. Introduce risk-based prioritisation, automated remediation where appropriate, continuous assurance, and executive dashboards. Review incidents, control gaps, and model outcomes regularly to improve resilience over time.

Industry best practices:

Cloud adoption using AI security works best when organisations combine Zero Trust, strong identity controls, continuous monitoring, AI-driven detection, data governance, and clear model oversight. The most effective programmes treat security as a business enabler, automate routine protection, and keep human accountability for high-risk decisions.

Some of the best practices include:

  1. Adopt Zero Trust – Verify explicitly, enforce least privilege, segment workloads, and assume breach.
  2. Make Identity the Core Control Plane – Focus on MFA, SSO, PAM, CIEM, service account governance, and just-in-time access. Cloud Security Alliance identifies identity as the biggest cloud risk area.
  3. Use Recognised Frameworks – Base governance on NIST AI RMF, OWASP Top 10 for LLM Applications 2025, and the CSA AI Controls Matrix.
  4. Secure the Full AI Lifecycle – Cover data, training, fine-tuning, model storage, deployment, prompts, retrieval, plugins/tools, and outputs. CSA AI Controls Matrix is specifically structured for cloud-based AI systems.
  5. Shift Left and Shield Right – Protect CI/CD, dependencies, model supply chain, infrastructure as code, and runtime behaviour.
  6. Continuously Monitor – Inventory assets, models, identities, permissions, APIs, and data flows across all cloud environments.
  7. Apply Human Guardrails – Especially for agentic or autonomous actions: approval gates, action limits, sandboxing, and rollback.
  8. Prepare for AI Incidents – Add playbooks for prompt injection, model abuse, data leakage, poisoned training data, and unsafe autonomous actions.

An effective governance model should define who sets policy, who approves risk, who operates controls, and who is accountable when incidents occur. In most organisations, this means establishing a cross-functional structure that includes security, cloud platform, enterprise architecture, data governance, legal, privacy, procurement, and business owners.

A central governance body should approve policy, classify AI use cases by risk, review exceptions, and monitor high-impact deployments. Operational teams should remain responsible for day-to-day execution, including configuration, identity hygiene, model monitoring, data protection, incident response, and vendor assurance. The governance model should also require documented ownership for each AI-enabled workload, minimum control baselines for different risk tiers, human oversight for sensitive or autonomous use cases, and regular reporting to executive leadership on exposure, incidents, control effectiveness, and remediation progress.

Cloud adoption using AI security has reached a decisive stage. The issue is no longer whether organisations will adopt cloud and AI together, but whether they can do so with sufficient control, resilience, and accountability. The evidence shows that hybrid and multi-cloud environments, rapid AI deployment, identity-related weakness, and fragmented governance are now defining features of the market. Organisations that respond successfully will focus on a unified security model that combines governance, architecture, operations, and measurable risk reduction.

Those that delay are likely to face increasing exposure across data, identities, models, software supply chains, and autonomous workflows. The priority now is disciplined execution: establish visibility, formalise governance, implement layered controls, and improve continuously as the cloud and AI landscape evolves. Cloud adoption is mature and AI adoption is accelerating, but AI security is still catching up.

About the author:

Kavitha Srinivasulu | Director – Cyber Security & Data Privacy | TCS

Senior cyber risk and resilience executive with over 22 years of global leadership experience advising Boards and Executive Committees across Financial Services, Healthcare, Retail, Technology, and regulated industries. Delivered and led large-scale, regulator-driven cybersecurity, AI driven, PCI, and SOC transformations for Tier-1 banks, global healthcare organisations, and highly regulated enterprises operating across the UK, EU, USA, APAC, and ANZ. Trusted advisor to Boards, C-suite, regulators, and global enterprises, consistently delivering resilient, compliant, and scalable cyber operating models.

“The views and opinions expressed by Kavitha in this article are solely her own and do not represent the views of her company or her customers.”
