Wednesday, April 1, 2026

Red Hat’s 2026 report exposes the cloud-native security execution gap – and how to close it


Nearly every organisation running cloud-native systems has been hit by a security incident in the past 12 months. The causes are less dramatic than the frequency suggests, according to Red Hat’s 2026 State of Cloud-Native Security Report, published on March 24. It states that 97% of organisations reported at least one cloud-native security incident over the previous 12 months.

According to the report’s findings, misconfigured infrastructure or services were the most commonly reported incident type at 78%, followed by known vulnerabilities and unauthorised access. These are not sophisticated, hard-to-anticipate attacks but execution failures – recurring and costly.

The report’s sharpest finding is the gap between how prepared organisations believe they are and what their security programmes can actually demonstrate. According to the 2026 report, 56% of respondents described their day-to-day security posture as proactive. Yet only 39% reported having a mature, well-defined cloud-native security strategy, and around 22% had no defined strategy at all. That means roughly six in ten organisations are operating on confidence rather than structure.

The practical consequences are evident in the uneven adoption of basic controls. As per the report, identity and access management had roughly 75% adoption – one of the strongest figures in the survey. Container image signing, however, had been implemented by only about half of organisations, and runtime security remained inconsistent, with many teams defaulting to out-of-the-box settings rather than deliberately defined policies.

Based on Red Hat’s data, organisations with a well-defined strategy reported 61% confidence in securing their software supply chain, considerably higher than less mature peers, and were far more likely to have deployed advanced guardrails in their environments.

Security slows delivery

According to the report, 74% of organisations delayed or slowed application deployments in the past 12 months due to security concerns. Of those that reported downstream effects – a figure that reached 92% – 52% said remediation demands had consumed more time than planned, 43% reported lower developer productivity, and 32% said incidents had damaged customer trust.

That pattern – security as a brake on delivery – is what Red Hat’s prescription is designed to break. The report argues that embedding security earlier and more consistently into development pipelines reduces the remediation burden downstream, rather than adding friction at the point of deployment.

AI’s governance problem

The 2026 edition of the report introduces a dimension that earlier versions did not have to deal with at scale: the security implications of generative AI within cloud environments. According to the report, 58% of organisations now identify AI adoption as a core driver of their security planning.

The concern levels are near-universal; 96% of respondents expressed worries about generative AI in cloud settings, with the main fears centring on exposure of sensitive data, shadow AI tools deployed without approval, and the integration of insecure third-party AI services.

The governance response has not kept pace. As per the report, 59% of organisations lack documented internal AI use policies or governance frameworks, leaving the majority managing an expanding and fast-moving set of AI tools without agreed-on rules for data handling, access, or oversight.

Red Hat has been working to extend zero-trust principles into the AI agent layer, specifically to address this. In January 2026, the company made its Zero Trust Workload Identity Manager generally available on OpenShift, providing cryptographically verifiable identities to workloads using the open SPIFFE and SPIRE standards.

Red Hat’s own technical documentation on the release shows the tool extends the same identity and access controls applied to human-driven processes to AI agents operating at runtime – covering agent-to-agent and agent-to-tool interactions that traditional perimeter security does not reach.

Anjali Telang, senior principal product manager for OpenShift Security and Identity at Red Hat, described the rationale: “Zero trust means you trust no one, you always verify, and then you base that verification on an identity. With AI, we want to bring in the same trust that we already have built into the system, making sure that trust translates to AI workloads and AI agents.”

According to Red Hat’s emerging technologies group, writing in February 2026, agentic AI systems introduce what NIST 800-207 defines as a transaction boundary problem – where authentication typically happens only between the user and the agent platform, with no explicit trust established in subsequent downstream calls. Most security breaches in recent years have exploited exactly these hidden trust assumptions between components.

Based on the 2026 report, organisations are shifting security investment away from point tools and towards platform consolidation and integrating security directly into development workflows. The stated priorities for the next one to two years include DevSecOps automation, cited by over 60% of respondents, to move from manual review gates to security embedded as code within CI/CD pipelines. Software supply chain security followed at 56%, and runtime security expansion at 54%.

Regulatory pressure is reinforcing these priorities. According to the report, 64% of organisations said they expect the EU Cyber Resilience Act to be a primary factor in shaping security investment decisions – a figure that suggests compliance has moved from a trailing consideration to a boardroom driver.

Red Hat’s overall recommendation in the report is to establish a defined strategy, build guardrails and automation into platforms rather than layering them on top, prioritise supply chain integrity, and introduce AI governance now.

The data makes a clear case that cloud-native security’s main problem in 2026 is the gap between the security posture organisations believe they have and the one their processes and governance structures support.

Red Hat is exhibiting at the Cyber Security & Cloud Expo, part of TechEx North America, at the San Jose McEnery Convention Center, 18 – 19 May 2026.

(Image by Growtika)
