Cloud Security Has Hit a Speed Wall as AI, Multicloud Outpace Defenses

Key Takeaways

Cloud security architectures and workflows are fragmented and slow, creating significant risks as enterprises rapidly scale their use of cloud services. Attackers exploit this delay, compromising environments within minutes.

Identity management is the critical control point for cloud security. Overpermissive access and token mismanagement are primary drivers of incidents, necessitating least-privilege access enforcement and continuous review.

To improve incident response time and adapt to the evolving threat landscape, security operations must merge and integrate cloud, application, and SOC workflows, addressing the challenges of tool sprawl and siloed teams.

Cloud security is failing to keep up with the speed, scale, and complexity of modern enterprise IT, and AI is accelerating the gap, per the December 2025 Palo Alto Networks State of Cloud Security Report. Attackers now compromise environments in minutes while defenders still take weeks to remediate, leaving ERP-adjacent cloud systems increasingly exposed.

The report draws on a global survey of more than 2,800 executives and practitioners across 10 countries. Its central finding is that cloud has become the default operating model, but security architectures and workflows remain fragmented and slow.

More than half of all production workloads now run in the cloud, and 61% of organizations operate at scale across extensive or fully cloud-native environments. Most enterprises use an average of six cloud providers, and multicloud is no longer a maturity goal but a starting condition. Sensitive data is spread across public cloud, private cloud, SaaS platforms, endpoints, and on-premises systems, increasing the difficulty of maintaining consistent controls.

Development velocity complicates the problem. Over half of organizations deploy new or updated code weekly, and 17% release daily or faster. At the same time, 99% now use generative AI tools to assist with coding. While this boosts productivity, it also introduces insecure code and misconfigurations into already strained pipelines. In addition, 53% of organizations report that high or critical security issues still reach production, and 82% say it takes longer than a week to deploy a fix.

Identity and APIs are the dominant risk vectors. API attacks increased 41% year over year, the steepest rise of any threat category. SaaS sync and export misuse is the top data exfiltration vector at 63%, followed closely by overpermissive external sharing and compromised credentials or tokens. Identity weaknesses cut across nearly every breach scenario, reinforcing that cloud risk is increasingly an access and entitlement problem.

Incident response also breaks down under tool sprawl. Organizations use an average of 17 security tools, yet 50% of analysts’ time during incidents is spent correlating data. While most teams can detect and contain threats within 24 hours, one-third still need a full day or more to resolve incidents, and some take weeks. Nearly nine in ten respondents say cloud security and SOC operations should merge to address this fragmentation.

AI adds urgency—75% of organizations already run AI systems in production, and 99% report at least one attack on an AI system in the past year. The most common breach path is data exfiltration through AI assistants or plugins, followed by model supply chain tampering and token theft. The report emphasizes that AI security starts with cloud infrastructure, CI/CD pipelines, and identity controls, not just models and prompts.

What This Means for ERP Insiders

Cloud complexity now defines ERP risk. As SAP and other ERP systems increasingly rely on multicloud integrations, APIs, and SaaS extensions, fragmented visibility and inconsistent identity controls create material exposure that traditional security models cannot address.

Identity, not infrastructure, is the primary control point. Overpermissive access, token sprawl, and SaaS misuse drive many of the most damaging incidents, making least-privilege enforcement and continuous access review essential for protecting ERP data and processes.

Security operations must converge to keep pace. Tool sprawl and siloed cloud and SOC teams slow response times, while attackers operate at machine speed. ERP leaders should expect tighter integration between cloud security, application security, and SOC workflows as a prerequisite for secure modernization.