Hybrid cloud security isn’t just getting harder – it’s reaching a breaking point. This is according to the Red Hat 2026 State of Cloud-Native Security Report which reveals that security incidents are now a near-universal experience.
Almost all organisations surveyed (97%) reported at least one cloud-native security incident in the past year. The software company says these are not just sophisticated, one-off attacks; rather, they are often the result of everyday lapses.
According to the findings, the most frequently reported incident types include:
- Misconfigured infrastructure or services (78%): The leading cause of exposure, often due to manual errors in complex environments.
- Known vulnerabilities: Workloads are being deployed with “known-bad” code, creating avoidable windows of risk.
- Unauthorised access: A persistent operational hurdle that frequently leads to sensitive data exposure.
These incidents carry a tangible business cost that extends far beyond the IT department, says Red Hat. Almost three in four organisations (74%) have delayed or slowed application deployments in the last 12 months due to security concerns. Beyond delays, 92% of respondents experienced significant impacts ranging from increased time spent on remediation (52%) and reduced developer productivity (43%) to the loss of customer trust (32%). In short, says the company, security is no longer just a technical checkbox—it is a primary risk to business agility.
Confidence vs strategy
One of the report’s most striking findings is the gap between perceived readiness and actual strategy. While 56% of organisations describe their day-to-day security posture as “highly proactive”. However, only 39% actually possess a mature, well-defined cloud-native security strategy. This suggests that while teams aspire to be forward-looking, many are “improvising”. In fact, approximately 22% of organisations operate with no defined strategy at all.
This lack of structure, says Red Hat, leads to inconsistent adoption of security guardrails, including:
- Identity and Access Management (IAM): Roughly 75% adoption, as identity is widely recognised as a core control.
- Container image signing: Only about half of organisations have implemented this capability for software integrity.
- Runtime protection: Implementation remains patchy, leaving many teams to rely on default settings rather than intentional governance.
The data underscores that maturity pays off: organisations with a well-defined strategy are far more likely to adopt advanced guardrails and report 61% confidence in securing their software supply chain, compared to much lower confidence among less mature peers.
Shifting investment trends
Recognising these gaps, organisations are rebalancing their budgets for 2026. The focus is shifting from disparate point tools towardplatform consolidation and building security directly into the software lifecycle.
According to the findings, key investment priorities for the next 1-2 years include:
- DevSecOps automation: Over 60% of organisations plan to invest in automating security within CI/CD pipelines. The goal is to move from manual “gates” to “security as code” to reduce human error.
- Software supply chain security: 56% of organisations are prioritising this area. With supply chain attacks soaring, there is an urgent need to verify open source dependencies and container images through Software Bills of Materials (SBOMs) and provenance checks.
- Runtime protection: 54% of respondents intend to expand defences that can detect and block active threats, such as cryptojacking or rogue container behaviour, in real time.
Compliance is no longer a back-burner issue. More than half of organisations (64%) expect the EU Cyber Resilience Act (CRA) to be a primary driver of their 2026 investment decisions. This shifts security governance from a “nice-to-have” to a mandatory, board-level requirement.
The emerging risk frontier: AI and cloud security
In 2026, AI has become a double-edged sword for cloud-native teams. While 58% of organisations say AI adoption is now a core driver of their security planning, actual governance is lagging “dangerously behind” the pace of implementation. The report reveals a near-universal anxiety regarding generative AI (gen AI) in cloud environments, with 96% of respondents expressing significant concerns.
Red Hat says these fears aren’t just theoretical; they are cantered on three specific risks:
- Ubiquitous concern: 96% of respondents have worries about gen AI in their cloud environments.
- Top fears: These include exposure of sensitive data, shadow AI tools used without approval, and the integration of insecure third-party AI services.
- The governance gap: Despite these fears, 59% of organisations lack documented internal AI usage policies or governance frameworks.
Image courtesy Red Hat.
Without clear rules, organisations risk AI-powered behaviours altering configurations or leaking proprietary code outside of normal processes, essentially amplifying existing identity and supply chain risks.
Data-based recommendations for 2026
The report concludes that the speed of cloud-native innovation has officially outpaced traditional security. To bridge the maturity paradox, organisations must move beyond ad-hoc firefighting and adopt a structured, platform-centric approach.
Red Hat provides the following 5 critical actions for 2026:
- Establish a formal strategy: Organisations must move beyond “ad-hoc firefighting” by creating a structured path from a reactive to a proactive posture.
- Embed guardrails and automation: Security must be a secure-by-default part of the platform, executed by DevOps or platform engineering teams to scale without adding friction for developers.
- Prioritise supply chain integrity: Implement mandatory image signing and dependency scanning. As one respondent noted, while everyone uses open source, “hardly anyone scans or signs their dependencies”. Being the exception is critical for resilience.
- Close the feedback loop: Unify observability and security data so that insights from runtime threat detection are fed back into the development process to prioritise the most critical fixes.
- Govern AI usage now: Organisations can’t wait for external regulations. They must convene cross-functional teams to develop guidelines on acceptable AI use and data handling immediately.
* Read the Red Hat 2026 State of Cloud-Native Security Report here.