Almost every organisation running cloud-native systems has been hit by a security incident in the past year. The causes are less dramatic than the frequency suggests, according to Red Hat’s 2026 State of Cloud-Native Security Report, published on March 24. It states that 97% of organisations reported at least one cloud-native security incident over the previous 12 months.
As per the report’s findings, misconfigured infrastructure or services were the most commonly reported incident type at 78%, followed by known vulnerabilities and unauthorised access. These are not sophisticated, hard-to-anticipate attacks but execution failures – recurring and costly.
The report’s sharpest finding is the distance between how prepared organisations believe they are and what their security programmes can actually demonstrate. According to the 2026 report, 56% of respondents described their day-to-day security posture as proactive. Yet only 39% reported having a mature, well-defined cloud-native security strategy, and around 22% had no defined strategy at all. That means roughly six in ten organisations are operating on confidence not structure.
The practical consequences are evident in the uneven adoption of basic controls. As per the report, identity and access management had approximately 75% adoption – one of the strongest figures in the survey. Container image signing, however, had been implemented by only about half of organisations, and runtime protection remained inconsistent, with many teams defaulting to out-of-the-box settings not deliberately defined policies.
Based on Red Hat’s data, organisations with a well-defined strategy reported 61% confidence in securing their software supply chain, considerably higher than less mature peers, and were far more likely to have deployed advanced guardrails in their environments.
Security slows delivery
According to the report, 74% of organisations delayed or slowed application deployments in the past 12 months due to security concerns. Of those that reported downstream effects – a figure that reached 92%– 52% said remediation demands had consumed more time than planned, 43% reported lower developer productivity, and 32% said incidents had damaged customer trust.
That pattern – security as a brake on delivery – is what Red Hat’s prescription is designed to break. The report argues that embedding security earlier and more consistently into development pipelines reduces the remediation burden downstream, not adding friction at the point of deployment.
AI’s governance problem
The 2026 edition of the report introduces a dimension that previous versions did not have to contend with at scale: the security implications of generative AI inside cloud environments. According to the report, 58% of organisations now identify AI adoption as a core driver of their security planning.
The concern levels are near-universal; 96% of respondents expressed worries about generative AI in cloud settings, with the main fears centring on exposure of sensitive data, shadow AI tools deployed without approval, and the integration of insecure third-party AI services.
The governance response has not kept pace. As per the report, 59% of organisations lack documented internal AI use policies or governance frameworks, leaving the majority managing an expanding and fast-moving set of AI tools without agreed-on rules for data handling, access, or oversight.
Red Hat has been working to extend zero-trust principles into the AI agent layer, specifically to address this. In January 2026, the company made its Zero Trust Workload Identity Manager generally available on OpenShift, providing cryptographically verifiable identities to workloads using the open SPIFFE and SPIRE standards.
Red Hat’s own technical documentation on the release shows the tool extends the same identity and access controls applied to human-driven processes to AI agents operating at runtime – covering agent-to-agent and agent-to-tool interactions that traditional perimeter security does not reach.
Anjali Telang, senior principal product manager for OpenShift Security and Identity at Red Hat, described the rationale: “Zero trust means you trust no one, you always verify, and then you base that verification on an identity. With AI, we want to bring in the same trust that we already have built into the system, making sure that trust translates to AI workloads and AI agents.”
According to Red Hat’s emerging technologies team, writing in February 2026, agentic AI systems introduce what NIST 800-207 defines as a transaction boundary problem – where authentication typically happens only between the client and the agent platform, with no explicit trust established in subsequent downstream calls. Most security breaches in recent years have exploited exactly those hidden trust assumptions between components.
Based on the 2026 report, organisations are changing security investment away from point tools and toward platform consolidation and integrating security directly into development workflows. The declared priorities for the next one to two years include DevSecOps automation, cited by over 60% of respondents, to move from manual review gates to security embedded as code inside CI/CD pipelines. Software supply chain security followed at 56%, and runtime protection expansion at 54%.
Regulatory pressure is reinforcing those priorities. According to the report, 64% of organisations said they expect the EU Cyber Resilience Act to be a primary factor in shaping security investment decisions – a figure that suggests compliance has moved from a trailing consideration to a boardroom driver.
Red Hat’s overall recommendation in the report is to establish a defined strategy, build guardrails and automation into platforms not layering them on top, prioritise supply chain integrity, and introduce AI governance now.
The data makes a clear case that cloud-native security’s primary problem in 2026 is the gap between the security posture organisations believe they have and the one their processes and governance structures sustain.
Red Hat is exhibiting at the Cyber Security & Cloud Expo, part of TechEx North America, at the San Jose McEnery Convention Centre, 18 – 19 May 2026.
(Photo by Growtika)
See also: Cloud demand shifts toward AI as enterprise use deepens
Want to learn more about Cloud Computing from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is part of TechEx and is co-located with other leading technology events, click here for more information.
CloudTech News is powered by TechForge Media. Explore other upcoming enterprise technology events and webinars here.