Spending more on security, encrypting less: the cloud data encryption gap nobody is talking about

Cloud data encryption is supposed to be a solved problem. Organisations have been investing in data security for years, deploying platform after platform, and signing off on security budgets that continue to increase. And yet the 2026 Thales Data Threat Report, published last month and based on a survey of 3,120 IT and security professionals worldwide, finds that only 47% of sensitive data held in cloud environments is actually encrypted. 

That is down from 51% the previous year. A four-point decline does not sound dramatic until you consider the direction it represents. Cloud adoption has not slowed. The volume of sensitive data being moved into cloud environments has not shrunk. The number of AI systems accessing that data has grown considerably. 

And through all of it, encryption coverage has moved backwards.

More tools, less clarity

Part of what makes this finding uncomfortable is that it does not reflect a lack of effort or investment. The Thales report found that 77% of organisations are running five or more separate data protection tools. Nearly half are managing five or more key management systems simultaneously.

That is not a picture of neglect. It is a picture of fragmentation, and that comes with a cost. When protection is distributed across too many systems, with no single point of visibility into what is encrypted, where, and under whose policy, the gaps between tools become the attack surface. 

Misconfiguration was cited as the leading cause of cloud breaches in the report, at 28%. That figure becomes easier to understand once you see how many overlapping, poorly integrated systems most security teams are trying to maintain. The Thales report is direct on this point: more tools do not mean better security. 

More tools often mean more gaps with no one clearly accountable for closing them.

AI is making the stakes higher, not lower

What shifts the urgency of the cloud data encryption gap is the pace at which AI systems are now accessing enterprise data. The Thales report found that 61% of organisations say their AI applications are already being targeted by attackers, with sensitive data as the primary focus. At the same time, AI tools and agents are increasingly being granted automated access to cloud-held data, often with fewer controls and less oversight than would be applied to human users.

Sébastien Cano, Senior Vice President of Cyber Security Products at Thales, put it plainly in the report: “Insider risk is no longer just about people. When identity governance, access policies, or encryption are weak, AI can amplify those weaknesses across environments far faster than any human ever could.”

That last part matters. The problem with under-encrypted cloud data was always that a breach could expose it. The new dimension is that AI systems can process and propagate that data at a scale and speed that makes exposure far more consequential than it was previously.

Credential theft has overtaken everything else

The Thales report also documents a related shift in how attackers are getting in. Credential theft was cited by 67% of organisations that experienced cloud attacks as the leading technique used against cloud management infrastructure. Identity and access management has now moved to the top of the security skills priority list for the first time, ahead of cloud security and application security.

In an environment where AI agents operate on API keys, tokens, and machine credentials rather than human logins, compromising an identity is often the fastest route to sensitive data. And if that data is unencrypted when it is reached, the breach is complete.

The quantum dimension

There is a longer-horizon problem sitting behind the immediate one. The Thales report found that 61% of organisations cite “harvest now, decrypt later” as their primary quantum-related concern, meaning adversaries are already collecting encrypted data today, intending to decrypt it once quantum computing makes that viable. 

The implication is that even data which is currently encrypted may not stay protected indefinitely if the cryptographic standards underpinning it are not updated. 59% of respondents say they are already prototyping or evaluating post-quantum cryptographic algorithms, which leaves roughly four in ten organisations that have not begun that process.

The window for orderly cryptographic migration is not open indefinitely.

Thales will be at the Cybersecurity & Cloud Expo at TechEx North America, taking place 18–19 May 2026 at the San Jose McEnery Convention Centre.
