Report: Cloud Complexity Outpaces Security Defenses as Multi-Cloud Becomes the Norm
- By David Ramel
- February 11, 2026
Cloud security teams are increasingly struggling less with whether they can secure the cloud and more with keeping up with it. That is the central message of Fortinet’s 2026 Cloud Security Trends: Closing the Cloud Complexity Gap, which draws on a survey of 1,163 security leaders and practitioners.
For software developers and platform teams, the findings read like an operational reality check: multi-cloud is now the default operating model, and the pace of change in cloud environments is outrunning the human processes and fragmented tools used to defend them.
Multi-cloud is no longer a phase
The report finds that 88% of organizations run hybrid or multi-cloud environments, and 81% rely on two or more cloud providers for critical workloads. That sprawl creates constant churn in assets, identities, and configuration state, expanding the attack surface and making consistent visibility harder to maintain.
That complexity shows up in detection confidence. Sixty-six percent of respondents say they lack strong confidence in their ability to detect and respond to cloud threats in real time, up from 64% in the prior year’s similar survey. Fortinet attributes the drop to fragmented visibility across cloud platforms, identity systems, and security tools that were not designed to work together.
The risk chain developers live inside
In the 2026 survey, identity and access security tops the list of cloud-native risks at 77%, followed by misconfigured cloud services at 70%, and data exposure at 66%. Those categories map directly to day-to-day engineering decisions: permissions in IAM policies, defaults in infrastructure templates, and where sensitive data ends up in logs, object stores, and managed services.
The report also highlights the operational burden of managing controls across environments. Sixty-nine percent of respondents say tool sprawl and visibility gaps are the biggest barriers limiting cloud security effectiveness, suggesting that simply adding more point solutions is not translating into better outcomes.
Spending increases; maturity does not
Cloud security budgets continue to rise, with 62% of organizations expecting increases over the next 12 months. Cloud security accounts for an average of 34% of total IT security spending. Despite that investment, 59% still rate their cloud security posture at the two lowest levels on a five-stage maturity scale.
Fortinet’s explanation is blunt: much of the investment is being consumed by the overhead of managing disconnected tools rather than improving visibility and response. Each new platform tends to add consoles, integration work, and alert streams, increasing friction for already-stretched teams.
Automation is mostly alerts, not fixes
Most organizations report some level of automation in cloud security workflows, but it often stops short of remediation. Thirty-seven percent describe automation focused on notifications and recommendations, while only 11% report fully autonomous remediation. The report suggests that without shared context and trusted visibility, organizations hesitate to allow automated systems to take action, even as attackers operate at machine speed.
What this means for application teams
For development organizations, the report’s shift in framing is notable. A similar 2025 Fortinet report emphasized security and compliance as barriers to cloud adoption. The 2026 report treats cloud complexity as a permanent operating condition, and the primary problem becomes keeping security effective as environments change continuously.
In practice, that pushes application teams toward tighter coordination with platform and security engineering around identity design, configuration hygiene, and data handling, especially in multi-cloud estates where the same intent can be implemented in several provider-specific ways.
About the Author
David Ramel is an editor and writer at Converge 360.