Nearly every organisation operating cloud-native systems experienced at least one security incident in the past year. However, the causes are often less dramatic than the high frequency might suggest. According to Red Hat’s 2026 State of Cloud-Native Security Report, published on March 24, 97% of organisations reported at least one incident over the previous 12 months.

The most common issue was misconfigured infrastructure or services, accounting for 78% of incidents. This was followed by known vulnerabilities and unauthorised access. These problems are not typically the result of sophisticated attacks, but rather recurring execution failures that continue to be costly.

A key finding in the report is the gap between perceived preparedness and actual capability. While 56% of respondents described their day-to-day security posture as proactive, only 39% said they had a mature, clearly defined cloud-native security strategy. Around 22% had no defined strategy at all. In effect, many organisations are relying more on confidence than on structured security programmes.

This disconnect shows up in uneven adoption of basic security controls. Identity and access management is relatively well implemented, with about 75% adoption. In contrast, only around half of organisations have implemented container image signing, and runtime protection remains inconsistent, with many teams relying on default settings instead of deliberately designed policies.

Organisations with well-defined strategies reported significantly higher confidence—61%—in securing their software supply chains and were more likely to have implemented advanced safeguards.

Security concerns are also affecting development speed. The report found that 74% of organisations delayed or slowed application deployments over the past year due to security issues. Among those experiencing downstream impacts, 52% said remediation took longer than expected, 43% reported reduced developer productivity, and 32% noted damage to customer trust.

To address this, Red Hat recommends integrating security earlier in the development lifecycle. Embedding security into development pipelines can reduce the need for time-consuming fixes later, rather than adding friction at deployment stages.

A newer challenge highlighted in the 2026 report is the rise of generative AI within cloud environments. About 58% of organisations now consider AI adoption a key factor in their security planning. Concerns are widespread, with 96% of respondents worried about risks such as sensitive data exposure, unapproved “shadow AI” tools, and insecure third-party integrations.

Despite these concerns, governance is lagging. Around 59% of organisations lack formal policies or frameworks for AI usage, leaving them without clear rules for data handling, access control, or oversight.

In response, Red Hat has begun extending zero-trust principles to AI systems. Its Zero Trust Workload Identity Manager introduces cryptographically verifiable identities for workloads, applying the same identity-based controls used for human users to AI agents. This helps secure interactions between agents and other systems, addressing gaps that traditional perimeter security cannot cover.

Agent-based AI systems introduce what is known as a “transaction boundary problem,” where authentication often occurs only at the initial entry point, leaving downstream interactions implicitly trusted. Many recent breaches have exploited these hidden trust assumptions.

Looking ahead, organisations are shifting their security investments toward integrated platforms rather than standalone tools. Key priorities over the next one to two years include DevSecOps automation (cited by over 60% of respondents), software supply chain security (56%), and expanded runtime protection (54%).

Regulation is also playing a growing role. About 64% of organisations expect the EU Cyber Resilience Act to significantly influence their security investment decisions, indicating that compliance is now a strategic concern at the leadership level.

Overall, Red Hat’s guidance is to establish clear security strategies, build automated guardrails into platforms, prioritise supply chain security, and implement AI governance early. The report ultimately highlights that the biggest challenge in cloud-native security today is not a lack of tools, but the gap between perceived readiness and the reality of organisational processes and governance.