Global cloud encryption rates are declining despite increased security investment
Cloud encryption should be a solved challenge by now. Yet, it’s slipping backward. The 2026 Thales Data Threat Report, based on insights from over 3,000 IT and security professionals, shows that only 47% of sensitive cloud data is encrypted. That’s down from 51% the year before. This decline is happening even as organizations spend more on cybersecurity and shift more critical workloads to the cloud.
For executives, this is about strategy and alignment. Many enterprises have focused their budgets on new platforms and solutions without being sure those investments deliver measurable protection. Encryption coverage is falling at a time when both data volumes and exposure points are rising across distributed, AI-driven systems. That’s a bad equation for long-term resilience.
This is the moment for leadership teams to re-evaluate what “security spending” really means. Buying technology is easy; coordinating it effectively is not. Executives should question whether their organizations truly understand where their most sensitive data resides, how it’s secured, and who governs it. The next few years will reward companies that purchase more tools, and deploy them in a way that produces measurable encryption coverage across all cloud environments.
Fragmented security tools create visibility and accountability gaps
The typical enterprise security stack has become bloated. According to Thales, 77% of companies now use five or more data protection tools, while nearly half juggle five or more separate key management systems. These numbers don’t signal neglect, they reveal overcomplexity. Every additional system adds operational drag, increases maintenance burdens, and dilutes accountability.
Fragmentation is dangerous because it hides gaps. With data spread across many platforms and managed under varying policies, organizations lose the clear view of what’s encrypted and what isn’t. Misconfiguration, cited as the leading cause of cloud breaches at 28%, is a natural byproduct of this confusion. When teams can’t easily see which controls apply where, small oversights become costly incidents.
For C-suite executives, this is an execution issue. Security leaders must simplify and consolidate. Centralized governance and single-point visibility are now essential conditions for effective encryption control. That means fewer tools, integrated workflows, and complete accountability for encryption standards. Fragmentation wastes security potential. Integration builds security power.
Executives need to drive that shift themselves. It’s a strategic necessity for protecting digital assets at enterprise scale.
A project in mind?
Schedule a 30-minute meeting with us.
Senior experts helping you move faster across product, engineering, cloud & AI.
The rise of AI amplifies risks associated with weak encryption and access controls
Artificial intelligence has changed the scale of enterprise operations. It’s also changed the scale of risk. The Thales report found that 61% of organizations say their AI applications have already been targeted by attackers focused on sensitive data. These systems are being granted automated access to large repositories of cloud data, often with less supervision and weaker oversight than human users. When those connections are not properly governed, exposure can multiply fast.
Executives should recognize that AI is no longer a secondary security concern, it’s now central to it. Expanded AI integration means the effects of a single weakness, like a faulty access policy or a missing encryption process, can spread across entire environments automatically. Attackers understand this. They’re no longer only pursuing human credentials, they’re targeting the machine identities that drive automation.
Sébastien Cano, Senior Vice President of Cyber Security Products at Thales, summarized the challenge clearly: “Insider risk is no longer just about people. When identity governance, access policies, or encryption are weak, AI can amplify those weaknesses across environments far faster than any human ever could.” Leadership teams should act on this insight. Securing AI workflows means enforcing strict encryption standards, building AI-specific access controls, and integrating continuous monitoring into every stage of data interaction.
The solution isn’t to slow down AI adoption, it’s to evolve security models to match its speed. Executives should ensure that governance, not just technology, scales alongside AI deployments. That’s where real resilience will come from.
Credential theft is the leading method for cloud intrusion, shifting security priorities
Credential theft is now the leading way attackers gain entry into cloud systems. The Thales report shows that 67% of organizations experiencing cloud attacks identified stolen credentials as the main technique used against management infrastructure. This shift reflects the rise of automated services and machine-to-machine communication. Instead of targeting human passwords, threat actors focus on tokens, API keys, and other credentials that control access to data at scale.
For business leaders, this means identity security has become the new foundation of cloud defense. It’s no longer enough to rely on strong passwords or basic access controls. Organizations need robust identity and access management (IAM) frameworks that monitor, authenticate, and verify every digital identity, human or machine. As Thales notes, IAM skills have now overtaken both cloud and application security as the top priority for security teams globally.
Executives should view this as a broader operational shift. When attackers breach machine credentials, they often gain unrestricted entry to unencrypted data before detection is possible. Strengthening identity protection directly limits that risk. Prioritizing IAM investments, automating credential lifecycle management, and eliminating unused or weak access tokens must become standard governance practice.
The path forward is clear: identity is now the control point that defines enterprise security. C-suites that act decisively on this reality will position their organizations to withstand current and emerging threats across increasingly complex cloud ecosystems.
Quantum computing presents long-term risks to current encryption methods
Quantum computing is moving from theoretical promise to practical capability, and that progress carries consequences for data security. The Thales Data Threat Report shows that 61% of organizations consider “harvest now, decrypt later” their primary quantum-related concern. Adversaries are already collecting encrypted data today, anticipating the future ability to break it once quantum processing reaches sufficient maturity.
This creates a long-term vulnerability few enterprises are fully addressing. While 59% of organizations are already testing or developing post-quantum cryptographic solutions, roughly 40% have not yet begun the work. That gap exposes a future risk where data that seems safe today may be decrypted when quantum power becomes economically accessible. For executives, the message is straightforward: time is not on the side of outdated cryptographic models.
Post-quantum readiness is not only a technical transition, it’s a strategic one. Businesses that depend on data durability over long timelines, such as those in financial services, defense, or healthcare, must prioritize cryptographic modernization now, not later. This includes auditing existing encryption methods, identifying critical archives, and working with technology partners who are advancing quantum-resilient standards.
Executives should treat this issue as part of long-range governance planning. Organizations that delay cryptographic migration risk being forced into reactive, rushed transitions once quantum disruption arrives. The opportunity lies in starting early, ensuring encrypted data, current and historical, remains secure well into the quantum future.
Key executive takeaways
- Falling encryption, rising risk: Encryption coverage for sensitive cloud data has dropped to 47%, even as security spending increases. Leaders should reassess whether their investments are improving real protection rather than just expanding security infrastructure.
- Tool overload reduces control: Seventy-seven percent of organizations use five or more data protection tools, creating fragmented oversight and higher breach risk. Executives should reduce tool sprawl and centralize encryption management for better visibility and accountability.
- AI-driven exposure demands stronger governance: With 61% of AI systems already targeted by attackers, weak encryption and poor access governance amplify risks. Leaders must implement AI-specific security controls and continuous monitoring to safeguard sensitive data in automated environments.
- Credential theft takes the lead: Credential theft now drives 67% of cloud attacks, as machine identities become prime targets. Executives should prioritize advanced identity and access management to secure both human and machine credentials.
- Quantum readiness is falling behind: Sixty-one percent of companies fear that harvested encrypted data will one day be decrypted by quantum computing, yet 40% haven’t begun quantum-proofing their systems. Leaders should accelerate post-quantum cryptography adoption to protect long-term data integrity.
A project in mind?
Schedule a 30-minute meeting with us.
Senior experts helping you move faster across product, engineering, cloud & AI.
