Almost every organisation running cloud-native systems experienced a security incident in the past year. That figure alone would be striking, but the detail that makes Red Hat’s 2026 State of Cloud-Native Security Report genuinely uncomfortable is what caused most of those incidents.
According to the report, published in late March, 97% of organisations reported at least one cloud-native security incident over the previous 12 months. Misconfigured infrastructure or services topped the list of causes at 78%, followed by known vulnerabilities and unauthorised access. These are not sophisticated zero-day attacks or novel threat techniques. They are execution failures that repeat across organisations at significant cost.
The report’s most pointed finding concerns the gap between perceived and actual security readiness. While 56% of respondents described their day-to-day security posture as proactive, only 39% reported having a mature and well-defined cloud-native security strategy. Around 22% had no defined strategy at all. That means roughly six in ten organisations are operating on confidence rather than structure, which is a meaningful distinction when incidents arrive.
The practical consequences show up in delivery timelines as much as in breach statistics. Some 74% of organisations delayed or slowed application deployments in the past 12 months due to security concerns. Among those reporting downstream effects, 52% said remediation demands consumed more time than planned, 43% reported lower developer productivity, and 32% said incidents had damaged customer trust. Security functioning as a brake on delivery rather than a component of it remains a persistent and expensive pattern.
Generative AI has introduced a new layer of complexity that previous editions of the report did not need to address. Some 58% of organisations now identify AI adoption as a core driver of security planning, and 96% expressed concerns about generative AI in cloud environments, with fears centering on sensitive data exposure, shadow AI tools deployed without approval, and insecure third-party integrations. Despite that near-universal concern, 59% of organisations currently lack documented internal AI use policies or governance frameworks.
Red Hat has responded to the AI governance gap through its Zero Trust Workload Identity Manager, made generally available on OpenShift in January 2026, which extends cryptographic identity verification to AI agents operating at runtime, covering interactions that traditional perimeter security does not reach.
The report’s overall conclusion is that cloud-native security’s primary challenge in 2026 is the distance between the posture organisations believe they maintain and the one their actual processes sustain.
