Financial services organizations have moved beyond asking whether to adopt cloud computing and artificial intelligence. The conversation has shifted to how these technologies can be governed, secured, and managed at scale.
The strategic question is no longer whether institutions will adopt cloud services, Large Language Models (LLM) and agents. It is now whether security, governance, and operating models are evolving fast enough to keep pace to manage the potential risk. The 2026 survey findings show a sector moving toward agent-mediated financial operations. Sixty-two percent of organizations report deploying AI agents. Among those using agents, 38 percent have granted conditional or high autonomy.
According to the 2026 State of Cloud and AI for Financial Services report from the Cloud Security Alliance and Anjuna, cloud adoption has reached near-universal levels, with 98.3% of financial services organizations operating cloud environments. At the same time, AI adoption has accelerated significantly, with more than 90% of organizations either using, piloting, or actively implementing AI technologies.
The report makes one thing clear: the future of financial services will be increasingly cloud-powered, AI-enabled, and autonomous but only organizations that invest in security and governance will fully realize the benefits.
Key Findings
Cloud Adoption: A Universal Baseline with New Complexities
Only 1.7 percent of respondents describe their organizations as entirely on-premises. The remaining 98.3 percent spans primarily on-premises with some cloud at 20 percent, hybrid environments at 46 percent, primarily cloud with some on-premises at 14 percent, and fully cloud-based architectures at 19 percent. Hybrid remains the dominant model because legacy core systems still coexist with cloud-native services.
For most institutions, the real work now lies in managing resilience, data locality, integration, and control across mixed environments rather than deciding whether to use cloud at all.
The report’s message is clear: cloud has become infrastructure, and the governance challenge now sits in how it is used, not whether it is used.
Multi-Cloud Strategy: Active Diversification and Exit Planning
Multi-cloud strategy is actively changing. Nearly half of respondents, 48 percent, report changing their cloud service provider strategy in the prior 12 months. Among those organizations, 44 percent migrated workloads between providers, 37 percent introduced exit or contingency plans, 31 percent consolidated providers, 29 percent added a new CSP, and 25 percent reduced reliance on a single provider.
The primary drivers of CSP strategy changes reflect a more disciplined approach to cloud concentration and the priorities shaping financial services. Improved resiliency and availability was the leading driver at 51 percent, narrowly ahead of cost optimization at 50 percent.
The most common questions are how to distribute workloads across providers to optimize for resilience, cost, and regulatory compliance.This shift likely reflects, at least in part, DORA’s explicit requirements for ICT third-party exit strategies, which became enforceable in January 2025.
The Governance Framework Landscape: Fragmented but Evolving
ISO/IEC 27001 leads adoption at 62 percent, confirming its position as the de facto baseline for information security management in global financial services. The NIST Cybersecurity Framework follows at 59 percent, SOC 2 attestations (42 percent). The CSA Cloud Controls Matrix maintains strong adoption at 39 percent, serving as a cloud-specific complement to broader frameworks. Note that for CSA’s STAR Level 2, independent assessments for CCM, they must be associated with either an ISO/IEC 27001 or SOC 2 assessment.
This fragmentation creates both risk and opportunity. The risk is that organizations invest significant effort in compliance mapping without achieving coherent security outcomes. The opportunity is for integrative frameworks to serve as unifying layers that reduce duplication and align cloud and AI security governance within coherent control structures.
This also is the catalyst for CSA’s Compliance Automation Revolution (CAR) to support industry interest in creating more machine-language capabilities to accommodate continuous monitoring, real-time security posture and more easily demonstrated compliance requirements.
Security Posture: Tools, Risks, and Priorities
The security tooling landscape is maturing, but coverage is uneven. SIEM remains the most widely deployed tool at 76 percent. This could reflect regulatory requirements for central log aggregation, audit trails and alerting as well as the customization, such as tailored automated forensics as noted by one respondent.
CSPM follows at 56 percent, XDR for cloud at 40 percent, CNAPP at 39 percent, and CWPP at 28 percent. Respondent write-ins also point to the next wave of tooling, including AI Security Posture Management, DSPM, CTEM, and shadow-AI detection.
CSPM adoption shows significant adoption in the past three years up from an estimated 25-29%, representing the fastest-growing tool category.
Top Risks
When asked to identify the three greatest security risks to their cloud infrastructure, respondents produced a risk ordering that reflects the current threat environment. Third-party risks and supply chain attacks dominate at 55 percent. Cloud misconfigurations remain the second greatest concern at 52 percent, a persistent challenge that reflects both the complexity of cloud environments and the difficulty of maintaining consistent security configurations across multi-cloud architectures.
One notable shift from prior surveys is the dramatic decline of ransomware as a perceived top-three risk, falling to just 9 percent of respondents — down from a far more prominent position in 2023 when it featured alongside data exfiltration and system sabotage as a leading concern.
Implementation Barriers: Budget, Skills, and Policy Maturity
The greatest barriers to implementing new cloud security capabilities paint a picture of an industry constrained less by technology availability than by organizational capacity. Budget limitations and competing priorities lead at 45 percent, a persistent challenge that reflects the tension between security investment and revenue-generating initiatives.
The skills gap has also migrated up the technology stack since the prior surveys. In 2020, the shortage was primarily in foundational cloud security competencies — configuring cloud-native controls, understanding shared responsibility models, managing cloud IAM. By 2026, the AI/ML expertise gap (45 percent) surpassed the cloud security staffing gap (28 percent) as the more acute constraint, and the talent market for AI security professionals resembles the cloud security market nearly a decade prior:
Intense competition for practitioners who combine machine learning expertise with security architecture knowledge and financial services domain understanding.
AI Agents: The Autonomy Frontier
Sixty-two percent of respondents report that their organization is using AI agents. Because the survey defined agents broadly, that figure includes both more capable autonomous systems and simpler task-oriented bots. Even so, the adoption signal is strong. Only 27 percent report no agent use, and 11 percent are unsure, which may itself signal shadow deployment outside formal governance.
The most immediate AI risk for enterprises is not adversarial attack on AI systems but rather the uncontrolled exposure of sensitive data through normal use of those systems
From cloud security to AI-cloud security
One of the most important insights from this report is that cloud security and AI security can no longer be treated as separate disciplines.
The report found that:
- 61% of respondents identified sensitive data leakage as their top AI security concern.
- 55% identified third-party and supply chain risks as their leading cloud security concern.
- 62% are already deploying AI agents.
- 20% reported known AI-related security incidents, while another 21% were unsure whether incidents had occurred.
As AI becomes integrated into business processes, organizations must move beyond traditional cybersecurity approaches and focus on:
- AI governance and oversight
- Identity and access management for human and non-human identities
- Data classification and protection
- Cloud security posture management
- Third-party risk management
- Zero Trust architecture
- AI readiness and workforce awareness
The organizations that succeed in the AI era will not necessarily be those adopting AI the fastest. They will be the ones building secure, trusted, and well-governed digital foundations that allow innovation to scale safely.
Preparing for the Future of Cloud and AI?
Whether your organization is exploring:
- Cloud modernization
- AI readiness
- Cloud security assessments
- Identity and access management
- Zero Trust security
- AI governance frameworks
- Microsoft 365 or Google Workspace security
Reputiva can help you build a secure foundation for digital transformation. Our cloud, cybersecurity, and AI readiness services are designed to help organizations adopt emerging technologies while maintaining security, compliance, and operational resilience.
Book a consultation with Reputiva to discuss your cloud security, AI governance, and digital transformation strategy.
