Which is the greater risk: advancing into the cloud without a plan, or assuming that identity controls will catch up later? In the Asia–Pacific region, organisations appear to be confronting that very dilemma as they build cloud strategies while identity-related risks already account for the largest share of cloud breaches.
Where organisations stand
Many organisations in the region are still in the early stages of building their cloud strategy. At the same time, identity-related risks are the leading cause of cloud breaches. Those two facts, stated plainly, set up a clear tension: adoption is underway, but the most common pathway to compromise—problems tied to identity—has already emerged as the dominant cause of incidents.
Why the gap matters
The combination of early-stage cloud plans and identity-led breaches suggests several practical vulnerabilities. When organisations are still defining architecture, governance and operational practices, they may not have fully matured controls for authentication, access management, credential lifecycle or visibility across cloud identities. That immaturity can increase the window in which identity weaknesses exist and can be exploited.
Because identity-related issues are the leading cause of cloud breaches, even incremental missteps—such as insufficiently scoped permissions, weak credential protections or incomplete oversight of privileged accounts—could have outsized consequences in cloud environments. In short, the timing of adoption and the nature of the principal threat intersect in a way that elevates risk.
How different stakeholders should read the signals
- For technologists: the facts suggest prioritising identity-focused measures early in cloud programmes. Where cloud strategy is still being formed, incorporating identity controls into architecture, deployment and operations may reduce exposure as services scale.
- For policymakers and risk managers: the concurrence of early-stage adoption and identity-led breaches indicates a potential need to align guidance, standards and oversight with the practical realities of cloud rollouts. Policies that emphasise identity hygiene and accountability may address the leading vector for compromise.
- For users and business leaders: the situation underscores that moving workloads to the cloud is not solely a technical migration. It is also an identity-management challenge that touches procurement, vendor relationships and ongoing governance. Awareness of identity risk should inform decisions about pace, scope and controls.
- For potential adversaries: the two facts together imply that the regions’ varying levels of maturity create opportunities. Where identity protections lag cloud adoption, the likelihood of successful exploitation may rise.
What organisations can consider now
The reported state of play — early-stage cloud programmes paired with identity-driven breaches — argues for treating identity as a front-line concern rather than as a later optimisation. That does not prescribe a single technical solution, but it does suggest sequencing: make identity controls, visibility and governance visible elements of early cloud strategy planning rather than post-deployment add-ons.
At minimum, the facts point to three pragmatic priorities: designing cloud architectures with identity boundaries in mind; establishing governance that ties identity to risk and accountability; and aligning operational practices so that identity controls are tested and adapted as cloud usage grows. Each of these is an area where attention paid early could reduce reliance on retroactive fixes.
Viewed together, the two statements supplied — that many organisations are still building cloud strategy, and that identity-related risks lead cloud breaches — form a warning and an opportunity. They warn that accelerating cloud adoption without commensurate identity controls can magnify risk. They offer the opportunity to reduce that risk by front-loading identity work into cloud strategies now, while architectures and processes are still taking shape.
If the region’s cloud journey is only beginning, will leaders treat identity as an afterthought or as the foundational element it appears to be? The choice will shape how exposure evolves as cloud adoption continues.




