Krishna Ksheerabdhi | VP, Product Marketing
More About This Author >
Krishna Ksheerabdhi | VP, Product Marketing
More About This Author >
The Thales 2025 Data Threat Report reveals a critical inflection point in global cybersecurity. As the threat landscape grows more complex and hostile, the rapid adoption of generative AI is amplifying both opportunity and risk. While GenAI promises powerful gains, rushed deployments are outpacing security readiness, leaving sensitive data increasingly vulnerable. With most security teams still navigating unfamiliar GenAI architectures, prioritizing data protection is urgent. This year’s report underscores a clear mandate: organizations must refocus their security strategies around the data they collect, process, and safeguard on behalf of customers and stakeholders.
Can Organizations Keep Up with AI Adoption?
As organizations race to embrace AI and capitalize on new capabilities, a new generation of risk is rapidly emerging. This year’s report exposes a troubling gap: while awareness of GenAI threats is growing, true preparedness remains dangerously low. It’s a moment that demands reflection and a reassessment of how ready we really are.
- Nearly 70% cited the fast-moving GenAI ecosystem as their greatest security concern. However, respondents in the more advanced stages of AI adoption aren’t waiting to fully secure their systems or optimize their tech stacks before forging ahead.
Because the drive to achieve rapid transformation often outweighs efforts to strengthen organizational readiness, these organizations may inadvertently create significant security vulnerabilities.
Among the challenges of securing AI-based systems is the growing complexity of application architectures, which necessitates improved application security.
- 34% of businesses have over 500 application programming interfaces (APIs) in use.
- 59% of the respondents are now concerned about code vulnerabilities, and 48% worry about their software supply chain.
However, only 16% identified secrets management as necessary for data protection, despite the high risk associated with secrets management failures, which can expose authentication data such as API keys. This concern is amplified given the high reported number of APIs in use.
Quantum Cuts Both Ways
Those surveyed identified three major quantum computing security threats.
- 63% cited future encryption compromise
- 61% said key distribution, and
- 58% are concerned about the future decryption of today’s data, including the “harvest now, decrypt later” threat.
In response to these concerns, standards bodies have made progress. NIST released a transition guide in 2024. The guide recommends phasing out RSA and ECC by 2030 and entirely discontinuing them by 2035, giving firms a decade to prepare for a quantum-secure future. Encouragingly, businesses are taking steps in the right direction.
- 57% are prototyping or evaluating post-quantum cryptography (PQC) algorithms.
- 48% of the respondents said they are assessing their current encryption strategies.
- 45% focus on improving their crypto agility.
- Only 33% rely on their telco or cloud providers to do the work for them.
Cloud Complexity Threatens Data Sovereignty
The Thales 2025 Data Threat Report highlights the rising importance of digital sovereignty in today’s cloud-driven world. As organizations expand their cloud footprints and navigate tightening data privacy regulations, the need for greater control over data handling has become critical. Businesses now assert control to decide where data resides, who manages it, and how it moves across platforms. Three distinct levels of sovereignty have risen: data sovereignty (control over data residency), operational sovereignty (control over personnel and operations), and software sovereignty (portability across platforms).
In the GenAI era, where sensitive data powers predictive models and automated decisions, sovereignty concerns are legal and operational.
- 33% of respondents said future-proof portability was the top driver behind sovereignty initiatives.
- 50% said they were willing to refactor applications to achieve it.
Complicating these efforts is the continued rise of multicloud environments, with 76% of enterprises saying they now use two or more public clouds. Differences in security models, pricing, and provider integration can lead to fractured implementations and tool sprawl.
Companies reported using five or more tools for data discovery alone, and a similar number of key managers for encryption. This fragmentation clouds visibility and undermines uniform policy enforcement, making simplification and consolidation a priority.
Compliance is More Than a Checkbox
The Thales 2025 Data Threat Report particularly reveals the powerful correlation between regulatory compliance and breach prevention.
- 78% of those surveyed who failed a recent compliance audit had a history of data breaches.
This is nearly four times the rate of those who passed all audits, widening the gap seen in 2021, and shines a clear light on a simple truth:
- Robust compliance processes do more than appease regulators; they dramatically reduce the chance of successful breaches.
However, achieving compliance remains challenging. Nearly half (45%) did not pass a recent audit, a sign of difficulties with manual processes and fragmented tooling. In complex hybrid environments, where data is scattered across clouds and on-premises, having no unified policy enforcement becomes a dangerous vulnerability.
Phishing, Malware, and the Rise of Resilient MFA
Malicious actors continue to hone and improve their tactics. Unsurprisingly, malware and phishing continue to top the list of threat vectors, with ransomware close behind as a rapidly growing concern. While human error is now perceived as a lesser risk, it remains a significant factor in data breaches, particularly when phishing attacks lead to stolen credentials.
One area showing marked improvement is the adoption of phishing-resistant authentication methods.
- Nearly 60% reported using biometrics
- 47% have adopted passwordless systems based on passkeys.
As more cloud applications support this method, passkeys may help neutralize entire classes of attacks, a promising sign of proactive security posture development.
These improvements may justify a sense of optimism:
- The percentage of businesses dealing with breaches dropped from 23% in 2021 to just 14% in 2025.
However, there’s little room for complacency because gaps remain. Only 57% of respondents reported using strong multi-factor authentication (MFA) for cloud applications more than half the time. Alarmingly, 13% of data breaches boiled down to the failure to enforce MFA for privileged users, a reminder that even as tools improve, their effectiveness hinges on consistent implementation.
Toward a Unified Approach to Data Protection
The key takeaway from the 2025 Data Threat Report is that data protection must evolve from a fragmented, siloed function into a cohesive, strategic capability. To meet today’s challenges, organizations must unify disparate security tools, enforce centralized policy controls, and ensure seamless, transparent protection across increasingly complex hybrid environments. Data security posture management, encryption & key management, and improved API visibility have become essential steps toward operational maturity.
Download the Thales 2025 Data Threat Report for in-depth findings, expert insights, and practical guidance on securing modern enterprises in the GenAI, multicloud, and quantum computing age.