TL;DR: Latio’s 2025 Cloud Security Market Report says 53% of practitioners want more Application Detection and Response, while 65% want better runtime visibility into AI models and applications, reinforcing the shift from posture-heavy CNAPP toward CADR, according to Oligo Security. Runtime context now matters because modern cloud risk is defined by what is executing, not just what is deployed.
NHIMG editorial — based on content published by Oligo Security: The Future of Cloud Security is Runtime
By the numbers:
- 65% said they want better visibility into how AI models and applications behave at runtime.
Questions worth separating out
Q: How should security teams prioritise cloud vulnerabilities when runtime exposure is unclear?
A: Teams should prioritise vulnerabilities that are reachable in the current runtime state, not just those that score highest in abstract.
Q: Why do runtime controls matter more than posture alone for cloud workloads?
A: Posture tells you what could be wrong at deployment time, but runtime tells you what is happening now.
Q: What do security teams get wrong about application-layer cloud protection?
A: Many teams assume broader platform coverage automatically means better protection.
Practitioner guidance
- Separate posture findings from runtime exposure Create a workflow that classifies findings into configuration risk, reachable runtime risk, and active exploitation risk.
- Prioritise live code-path exposures first Tie vulnerability response to function-level reachability so teams fix the issues that are actually callable in production.
- Extend monitoring to AI-enabled workflows Instrument the service identities, tool calls, and application interactions that accompany AI-driven runtime behaviour.
What's in the full article
Oligo Security's full article covers the operational detail this post intentionally leaves for the source:
- How the vendor defines CADR across cloud, workload, application, and AI runtime contexts
- The runtime protection architecture the article associates with function-level reachability and live response
- Why the vendor argues posture-heavy CNAPP tools are missing application-layer context
- How Oligo positions its own runtime visibility claims against the market shift described by Latio
👉 Read Oligo Security's analysis of the cloud security shift toward runtime protection →
Cloud application detection and response: what it means for IAM teams?
Explore further
Runtime security is now an identity problem, not just a cloud security problem. Once applications, workloads, and AI systems act in production, the real question is who or what is allowed to do what at runtime. That pulls workload identity, secret exposure, and service-to-service trust into the same governance conversation. Organisations that still treat these as separate disciplines will keep missing the control boundary that matters most.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials, according to The 2024 Non-Human Identity Security Report.
A question worth separating out:
Q: How can organisations tell whether AI runtime monitoring is working?
A: A working programme can explain which AI-driven actions were observed, which service identities enabled them, and whether those actions stayed inside approved operational scope. If the team only sees dashboards and not the behaviour chain from input to tool use to effect, the control is too shallow to rely on.
👉 Read our full editorial: Runtime cloud security is displacing CNAPP for workload protection