Source: http://www.pwc.com/us/en/tech-effect/cloud/manage-cloud-transformation-risk.html

4 ways to manage cloud transformation risk: PwC


Summary

- Cloud and data modernization, especially with AI integration, adds complexity and requires careful management of risks.
- Effective use of the shared responsibility model with CSPs and a strong multi-cloud governance program are essential to success.
- Build trust through security compliance and risk management integration to avoid costly redesigns and delays.
- Employ continuous compliance to reduce audit fatigue and respond to compliance gaps in real-time.

Like any transformation initiative, cloud and data modernization comes with risks. And now that AI is often part of the effort, the technology landscape is even more complex. As CFOs take advantage of more scalable, more flexible cloud architectures, companies can more easily tap into rapidly advancing technologies. But that raises new questions for your risk and compliance teams: Is your data sensitive or subject to regional regulations? Do you have a clear understanding of your cloud service provider’s (CSP’s) control environment for the products, services and technologies you use?

PwC’s 2024 Cloud and AI Business Survey asked more than 1,000 business executives about their digital transformation strategy and practices. The survey identified a group of Top Performers — 12% of respondents — whose companies are more likely to realize value from their cloud and related technology investments. Notably, these top-performing companies are about twice as likely as other companies to see improved outcomes related to risk, security and controls.

Applying the proper risk and controls lens is essential to successful cloud and technology investments. In a rush to deploy new technologies and retain a competitive advantage, some companies overlook these considerations. But a lack of strong risk management can potentially lead to unforeseen consequences, including cybersecurity breaches, business disruptions, regulatory violations and fines, plus costly budget overruns. Drawing on our research and our significant history working alongside Fortune 1000 companies, we’ve identified four key risk and controls success factors and what you can do to get more from your cloud investments.

1. Use the shared responsibility model with your CSPs for greater transparency

In our survey, less than a quarter (23% of Top Performers and 24% of other companies) cite inadequate or a lack of cyber and privacy controls as a top-three barrier to achieving measurable value from their cloud technologies. A shared responsibility model can help delineate the distinct security and management responsibilities between cloud service providers and their customers. For technology and business executives navigating the transition to the cloud, understanding this shared responsibility model is important for laying a foundation of reliable security, risk management and compliance. While it seems intuitive as a concept, many companies struggle to confidently understand where a cloud provider's responsibility ends and the consumer's responsibility begins.

Variations of the shared responsibility model exist based on the CSP used, the family of cloud services consumed (e.g., compute, networking, databases, machine learning), whether you employ a managed service or serverless options, and a myriad of other factors.

Both business and security executives should understand the cloud services their organization uses, including the platforms and technologies, along with the recommended industry leading practices, configurations and controls to be applied. Only 52% of surveyed executives who use CSPs say they are monitoring and managing compliance with their CSPs. Are you part of the nearly half leaving that on the table?

To help identify control gaps and opportunities for enhancing existing controls responses to relevant risks, use an industry-accepted controls framework to evaluate your cloud environments for areas where new or enhanced controls are needed. As new cloud services and AI models are adopted, update your risk register and controls library accordingly. Inventory your resources and assets in the cloud — appropriate risk and control treatment can't be performed without identifying what resides in your cloud estate.

You also want to understand what controls your CSP has in place for their side of the shared responsibility model, and whether those controls have been tested and operate effectively. Currently, just 37% of companies in our survey say they conduct regular audits of their CSPs. If you require more clarity in your CSP and its controls posture, consider adding a right-to-audit clause during contract negotiations and working with your CSP to provide greater transparency.

To further help build confidence, obtain your CSP’s third party-issued reports on internal controls, referred to as system and organization controls (SOC) reports. Review these SOC reports to better understand the services your organization uses, whether they’re cloud- or AI-specific services provided by the CSP. Those services would be listed in the SOC section that details the services covered within the scope of the report.

“Only 52% of executives are monitoring and managing compliance at their CSPs.”

Source: PwC's 2024 Cloud and AI Business Survey

2. Establish a strong governance program for multi-cloud environments

With the number of services and offerings from CSPs continuing to grow rapidly — especially new AI offerings — cloud customers want to take advantage of industry leading capabilities, and that often manifests in a multi-cloud strategy. Many organizations — 72% according to our survey — embrace a multi-provider model that leverages the top capabilities each CSP has to offer.

Despite unprecedented growth overall, increased competition between these CSPs has made it difficult to keep attracting talent with a broad range of technical acumen and deep cloud knowledge. Additionally, there are no all-in-one software solutions to adequately evaluate cloud and AI ecosystems. Cloud providers often introduce new features and capabilities, while application programming interfaces (APIs) change frequently — making it even more challenging to develop a unified view to help identify misconfigurations, where and when patches should be applied or where missing controls are required.

Given these challenges, an effective governance program is essential when workloads are distributed across multiple cloud providers. Governance can give structure and stability to a constantly changing environment, allowing organizations to realize greater return on investment and avoid missteps. A strong governance framework can help cover domains such as asset and configuration management, financial operations, data management, and security and compliance.

One way to assist with driving governance across the organization is by establishing a cloud center of excellence (CCoE). The CCoE is a cross-functional team with business, finance, operations, security and technical departments working together to help drive uniformity and consistency in adopting industry leading practices, standards and guidelines throughout the organization. It can also identify inconsistencies in tooling, processes and architectures, providing insights to help risk management teams identify, document, course-correct and apply any necessary remediation strategies. The CCoE should also work in close alignment with governance teams to achieve a unified approach to strategy and leading practices, particularly around managing technology risks and controls. This collaboration is crucial, especially as technologies are increasingly deployed within cloud environments.

72% of organizations employ a variety of cloud providers

Source: PwC's 2024 Cloud and AI Business Survey

3. Build and develop trust with security compliance and risk management

Eighty-seven percent of survey respondents say they’ve implemented controls to confirm that relevant risks posed by AI solutions have been addressed. Far too often, though, it’s not until workloads are production-ready that security, compliance and risk management get involved. Control gaps and unmitigated risks are then identified, causing technology and business teams to address these findings by re-engineering processes that were already laid out during requirements and design planning. As a result, go-live dates may be pushed out, causing strain, incremental cost increases and unnecessary frustration.

A better way is giving security compliance and risk management an active role during software and system development, serving as value-added contributors integrated from the onset and consulted throughout cloud migration and modernization life cycles. Building trust entails open and clear communication in the development process, as well as weaving security control and policy requirements into the fabric of applications and their underlying infrastructure from the earliest stages. This also allows audit and compliance teams to evaluate workloads sooner, which in turn helps improve deployment speed, produce quality engineering and reduce burdensome redesign later in the development process.

Trust also entails embracing a culture of curiosity and developing technical fluency, allowing security, compliance and risk management teams to serve as trusted advisors to technology departments — a relationship that, at many companies, is strained or nonexistent. Such an environment can lend itself to ongoing collaboration, resulting in new opportunities to help bridge the gap with engineering and development, working together as a cohesive unit. Trust should also extend across every facet of your technology ecosystem, as a principle integrated throughout your transformation journey and covering all software and system development.

“98% of Top Performers have implemented controls to confirm AI risks have been addressed.”

Source: PwC's 2024 Cloud and AI Business Survey

4. Adopt strategies for continuous compliance with controls automation

Navigating cloud and related technologies for numerous internal and external audits, especially in heavily regulated environments, has proven to be incredibly challenging. The growing number of regulations and compliance requirements has left many teams exhausted from audit fatigue: countless hours spent manually reproducing audit evidence and artifacts to satisfy regulators and assessors, as well as internal and external auditors. Organizations need the ability to identify gaps in real-time and respond to them just as quickly — something automation can readily provide.

Continuous compliance as a strategy leverages the automation capabilities within cloud to help reduce administrative overhead, outputting tailored reports on a recurring basis and alerting teams to issues as they arise. Compliance-as-code solutions can even use configuration settings and standard templates to automatically deploy solutions as needed. Cloud-native and third-party tooling is commonly used to evaluate cloud estates for any gaps in controls and often has the ability to fix issues or roll back to previous settings if new configurations stray from security requirements.

This type of automation can allow auditors to inspect configuration settings applied throughout their environments and move away from arduous, sample-based testing. This can significantly free up your technology team from audit support tasks, allowing the group to focus on more strategic, higher-priority items.

Top-performing companies are 2x more likely to see improved outcomes related to risk, security and controls.

Source: PwC's 2024 Cloud and AI Business Survey

Shar Qureshi

Partner, Digital Assurance and Transparency


Sarah Best

Principal, PwC US
