I've seen many pitfalls in my time. Often cloud adoption builds a head of steam and charges off down the tracks to do cloud migration, but then there's an absence of control.
Cost control, understanding who can actually spin up cloud resources under a pay-as-you-go model, is very important. And who's responsible for switching them off if they don't work. That allocation of who's actually paying for those cloud resources needs to be a closed loop, because if it isn't, people can basically treat the cloud as if it's free, but somebody, ultimately in that organisation, will get the bill.
Cloud is almost infinitely flexible, but with that infinite flexibility comes a potential for misconfiguration. So if something is misconfigured in a way which is not to an industry-recognised or a vendor-recognised standard, then that can potentially lead to security exposures.
You need to know where your data is, what the controls are around that data, and also understand who it is that has got the ability to extract potential snapshots of that data or your whole organisational data set to do whatever they happen to feel the need to do. This is part of understanding what you've got and then building adequate controls around it irrespective of whether it's on premises or within the cloud. That's just a basic hygiene factor.