License management may be one of the cases where there's an actual benefit for companies. Then again, it's at the expense of heightened dependency on someone else. But that's quite normal as far as business decisions go; you always depend on someone, somehow. But it's rarely limited to license management, and the question really is and should be how critical the information is for the survival of the company that must inevitably be sent back and forth between the cloud provider and you.
Can you trust the cloud provider?
Can you trust his employees?
Can you trust the underlying public IT infrastructure?
Will the dependency on the cloud provider create a single point of failure for company operations?
Can the cloud infrastructure handle sustained DDoS attacks from a cyber mob?
What's the potential damage to the company - both in finances and reputation - if the cloud provider cannot protect the data, or cannot maintain the infrastructure?
Tight security can only be maintained for truly critical data, if at all. The more people are involved, the more people can (and will) screw up. IT security requires a security-oriented mindset in the first place, and since that mindset is often detrimental to other, equally important processes, it must be limited to what's absolutely necessary. There, however, half-assed solutions are worse than no solutions at all. IT security isn't free, never was, never will be. Willingness to hand over mission-critical infrastructure to some service provider requires desperation, or a huge leap of faith (which more often than not results in a broken nose after the fall). If it cannot be avoided (the "desperation case"), have some contingency plan for a worst case scenario.
The worst case can have many different faces. It could be data duplication that goes completely unnoticed. That's a risk that you'll also have to take for complete in-house solutions, of course. The vast majority of IT attacks are insider jobs, after all. Having everything in a remote location (e.g. a data center near the Arctic Circle) certainly reduces the chances of disgruntled employees gaining physical access to it. Then again, you just have to trust that this data center under aurora borealis illumination actually is as secure as the cloud operator claims, that your data are really there and not elsewhere, that the data center actually exists (if you want to go full retard on paranoia), that there are no government mandated backdoors, and if they exist, that they are created in a way that only the government can use them (unlikely).
Then there's the case of data theft and blackmail.
Then there's the case of PII data falling into the hands of cybercriminals (identity theft, credit card fraud) which opens the door for litigation risk and damage to reputation.
A careful analysis will probably reveal more possible risks. Some of them can be diminished with cloud solutions, others may be increased, but in any case good risk management starts with a systematic analysis of what can go wrong, and contingency plans for how to react to it. The times where all vital corporate knowledge was stored in lever-arch file binders and Rolodexes are long over, yet some managers still haven't grasped the graveness of the situation (or are unwilling to actually deal with it).