Lift-and-shift often moves systems faster than governance can classify them. That leaves inherited permissions, unclear ownership and stale controls in place while compliance obligations change underneath them. The hidden risk is not the move itself. It is the absence of a current control story for the new cloud state.
Why This Matters for Security Teams
Lift-and-shift migrations often preserve the exact identity sprawl that teams intended to modernise. Service accounts, API keys, vault entries, and inherited RBAC mappings move into the cloud before ownership, rotation, and review processes catch up. That creates a compliance gap because the control environment changes faster than the identity inventory. NIST’s Cybersecurity Framework 2.0 treats governance and control maintenance as ongoing work, not a one-time migration task.
NHI Management Group’s Ultimate Guide to NHIs shows why this matters operationally: 97% of NHIs carry excessive privileges, and 71% are not rotated within recommended time frames. In a lift-and-shift scenario, those patterns are rarely introduced by the migration. They are simply carried forward into a new trust boundary, a new audit scope, and often a new data residency regime. In practice, many security teams discover the identity risk only after the cloud cutover has already expanded access paths and broken the old control assumptions.
How It Works in Practice
The main failure mode is continuity without reclassification. A lift-and-shift move may reproduce production access exactly as it existed on-premises, but the cloud environment changes the meaning of that access. A service account that was acceptable behind a network segment may become overprivileged once it can reach more APIs, storage, and automation planes. NHI Management Group’s Top 10 NHI Issues and Lifecycle Processes for Managing NHIs both point to the same operational requirement: identify, classify, and continuously govern machine identities before and after the move.
Practitioners should expect three controls to matter most:
- Inventory all non-human identities before migration, including secrets in code, CI/CD, and backup systems.
- Revalidate ownership, purpose, and business justification for every identity after it lands in the cloud.
- Replace inherited long-lived secrets with rotation, expiration, and revocation processes tied to change events.
Compliance risk appears when the new cloud state no longer matches the evidence collected for the old environment. A control that was documented for an on-prem application may fail under cloud logging, key management, or shared responsibility requirements. Current guidance suggests mapping identity controls to the target state, not the source state, and preserving audit evidence for both the migration and the post-migration baseline. These controls tend to break down in hybrid environments where ownership is split between infrastructure, application, and security teams because no single group can prove effective authority over the migrated identities.
Common Variations and Edge Cases
Tighter migration control often increases delivery time and remediation cost, so organisations must balance speed against the cost of inheriting unknown identity risk. That tradeoff becomes sharper when regulated workloads, third-party integrations, or shared platform accounts are involved.
Not every lift-and-shift creates the same exposure. A simple stateless workload with ephemeral credentials is easier to normalise than a legacy application that embeds secrets in configuration files or depends on service accounts with broad shared access. Best practice is evolving, but current guidance is clear that a migration is not complete until the identity estate is re-baselined and the compliance story is updated. NHI Management Group’s Regulatory and Audit Perspectives is useful here because auditors will usually ask for current ownership, rotation evidence, and revocation paths, not just a migration checklist.
Edge cases include M&A integrations, shared SaaS administration, and environments with hard-coded secrets that cannot be rotated without code changes. In those situations, the hidden risk is not only technical drift but accountability drift, because no one can confidently attest who approved the access, how long it remains valid, or which policy now governs it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Lift-and-shift often preserves stale NHI credentials that should be rotated or revoked. |
| NIST CSF 2.0 | GV.OC-03 | Migration changes the operating context, so ownership and governance must be re-established. |
| NIST AI RMF | The same governance gap applies when autonomous or AI-enabled workloads are migrated. |
Assess migrated systems for changed risk, accountability, and policy enforcement in the new environment.
Related resources from NHI Mgmt Group
- Why do non-human identities create compliance risk even when policies exist?
- Why do identity provider migrations often create hidden governance risk?
- Why do silent data changes create governance risk for identity and security programmes?
- Why does self-managed DNS create more operational risk for identity teams?
