TL;DR: OWASP’s latest Top 10 again places Broken Access Control at number one, reflecting how over-permissioned identities, static entitlements, and inconsistent enforcement across hybrid estates still leave authenticated users and workloads able to act beyond intended scope, according to P0 Security. The real gap is runtime entitlement governance, not login verification.
At a glance
What this is: an analysis of why broken access control remains the top OWASP risk and how hybrid cloud identity sprawl lets authorization failures persist.
Why it matters: IAM, PAM, NHI, and lifecycle teams all inherit the same runtime entitlement problem once identities cross cloud, on-prem, and CI/CD boundaries.
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read P0 Security's analysis of broken access control in hybrid cloud
Context
Broken access control is the failure of an authenticated identity to stay inside its intended permissions. In hybrid cloud, that failure is usually an identity governance problem, not a pure application bug, because permissions are spread across AWS IAM, Azure roles, Kubernetes RBAC, and on-prem directories.
The key issue is that access often outlives the condition that justified it. Temporary elevation becomes standing privilege, static roles meet ephemeral infrastructure, and security teams lose sight of who can do what at runtime.
That is why this topic belongs in the broader NHI and IAM governance conversation. Service accounts, workload identities, and API keys can bridge environments just as easily as human users can, which makes entitlement drift a shared control problem across identity programmes.
Key questions
Q: How should security teams govern access across hybrid cloud environments?
A: Security teams should govern hybrid access by measuring effective permissions, not just approved ones. The core control is continuous reconciliation across cloud IAM, directory services, Kubernetes RBAC, and workload identities so that stale grants, inherited roles, and exceptions are visible before they become abuse paths.
Q: Why does broken access control persist even when IAM policies exist?
A: Broken access control persists because policies are often static while infrastructure and identities are dynamic. A policy can exist and still fail if permissions are inconsistently enforced across systems, if temporary elevation becomes standing privilege, or if no one continuously checks the actual access an identity holds.
Q: What do teams get wrong about least privilege in cloud and on-prem estates?
A: Teams often treat least privilege as a provisioning decision instead of a runtime condition. In hybrid estates, the same identity may accumulate access through roles, inheritance, and exceptions, so the real problem is not defining least privilege once. It is maintaining it as environments change.
Q: Which identity governance control best reduces hybrid cloud authorization risk?
A: Continuous entitlement discovery is the most effective control because it exposes what identities can do across systems in real time. That gives security teams the data needed to remove stale grants, reduce privilege creep, and block cross-environment combinations that turn one account into a broad breach path.
Technical breakdown
Why broken access control persists across hybrid cloud IAM
Broken access control persists when identity policy is fragmented across multiple control planes that do not enforce the same semantics. AWS IAM, Azure roles, Kubernetes RBAC, and on-prem directory groups each express permissions differently, so least privilege becomes a moving target. The issue is not that access control is absent, but that the effective rights of an identity are assembled from overlapping grants, inherited roles, and environment-specific exceptions. In practice, this means an identity may be compliant in one system and over-permissioned in another. Runtime authorisation therefore depends on continuous reconciliation, not one-time approval.
Practical implication: map effective access across every control plane, not just assigned roles.
Static entitlements in ephemeral infrastructure
Cloud infrastructure changes faster than most access models. Instances disappear, containers redeploy, and workloads move, yet many permissions were designed for fixed servers and long-lived users. That mismatch creates stale entitlements, especially when temporary elevation is never revoked or when group membership silently persists after a task ends. The result is access that no longer matches the workload's purpose or lifecycle. In NHI terms, this is privilege persistence in a system that now expects short-lived execution. In human IAM terms, it is access that stays valid after the operational need has passed.
Practical implication: replace static grants with time-bound, scope-bound access tied to workload and task state.
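The time-bound, scope-bound model described above, as an added example that is not P0 Security's or NHIMG's code: each elevation references the task that justified it and carries a TTL, and the authorization decision is made at the point of use after reconciling task state and expiry, so revocation is part of the entitlement lifecycle rather than a separate cleanup. The grant store, scope strings, task identifiers and timestamps are constructed for illustration; a real deployment would back the store with the cloud provider's own temporary-credential mechanism.

```python
"""Time-bound, task-bound elevation with revocation built into the lifecycle.

Added illustration, not P0 Security's or NHIMG's code. The grant store,
task states, scopes and timestamps below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    identity: str
    scope: str          # constructed scope string, e.g. "aws:prod:s3:PutObject"
    task_id: str        # the change, ticket or job that justified the elevation
    expires_at: datetime
    revoked: bool = False


class JitAccessStore:
    """A grant is live only while its task is open AND its TTL has not elapsed."""

    def __init__(self):
        self.grants = []
        self.task_state = {}    # task_id -> "open" | "done"

    def elevate(self, identity, scope, task_id, now, ttl):
        """Record a temporary elevation tied to a task; never an open-ended grant."""
        self.task_state.setdefault(task_id, "open")
        grant = Grant(identity, scope, task_id, now + ttl)
        self.grants.append(grant)
        return grant

    def complete_task(self, task_id):
        """Signal from the workflow that the work behind the elevation has ended."""
        self.task_state[task_id] = "done"

    def reconcile(self, now):
        """Revoke every grant whose task finished or whose TTL passed; return what was revoked."""
        revoked = []
        for g in self.grants:
            if g.revoked:
                continue
            if now >= g.expires_at or self.task_state.get(g.task_id) == "done":
                g.revoked = True
                revoked.append((g.identity, g.scope, g.task_id))
        return revoked

    def is_authorized(self, identity, scope, now):
        """Decide at the point of use, after reconciling state, not from the approval record."""
        self.reconcile(now)
        return any(
            g.identity == identity and g.scope == scope and not g.revoked
            for g in self.grants
        )


def run_scenario():
    """Walk two elevations through their lifecycle; returns the decision at each step."""
    t0 = datetime(2025, 11, 13, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    store = JitAccessStore()
    store.elevate("sa/ci-deployer", "aws:prod:s3:PutObject", "CHG-1001", t0, timedelta(hours=1))
    store.elevate("user/alice", "ad:server:rdp", "INC-2002", t0, timedelta(hours=4))

    during = store.is_authorized("sa/ci-deployer", "aws:prod:s3:PutObject", t0 + timedelta(minutes=10))
    store.complete_task("CHG-1001")          # the deploy finished well before the TTL
    after_done = store.is_authorized("sa/ci-deployer", "aws:prod:s3:PutObject", t0 + timedelta(minutes=20))
    alice_mid = store.is_authorized("user/alice", "ad:server:rdp", t0 + timedelta(hours=2))
    alice_expired = store.is_authorized("user/alice", "ad:server:rdp", t0 + timedelta(hours=4))
    return {"during": during, "after_done": after_done,
            "alice_mid": alice_mid, "alice_expired": alice_expired}


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that two independent conditions end the grant: the task closing and the clock running out. Either one alone leaves the gap the section describes (a task that never closes, or a TTL long enough to become standing privilege), so the reconciler checks both on every authorization decision.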
Runtime entitlement governance and continuous visibility
Runtime entitlement governance means knowing what an identity can do right now, not what it was approved to do last quarter. Continuous visibility matters because drift, toxic combinations, and environment-specific exceptions are invisible to periodic review cycles. The article's point is that authentication can succeed while authorisation still fails, which is why attackers often move after login rather than before it. Effective governance therefore requires discovery, analysis, and enforcement to operate together across cloud and on-prem environments. Without that, access review becomes a record of outdated intent instead of current reality.
Practical implication: run continuous entitlement discovery and policy checks across identity systems.
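The two practical implications above (mapping effective access across every control plane, and running continuous entitlement checks against what was approved) can be combined in one reconciliation routine. The following is an added example, not P0 Security's or NHIMG's code: it expands nested group membership and assumable roles transitively, unions the grants from each control plane into an effective-access view, and diffs that view against the approval record to surface drift. The grants, membership edges, principal names and approval record are all constructed.

```python
"""Reconcile effective access across control planes and flag entitlement drift.

Added illustration, not P0 Security's or NHIMG's code. All control-plane data
below is constructed: a few AWS IAM actions, an Azure role assignment, a
Kubernetes RoleBinding verb, and nested on-prem directory groups.
"""
from collections import defaultdict

# Constructed direct grants: (control_plane, principal, action).
# A principal may be a user, an assumable cloud role, a service principal,
# a Kubernetes service account, or a directory group.
DIRECT_GRANTS = [
    ("aws",   "role/ci-deployer",    "s3:PutObject"),
    ("aws",   "role/ci-deployer",    "iam:PassRole"),
    ("azure", "sp/ci-deployer",      "KeyVault/Contributor"),
    ("k8s",   "sa/ci-deployer",      "pods/exec"),
    ("ad",    "group/Ops-Admins",    "server:rdp"),
    ("ad",    "group/Domain-Admins", "domain:admin"),
]

# Constructed inheritance edges: principal -> roles/groups it can act as.
# A user who can assume a cloud role, run as a service account, or sits in a
# nested group inherits everything granted to that role or group.
MEMBERSHIP = {
    "user/alice": ["group/Ops-Admins", "role/ci-deployer",
                   "sp/ci-deployer", "sa/ci-deployer"],
    "group/Ops-Admins": ["group/Domain-Admins"],
}

# Constructed approval record: what the last access review believes alice holds.
APPROVED = {
    "user/alice": {"ad": {"server:rdp"}, "k8s": {"pods/exec"}},
}


def expand_principals(principal):
    """Return the principal plus every role/group it inherits from, transitively."""
    seen, stack = set(), [principal]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(MEMBERSHIP.get(current, []))
    return seen


def effective_access(principal):
    """Union of grants for the principal and all of its ancestors, keyed by plane."""
    ancestors = expand_principals(principal)
    rights = defaultdict(set)
    for plane, grantee, action in DIRECT_GRANTS:
        if grantee in ancestors:
            rights[plane].add(action)
    return {plane: sorted(actions) for plane, actions in rights.items()}


def entitlement_drift(principal):
    """Effective rights the approval record does not account for, per plane."""
    approved = APPROVED.get(principal, {})
    drift = {}
    for plane, actions in effective_access(principal).items():
        extra = set(actions) - approved.get(plane, set())
        if extra:
            drift[plane] = sorted(extra)
    return drift


if __name__ == "__main__":
    for plane, actions in effective_access("user/alice").items():
        print(f"{plane:6} {actions}")
    print("drift:", entitlement_drift("user/alice"))
```

In this constructed data alice is compliant in the Kubernetes plane and over-permissioned in AWS, Azure and the directory, exactly the per-plane inconsistency the section describes; none of the extra rights appear in the approval record because they arrive through role assumption and group nesting rather than direct assignment.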
Threat narrative
Attacker objective: The attacker wants to turn one authenticated identity into broad cross-environment control by exploiting the gap between access approval and actual enforcement.
- Entry occurs after authentication succeeds, because the weakness is not login failure but an identity that already holds too much effective access.
- Escalation happens when over-permissioned roles, stale group memberships, or inherited privileges let the actor act outside the intended boundary across cloud and on-prem systems.
- Impact follows when that identity is used to reach production systems, CI/CD pipelines, or management planes and move laterally between environments.
Breaches seen in the wild
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Broken access control is now an identity governance failure, not just an application flaw. The article is right to move the problem out of the narrow developer bucket and into the operational reality of hybrid identity. When access is spread across cloud IAM, directory groups, Kubernetes RBAC, and workload identities, the meaningful control question is whether enforcement remains consistent after login. Security teams should treat authorization as a continuous governance domain.
Runtime entitlement governance is the missing control model for hybrid estates. Traditional access reviews capture assigned permissions, but they do not reliably capture effective permissions across heterogeneous systems. That gap explains why least privilege erodes even when approval workflows are technically in place. The implication is that identity programmes need a runtime view of access, not just a provisioning record.
Standing privilege remains the structural weakness behind modern authorization failures. Temporary elevation frequently becomes permanent because the lifecycle of the entitlement is not tied tightly enough to the lifecycle of the task or workload. Once that happens, compromise is less about breaking in and more about using access that was left available. Practitioners should assume persistence unless access is explicitly engineered to expire.
Identity blast radius is the right name for this problem. A single user, service account, or API key can bridge production, CI/CD, and on-prem systems, which means one weak entitlement can create multi-environment exposure. That is why broken access control scales so quickly in hybrid cloud. Security leaders should measure and reduce the blast radius of each identity, not just count identities.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often effective access remains hidden from governance processes.
- For the lifecycle view, NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding need to be governed together.
What this signals
Identity blast radius: the next phase of hybrid cloud governance is not just stronger approvals, but a measurable reduction in how far one identity can move across environments. Teams that still rely on periodic access reviews will keep missing the short-lived drift that happens between review cycles, which is why runtime visibility now matters more than audit evidence alone.
With 92% of organisations exposing NHIs to third parties, according to our Ultimate Guide to NHIs, hybrid access governance cannot stop at internal IAM boundaries. Security programmes should be preparing for entitlement checks that include vendors, shared workloads, and cross-cloud trust paths.
The practical shift is toward policy evaluation at the point of use, backed by continuous discovery and control mapping. That is where OWASP Non-Human Identity Top 10 becomes useful as a lens for over-privilege, sprawl, and secret-driven access paths.
For practitioners
- Inventory effective access across all control planes: build one view of effective permissions across AWS IAM, Azure roles, Kubernetes RBAC, and on-prem directories. Focus on what identities can actually do today, including inherited grants and exceptions.
- Tie temporary access to task completion: replace persistent elevation with time-bounded access that expires when the work ends. Make revocation part of the entitlement lifecycle instead of a separate cleanup step.
- Review cross-environment privilege combinations: look for identities that are benign in one system but dangerous when combined with rights in another. Prioritise service accounts, workload identities, and admin users that bridge cloud and on-prem systems.
- Automate continuous entitlement drift detection: use policy and discovery controls to surface privilege creep, stale group membership, and orphaned high-risk access before attackers find it.
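The third practitioner step (reviewing cross-environment privilege combinations) and the blast-radius measurement the analysis calls for can be expressed as a review-prioritisation routine. This is an added example, not P0 Security's or NHIMG's code: it takes an effective-access snapshot, tests each identity against combination rules whose individual rights are routine but which together bridge environments, ranks identities by how many control planes they can act in, and orders the review queue accordingly. The snapshot, the rule names and the action strings are constructed.

```python
"""Cross-environment toxic combinations and identity blast radius.

Added illustration, not P0 Security's or NHIMG's code. The effective-access
snapshot and the combination rules are constructed; the rules encode the
page's point that a right benign in one plane becomes dangerous alongside a
right in another.
"""
from collections import defaultdict

# Constructed effective-access snapshot: identity -> {control_plane: {actions}}.
# In practice this would be the output of an effective-access reconciliation.
SNAPSHOT = {
    "user/bob":         {"ad":  {"server:rdp"}},
    "sa/ci-deployer":   {"k8s": {"secrets/get"},
                         "aws": {"sts:AssumeRole:prod-admin"}},
    "apikey/build-bot": {"ci":  {"pipeline:write"},
                         "aws": {"iam:PassRole"},
                         "ad":  {"server:rdp"}},
}

# Constructed combination rules: each is a set of (plane, action) pairs that
# are individually routine but together let one identity cross a boundary.
TOXIC_COMBOS = {
    "ci-write-plus-cloud-passrole": {("ci", "pipeline:write"), ("aws", "iam:PassRole")},
    "k8s-secrets-plus-prod-assume": {("k8s", "secrets/get"), ("aws", "sts:AssumeRole:prod-admin")},
}


def flatten(rights):
    """{plane: {actions}} -> {(plane, action)} so rules can be tested as subsets."""
    return {(plane, action) for plane, actions in rights.items() for action in actions}


def toxic_combinations(snapshot=SNAPSHOT):
    """Identities whose effective rights satisfy every pair of at least one rule."""
    hits = defaultdict(list)
    for identity, rights in snapshot.items():
        flat = flatten(rights)
        for rule, pairs in TOXIC_COMBOS.items():
            if pairs <= flat:
                hits[identity].append(rule)
    return dict(hits)


def blast_radius(snapshot=SNAPSHOT):
    """Rank identities by how many control planes they can act in, broadest first."""
    return sorted(((identity, sorted(rights)) for identity, rights in snapshot.items()),
                  key=lambda item: (-len(item[1]), item[0]))


def review_queue(snapshot=SNAPSHOT):
    """Review order: identities with toxic combinations first, then by blast radius."""
    toxic = toxic_combinations(snapshot)
    ranked = blast_radius(snapshot)
    flagged = [identity for identity, _ in ranked if identity in toxic]
    rest = [identity for identity, _ in ranked if identity not in toxic]
    return flagged + rest


if __name__ == "__main__":
    print("toxic:", toxic_combinations())
    print("blast radius:", blast_radius())
    print("review queue:", review_queue())
```

Encoding combinations as sets of (plane, action) pairs keeps the rules independent of any one provider's policy language, which matters because the whole point of the section is that AWS, Azure, Kubernetes and directory semantics differ; the subset test only needs a normalised view of what each identity can do.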
Key takeaways
- Broken access control persists because hybrid identity environments make effective permissions harder to see and govern than authenticated login itself.
- The evidence points to stale privilege, inconsistent enforcement, and hidden cross-environment access as the real drivers of authorization failure.
- The control response is runtime entitlement governance, backed by continuous discovery, task-bound access, and better visibility into identity blast radius.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Broken access control maps to over-privilege and weak entitlement governance. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed continuously across heterogeneous environments. |
| NIST Zero Trust (SP 800-207) | 3.1 | Zero Trust requires continuous authorization, not login-only verification. |
Map hybrid identities to OWASP-NHI risks and remove persistent access that exceeds task scope.
Key terms
- Broken Access Control: A condition where an authenticated identity can perform actions beyond the permissions intended for it. In hybrid environments, the failure often comes from inconsistent entitlement enforcement across platforms, not from authentication weakness alone.
- Effective Access: The real permissions an identity can use at runtime after roles, inheritance, exceptions, and overlapping policies are all applied. It often differs from approved access and is the only view that reveals true authorization risk.
- Identity Blast Radius: The set of systems, data, and operational control that a single identity can reach if its access is abused. In hybrid estates, this can extend across cloud, on-prem, and CI/CD boundaries, making one weak entitlement disproportionately dangerous.
What's in the full article
P0 Security's full article covers the operational detail this post intentionally leaves for the source:
- The OWASP Top 10 changes and how broken access control compares with the other ranked issues
- Examples of how AWS, Azure, Kubernetes, and on-prem identity models diverge in practice
- The article's own view of why runtime entitlement enforcement is harder than authentication hardening
- The original wording and context around just-in-time and continuous access governance
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-11-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org