By NHI Mgmt Group Editorial Team
Published 2026-06-16
Domain: Governance & Risk
Source: Unosecur

TL;DR: 94% of organisations had at least one high-severity identity control gap, with 68% failing privileged-account multifactor authentication and four recurring gap families driving 70% of findings, according to Unosecur’s Cloud Compliance Pulse H1 2025. The scale of exposure shows why cloud identity governance now has audit, insurance, and breach implications beyond traditional access reviews.


At a glance

What this is: Unosecur’s H1 2025 cloud compliance pulse quantifies identity control weakness across public-cloud estates and shows privileged MFA remains the most common violation.

Why it matters: Cloud identity gaps now affect audit readiness, breach exposure, and insurance cost for NHI, autonomous, and human identity programmes alike.

By the numbers:

👉 Read Unosecur's Cloud Compliance Pulse H1 2025 findings


Context

Cloud identity governance fails when privileged access is granted and left to drift across accounts, keys, and roles. Unosecur’s H1 2025 pulse measures that drift directly across public-cloud estates, showing that the most common failures are not exotic exploits but basic control breakdowns around privileged identity handling.

For IAM teams, the issue is not only whether access exists, but whether it is continuously provable, reviewable, and constrained. The findings sit squarely in the overlap of NHI governance, human admin access, and machine credentials, which is why visibility, rotation, and elevation policy now belong in the same control conversation.


Key questions

Q: How should security teams reduce cloud identity risk without overcomplicating access management?

A: Start with the controls that remove the most exposure first: privileged MFA, short-lived access, and a complete inventory of service-account secrets. Then tie every exception to an owner and an expiry date. That approach reduces audit noise and narrows the path an attacker can use after one credential is exposed.

Q: Why do stale credentials and unmanaged service-account keys matter so much in cloud environments?

A: They matter because they create invisible, durable access that may outlive the people or systems that created it. When ownership, age, and usage are unclear, the organisation cannot prove who can still act, which turns a governance problem into a breach and audit problem at the same time.

Q: What breaks when privileged roles remain permanent instead of time-bound?

A: Permanent privileged roles break containment. Once an account has standing admin rights, a compromised credential can move straight to high-impact actions without a separate elevation step. That increases blast radius, weakens audit defensibility, and makes incident response harder because the access was never temporary to begin with.

Q: Who is accountable when cloud identity gaps lead to audit findings or breaches?

A: Accountability sits with the team that owns the identity control plane, not only the application or cloud platform owner. Security, IAM, and cloud operations must share responsibility for MFA coverage, key rotation, and privilege scope, because these failures cross technical and governance boundaries.


Technical breakdown

Why privileged MFA failures remain the dominant cloud control gap

Privileged-account multifactor authentication is the most visible control boundary in cloud identity, because it separates a password or token from actual administrative authority. When that boundary is absent, every compromised credential becomes a direct path to elevated access rather than a contained login event. The report’s finding reflects a deeper issue: many cloud environments still treat privileged identities as durable accounts instead of high-risk access states. In practice, that means the control failure is not only MFA absence, but the persistence of standing privilege behind the login step.

Practical implication: Treat privileged MFA as a baseline admission control, then verify that high-risk roles cannot be activated without an additional approval or elevation step.

How stale credentials and unmanaged service-account keys create audit and breach exposure

Stale credentials, duplicate credentials, and unmanaged service-account keys create the kind of hidden access surface that audit tools struggle to prove cleanly. These assets often outlive the people or systems that created them, which turns identity lifecycle failure into both an operational and evidentiary problem. In cloud estates, the gap is not simply that secrets exist. It is that their age, scope, and ownership are frequently unknown or unconstrained, so the organisation cannot demonstrate control over who can still use them.

Practical implication: Track key age, ownership, and last-use data together so lifecycle review can remove dormant access before it becomes an audit exception or an intrusion path.

What four recurring gap families reveal about cloud identity governance

Missing MFA, over-privileged roles, stale credentials, and unmanaged service-account keys are not separate problems. They are four expressions of the same governance weakness: identity is being provisioned faster than it is being governed. That matters because the control failure shows up simultaneously in access reviews, incident response, and compliance evidence. When organisations see these findings as isolated, they miss the structural pattern. When they see them as one lifecycle and privilege problem, remediation becomes measurable rather than cosmetic.

Practical implication: Use one remediation queue for privilege, secrets, and lifecycle exceptions so the same root cause does not reappear under different control labels.


Threat narrative

Attacker objective: The attacker wants durable cloud access that survives normal account hygiene and gives them authority over workloads, data, or identity controls.

  1. Entry begins when a privileged account, stale key, or unmanaged service-account secret provides access that bypasses normal user controls.
  2. Escalation follows when over-privileged roles or missing multifactor authentication allow the actor to move from valid access to administrative capability.
  3. Impact occurs when that access is used to alter cloud workloads, exfiltrate data, or establish persistent control inside the tenant.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Cloud identity governance is still failing at the level of basic trust assumptions, not just implementation quality. A programme that cannot keep privileged MFA, key age, and role scope under control is not dealing with edge cases. It is showing that cloud identity is being treated as durable access rather than continuously governed risk. The practitioner takeaway is that audit evidence, incident exposure, and lifecycle hygiene now need to be managed as one control plane.

Unmanaged service-account keys are the clearest sign that NHI lifecycle discipline is still incomplete. These identities often bypass the visibility, ownership, and offboarding discipline that human accounts receive, yet they are frequently more powerful. The report’s four gap families show that cloud estates still struggle to answer who owns the key, how long it has existed, and whether it still needs to work. Practitioners should treat secret lifecycle control as a first-class governance requirement.

Standing privilege remains the governance pattern that most consistently widens cloud blast radius. Over-privileged roles and missing elevation controls create a state where compromise is not bounded by task or time. That means the real control question is not whether access exists, but whether it can be constrained, proven, and revoked quickly enough to matter. The practitioner conclusion is that permanent privilege should be an exception, not the default architecture.

Identity blast radius is the right named concept for this report’s message. The same control failures that raise audit findings also expand the number of systems, identities, and secrets an attacker can touch after the first compromise. That makes cloud identity governance a containment discipline as much as a compliance discipline. The field should measure how far a single credential can travel, not just how many controls are listed on paper.

Across human, NHI, and autonomous programmes, lifecycle failure now looks structurally similar. The report’s findings show that once privileged access is left standing, the governance gap is no longer about identity type alone. It is about whether the organisation can prove ownership, expiry, and least privilege across every identity class. Practitioners should unify those review motions instead of managing them in separate silos.

From our research:

What this signals

Identity blast radius: the practical measure of how far one privileged credential can travel across cloud, SaaS, and infrastructure estates. The report’s findings show that organisations need to manage blast radius as a programme metric, not a post-incident afterthought, because control failures in one identity class quickly leak into others.

The governance gap is widening because cloud estates now mix human administrators, workload identities, and service accounts inside the same operational path. That makes combined policy and lifecycle oversight essential, especially when privileged MFA, rotation, and standing-access reduction all need to be measured together rather than in separate reports.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, identity governance is no longer just about internal accounts. Practitioners should expect third-party access, service-account lifecycle, and privileged elevation to be reviewed as one control chain.


For practitioners

  • Measure privileged MFA coverage monthly: Track the percentage of privileged identities protected by multifactor authentication across cloud tenants, then investigate every exception by owner, platform, and role type.
  • Inventory access keys by age and ownership: Build a living register for service-account secrets that includes creation date, last use, business owner, and rotation status so dormant credentials can be retired before review cycles.
  • Replace permanent admin roles with elevation paths: Shift standing administrator access to just-in-time elevation for tasks that truly require it, and require a separate approval or control point for high-risk actions.
  • Consolidate audit, breach, and insurance evidence: Use the same identity control metrics for compliance reporting, incident readiness, and underwriting conversations so the organisation can show one consistent risk story.
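The first three practitioner items above, together with the earlier "track key age, ownership, and last-use data together" implication in the technical breakdown, describe a small set of checks that can be run mechanically over an identity export. The following Python script is an added example written for this post; it is not code from NHI Mgmt Group or from the Unosecur report. It assumes a normalised inventory with the fields shown (identity name, kind, privileged flag, MFA status, standing-admin flag, owner; key id, creation date, last-use date, owner) and uses constructed sample records plus illustrative thresholds (90-day rotation limit, 60-day idle limit) that you would replace with your own export and policy values. It computes privileged MFA coverage with the exception list by owner, lists standing admins, and flags keys on age, idle time, and missing ownership, so the same root cause surfaces in one remediation queue rather than under separate control labels.

```python
"""Privileged-MFA coverage and credential-lifecycle checks over a constructed
identity inventory.

Added example, not part of the NHI Mgmt Group post or the Unosecur report.
The inventory schema, the sample records, and the 90-day age / 60-day idle
thresholds are assumptions chosen for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc)
# against a real export.
NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)

# Constructed sample records (not real data): identities in one cloud tenant.
IDENTITIES = [
    {"name": "alice", "kind": "human", "privileged": True, "mfa": True,
     "standing_admin": False, "owner": "platform-team"},
    {"name": "bob", "kind": "human", "privileged": True, "mfa": False,
     "standing_admin": True, "owner": "platform-team"},
    {"name": "ci-deployer", "kind": "service", "privileged": True, "mfa": False,
     "standing_admin": True, "owner": None},
    {"name": "reporting-ro", "kind": "service", "privileged": False, "mfa": False,
     "standing_admin": False, "owner": "data-team"},
]

# Constructed sample records (not real data): long-lived access keys.
ACCESS_KEYS = [
    {"id": "KEY-001", "identity": "ci-deployer",
     "created": NOW - timedelta(days=400), "last_used": NOW - timedelta(days=2),
     "owner": None},
    {"id": "KEY-002", "identity": "ci-deployer",
     "created": NOW - timedelta(days=30), "last_used": None,
     "owner": "platform-team"},
    {"id": "KEY-003", "identity": "reporting-ro",
     "created": NOW - timedelta(days=20), "last_used": NOW - timedelta(days=1),
     "owner": "data-team"},
    {"id": "KEY-004", "identity": "reporting-ro",
     "created": NOW - timedelta(days=200), "last_used": None,
     "owner": "data-team"},
]


def privileged_mfa_coverage(identities):
    """Return (coverage percent, exceptions) over privileged identities.

    Every exception carries its owner so it can be chased to a person; an
    unowned exception is itself a finding.
    """
    privileged = [i for i in identities if i["privileged"]]
    if not privileged:
        return 100.0, []
    covered = sum(1 for i in privileged if i["mfa"])
    coverage = round(100.0 * covered / len(privileged), 1)
    exceptions = [
        {"name": i["name"], "kind": i["kind"], "owner": i["owner"] or "UNOWNED"}
        for i in privileged
        if not i["mfa"]
    ]
    return coverage, exceptions


def standing_admins(identities):
    """Identities holding permanent admin rights instead of an elevation path."""
    return sorted(i["name"] for i in identities if i["standing_admin"])


def key_lifecycle_findings(keys, now=NOW, max_age_days=90, max_idle_days=60):
    """Flag keys by age, idle time, and missing ownership in one pass.

    A key that has never been used is treated as idle since its creation,
    so an old never-used key is reported on both counts.
    """
    findings = []
    for key in keys:
        reasons = []
        age_days = (now - key["created"]).days
        if age_days > max_age_days:
            reasons.append(f"age {age_days}d exceeds {max_age_days}d rotation limit")
        last_activity = key["last_used"] or key["created"]
        idle_days = (now - last_activity).days
        if idle_days > max_idle_days:
            reasons.append(f"idle {idle_days}d exceeds {max_idle_days}d limit")
        if not key["owner"]:
            reasons.append("no recorded owner")
        if reasons:
            findings.append({"id": key["id"], "identity": key["identity"],
                             "reasons": reasons})
    return findings


def control_gap_report(identities=IDENTITIES, keys=ACCESS_KEYS, now=NOW):
    """One combined queue for MFA, standing-privilege, and secret-lifecycle gaps."""
    coverage, exceptions = privileged_mfa_coverage(identities)
    return {
        "privileged_mfa_coverage_pct": coverage,
        "privileged_mfa_exceptions": exceptions,
        "standing_admins": standing_admins(identities),
        "key_findings": key_lifecycle_findings(keys, now),
    }


if __name__ == "__main__":
    print(json.dumps(control_gap_report(), indent=2))
```

On the constructed sample the script reports 33.3% privileged MFA coverage with two exceptions (one of them unowned), two standing admins, and two key findings: a 400-day-old unowned key that is still in active use, and a 200-day-old key that was never used at all. Feeding the same thresholds into a monthly run gives the trend line the practitioner list asks for.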

Key takeaways

  • Cloud identity risk is still being driven by basic governance failures, especially privileged MFA gaps and unmanaged secrets.
  • The report’s evidence shows that audit exposure, insurance cost, and breach probability now rise from the same identity control weaknesses.
  • Practitioners should unify privilege, lifecycle, and secrets oversight so cloud access can be proven, constrained, and revoked quickly.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Privileged MFA and rotation failures map directly to NHI control weaknesses.
NIST CSF 2.0 | PR.AC-4 | Least-privilege and access governance are central to the report's findings.
NIST Zero Trust (SP 800-207) | AC-6 | The report shows why continuous verification and reduced standing privilege matter in cloud estates.

Audit privileged accounts and service secrets against NHI-03 and remove standing access where possible.


Key terms

  • Privileged MFA: Multifactor authentication applied to accounts that can change systems, data, or security settings. In cloud environments it is the basic gate that prevents a single stolen password or token from becoming administrative access, especially where standing privilege still exists.
  • Standing privilege: Persistent access that remains active until someone manually removes it. In identity programmes this creates a larger attack surface because the right to act already exists before a task begins, which makes compromise easier and audit evidence harder to defend.
  • Service-account secret: A credential such as a key, token, or password used by a non-human identity to authenticate to a system. These secrets often outlive their original purpose, so lifecycle control, rotation, and ownership become essential to limit silent access.
  • Identity blast radius: The amount of access, systems, and data that a single compromised identity can reach. The concept is useful because it links governance and incident response, showing whether one failure is contained or capable of spreading across an environment.

What's in the full report

Unosecur's full report covers the operational detail this post intentionally leaves for the source:

  • The full control-by-control benchmark across ISO 27001/27002, PCI DSS v4, SOC 2, CIS v8, and GDPR mappings.
  • The stratified sample methodology and margin-of-error notes behind the H1 2025 cloud estate results.
  • The sector-specific remediation playbooks that map the four recurring gap families to board-level risk dashboards.
  • The incident-response and insurance implications of privileged MFA and key-rotation failures across cloud tenants.

👉 The full Unosecur report breaks down the benchmark methodology, control mappings, and remediation focus areas.

Deepen your knowledge

NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org