TL;DR: Cloud migrations fail when governance fragments across policies, roles, metadata and access reviews, creating cloud chaos, data sprawl and AI-driven risk, according to Collibra. The central lesson is that migration speed without unified control turns identity, data and compliance gaps into operational debt, not strategic advantage.
At a glance
What this is: A cloud migration governance analysis showing that fragmented controls, weak ownership and AI amplification turn lift-and-shift programmes into risk multipliers.
Why it matters: IAM, NHI and data-governance teams all inherit the same failure pattern when access, lineage and accountability are not managed as one programme.
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Context
Cloud migration governance is the discipline of keeping policy, ownership, lineage and access aligned while workloads move. The article argues that migration breaks down when teams treat governance as an afterthought, because fragmented controls create shadow workarounds, compliance gaps and data that no one can confidently trust.
That problem matters beyond data operations. When access reviews, metadata stewardship and policy enforcement are split across teams, IAM programmes lose the context they need to distinguish routine lift-and-shift activity from unmanaged privilege sprawl, especially once AI layers more automation on top.
The result is not just operational friction. It is a governance environment where cloud scale makes weak control patterns multiply faster than organisations can correct them.
Key questions
Q: How should security teams govern cloud migrations without losing access control context?
A: Security teams should connect asset ownership, sensitivity and entitlements in one workflow before cutover. The key is to keep review, approval and audit evidence attached to the workload as it moves, so exceptions do not drift away from the control record. Migration speed should never outrun governance visibility.
Q: Why do lift-and-shift migrations create hidden identity and compliance risk?
A: Lift-and-shift often moves systems faster than governance can classify them. That leaves inherited permissions, unclear ownership and stale controls in place while compliance obligations change underneath them. The hidden risk is not the move itself. It is the absence of a current control story for the new cloud state.
Q: How do you know if cloud governance is actually working?
A: Cloud governance is working when every important asset has a current owner, an explicit policy, a review path and a traceable exception history. If teams cannot explain who approved access, why it exists and when it will be revisited, governance is probably operating on paper rather than in practice.
Q: What should IAM teams do when AI starts using migrated cloud data?
A: IAM teams should treat AI-enabled access as part of the same governance boundary as the cloud workload. If AI systems can consume, transform or act on migrated data, then access scope, lineage and accountability must be reviewed together or the organisation will lose control of the decision chain.
Technical breakdown
Why lift-and-shift migrations create governance blind spots
Lift-and-shift migration moves workloads and data before the organisation has fully mapped ownership, sensitivity and control dependencies. That creates blind spots because the technical move happens faster than the governance model that should classify assets, assign responsibility and define policy exceptions. In practice, the migration succeeds operationally while control evidence lags behind. The result is a cloud estate that looks functional but is difficult to audit, explain or contain when something changes.
Practical implication: inventory ownership, sensitivity and policy dependency before workload cutover, not after.
How fragmented access reviews become cloud risk
Access reviews fail in migration programmes when entitlements, exceptions and security checks are managed in separate spreadsheets or teams. In that setup, identity decisions lose context, so reviewers cannot tell whether access is still needed, whether a dataset changed sensitivity, or whether a temporary exception has become permanent. The issue is not just review frequency. It is the absence of a unified record that links who can do what to which asset and why.
Practical implication: tie cloud entitlements to asset lineage and review them in the same governance workflow.
Why AI turns weak cloud governance into a larger exposure
AI magnifies cloud governance gaps because models and automations consume the same data pipelines that migration programmes often leave partially curated. If data quality, lineage and ownership are inconsistent, automated decisions inherit those defects at scale. That means cloud governance is no longer only about controlling storage or access. It becomes the control plane for the quality of downstream decisions, including those made by AI-enabled systems.
Practical implication: treat data governance controls as inputs to AI risk management, not as separate programmes.
NHI Mgmt Group analysis
Cloud migration exposes an identity governance problem before it exposes a technology problem. When roles, policies and metadata are split across teams, access decisions lose the context needed for control enforcement. The result is not simply administrative confusion. It is a governance model that cannot reliably answer who owns the data, who approved the access, or whether the entitlement still matches the migration state. Practitioners should read cloud migration as a lifecycle and accountability issue, not a platform change.
Governance fragmentation is the real failure mode in lift-and-shift programmes. The article is right to frame broken control processes, data swamp syndrome and lack of ownership as distinct pitfalls, because they are different symptoms of the same structural weakness. A cloud programme that lacks a single source of truth for policy and lineage forces teams into manual exceptions and shadow workarounds. Practitioners should treat fragmentation as the primary risk signal, not an incidental process issue.
AI does not create the governance weakness; it amplifies it. Incomplete lineage, inconsistent classification and unclear responsibility already undermine cloud trust. Once AI starts consuming those pipelines, the weak control plane becomes a decision-quality problem as well as a security problem. Control plane drift is the named concept the article surfaces: governance becomes detached from the systems it is meant to steer. Practitioners should assume every unmanaged pipeline can propagate both operational error and policy failure.
Unified governance is the only defensible operating model for cloud migration at scale. The article’s strongest claim is not about tooling, but about the need to centralise policy, roles and metadata so that cloud activity remains explainable as it scales. That aligns with NIST Cybersecurity Framework 2.0’s emphasis on governance and continuous oversight. Practitioners should measure success by whether control evidence stays connected to the asset, the owner and the policy decision across the migration lifecycle.
Identity, data and compliance teams need one control narrative. Cloud migration is often managed as a sequence of local optimisations, but the risk lives in the gaps between them. When IAM, data governance and audit functions do not share the same operating picture, exceptions accumulate faster than remediation. Practitioners should align cloud migration oversight to a shared governance model that can survive scale, automation and post-migration drift.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- A further 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- For the governance bridge between cloud, lifecycle and identity, see Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs.
What this signals
Control plane drift: cloud migration failures increasingly show up as a disconnect between policy intent and operational reality. That matters for IAM and data teams because the same fragmentation that slows audits also makes automated access decisions harder to trust, especially when AI systems inherit migrated data pipelines.
With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, per The 2026 Infrastructure Identity Survey, the migration problem is no longer only about moving workloads. It is about whether your cloud governance model can still explain and constrain who or what is acting on the data after the move.
Practical programmes should expect cloud governance, identity governance and AI governance to converge. The teams that can maintain one policy narrative across ownership, access and lineage will absorb migration complexity far better than teams still managing exceptions in separate silos.
For practitioners
- Build a unified asset ownership map: Link each migrated dataset or workload to a named owner, sensitivity label and policy authority before it is moved. Use that map to decide who can approve exceptions and who must recertify access after cutover.
- Embed access review into migration workflow: Require identity review at the same stage as workload readiness so entitlements, temporary exceptions and inherited permissions are checked together. Do not let access certification trail the migration by weeks or months.
- Curate lineage with control relevance: Track where data came from, who transformed it and which policy applies at each hop, so reviewers can tell whether a dataset is still fit for its intended use. This is especially important when pipelines feed analytics and AI.
- Define one governance operating model across teams: Set a single process for policy ownership, exception handling and audit evidence across data, IAM and security teams. If different teams maintain separate truth sources, migration drift will outpace remediation.
- Treat AI pipelines as governed cloud dependencies: Classify AI inputs, outputs and training sources as part of the cloud governance boundary. If a pipeline is not trusted enough for a business decision, it is not governed enough for automation.
Key takeaways
- Cloud migration becomes risky when governance fragments faster than workloads move, because ownership and policy lose their connection to the assets they are meant to control.
- The scale of the issue is not just operational drift but decision drift, since AI and cloud automation multiply the effect of weak lineage and access reviews.
- Unified governance is the practical answer: one control narrative across ownership, policy, access and evidence keeps cloud migration auditable and usable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Cloud governance needs business context, ownership and control alignment. |
| NIST CSF 2.0 | PR.AC-4 | Migration access reviews depend on current entitlements and exception tracking. |
| NIST AI RMF | | AI compounds cloud governance gaps when data pipelines are not curated. |
Define cloud migration ownership and policy authority before cutover, then keep evidence linked to each asset.
Key terms
- Cloud governance operating model: The set of roles, rules and workflows that defines how cloud assets are owned, reviewed and controlled. It turns cloud use from a collection of local decisions into a repeatable governance process that can be audited, enforced and adapted as workloads move.
- Control plane drift: A condition where the governance record no longer matches the operational state of the environment. In cloud migration, drift appears when policy, lineage or access evidence falls behind the workload, leaving teams unable to explain what changed or who remains accountable.
- Data lineage: The trace of where data came from, how it was transformed and where it is used. Good lineage gives governance teams the context they need to assess sensitivity, ownership and policy impact, especially when cloud pipelines and AI systems reuse the same data.
- Lift-and-shift migration: A migration approach that moves workloads into cloud infrastructure with minimal redesign. It can reduce immediate migration effort, but it also risks carrying old access patterns, ownership gaps and control weaknesses into a new environment without fixing the underlying governance problems.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity in your organisation, it is worth exploring.
This post draws on content published by Collibra: From cloud chaos to strategic command: The governance reset for enterprise migration. Read the original.
Published by the NHIMG editorial team on 2025-10-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org