TL;DR: 55% of organisations use two or more cloud providers, 84% use AI in the cloud, and 62% have at least one vulnerable AI package, while nearly a third of cloud assets remain neglected or unpatched, according to Orca Security’s 2025 State of Cloud Security Report. The real constraint is not visibility alone but identity, privilege, and lifecycle control across expanding cloud estates.
At a glance
What this is: A cloud security analysis showing that multi-cloud adoption, AI workloads, and unpatched assets are compounding exposure across cloud estates.
Why it matters: IAM, NHI, and human access controls all break down when cloud environments expand faster than privilege governance, review, and remediation can keep up.
By the numbers:
- 55% of organisations now use two or more cloud providers.
- 84% use AI in the cloud, yet 62% have at least one vulnerable AI package.
- 13% of organisations have a single cloud asset responsible for more than 1,000 attack paths.
👉 Read Orca Security’s 2025 State of Cloud Security Report
Context
Cloud security is the set of controls that protect cloud data, applications, identities, and infrastructure from misuse or exposure. In this article, the primary problem is not a lack of tools but the widening gap between cloud sprawl and the identity governance needed to keep access, privilege, and assets under control.
For IAM and NHI programmes, the important signal is that cloud risk now spans human users, service accounts, workload identities, and AI-enabled systems in the same operational environment. That means access review, least privilege, and lifecycle governance cannot stay siloed by platform or team without creating blind spots.
Key questions
Q: How should security teams govern access across multi-cloud environments?
A: Security teams should govern multi-cloud access as one entitlement problem, not as separate provider issues. That means standardising identity lifecycle controls, least privilege, approval logic, and audit visibility across all clouds. The goal is to reduce drift between assigned permissions and real operational need, especially where service accounts and workload identities cross platform boundaries.
Q: Why do cloud environments create more identity risk than on-premises systems?
A: Cloud environments create more identity risk because resources are more dynamic, access paths are more interconnected, and privilege can spread across providers quickly. Human users, service accounts, and workload identities often accumulate permissions that persist longer than the workloads they support, which expands the blast radius of any compromise.
Q: What do teams get wrong about least privilege in cloud security?
A: Teams often treat least privilege as a provisioning exercise instead of an ongoing control. In cloud environments, permissions drift as workloads change, roles expand, and temporary access becomes standing access. Least privilege only works when it is continuously validated against actual use, not just assigned once.
Q: How do organisations reduce attack paths in cloud security?
A: Organisations reduce attack paths by identifying the cloud assets and identities that connect directly to high-value data or control-plane functions, then removing unnecessary privilege and exposure first. This is more effective than broad remediation because it targets the routes most likely to produce real impact.
Technical breakdown
Identity and access management in cloud security
Identity and access management, or IAM, is the control plane that decides who or what can access cloud resources and what they can do once inside. In cloud environments, IAM must cover human users, service accounts, workload identities, and increasingly AI systems that consume APIs and infrastructure privileges. The failure mode is rarely a single bad login. It is accumulation: over-permissioned roles, stale credentials, and inconsistent enforcement across providers. When those issues combine with ephemeral cloud resources, access decisions outlive the environment they were meant to protect. That creates a governance problem as much as a technical one.
Practical implication: map cloud identities to actual privilege use, not just assigned roles, and review cross-cloud entitlements continuously.
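One way to turn that implication into a check, as an added example that is not from the report or the article's own tooling: compare each identity's assigned permissions with the actions it actually exercised inside a review window, across providers, and rank identities by how far assignment has drifted from use. Identity names, permissions and the activity log are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AS_OF = datetime(2025, 10, 28)   # review date used by the constructed scenario

# Constructed inventory of assigned permissions per identity, spanning two providers.
# Identity names and actions are hypothetical sample data, not taken from the report.
ASSIGNED = {
    "aws:role/ci-deployer": {"s3:PutObject", "s3:GetObject", "iam:PassRole", "ec2:TerminateInstances"},
    "gcp:sa/model-trainer": {"storage.objects.get", "storage.objects.create", "compute.instances.delete"},
    "aws:user/alice": {"s3:GetObject", "iam:CreateAccessKey"},
}

# Constructed activity log: (timestamp, identity, action actually invoked).
ACTIVITY = [
    ("2025-10-01T09:00:00", "aws:role/ci-deployer", "s3:PutObject"),
    ("2025-10-02T09:00:00", "aws:role/ci-deployer", "s3:GetObject"),
    ("2025-10-03T11:30:00", "gcp:sa/model-trainer", "storage.objects.get"),
    ("2025-06-15T08:00:00", "aws:user/alice", "s3:GetObject"),   # older than the review window
]

def privilege_drift(assigned, activity, now, window_days=90):
    """Compare assigned permissions with permissions actually exercised in the window.
    Returns, per identity, the unused permissions, a drift ratio, and whether the
    identity showed no activity at all (a removal candidate, not just a trim)."""
    cutoff = now - timedelta(days=window_days)
    used = defaultdict(set)
    for ts, ident, action in activity:
        if datetime.fromisoformat(ts) >= cutoff:
            used[ident].add(action)
    findings = {}
    for ident, perms in assigned.items():
        unused = sorted(perms - used.get(ident, set()))
        findings[ident] = {
            "stale_identity": ident not in used,
            "unused_permissions": unused,
            "drift_ratio": len(unused) / len(perms) if perms else 0.0,
        }
    return findings

def top_drift(findings, limit=3):
    """Rank identities by drift ratio so review starts with the worst offenders."""
    ranked = sorted(findings.items(), key=lambda kv: (-kv[1]["drift_ratio"], kv[0]))
    return [ident for ident, _ in ranked[:limit]]
```

Running `top_drift(privilege_drift(ASSIGNED, ACTIVITY, AS_OF))` puts the dormant user first, then the service account using one of its three permissions, then the deploy role.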
Least privilege and just-in-time access in multi-cloud estates
Least privilege in cloud security means granting only the minimum permissions needed for the shortest practical duration. The report’s recommendation to use just-in-time, or JIT, access reflects a broader shift away from standing privilege in cloud-native environments where resources are created and destroyed rapidly. JIT is most effective when it is tied to strong identity verification, scoped approvals, and auditable session boundaries. Without those controls, temporary access simply becomes another unmanaged entitlement. In multi-cloud estates, the challenge is consistency, because each provider and control stack can implement privilege differently.
Practical implication: standardise JIT access policies across cloud providers and require expiry, approval, and logging for elevated access.
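An added illustration (not code from the report or the article) of the JIT conditions just described: an elevation is honoured only under a grant that has a recorded approver, is inside its time window, has not been revoked, and covers the requested action, and every decision is written to an audit trail. The role, approver and permission names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class JitGrant:
    """One time-bound elevation: who, to which permissions, approved by whom, for how long."""
    identity: str
    scope: frozenset             # permissions this grant elevates to; nothing outside it
    approver: str                # a grant without a recorded approver is never honoured
    granted_at: datetime
    ttl: timedelta
    revoked_at: Optional[datetime] = None

    def active(self, now):
        in_window = self.granted_at <= now < self.granted_at + self.ttl
        not_revoked = self.revoked_at is None or now < self.revoked_at
        return bool(self.approver) and in_window and not_revoked

AUDIT = []   # append-only trail of every decision: (time, identity, action, verdict, approver)

def authorize(grants, identity, action, now, audit=AUDIT):
    """Permit a privileged action only under a matching, approved, unexpired, unrevoked grant."""
    for g in grants:
        if g.identity == identity and action in g.scope and g.active(now):
            audit.append((now.isoformat(), identity, action, "ALLOW", g.approver))
            return True
    audit.append((now.isoformat(), identity, action, "DENY", None))
    return False

def revoke(grant, now):
    """Explicit revocation at task completion, so access does not linger until expiry."""
    grant.revoked_at = now

def run_scenario():
    """Constructed walkthrough for a hypothetical deploy role with a 60-minute grant."""
    t0 = datetime(2025, 10, 28, 10, 0)
    t = lambda minutes: t0 + timedelta(minutes=minutes)
    grant = JitGrant("aws:role/ci-deployer", frozenset({"iam:PassRole"}), "sec-oncall", t0,
                     timedelta(minutes=60))
    grants = [grant]
    results = [
        authorize(grants, "aws:role/ci-deployer", "iam:PassRole", t(30)),            # in window
        authorize(grants, "aws:role/ci-deployer", "ec2:TerminateInstances", t(30)),  # outside scope
        authorize(grants, "aws:role/ci-deployer", "iam:PassRole", t(90)),            # expired
    ]
    revoke(grant, t(40))                                                             # task finished early
    results.append(authorize(grants, "aws:role/ci-deployer", "iam:PassRole", t(45)))  # revoked
    return results
```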
Cloud security posture management and attack path reduction
Cloud security posture management, or CSPM, focuses on identifying misconfigurations and exposure, while attack path analysis shows how those weaknesses connect into real compromise routes. The report’s finding that some assets sit on more than 1,000 attack paths shows why isolated alerts are not enough. Security teams need to understand which exposed assets, vulnerable packages, and broad permissions form the shortest route to high-value data. That is where cloud security shifts from inventory to prioritisation. A control that does not reduce attacker movement across the environment has limited value.
Practical implication: prioritise the small set of assets that unlock the most attack paths, then remediate exposure in that order.
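The prioritisation described above, as an added example that is not from the report or the article: enumerate attack paths through a constructed identity-and-asset graph, rank the intermediate nodes by how many paths run through them, and derive a greedy remediation order. Node names are hypothetical, and the code generalises to any set of entry points and crown jewels, not just the sample graph.

```python
# Constructed relationship graph with hypothetical names (not from the report).
# An edge u -> v means control of u yields a route to v (assumable role, readable key, exposed endpoint, vulnerable package).
EDGES = {
    "public-web": ["role-web", "role-ci"],
    "vuln-ai-package": ["role-ml"],
    "role-web": ["role-ci"],
    "role-ci": ["role-admin", "bucket-logs"],
    "role-ml": ["role-admin", "bucket-models"],
    "role-admin": ["bucket-customer-pii", "kms-master-key"],
    "bucket-models": ["bucket-customer-pii"],
}
ENTRY_POINTS = ["public-web", "vuln-ai-package"]        # externally reachable weaknesses
CROWN_JEWELS = {"bucket-customer-pii", "kms-master-key"}

def enumerate_paths(edges, entries, targets):
    """Every simple path from an entry point to a crown jewel (DFS; fine for small graphs)."""
    paths = []
    def dfs(node, path):
        if node in targets:               # reaching a jewel is the impact; stop here
            paths.append(list(path))
            return
        for nxt in edges.get(node, []):
            if nxt not in path:           # simple paths only, no cycles
                dfs(nxt, path + [nxt])
    for entry in entries:
        dfs(entry, [entry])
    return paths

def choke_points(paths):
    """Intermediate nodes ranked by how many attack paths pass through them.
    Entries and jewels are excluded: the question is what to fix in between."""
    counts = {}
    for p in paths:
        for node in set(p[1:-1]):
            counts[node] = counts.get(node, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def remediation_order(edges, entries, targets):
    """Greedy plan: fix the top choke point, re-analyse, repeat until no path has an
    intermediate node left (anything remaining is a direct entry-to-jewel edge)."""
    edges = {k: list(v) for k, v in edges.items()}    # work on a copy
    plan = []
    while ranked := choke_points(enumerate_paths(edges, entries, targets)):
        node, hits = ranked[0]
        plan.append((node, hits))
        edges.pop(node, None)                         # cut its outgoing edges
        for v in edges.values():                      # and every edge into it
            if node in v: v.remove(node)
    return plan
```

On the sample graph there are seven entry-to-jewel paths, six of which pass through the admin role, so fixing that single node first removes almost the whole map before anything else is touched.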
Threat narrative
Attacker objective: The attacker aims to turn one exposed cloud weakness into broad access to sensitive data, workloads, or control-plane functions.
- Entry occurs through exposed cloud credentials, vulnerable AI packages, or publicly accessible services in a sprawling multi-cloud estate.
- Escalation follows when over-privileged identities, stale permissions, or neglected assets let the attacker move from initial foothold to broader cloud access.
- Impact comes from data exposure, control-plane abuse, or access to crown-jewel workloads that sit behind too many connected attack paths.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Cloud security is now an identity governance problem, not just a posture problem. The report shows that cloud estates are spreading across providers, AI workloads, and ephemeral resources faster than access governance can keep up. That means the real control gap is not only misconfiguration detection but whether IAM, NHI, and lifecycle controls can still answer who or what should have access at any moment. Practitioners should treat cloud security as a cross-domain identity discipline, not a siloed operations task.
Standing privilege is the cloud’s default attack multiplier. The report’s least-privilege recommendations matter because cloud services reward persistence, while attackers exploit it. When service accounts, workload identities, or human-admin roles retain broad access, the blast radius is no longer tied to one system but to every connected workload, data store, and API. The implication is that privileged access governance must move from periodic review to continuous entitlement minimisation.
Attack-path reduction is the right lens for cloud risk prioritisation. The finding that a single cloud asset can sit on more than 1,000 attack paths shows why raw vulnerability counts are a poor operating metric on their own. Cloud security teams need to understand which identity, configuration, and asset combinations create the shortest route to impact. Practitioners should prioritise the access paths that collapse the environment fastest, not the alerts that are easiest to queue.
Ephemeral cloud resources expose the weakness of static governance models. Containers, serverless functions, and AI-enabled services can appear and disappear faster than review cycles, patch windows, or manual approvals. That creates governance debt across human access, NHI secrets, and machine permissions. Security programmes that still assume assets are durable enough to inspect later will continue to miss the access state that mattered most at runtime.
Identity blast radius is the new cloud security organising concept. The report’s combination of multi-cloud sprawl, vulnerable AI packages, and broad attack-path connectivity shows that the critical question is not simply whether an asset is exposed, but how far one compromise can travel through identity relationships. That framing helps unify CNAPP, CIEM, and IAM around the same operational outcome. Practitioners should measure cloud risk by how much privilege a single weakness can unlock.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
- The next step is to connect cloud posture to lifecycle governance, using the Ultimate Guide to NHIs to align identity scope with cloud attack-path reduction.
What this signals
Cloud security programmes are moving from asset visibility to identity consequence management. With 19% of organisations giving AI systems dramatically more access than human employees, per The 2026 Infrastructure Identity Survey, the operational question is no longer whether the cloud is secure in the abstract, but how much privilege a single identity can unlock.
Identity blast radius: cloud risk is increasingly defined by how far a single credential, role, or workload identity can move across connected services. That should push teams to correlate CIEM, CSPM, and IAM findings into one prioritised control view rather than treating them as separate queues.
For reader programmes, the practical signal is that cloud security and NHI governance are converging on the same control problem. Teams that can connect least privilege, access review, and runtime monitoring across human and machine identities will close the gap faster than teams that still separate cloud operations from identity governance.
For practitioners
- Baseline cloud identities by effective privilege: Inventory human users, service accounts, workload identities, and AI-related access together, then compare assigned permissions with actual runtime usage across cloud providers.
- Enforce expiry on elevated access: Require JIT access for privileged cloud tasks, with time-bounded approvals, session logging, and explicit revocation at completion.
- Prioritise the assets on the shortest attack paths: Use attack-path analysis to identify the cloud assets that connect directly to crown jewels, then remediate those first rather than chasing raw vulnerability volume.
- Treat AI packages and cloud dependencies as governance objects: Track AI packages, cloud libraries, and exposed services as part of the identity and posture model so unmanaged components do not bypass review and monitoring.
Key takeaways
- Cloud security failures increasingly reflect identity sprawl, not just configuration drift.
- Multi-cloud and AI adoption are expanding attack paths faster than current governance models can absorb.
- Security teams should prioritise effective privilege, attack-path reduction, and cross-cloud lifecycle control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Least privilege and standing access are central to the report’s cloud identity recommendations. |
| NIST CSF 2.0 | PR.AC-4 | Cloud access control and least privilege map directly to identity governance in distributed estates. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero trust access decisions fit the report’s emphasis on continuous monitoring and least privilege. |
Review cloud service accounts and workload identities for standing privilege, then convert broad access to time-bound access.
Key terms
- Cloud Infrastructure Entitlements Management: Cloud Infrastructure Entitlements Management, or CIEM, is the discipline of discovering and controlling permissions across cloud resources. It focuses on who can do what in complex environments where identities, roles, and inherited privileges often outgrow the original design intent. The goal is to reduce excess access before it becomes a lateral movement path.
- Cloud Security Posture Management: Cloud Security Posture Management, or CSPM, is the practice of detecting misconfigurations, exposure, and policy drift in cloud environments. It evaluates infrastructure settings against expected baselines, but it is only effective when paired with identity context and prioritised remediation, because not every misconfiguration creates the same level of risk.
- Attack Path: An attack path is the sequence of identities, permissions, misconfigurations, and assets an attacker can chain together to reach a valuable target. In cloud security, attack paths matter because a single exposed permission can lead to disproportionate impact when connected to privileged workloads or sensitive data.
- Standing Privilege: Standing privilege is access that remains active even when it is not immediately needed. In cloud and identity governance, it creates persistent attack opportunity because the permission exists before the task starts and after it ends, making compromise easier and review less meaningful.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Orca Security: 2025 State of Cloud Security Report. Read the original.
Published by the NHIMG editorial team on 2025-10-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org