By NHI Mgmt Group Editorial Team | Published 2026-01-06 | Domain: Governance & Risk | Source: Orca Security

TL;DR: Cloud security maturity is still best understood as a layered progression, starting with CSPM and CIEM for visibility and entitlement control before moving into CWPP, DSPM, runtime detection, AI security, and AppSec, according to Orca Security. The lesson is that programmes fail when they try to defend what they have not mapped, and identity context has to lead.


At a glance

What this is: This is an Orca Security perspective on cloud security maturity, arguing that CSPM and CIEM form the starting point because visibility and entitlement control come before workload, data, runtime, and AI layers.

Why it matters: It matters because IAM, NHI, and cloud security teams need a sequencing model that ties identity visibility to workload and data protection instead of treating CNAPP as a shortcut to maturity.

👉 Read Orca Security's cloud security maturity guidance on CSPM, CIEM, and CNAPP


Context

Cloud security maturity is a sequencing problem as much as it is a tooling problem. The article argues that teams cannot secure cloud workloads, data, runtime activity, or AI systems until they first know what assets and identities exist, which makes CSPM and CIEM the starting point for cloud security programmes.

That framing maps directly to identity governance because cloud exposure increasingly follows permissions, not just misconfiguration. Once entitlements, shadow identities, and workload access paths are visible, security teams can connect posture, entitlement, and runtime data into a model that supports NHI governance as well as broader cloud control.


Key questions

Q: How should security teams sequence cloud security controls for better identity governance?

A: Start with CSPM and CIEM, then add workload and data controls, then runtime detection and AI security, and only then layer AppSec where the organisation can connect code to live cloud behaviour. That sequence makes identity governance measurable before the alert volume increases. It also keeps CNAPP as a correlation layer rather than a substitute for foundational control.

Q: Why do service accounts and shadow identities matter so much in cloud programmes?

A: Because cloud compromise often follows excessive entitlement rather than infrastructure failure. Service accounts, shadow identities, and rogue credentials can bypass human approval paths and expand an attacker’s reach across accounts, workloads, and data stores. That is why entitlement review belongs beside posture management, not after it.

Q: What breaks when organisations skip entitlement management and go straight to runtime tools?

A: Runtime tools can see activity, but they cannot tell whether that activity was expected or overprivileged, and without identity context they often cannot even tie it to a principal. That creates noisy detections and weak remediation decisions. Teams end up monitoring behaviour without knowing which permissions enabled it or which identities should have been constrained earlier.

Q: When should teams introduce AppSec in a cloud maturity model?

A: Introduce AppSec when the organisation can trace vulnerabilities from source code into running workloads and back to the identities that deploy or access them. If that code-to-cloud link is missing, AppSec produces findings that are hard to prioritise. The goal is to connect application risk to identity, runtime, and data context.


Technical breakdown

Why CSPM creates the baseline for cloud security visibility

Cloud Security Posture Management, or CSPM, builds the inventory and configuration baseline that every later control depends on. It identifies assets, public exposure, misconfigurations, and compliance drift across accounts and business units. Without that map, later controls such as detection or workload protection only react to fragments of the environment. The architectural point is simple: you cannot correlate identity, runtime, and data signals until you first know what exists and how it is configured.

Practical implication: establish CSPM coverage before you try to prioritise runtime or AI-layer controls.

How CIEM exposes shadow identities and entitlement risk

Cloud Infrastructure Entitlement Management, or CIEM, focuses on what identities can do inside cloud environments. It highlights unused permissions, privilege escalation paths, shadow identities, and rogue service accounts. That matters because cloud attack paths frequently begin with excessive entitlements rather than compromised infrastructure. CIEM adds the identity layer that turns posture data into access context, which is why it sits beside CSPM in any realistic maturity model.

Practical implication: inventory service accounts, unused permissions, and escalation paths before assuming workload controls are enough.
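An added example of the CIEM review just described, not code from the Orca Security article or from NHI Mgmt Group. It reads constructed IAM-style policy documents for two hypothetical identities, flags granted actions that have never been used, matches well-documented AWS privilege-escalation primitives (iam:CreatePolicyVersion, iam:AttachUserPolicy, iam:PassRole combined with Lambda or EC2 creation), and marks an identity as a shadow identity when it has no owner and has been idle beyond an assumed 90-day threshold. The identity names, policies, last-used data and thresholds are constructed for illustration.

```python
"""Added example (not from the Orca Security article or NHI Mgmt Group): a
minimal CIEM-style review over constructed IAM policy documents. It flags
unused grants, known privilege-escalation action combinations and shadow
identities. All identities, policies and last-used data are constructed."""
from datetime import datetime, timedelta, timezone
import fnmatch

# Action combinations that are well-documented AWS IAM privilege-escalation
# primitives. The set is an illustrative assumption; extend it for real use.
ESCALATION_PATHS = {
    "create-policy-version": {"iam:CreatePolicyVersion"},
    "attach-admin-policy": {"iam:AttachUserPolicy"},
    "passrole-to-lambda": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "passrole-to-ec2": {"iam:PassRole", "ec2:RunInstances"},
}
SHADOW_IDLE_DAYS = 90                                   # assumed threshold
NOW = datetime(2026, 1, 6, tzinfo=timezone.utc)         # fixed clock for reproducibility


def allowed_actions(policy):
    """Collect actions from Allow statements, normalising a bare string to a list."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def grants(actions, wanted):
    """True if any granted pattern (e.g. 'iam:*') matches the concrete action."""
    return any(fnmatch.fnmatchcase(wanted, pat) for pat in actions)


def review_identity(ident):
    """Return findings for one identity: unused grants, escalation paths, shadow status."""
    actions = allowed_actions(ident["policy"])
    used = set(ident["used_actions"])
    findings = {"unused": set(), "escalation": [], "shadow": False}
    # Unused: a concrete grant never observed in use. Wildcards are flagged as-is,
    # because a wildcard can never be shown to be fully exercised.
    for action in actions:
        if "*" in action or action not in used:
            findings["unused"].add(action)
    for name, needed in ESCALATION_PATHS.items():
        if all(grants(actions, n) for n in needed):
            findings["escalation"].append(name)
    idle = NOW - ident["last_used"]
    findings["shadow"] = ident.get("owner") is None and idle > timedelta(days=SHADOW_IDLE_DAYS)
    return findings


# Constructed inventory: an owned CI role and an orphaned service user.
IDENTITIES = [
    {"name": "ci-deploy-role", "owner": "platform-team",
     "last_used": NOW - timedelta(days=1),
     "used_actions": {"lambda:CreateFunction", "lambda:InvokeFunction", "s3:GetObject"},
     "policy": {"Statement": [
         {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:InvokeFunction", "s3:GetObject"]},
         {"Effect": "Allow", "Action": "iam:PassRole"}]}},
    {"name": "legacy-etl-user", "owner": None,
     "last_used": NOW - timedelta(days=200),
     "used_actions": set(),
     "policy": {"Statement": [{"Effect": "Allow", "Action": "iam:*"}]}},
]


def review_all(identities=IDENTITIES):
    """Run the review over the whole inventory, keyed by identity name."""
    return {i["name"]: review_identity(i) for i in identities}


if __name__ == "__main__":
    for name, findings in review_all().items():
        print(name, findings)
```

The CI role is owned and active, yet its never-used iam:PassRole grant completes a PassRole-to-Lambda escalation path, which is exactly the finding that posture data alone would not surface. The orphaned ETL user is both a shadow identity and an administrator by wildcard. In a real programme the used-action set would come from the provider's last-accessed data rather than a constructed field.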

Why runtime and AI security depend on earlier layers

Cloud Detection and Response, or CDR, correlates API calls, IAM behaviour, network flows, and process execution to spot threats in motion. AI security extends that same logic to models and pipelines by tying access, data, and runtime behaviour together. Both layers depend on posture and entitlement context, because without it the detections lack meaning and the false-positive rate rises. The sequence matters: runtime only becomes actionable when it is anchored in identity and data visibility.

Practical implication: feed runtime and AI detections with posture and entitlement context before tuning response workflows.
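An added example, not code from the Orca Security article or from NHI Mgmt Group, showing why the runtime layer depends on the earlier ones. It scores three constructed CloudTrail-style events twice: once with nothing but the raw event, and once enriched with CIEM context (owner, used-action baseline, staleness) and CSPM/DSPM context (exposure, data classification), which also illustrates the "correlate data sensitivity with entitlement paths" point in the practitioner list below. Field names follow the CloudTrail record layout; the ARNs, context tables and scoring weights are constructed assumptions.

```python
"""Added example, not code from the Orca Security article or from NHI Mgmt
Group: scoring constructed CloudTrail-style events with and without posture
(CSPM), entitlement (CIEM) and data-sensitivity (DSPM) context. Field names
follow the CloudTrail record layout; all values and weights are assumptions."""
import json

# CIEM context per principal: owner, actions seen in normal use, staleness.
IDENTITY_CONTEXT = {
    "arn:aws:iam::123456789012:role/ci-deploy-role": {
        "owner": "platform-team",
        "baseline_actions": {"GetObject", "PutObject"},
        "stale": False,
    },
    "arn:aws:iam::123456789012:user/legacy-etl-user": {
        "owner": None,              # nobody claims it: a shadow identity
        "baseline_actions": set(),  # never observed in use before
        "stale": True,
    },
}
# CSPM/DSPM context per resource: exposure and data classification.
RESOURCE_CONTEXT = {
    "arn:aws:s3:::customer-exports": {"public": False, "classification": "pii"},
    "arn:aws:s3:::build-cache": {"public": False, "classification": "internal"},
}
EXPOSURE_CHANGING = {"PutBucketPolicy", "PutBucketAcl"}


def _event(name, principal, resource):
    """Build one constructed CloudTrail-style record as a JSON string."""
    return json.dumps({
        "eventSource": "s3.amazonaws.com", "eventName": name,
        "userIdentity": {"arn": principal},
        "resources": [{"ARN": resource}],
    })


# A routine read, a PII read by the shadow identity, a policy change on PII.
SAMPLE_EVENTS = [
    _event("GetObject", "arn:aws:iam::123456789012:role/ci-deploy-role", "arn:aws:s3:::build-cache"),
    _event("GetObject", "arn:aws:iam::123456789012:user/legacy-etl-user", "arn:aws:s3:::customer-exports"),
    _event("PutBucketPolicy", "arn:aws:iam::123456789012:role/ci-deploy-role", "arn:aws:s3:::customer-exports"),
]


def score_event(raw, identity_ctx=None, resource_ctx=None):
    """Return (score, reasons) for one raw event. With no context only the
    action name contributes; each context layer adds an actionable reason."""
    ev = json.loads(raw)
    principal = ev["userIdentity"]["arn"]
    action = ev["eventName"]
    resource = ev["resources"][0]["ARN"] if ev.get("resources") else None
    score, reasons = 1, []          # bare runtime signal: "something happened"
    if action in EXPOSURE_CHANGING:
        score += 2
        reasons.append("exposure-changing action")
    if identity_ctx is not None:    # CIEM layer
        ident = identity_ctx.get(principal)
        if ident is None:
            score += 3
            reasons.append("principal missing from entitlement inventory")
        else:
            if action not in ident["baseline_actions"]:
                score += 2
                reasons.append("action outside identity's used baseline")
            if ident["owner"] is None:
                score += 2
                reasons.append("no owner (shadow identity)")
            if ident["stale"]:
                score += 1
                reasons.append("stale identity now active")
    if resource_ctx is not None and resource in resource_ctx:   # CSPM/DSPM layer
        res = resource_ctx[resource]
        if res["classification"] == "pii":
            score += 2
            reasons.append("sensitive data store")
        if res["public"]:
            score += 2
            reasons.append("publicly exposed resource")
    return score, reasons


def triage(events=SAMPLE_EVENTS, identity_ctx=IDENTITY_CONTEXT, resource_ctx=RESOURCE_CONTEXT):
    """Rank events by contextual score, highest first: (score, action, principal, reasons)."""
    ranked = []
    for raw in events:
        ev = json.loads(raw)
        score, reasons = score_event(raw, identity_ctx, resource_ctx)
        ranked.append((score, ev["eventName"], ev["userIdentity"]["arn"], reasons))
    return sorted(ranked, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    print("without context:", [(s, a) for s, a, _, _ in triage(identity_ctx=None, resource_ctx=None)])
    print("with context:   ", [(s, a) for s, a, _, _ in triage()])
```

Without context the only event that stands out is the bucket-policy change, and the PII read by an orphaned, stale identity looks identical to a routine build-cache read. With CIEM and DSPM context attached, that read becomes the top finding and each added reason names a control the team can apply (assign an owner, remove the identity, restrict the store), which is the difference between an alert stream and a remediation queue.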


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Cloud security maturity still starts with identity visibility, not platform consolidation. The article is right to treat CSPM and CIEM as the base layers because cloud security fails first at the point of incomplete inventory and excessive entitlement. CNAPP can correlate signals, but correlation does not replace the need to know which identities, workloads, and data stores actually exist. Practitioners should treat visibility as the precondition for every later control decision.

Identity, not infrastructure, remains the primary cloud attack surface. That is the durable lesson here for both human and non-human access models. In cloud environments, overprivileged service accounts, shadow identities, and stale permissions often matter more than the underlying instance or container because they determine what an attacker can reach next. The practitioner conclusion is that entitlement governance has to be built into the cloud maturity model from day one.

Runtime security only works when posture and entitlement data already exist. CDR and AI security become useful once they can interpret API activity, workload behaviour, and data movement in context. Without CSPM and CIEM, those detections are noisy and slow to act on. The implication is that security programmes should sequence runtime investment after baseline identity and configuration governance, not before.

CNAPP is an integration model, not a maturity substitute. The article correctly presents CNAPP as the point where posture, identity, workload, data, and runtime signals converge. But convergence only sharpens decisions if the underlying layers are already governed. For practitioners, that means prioritising the control plane before expecting a platform to deliver meaningful risk reduction.

Code-to-cloud linkage becomes valuable only after identity and data context are established. AppSec is positioned as a later-stage bridge because code findings without runtime, entitlement, and data context create an incomplete remediation queue. That is the right sequencing logic for fast-moving cloud programmes. Practitioners should only pull AppSec earlier when they can trace vulnerabilities into live workloads and associated identities.

From our research:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • Even though only 23.7% of organisations report sharing secrets through insecure methods such as email or messaging applications, that minority still represents a sizeable governance gap in NHI handling.
  • For the lifecycle angle, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns that help close the visibility gap.

What this signals

Identity sequencing will matter more than platform consolidation. Cloud programmes that begin with posture and entitlement visibility can absorb CNAPP later without losing governance clarity. For teams operating mixed human, NHI, and workload estates, the immediate task is to make access paths visible enough that runtime tools can be tuned to real risk rather than raw volume.

Entitlement sprawl is the control debt that slows cloud maturity. When identities are invisible or over-permissioned, every downstream layer inherits uncertainty. Security teams should treat the cloud maturity model as a governance sequence, not a product selection exercise, and anchor that sequence in the NHI Lifecycle Management Guide where service accounts and workload access are part of the programme boundary.

Runtime and AI security will only become durable if they are fed by identity context. The practical signal is that detections, triage, and remediation quality improve when posture, entitlement, and data signals are joined early. That is where cloud security programmes should invest next, alongside the NIST Cybersecurity Framework 2.0 to keep governance and response functions aligned.


For practitioners

  • Establish CSPM as the environment baseline: Map assets, public exposure, compliance drift, and configuration risk across every cloud account before expanding into deeper controls. Use that inventory to define which services, data stores, and identity paths are actually in scope.
  • Build CIEM review around shadow identities: Review unused permissions, privilege escalation paths, rogue service accounts, and cross-account entitlements as a distinct workstream. Prioritise the identities that can move laterally or operate without clear ownership.
  • Correlate data sensitivity with entitlement paths: Tie DSPM findings to identity and access data so sensitive stores are evaluated by who can reach them, not just whether they are encrypted or exposed. This creates a business-risk view that supports remediation prioritisation.
  • Sequence runtime detection after governance baselines: Introduce CDR and AI security with posture and entitlement context already feeding detections. That reduces noise, makes response actions more precise, and prevents runtime monitoring from becoming an isolated alert stream.
  • Add AppSec only when code can be traced to runtime: Move application security earlier only if your team can connect source code, deployment paths, running workloads, and associated identities. Otherwise, AppSec findings will stay disconnected from the actual cloud attack surface.

Key takeaways

  • Cloud security maturity still depends on visibility first, because posture and entitlement gaps define what later controls can actually protect.
  • Identity risk in cloud environments is concentrated in overprivileged and shadow accounts, which makes CIEM a governance control, not just a visibility feature.
  • CNAPP and runtime detection become more effective only after teams establish baseline inventory, entitlement governance, and data context.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05: access permissions, entitlements and authorizations are defined in policy, managed, enforced and reviewed under least privilege and separation of duties (the CSF 1.1 PR.AC-4 outcome) | Identity and access governance underpins CIEM and entitlement review in cloud.
NIST Zero Trust (SP 800-207) | Tenets of Zero Trust: all data sources and computing services are treated as resources, and the enterprise collects as much information as possible about the current state of its assets before making access decisions | Zero Trust requires asset and identity visibility before policy enforcement.
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | Orphaned or unmanaged service accounts and excessive entitlements are central to the article's CIEM discussion.

Use identity and asset discovery to establish the Zero Trust control plane before layering detection.


Key terms

  • Cloud Security Posture Management: Cloud Security Posture Management is the discipline of discovering cloud assets, configurations, and exposure so teams can see where risk exists. In practice, it provides the inventory and baseline that later controls use to interpret identity, workload, and data events.
  • Cloud Infrastructure Entitlement Management: Cloud Infrastructure Entitlement Management is the process of analysing what identities can do across cloud platforms and where those permissions exceed need. It focuses on unused access, privilege escalation paths, and shadow identities, making it central to cloud identity governance.
  • Cloud Detection and Response: Cloud Detection and Response is the use of runtime telemetry to identify active threats in cloud environments. It correlates API calls, IAM behaviour, network flows, and process execution so teams can respond with context rather than isolated alerts.
  • CNAPP: Cloud-Native Application Protection Platform is an integration model that combines posture, entitlement, workload, data, and runtime signals in one view. Its value depends on the quality of the underlying governance layers, not on correlation alone.

Deepen your knowledge

Cloud identity sequencing and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your cloud programme is starting with visibility and entitlement control, it is worth exploring.

This post draws on content published by Orca Security: cloud security maturity and the layered path from CSPM to CNAPP. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org