By NHI Mgmt Group Editorial Team
Published 2026-02-03
Domain: Best Practices
Source: Orca Security

TL;DR: Modern CNAPP can replace “find everything, fix nothing” with prioritized action by combining unified context, dynamic risk scoring, and focused remediation, according to Orca Security. Customers like Paidy and Lemonade reported faster visibility and far fewer actionable alerts, while the governance lesson is that cloud security creates leverage when it reduces friction and turns context into decisions, not tickets.


At a glance

What this is: An analysis of how CNAPP is being framed as a workflow shift from broad vulnerability discovery to context-driven prioritisation.

Why it matters: IAM, cloud, and security teams need controls that support speed without turning every finding into operational drag across NHI, autonomous, and human identity programmes.

By the numbers:

👉 Read Orca Security's analysis of prioritized action in cloud security


Context

CNAPP is a cloud security approach that combines visibility, risk scoring, and remediation guidance into one operational workflow. The problem it is trying to solve is familiar to any security team running at cloud speed: static scanning and ticket floods create more work than they remove, especially when workloads change faster than manual controls can follow.

For IAM and cloud security programmes, the challenge is not only finding issues but deciding which ones deserve attention now. That makes the topic relevant to service accounts, workload identities, and broader access governance, because the real failure is often not detection. It is prioritisation, ownership, and follow-through.

The article presents an agentless visibility model as a way to reduce deployment friction and improve context. That starting position is typical for teams trying to modernise cloud security without slowing delivery, but the broader governance question is how much operational trust can be placed in any system that promises both coverage and speed.


Key questions

Q: How should security teams prioritise cloud vulnerabilities without overwhelming developers?

A: Use contextual scoring that combines exposure, asset importance, and privilege adjacency, then reserve urgent treatment for issues that can plausibly create real loss. Everything else should move into planned remediation or security debt. The goal is not to treat fewer problems blindly, but to stop diluting attention across thousands of findings that do not deserve the same response.

Q: Why do agentless CNAPP models appeal to cloud security teams?

A: They reduce deployment friction by avoiding software installation on every workload, which makes it easier to gain broad visibility in fast-moving environments. That matters when teams cannot afford the time and maintenance burden of endpoint-style tooling. The tradeoff is that practitioners must verify the platform’s actual observation scope rather than assuming full workload-level telemetry.

Q: When does risk-based prioritisation work better than simple vulnerability counting?

A: It works better when teams need to separate business-critical issues from noise, especially in cloud environments where reach and privilege change the real severity of a finding. Counting alone creates urgency inflation. Risk-based prioritisation works when it is tied to a response model that makes clear which issues require immediate action and which belong in a managed backlog.

Q: Should cloud security findings be handled as tickets or as campaigns?

A: Use tickets for truly urgent issues, but handle repeated or thematic problems as campaigns when they need coordinated remediation across multiple assets or teams. That approach fits cloud environments better than constant one-off escalation. It lets security leaders frame work around a control objective, not just a stream of individual alerts.


Technical breakdown

Unified context in cloud security

Unified context means correlating asset inventory, exposure, configuration, and runtime signals so findings are interpreted against actual business reach. In cloud environments, the same vulnerability can have very different risk depending on whether a workload is internet-facing, connected to sensitive data, or tied to privileged access. This is why raw scanner output fails as a decision engine. CNAPP attempts to make cloud context usable by joining posture and exposure data before a human has to do that work manually.

Practical implication: map findings to the asset, identity, and exposure context that determines whether they deserve immediate action.

Agentless cloud visibility and SideScanning

Agentless visibility avoids installing software on every workload and instead inspects cloud storage or control-plane data to infer what is present. In practice, that reduces rollout overhead and makes coverage easier in fast-changing environments. The tradeoff is architectural: coverage depends on what the platform can observe from outside the workload, not from inside it. That can be enough for many use cases, but teams should understand exactly which telemetry sources are visible, which are inferred, and which remain opaque.

Practical implication: validate what the agentless model can and cannot observe before treating it as complete visibility.

Dynamic risk scoring and focused remediation

Dynamic risk scoring adjusts severity based on business context rather than static vulnerability grades alone. That shifts remediation from volume-based ticketing to decision-based prioritisation, where a trusted critical issue gets immediate attention and lower-risk issues become planned work or security debt. The mechanism is less about scoring every problem perfectly and more about shrinking the review set to the issues most likely to create real loss. This is what turns security into a queue management problem with business context attached.

Practical implication: use contextual scoring to separate urgent remediation from backlog work and prevent engineering teams from being overwhelmed.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

CNAPP only becomes operationally useful when it turns cloud findings into governance decisions. The article’s core argument is not really about scanning; it is about reducing the distance between discovery and action. That matters because security programmes fail when they produce inventory instead of prioritisation. The practical implication is that cloud security has to be judged by how quickly it helps teams decide what to fix, not by how many issues it surfaces.

Agentless visibility changes the implementation burden, but it does not eliminate the governance burden. Removing workload agents reduces deployment friction and can improve time to value, yet practitioners still have to decide what level of assurance is acceptable from outside-the-workload inspection. That is an architectural tradeoff, not a free control. The practical implication is that teams should treat visibility claims as scope decisions, not blanket coverage claims.

Prioritised action is a useful concept because it names the real failure mode: ticket flood without operational focus. Security teams do not struggle because they lack findings. They struggle because static severity models turn every environment into an equal emergency and erode engineering trust. The practical implication is that cloud security programmes need a shared language for urgency that reflects business context, not just technical scoring.

CNAPP is becoming a bridge between cloud operations and identity governance, especially where workload access is involved. Cloud posture, secrets exposure, and excessive privilege are increasingly intertwined, which means the old separation between platform security and identity security is less and less useful. The practical implication is that IAM, cloud, and AppSec teams should evaluate findings together instead of handing them off as separate queues.

From our research:

What this signals

Identity blast radius: cloud security programmes now need to distinguish between technical exposure and identity exposure, because the latter often determines whether a finding becomes operationally relevant. As cloud estates expand, the practical problem is not discovering every issue but understanding which identities can actually move risk across environments. That is where Top 10 NHI Issues becomes a useful lens for programme design.

With 72% of organisations reporting or suspecting an NHI breach in our research, the signal is not that visibility is missing. The signal is that identity governance still struggles to turn awareness into bounded action across cloud workloads, secrets, and access paths.

For practitioners, the next step is to align CNAPP findings with identity lifecycle controls so that account sprawl, excessive privilege, and stale access are not managed as separate queues. In practice, that means linking cloud remediation to NHI lifecycle management rather than treating posture and governance as different programmes.


For practitioners

  • Define contextual severity rules for cloud findings: Classify issues by exposure, data sensitivity, privilege adjacency, and exploitability so engineering teams only see genuinely actionable work in the critical path.
  • Test the real scope of agentless visibility: Validate which accounts, storage layers, and runtime states are actually observable through the platform and where blind spots remain for workload-level evidence.
  • Tie remediation to engineering workflows: Route the highest-priority items into sprint planning or security campaigns, and reserve immediate escalation for issues that combine reach, privilege, and active exposure.
  • Separate security debt from urgent risk: Create a backlog category for low-risk issues that still need tracking, so teams keep visibility without forcing every finding into the same response channel.
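The contextual severity rules, the ticket-versus-campaign routing and the security-debt split described in the dynamic risk scoring section and in the practitioner list above, as an added Python example; this is not code from Orca Security or from NHI Mgmt Group, and the weights, thresholds, field names, rule names and sample findings are assumptions:

```python
# Added example (not Orca Security's or NHI Mgmt Group's code); weights, thresholds and data are assumed.
from collections import Counter
from typing import NamedTuple

class Finding(NamedTuple):
    finding_id: str
    rule: str                          # finding type, e.g. a misconfiguration rule
    asset: str
    base_severity: float               # static scanner grade, 0-10
    internet_facing: bool = False      # reach
    sensitive_data: bool = False       # asset importance
    privileged_identity: bool = False  # privilege adjacency: high-privilege NHI attached
    exploitable: bool = False          # active exposure: reachable, known exploit

WEIGHTS = {"internet_facing": 1.5, "sensitive_data": 1.3,   # assumed multipliers:
           "privileged_identity": 1.6, "exploitable": 1.4}  # context outranks the static grade
URGENT_FLAGS = ("internet_facing", "privileged_identity", "exploitable")
CAMPAIGN_MIN_FINDINGS = 3  # assumed: one rule repeated 3+ times is a campaign, not 3 tickets
PLANNED_MIN_SCORE = 7.0    # assumed: below this, track as security debt

def contextual_score(f: Finding) -> float:
    score = f.base_severity            # uncapped: the value is for ranking, not reporting
    for flag, mult in WEIGHTS.items():
        if getattr(f, flag):
            score *= mult
    return round(score, 2)

def route(findings: list[Finding]) -> dict[str, list[str]]:
    # Partition findings into urgent tickets, campaigns, planned work and security debt.
    rule_count = Counter(f.rule for f in findings)
    queues = {"urgent": [], "campaign": [], "planned": [], "security_debt": []}
    for f in findings:
        if all(getattr(f, flag) for flag in URGENT_FLAGS):
            queues["urgent"].append(f.finding_id)         # reach + privilege + exposure
        elif rule_count[f.rule] >= CAMPAIGN_MIN_FINDINGS:
            queues["campaign"].append(f.finding_id)       # thematic: one control objective
        elif contextual_score(f) >= PLANNED_MIN_SCORE:
            queues["planned"].append(f.finding_id)        # sprint work
        else:
            queues["security_debt"].append(f.finding_id)  # tracked, not escalated
    return queues
# Constructed sample findings; IDs, rule names and asset names are made up.
SAMPLE = [
    Finding("F1", "rce-in-web-framework", "api-gw", 7.5, internet_facing=True, privileged_identity=True, exploitable=True),
    Finding("F2", "rce-in-image-library", "batch-worker", 9.8),  # critical grade, no context
    Finding("F3", "over-privileged-role", "svc-a", 5.0, privileged_identity=True),
    Finding("F4", "over-privileged-role", "svc-b", 5.0, privileged_identity=True),
    Finding("F5", "over-privileged-role", "svc-c", 5.0, privileged_identity=True),
    Finding("F6", "outdated-monitoring-agent", "dev-box", 3.1),
]
```

Note that the 9.8-graded finding on the isolated batch worker lands in planned work while the 7.5 on the exposed, privileged gateway is the only urgent ticket; the three repeated role findings become one campaign rather than three tickets.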

Key takeaways

  • CNAPP is being positioned as a decision layer, not just a detection layer, because cloud teams need fewer false priorities and more actionable context.
  • The scale of NHI exposure in cloud environments means identity and posture issues must be governed together, not handed off across separate teams.
  • Practitioners should validate visibility scope, contextual scoring, and remediation routing before treating any CNAPP workflow as operationally complete.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Cloud identity sprawl and secrets exposure connect directly to NHI governance.
NIST CSF 2.0 | PR.AC-4 | Access management is central when prioritising cloud findings tied to privilege.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero trust assumes continuous verification of access and context in dynamic cloud estates.

Use zero trust principles to evaluate whether cloud access remains justified as conditions change.


Key terms

  • Cloud-Native Application Protection Platform: A CNAPP is a cloud security category that combines posture, vulnerability, runtime, and identity-related signals into one operational view. Its value comes from helping teams decide what matters most in fast-changing cloud environments, rather than forcing them to manage separate tools and disconnected findings.
  • Dynamic Risk Scoring: Dynamic risk scoring adjusts severity based on real-world context such as exposure, privilege, and business impact. It moves security away from static grades alone and toward decisions that reflect how likely a finding is to create actual operational loss.
  • Agentless Visibility: Agentless visibility is a way of observing cloud assets without installing software on each workload. It reduces deployment overhead and can speed up coverage, but it also requires teams to understand exactly what the platform can and cannot observe from outside the workload.
  • Security Debt: Security debt is the backlog of lower-priority issues that are tracked but not fixed immediately. It is a governance construct that preserves visibility without forcing every finding into urgent remediation, which helps teams focus on risks that actually change business exposure.

Deepen your knowledge

Cloud security prioritisation and workload identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning cloud findings with identity controls, it is worth exploring.

This post draws on content published by Orca Security: CNAPP prioritization and the move from noise to action. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org