TL;DR: Nearly 40% of organisations reported security or compliance incidents tied to governance gaps introduced during cloud migration, according to Pathlock’s 2025 Digital Transformation & Access Risk Report. The findings show that transformation programmes are still outpacing GRC planning, leaving access reviews, SoD checks, and deprovisioning too manual to contain risk.
At a glance
What this is: This report benchmarks access and GRC readiness during cloud migration and finds that governance lag is directly contributing to security, compliance, and insider-risk incidents.
Why it matters: It matters because modernisation changes access paths faster than IAM, IGA, and PAM teams can manually review them, so governance has to move from afterthought to design input.
By the numbers:
- 40% of organisations experienced security or compliance incidents directly linked to governance gaps introduced during cloud migration.
- Only 7% updated GRC controls prior to migration.
- Over 70% lack automated access risk analysis, user access reviews, and provisioning and de-provisioning processes.
- 51% of organisations take more than 24 hours to revoke access after termination.
👉 Read Pathlock’s 2025 report on digital transformation and access risk
Context
Cloud migration changes how access is created, approved, reviewed, and removed. When enterprise systems move across hybrid environments, legacy governance assumptions break down because role design, SoD checks, and deprovisioning are often still tied to manual processes that were built for slower change.
The primary identity problem here is not the migration itself. It is the gap between modernisation speed and governance readiness, especially where regulated data, finance, HR, supply chain, and procurement workflows now span both cloud and on-premises systems. That is exactly the kind of transition that exposes weaknesses in IAM, IGA, and PAM operating models.
Key questions
Q: How should organisations govern access during cloud migration?
A: Organisations should design access governance before migration cutover, not after systems move. That means defining target roles, segregation of duties, approval flows, and deprovisioning ownership as part of the transformation plan. If controls are added later, teams inherit stale privileges, inconsistent reviews, and audit gaps that are harder and more expensive to fix.
Q: Why do manual user access reviews fail during modernisation programmes?
A: Manual reviews fail because hybrid environments change faster than human reviewers can interpret them. A reviewer may see an entitlement but not the business process, technical dependency, or temporary exception behind it. Automated entitlement grouping and risk scoring give reviewers the context they need to make decisions that are both faster and more defensible.
Q: What breaks when deprovisioning is slow after termination?
A: When access revocation is slow, the account remains usable after the business relationship has ended. That creates unnecessary exposure to misuse, insider activity, and compliance failure, especially where regulated data is involved. The control problem is lifecycle latency: access outlives need, and auditors can see that as a governance weakness.
Q: Who is accountable when governance gaps surface after cloud migration?
A: Accountability sits with the transformation owners and the identity governance function together, because the control failure comes from sequencing, not just execution. If migration proceeds without GRC design, the organisation has accepted the risk of incomplete SoD checks, delayed offboarding, and weak audit evidence. Frameworks such as the NIST Cybersecurity Framework 2.0 reinforce that access governance must be managed as an operational control.
Technical breakdown
Why cloud migration breaks access governance assumptions
Cloud migration changes the timing and shape of access decisions. Traditional governance often assumes roles are stable long enough for manual review, but migration projects recompose applications, permissions, and business processes at the same time. That creates an access model that changes faster than certification cycles, SoD analysis, or approval workflows can keep up. When GRC is deferred until after migration, organisations inherit temporary access paths that quickly become permanent exceptions. Practical implication: treat governance design as part of migration architecture, not as a post-cutover cleanup task.
Practical implication: Build GRC requirements into migration planning before target-state roles, entitlements, and approval flows are finalised.
Why manual user access reviews fail in hybrid environments
Manual user access reviews are too slow for environments where identities span SaaS, on-premises ERP, and newly migrated workloads. Reviewers may see a role but not the business process changes behind it, which makes access recertification descriptive rather than preventive. The result is review fatigue, inconsistent judgments, and missed excess privilege. This is especially acute when systems are modernised in waves and entitlement inventories are incomplete. Practical implication: automate evidence collection and entitlement grouping so reviewers assess business access patterns, not raw account lists.
Practical implication: Automate access review inputs and entitlement mapping before hybrid complexity turns recertification into a checkbox exercise.
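The entitlement grouping and SoD risk scoring described above, as an added example that is not Pathlock's or NHIMG's code. It collapses raw per-system entitlements from on-premises ERP, cloud ERP, HR and procurement SaaS into business functions, scores each user against a conflict matrix (including conflicts that only exist across systems), and surfaces entitlements that no catalogue maps yet, so reviewers see inventory gaps instead of losing them. All system names, entitlement identifiers, function mappings and weights are constructed for illustration.

```python
"""Entitlement grouping and SoD conflict scoring across a hybrid estate.

Added example, not code from the report or from NHIMG. Every system name,
entitlement identifier, business-function mapping and conflict weight below
is constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Constructed mapping from raw (system, entitlement) pairs to business functions.
# In practice this comes from role catalogues and application owners.
ENTITLEMENT_TO_FUNCTION = {
    ("erp-onprem", "FI_VENDOR_MAINT"): "create_vendor",
    ("erp-onprem", "FI_AP_POST"): "post_payment",
    ("erp-cloud", "AP.Invoice.Approve"): "approve_invoice",
    ("erp-cloud", "AP.Payment.Release"): "post_payment",
    ("hr-saas", "Payroll.Edit"): "edit_payroll",
    ("hr-saas", "Payroll.Approve"): "approve_payroll",
    ("procurement-saas", "PO.Create"): "create_po",
    ("procurement-saas", "PO.Approve"): "approve_po",
}

# Constructed SoD conflict matrix: function pairs one identity should not hold
# together, each with a weight used for risk scoring.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "post_payment"}): 10,
    frozenset({"approve_invoice", "post_payment"}): 8,
    frozenset({"edit_payroll", "approve_payroll"}): 9,
    frozenset({"create_po", "approve_po"}): 7,
}


def group_entitlements(assignments):
    """Collapse (user, system, entitlement) rows into business functions per user.

    Returns {user: {function: [(system, entitlement), ...]}}. Entitlements with
    no catalogue mapping are kept under "unmapped" so the review shows the gap.
    """
    grouped = defaultdict(lambda: defaultdict(list))
    for user, system, entitlement in assignments:
        function = ENTITLEMENT_TO_FUNCTION.get((system, entitlement), "unmapped")
        grouped[user][function].append((system, entitlement))
    return grouped


def find_sod_conflicts(grouped):
    """Score each user: sum of matrix weights over conflicting function pairs held.

    A cross-system conflict (vendor maintenance on-prem plus payment release in
    the cloud ERP) is reported exactly like a single-system one.
    """
    findings = {}
    for user, functions in grouped.items():
        held = [f for f in functions if f != "unmapped"]
        conflicts = []
        for a, b in combinations(sorted(held), 2):
            weight = SOD_CONFLICTS.get(frozenset({a, b}))
            if weight:
                conflicts.append({"functions": (a, b), "weight": weight,
                                  "evidence": functions[a] + functions[b]})
        findings[user] = {
            "score": sum(c["weight"] for c in conflicts),
            "conflicts": conflicts,
            "unmapped": functions.get("unmapped", []),
        }
    return findings


# Constructed access snapshot spanning on-prem ERP, cloud ERP, HR and procurement SaaS.
SAMPLE_ASSIGNMENTS = [
    ("alice", "erp-onprem", "FI_VENDOR_MAINT"),
    ("alice", "erp-cloud", "AP.Payment.Release"),   # conflicts across two systems
    ("bob", "hr-saas", "Payroll.Edit"),
    ("bob", "hr-saas", "Payroll.Approve"),
    ("carol", "procurement-saas", "PO.Create"),
    ("carol", "erp-cloud", "LEGACY_MIGRATED_ROLE"),  # migrated role not yet in catalogue
    ("dave", "erp-cloud", "AP.Invoice.Approve"),
]


def review_queue(assignments):
    """Order users by SoD risk score so reviewers see the riskiest items first."""
    findings = find_sod_conflicts(group_entitlements(assignments))
    return sorted(findings.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    for user, f in review_queue(SAMPLE_ASSIGNMENTS):
        pairs = [c["functions"] for c in f["conflicts"]]
        print(f"{user:6} score={f['score']:2} conflicts={pairs} unmapped={f['unmapped']}")
```

The design choice worth noting is that the conflict check runs on business functions rather than on raw entitlements, so one matrix covers both the legacy ERP role names and the cloud ERP permission strings; unmapped entitlements are carried into the output rather than dropped, because an incomplete inventory is itself a finding during migration.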
How delayed deprovisioning increases insider and compliance exposure
Deprovisioning is the last line of governance, and the report shows it is still heavily manual in many organisations. If termination access revocation takes more than 24 hours, then the account remains active across enough time to support misuse, accidental access, or policy breach. In regulated environments, that delay also weakens audit defensibility because access outlives employment or role need. The governance failure is not only technical. It is a lifecycle control gap that allows privilege to persist beyond legitimate use. Practical implication: reduce revocation latency and measure offboarding as a control outcome, not an administrative task.
Practical implication: Track revocation latency as a control metric and remove manual handoffs from termination workflows.
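Measuring revocation latency as a control outcome, as an added example that is not Pathlock's or NHIMG's code. It joins HR termination timestamps against revocation events from several systems, treats a user as offboarded only when every system has disabled the account, reports the slowest system, and flags any termination whose latency exceeds 24 hours (the threshold the report uses); open cases are measured up to a reference time so a missing revocation shows up as a breach rather than disappearing. The HR records, log lines, system names and the reference time are constructed for illustration.

```python
"""Deprovisioning latency as a measurable control outcome.

Added example, not code from the report or from NHIMG. The termination
records, revocation log lines, system list and reference time are constructed
for illustration; the 24-hour threshold is the figure the report uses.
"""
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=24)
SYSTEMS = ("erp-onprem", "erp-cloud", "hr-saas")

# Constructed HR system-of-record termination timestamps (UTC).
TERMINATIONS = {
    "u1001": datetime(2025, 10, 6, 17, 0, tzinfo=timezone.utc),
    "u1002": datetime(2025, 10, 6, 9, 30, tzinfo=timezone.utc),
    "u1003": datetime(2025, 10, 7, 12, 0, tzinfo=timezone.utc),
}

# Constructed revocation events, one "system,user,timestamp,action" per line.
REVOCATION_LOG = """\
erp-onprem,u1001,2025-10-06T17:20:00Z,disable
erp-cloud,u1001,2025-10-06T17:25:00Z,disable
hr-saas,u1001,2025-10-09T08:00:00Z,disable
erp-onprem,u1002,2025-10-06T10:00:00Z,disable
erp-cloud,u1002,2025-10-06T10:05:00Z,disable
hr-saas,u1002,2025-10-06T10:10:00Z,disable
erp-onprem,u1003,2025-10-07T12:30:00Z,disable
erp-cloud,u1003,2025-10-07T12:45:00Z,revoke_role
"""

# Constructed reference time at which the report is produced.
NOW = datetime(2025, 10, 8, 14, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Return {user: {system: disable_time}}; partial role removals do not count."""
    events = {}
    for line in text.splitlines():
        system, user, ts, action = line.split(",")
        if action != "disable":
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.setdefault(user, {})[system] = when
    return events


def latency_report(terminations, events, systems, now):
    """Per-user latency to full revocation across all systems, with SLA breach flag.

    A user still active in any system is an open case measured up to `now`, so
    a missing revocation surfaces as a breach instead of being silently skipped.
    """
    report = {}
    for user, fired_at in terminations.items():
        per_system = events.get(user, {})
        missing = [s for s in systems if s not in per_system]
        if missing:
            latency, status = now - fired_at, "open"
        else:
            latency, status = max(per_system.values()) - fired_at, "closed"
        report[user] = {
            "status": status,
            "latency_hours": round(latency.total_seconds() / 3600, 2),
            "breach": latency > SLA,
            "missing": missing,
            "slowest_system": max(per_system, key=per_system.get) if per_system else None,
        }
    return report


def summary(report):
    """Aggregate the metric the way a control owner would track it over time."""
    n = len(report)
    breaches = sum(1 for r in report.values() if r["breach"])
    return {"users": n, "breaches": breaches,
            "breach_pct": round(100 * breaches / n, 1) if n else 0.0}


def run_report():
    return latency_report(TERMINATIONS, parse_log(REVOCATION_LOG), SYSTEMS, NOW)


if __name__ == "__main__":
    rep = run_report()
    for user, r in rep.items():
        print(f"{user} {r['status']:6} {r['latency_hours']:6}h breach={r['breach']} "
              f"slowest={r['slowest_system']} missing={r['missing']}")
    print(summary(rep))
```

The metric is deliberately defined against the slowest system rather than the first one to revoke: in a hybrid estate the ERP or HR platform that still accepts the credential is what determines exposure, and a termination that was handled quickly in one system and never reached another is the manual-handoff failure the report describes.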
NHI Mgmt Group analysis
Governance lag is becoming the primary transformation risk, not a back-office follow-on. When only a small minority of organisations update GRC controls before migration, the programme is effectively designing access first and governing it later. That sequencing creates structural exposure because privilege, SoD, and audit requirements are being reconciled after business processes have already moved. Practitioners should treat delayed governance as a transformation defect, not a compliance nuisance.
Manual access governance does not scale to hybrid ERP and cloud estates. The report’s findings show that access reviews, risk analysis, and provisioning still depend on handoffs that cannot keep pace with modernisation. That is not just inefficient. It means governance decisions are made with stale context, incomplete entitlement visibility, and uneven enforcement across platforms. Practitioners need to recognise that hybrid identity governance now requires machine-assisted control execution, not only policy intent.
Insider fraud and compliance violations are the predictable outcome of unfinished governance design. Once access persists through migration, business users can retain privileges that no longer match role need, and auditors inherit control evidence that was assembled after the fact. This is a classic failure of lifecycle control, where offboarding and role redesign lag operational change. The implication for practitioners is that governance maturity must be measured by control timing, not by policy existence.
Identity blast radius expands when business modernisation outruns entitlement governance. The report makes clear that finance, HR, procurement, and supply chain migrations are not isolated IT events. They reshape who can approve, post, move, and terminate inside core systems, which means a single unmanaged entitlement can affect financial reporting, compliance, and operational continuity. Practitioners should use this as a signal to align transformation roadmaps with access control redesign.
GRC must be treated as a design constraint for hybrid identity, not a retrospective audit layer. The organisations that wait until migration is complete are choosing the hardest possible remediation path, because access models, SoD rules, and review workflows are already embedded in live operations. The discipline now is to govern change at the point of design, where entitlements, approvals, and deprovisioning can still be shaped. Practitioners should align governance checkpoints to migration gates, not to audit deadlines.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- For a broader control lens, see NIST Cybersecurity Framework 2.0 for govern, identify, protect, detect, respond, and recover alignment.
What this signals
Identity blast radius: when migration moves business-critical workflows across cloud and on-premises systems, the control problem is no longer just access assignment. It becomes the distance between a changed business role and the last time governance caught up, which is why modernisation programmes need continuous entitlement visibility and lifecycle metrics.
The report’s 39% incident rate tied to governance gaps is a reminder that transformation risk is now an identity operations issue, not only a project management issue. Teams that still rely on manual review cycles should expect delayed detection of privilege creep, slower exception closure, and weaker audit evidence across hybrid estates.
As organisations move finance, HR, procurement, and supply chain to newer platforms, access governance has to follow the workflow rather than the system boundary. That means integrating recertification, SoD analysis, and offboarding into the same programme rhythm that drives cutover planning, with the Ultimate Guide to NHIs providing a useful lifecycle reference point.
For practitioners
- Build GRC into migration gates: Require access design, SoD mapping, and control ownership to be approved before application cutover, not after the target state is live.
- Automate access risk analysis: Replace spreadsheet-led reviews with automated entitlement collection, role grouping, and risk scoring across cloud and on-premises systems.
- Shorten deprovisioning latency: Measure time to revoke access after termination and remove manual approvals that allow accounts to remain active beyond business need.
- Redesign hybrid user access reviews: Focus reviewers on business access patterns and SoD conflicts across ERP, SaaS, and legacy platforms instead of individual account lists.
- Link modernisation to control evidence: Capture migration-stage evidence for approval, recertification, and revocation so audit teams can trace governance decisions back to the cutover plan.
Key takeaways
- Cloud migration is exposing governance lag as an operational risk, not just a compliance issue.
- Manual access reviews and delayed deprovisioning are the two control weaknesses most likely to turn modernisation into audit exposure.
- Practitioners should build GRC, SoD, and lifecycle controls into migration design before cutover, not after exceptions accumulate.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-5 | Access is being redesigned during migration and needs continuous governance. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Delayed revocation and manual lifecycle handling mirror NHI governance gaps. |
| NIST CSF 2.0 | PR.AC-4 | Hybrid access reviews and SoD checks are core access control functions. |
Align entitlement review and SoD validation to PR.AC-4 across cloud and on-premises systems.
Key terms
- Governance gap: A governance gap is the distance between a policy that exists on paper and a control that is actually enforced in operation. In identity programmes, it shows up when approvals, reviews, SoD checks, or deprovisioning happen too late to constrain real access risk.
- Segregation of duties: Segregation of duties is the practice of preventing a single identity from holding conflicting access that could enable fraud or unauthorised change. In transformation programmes, it must be reassessed whenever roles, workflows, or application boundaries change, otherwise historic conflicts move into the new environment unchanged.
- Deprovisioning latency: Deprovisioning latency is the time between a termination or role change and the actual removal of access. The longer that window stays open, the more likely an identity can be misused, accidentally retained, or exposed during audit, especially in hybrid estates with multiple systems of record.
- Hybrid identity governance: Hybrid identity governance is the management of access, reviews, approvals, and lifecycle controls across cloud and on-premises systems as one operating model. It matters because modernisation usually fragments responsibility across platforms, which makes stale access and inconsistent enforcement easier to miss.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity in your organisation, it is worth exploring.
This post draws on content published by Pathlock: 2025 Digital Transformation & Access Risk Report. Read the original.
Published by the NHIMG editorial team on 2025-11-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org