TL;DR: Microsoft’s retirement of Entra Permissions Management leaves a CIEM gap across Azure, AWS, and Google Cloud, with SailPoint positioning its CIEM offering as the replacement path for visibility, least-privilege enforcement, and review workflows. The real issue is not product substitution but whether cloud entitlement governance is mature enough to survive a platform exit without losing control of privilege creep.
At a glance
What this is: Microsoft’s retirement of Entra Permissions Management spotlights a CIEM gap in multi-cloud entitlement governance and the need for continuous access visibility.
Why it matters: IAM, cloud security, and identity teams need a durable way to govern cloud entitlements, or retirement events can quickly turn into privilege creep, audit pain, and weak zero-trust enforcement.
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
👉 Read SailPoint’s blog on Microsoft ending Entra Permissions Management and CIEM options
Context
Cloud Infrastructure Entitlement Management, or CIEM, is the discipline that maps who and what can access cloud services, subscriptions, accounts, and projects, then right-sizes those entitlements over time. When a dedicated platform is retired, the real risk is not the brand name disappearing, but the control surface disappearing with it, leaving overprovisioned access and privilege creep easier to miss across Azure, AWS, and Google Cloud.
This is a governance problem as much as a tooling problem. Teams that relied on a dedicated CIEM capability still need visibility into effective access, auditable provisioning and removal, and a way to connect cloud permissions back to identity lifecycle events such as job change or departure. For background on the broader NHI control surface, see the Ultimate Guide to NHIs, Key Challenges and Risks and the NHI Lifecycle Management Guide.
Key questions
Q: How should security teams govern cloud entitlements after a CIEM platform retirement?
A: Treat the retirement as a programme test, not a procurement event. Teams should map all cloud entitlements, identify the systems of record for access decisions, and preserve audit evidence for provisioning, review, and removal. If those controls depend on one product, the organisation has a continuity risk, not just a tooling gap.
Q: Why do cloud entitlements drift out of control in multi-cloud environments?
A: Cloud entitlements drift because access is often granted through different native models, inherited roles, and exceptions that are not reconciled against current job need. In multi-cloud environments, that drift grows when ownership is split across teams and no single governance process tracks effective access end to end.
Q: What breaks when access reviews do not include cloud service accounts and projects?
A: Reviews miss the places where overprovisioning often hides. Service accounts, project-level roles, and inherited permissions can retain broad access long after the original reason has expired, so a review that only covers human users gives a false sense of control.
Q: Who is accountable when cloud access removal is not auditable?
A: Accountability sits with the identity governance and cloud security functions that own entitlement evidence, not with the business user alone. If removal cannot be proven, the organisation cannot demonstrate least privilege, effective offboarding, or a defensible review process during audit or incident response.
Technical breakdown
Why CIEM matters when cloud access spans multiple providers
CIEM exists because cloud permissions are fragmented across native consoles, projects, roles, subscriptions, and service principals. In a multi-cloud estate, entitlement risk is not only whether access exists, but whether anyone can reconstruct the path from identity to cloud service fast enough to review it. That becomes harder when organisations use one cloud’s control plane as the operational habit for all clouds, because the underlying permission models are not identical. Continuous visibility and normalisation are what turn a pile of permissions into something governable.
Practical implication: map entitlements across all cloud providers before a tool retirement forces manual reconciliation.
How privilege creep and overprovisioning accumulate in cloud estates
Privilege creep in cloud environments usually appears as access that was once legitimate but is no longer justified by the current role, project, or team structure. Overprovisioning often starts with convenience and spreads through reuse of broad roles, inherited permissions, and exceptions that never get cleaned up. CIEM reduces that drift by exposing dormant, excessive, and cross-environment access so reviews can focus on effective entitlement rather than theoretical policy. Without that visibility, zero trust becomes a slogan instead of a control model.
Practical implication: build review processes around effective access, not just assigned roles.
Why access review and removal need identity lifecycle linkage
The article’s strongest operational point is that cloud access must be tied to joiner, mover, and leaver events, not handled as a separate inventory problem. If a person changes jobs or leaves and cloud permissions remain in place, the issue is lifecycle failure, not simply poor monitoring. CIEM should therefore connect entitlement review to identity governance workflows so removal is auditable, timely, and repeatable. That is especially important where cloud access is spread across accounts, subscriptions, and projects that no single admin team fully owns.
Practical implication: connect cloud entitlement review to joiner-mover-leaver processes before audits expose the gap.
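The two sections above describe effective access (direct assignments plus roles inherited from parent scopes and reached through group membership) and the need to judge that access against lifecycle state. The following is an added example, not code from the original post or from SailPoint, using a constructed scope hierarchy that stands in for either Azure (management group, subscription, resource group) or Google Cloud (folder, project); every principal, role and scope name is made up.

```python
# Constructed sample data, not from any real tenant. Scopes form a hierarchy in
# which a role assigned at a parent scope is inherited by every child scope.
SCOPE_PARENT = {"sub-prod": "mg-root", "rg-payments": "sub-prod",
                "proj-analytics": "folder-data"}

# Direct role assignments as (principal, role, scope); principals may be groups.
ASSIGNMENTS = [
    ("grp-platform", "Owner", "mg-root"),
    ("alice", "Reader", "rg-payments"),
    ("bob", "Contributor", "sub-prod"),
    ("svc-etl", "Editor", "proj-analytics"),
]
GROUP_MEMBERS = {"grp-platform": {"alice", "svc-etl"}}

# Lifecycle state from the identity system of record, and the roles each
# identity's current job or project actually justifies (constructed baseline).
LIFECYCLE = {"alice": "active", "bob": "leaver", "svc-etl": "active"}
JUSTIFIED = {"alice": {"Reader"}, "svc-etl": {"Editor"}}


def scope_chain(scope):
    """The scope plus all of its ancestors, so inherited assignments are found."""
    chain = [scope]
    while scope in SCOPE_PARENT:
        scope = SCOPE_PARENT[scope]
        chain.append(scope)
    return chain


def effective_access(principal, scope):
    """Roles the principal can actually exercise at scope, as (role, granting scope):
    direct assignments, assignments inherited from parent scopes, and assignments
    reached through group membership."""
    acting_as = {principal} | {g for g, m in GROUP_MEMBERS.items() if principal in m}
    ancestors = set(scope_chain(scope))
    return {(role, s) for p, role, s in ASSIGNMENTS if p in acting_as and s in ancestors}


def drift_findings(principal, scope):
    """Effective entitlements a review should flag: stale access still held by a
    leaver, or access not justified by current need, each with its grant path."""
    findings = []
    for role, granted_at in sorted(effective_access(principal, scope)):
        if LIFECYCLE.get(principal) == "leaver":
            findings.append((role, granted_at, "stale: identity has left"))
        elif role not in JUSTIFIED.get(principal, set()):
            path = "direct" if granted_at == scope else f"inherited from {granted_at}"
            findings.append((role, granted_at, f"excess: {path}"))
    return findings
```

Reviewing alice at rg-payments shows the point of effective access: her directory record says Reader, but group membership at the root scope makes her Owner of the resource group, and bob's leaver state turns an otherwise plausible Contributor grant into stale access that removal evidence should cover.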
NHI Mgmt Group analysis
CIEM retirement exposes a control dependency, not just a product dependency. When a dedicated entitlement platform disappears, organisations do not merely lose a dashboard. They lose a repeatable way to normalise cloud access, detect overprovisioning, and prove that access removal is happening on time. The governance lesson is that cloud entitlement control should not be anchored to a single tooling relationship when the underlying risk is structural.
Cloud privilege creep is a lifecycle failure that CIEM was meant to surface. Access that persists after a role change or departure is the cloud version of standing privilege. That makes entitlement governance inseparable from joiner-mover-leaver discipline, because the control gap is not in the cloud itself but in the failure to keep permissions aligned with current business need. Practitioners should treat this as an access recertification and offboarding issue, not just a visibility issue.
Multi-cloud entitlement management needs evidence, not assumptions. Broad claims about least privilege mean little unless teams can trace identity to service, account, and project level access and show where excess permissions were removed. The NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 both reinforce the same point: visibility, governance, and access scope are inseparable when entitlements span humans, workloads, and cloud infrastructure.
Platform transitions are a forcing function for governance maturity. When one capability is retired, enterprises must decide whether their cloud access model is resilient enough to survive vendor change without degrading review quality or audit evidence. That question is bigger than CIEM selection. It is about whether cloud identity governance is designed as a durable programme or as a product dependency.
Named concept: entitlement drift debt. Cloud teams accumulate entitlement drift debt when excess permissions, inherited roles, and stale access are allowed to persist across cloud accounts and projects. The longer that debt remains unpaid, the harder it becomes to prove least privilege or support clean offboarding, so practitioners need to treat entitlement cleanup as an ongoing governance obligation.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, even though the majority are already moving toward autonomous adoption.
- For a broader governance lens, see Ultimate Guide to NHIs, Key Challenges and Risks for the visibility and over-privilege patterns that make entitlement drift harder to contain.
What this signals
Entitlement drift debt: when cloud permissions, inherited roles, and stale access are allowed to accumulate, the organisation pays later in audit effort, remediation time, and loss of trust in access evidence. That debt becomes visible fastest when a platform retirement forces a reassessment of who owns cloud entitlement control and how that control is documented.
The 70% access over-grant statistic from The 2026 Infrastructure Identity Survey is a warning for cloud governance teams: broad access is already the default pattern, and retirement events only make that harder to hide. Teams should expect more pressure on identity governance, not less, as cloud control planes and entitlement tools continue to consolidate.
Security leaders should treat cloud entitlement management as an identity programme capability, not a point product dependency. That means aligning access review, provisioning, and offboarding with existing IAM and lifecycle processes, then using the NIST Cybersecurity Framework 2.0 to connect cloud entitlement evidence to govern, protect, detect, and recover outcomes.
For practitioners
- Map cloud entitlement sources end to end: Inventory where permissions are assigned across Azure, AWS, and Google Cloud, then document which identity governance process owns each access path. Include accounts, subscriptions, projects, roles, and any inherited permissions so reviews are based on complete access evidence.
- Tie entitlement reviews to lifecycle events: Trigger cloud access review and removal when a user changes role or leaves, and retain evidence that the change was completed across all cloud providers. This is the control that prevents stale access from surviving beyond the business need.
- Prioritise effective access over assigned access: Focus reviews on what an identity can actually do in the cloud, not just what appears on paper in a directory. Effective access analysis exposes inherited rights, cross-environment exposure, and roles that have outgrown their original purpose.
- Build audit evidence into entitlement operations: Make access removal, provisioning, and review auditable by design so audit cycles do not depend on manual reconstruction. Store the evidence in a way that cloud admins, IAM teams, and auditors can all validate without re-querying every platform.
Key takeaways
- Microsoft’s retirement of Entra Permissions Management highlights how quickly cloud entitlement control can become fragmented when CIEM is treated as a point dependency.
- The operational risk is privilege creep, stale access, and weak audit evidence across Azure, AWS, and Google Cloud.
- Practitioners should connect cloud entitlement review to lifecycle events and preserve auditable evidence of provisioning and removal.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Cloud entitlement drift and stale access map directly to NHI credential and access lifecycle risk. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege cloud access and entitlement governance align with access management controls. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero trust requires continuous verification of cloud access scope across providers. |
Review cloud entitlements against NHI-03 and remove access that no longer matches current business need.
Key terms
- CIEM: Cloud Infrastructure Entitlement Management is the practice of discovering, normalising, and right-sizing permissions across cloud platforms. It focuses on effective access rather than just assigned roles, helping organisations reduce overprovisioning, stale entitlements, and audit friction.
- Privilege Creep: Privilege creep is the gradual accumulation of access beyond what an identity currently needs. In cloud environments, it often appears after job changes, project transitions, or inherited permissions are left in place, creating unnecessary exposure and making least privilege harder to prove.
- Effective Access: Effective access is the real permission set an identity can use after role inheritance, policy layering, and group membership are applied. It is the practical view practitioners need for review, because assigned permissions often overstate or obscure the actual exposure.
- Identity Lifecycle: Identity lifecycle is the governance process that ties access to joiner, mover, and leaver events. For cloud entitlements, it means provisioning, review, and removal must follow current business role and separation events, or stale access will persist beyond its justification.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: Microsoft ends Entra Permissions Management and the case for CIEM. Read the original.
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org