TL;DR: As more processes are automated and more devices, systems, and applications need digital identities, Axiad argues that cloud delivery reduces implementation complexity but does not remove the need for constant lifecycle attention and enablement across users and machines. The underlying risk is that identity programmes still have to inventory, verify, and govern a growing set of non-human and human access paths before productivity and security drift apart.
At a glance
What this is: This is a practitioner-focused analysis of why cloud-delivered MFA and PKI still demand strong identity enablement, lifecycle attention, and inventory discipline as enterprise digital identities multiply.
Why it matters: It matters because IAM teams have to govern users, machines, and applications together, or cloud simplification turns into unmanaged identity sprawl across NHI, autonomous, and human programmes.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
👉 Read Axiad's analysis of identity risk in cloud-based MFA and PKI rollouts
Context
Cloud-based identity delivery reduces implementation friction, but it does not reduce the governance burden. As environments add more devices, processes, systems, and automated interactions, identity risk shifts from project setup to ongoing inventory, verification, and lifecycle control across both human and non-human access.
The core issue is not whether MFA or PKI can be delivered faster, but whether the enterprise can still map who and what is authenticated, who owns it, and when it should be retired. That problem spans service accounts, application identities, and human access paths, so IAM teams need a shared governance model rather than a point-solution view.
Key questions
Q: How should security teams govern digital identities in cloud environments?
A: Security teams should govern digital identities by classifying every identity object, assigning ownership, and tying credential issuance to retirement. Cloud delivery makes access easier to deploy, but governance only works when human, machine, and application identities are inventoried and reviewed as part of one control model.
Q: Why do service accounts and other machine identities increase identity risk?
A: Service accounts increase identity risk because they often persist longer than the systems or workflows they support, and they are frequently under-inventoried. Once a machine identity is left unowned or over-privileged, it becomes a durable trust path that attackers can abuse even when human access is well controlled.
Q: How do organisations know if cloud identity enablement is actually working?
A: They know it is working when every identity has a named owner, a documented purpose, and a clear retirement path, and when exceptions are rare enough to be managed. If users, machines, and applications cannot be reconciled back to policy, the programme is only partially controlled.
Q: What should teams do when cloud authentication expands faster than governance?
A: Teams should pause broad expansion and stabilise the control plane around inventory, ownership, and lifecycle management first. If authentication coverage grows while offboarding, certification, and exception handling lag behind, the result is identity sprawl with a false sense of security.
Technical breakdown
Digital identity inventory across users, machines, and applications
The article points to a common enterprise failure mode: once cloud identity services are in place, teams assume the hard part is over. In reality, the technical challenge moves to inventory and classification. Digital identities include human users, service accounts, device identities, application credentials, and automated interactions. If those identities are not catalogued, you cannot apply consistent authentication policy, ownership, or retirement logic. The operational problem is not only scale, but ambiguity about what needs protection and who is accountable for each identity object.
Practical implication: build a governed inventory that distinguishes human, NHI, and machine identities before expanding cloud authentication coverage.
MFA and PKI enablement without lifecycle control
Cloud delivery can reduce deployment time, but it does not eliminate lifecycle governance. MFA and PKI both depend on enrolment, change management, and eventual deprovisioning. When those steps are handled informally, organisations create durable identity objects that remain trusted long after their business purpose changes. This is especially risky for non-human identities, where a certificate or token may be reused by systems that no one is actively reviewing. Security architecture only works when enablement and offboarding are treated as a single control chain.
Practical implication: tie onboarding, credential issuance, and retirement together so cloud identity enablement does not create standing access.
Identity assurance as an ecosystem problem
Axiad frames the real challenge as ecosystem enablement, not just authentication rollout. That is an accurate read of how modern identity programmes fail: controls break when user experience, application integration, and operational ownership are not designed together. For IAM and PAM teams, the technical question is how assurance scales when access paths are distributed across cloud services, legacy systems, and automated workflows. The answer is not more isolated tooling, but a consistent control model that can govern every access path with the same accountability.
Practical implication: standardise assurance and ownership requirements across integrated services instead of treating each environment as a separate exception.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity sprawl is the real risk hidden inside cloud simplification. Faster deployment does not remove the need to know what identities exist, who owns them, and how they are retired. As more systems, devices, and applications come into scope, the control problem becomes governance at scale. Practitioners should treat identity inventory as a security control, not an administrative task.
Lifecycle gaps are where cloud identity programmes quietly fail. MFA and PKI are only effective when enrolment, change, and offboarding are managed as one continuous process. If credentials or certificates outlive their business purpose, trust becomes durable without justification. Practitioners should align identity lifecycle governance with the actual retirement point of each user, machine, or application.
Digital identity enablement is a cross-domain governance issue, not a product feature. The article correctly observes that users, machines, and interactions all need protection, but those groups cannot be governed with the same assumptions. Human access, NHI access, and automated access each create different ownership and review problems. Practitioners should design one operating model with differentiated controls, not three disconnected programmes.
Service account visibility remains the best indicator of whether identity governance is keeping pace. NHI programmes often claim coverage while leaving machine identities under-inventoried and over-privileged. The Ultimate Guide to NHIs shows only 5.7% of organisations have full visibility into their service accounts, which makes the gap structural rather than anecdotal. Practitioners should use visibility as the first test of whether cloud identity enablement is actually controlled.
Enterprise identity resilience depends on reducing trust drift over time. The deeper lesson here is that cloud delivery can accelerate rollout while still increasing the number of trust relationships that must be managed. Every additional identity, certificate, and integration adds review burden. Practitioners should treat trust drift as a programme-level metric, not a local implementation concern.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, which means inventory gaps quickly become privilege gaps as well.
- That same 52 NHI Breaches Analysis shows how visibility failures turn into repeated control breakdowns, not isolated events.
What this signals
Identity programme maturity now depends on whether teams can see and classify every non-human identity. Cloud delivery makes authentication easier to consume, but it also expands the set of access paths that must be owned, reviewed, and retired. The practical test is whether IAM, PAM, and platform teams are working from one authoritative inventory or three disconnected views.
Trust drift is the better metric than deployment speed for judging cloud identity success. A fast rollout that leaves service accounts, certificates, and application identities unmanaged creates a larger control burden later. Practitioners should expect more audit pressure on lifecycle evidence, not less, as automation increases the number of identities that need accountability.
Digital identity governance now sits at the intersection of NHI hygiene and human access policy. Many programmes still separate user access, machine access, and application enablement, even though the operational risk comes from their interaction. That boundary is where exceptions accumulate, and where recertification work is most likely to miss the identities that matter most.
For practitioners
- Create a governed digital identity inventory: Map every human, service account, device, application, and automated identity to an owner, purpose, and retirement condition. Reconcile this inventory against authentication logs and provisioning systems so shadow identities are not left outside governance.
- Link enablement to offboarding and rotation: Treat enrolment, credential issuance, certificate renewal, and retirement as one workflow. If a digital identity cannot be formally revoked or rotated, it should not be allowed to persist as a trusted access path.
- Standardise assurance controls across environments: Apply consistent identity assurance rules across cloud, on-premises, and automated workflows so exceptions do not become the default operating model. Use the same control intent even when the technical implementation differs.
- Review machine identity ownership separately from user access: Assign explicit ownership for service accounts and application identities, then recertify them on a schedule that reflects system change, not human employee cadence. This reduces the chance that machine access becomes invisible.
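The inventory reconciliation described in the first two practitioner items, as an added worked example (not code from the article, Axiad, or NHIMG): it assumes a minimal identity record carrying owner, purpose, a retirement date and a revocability flag, a constructed auth-log format with a `principal=` field, and a constructed provisioning list, and it flags shadow, unowned, expired-but-active, unrevocable and unobserved identities.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class IdentityRecord:
    name: str
    kind: str                     # human, service_account, device, application, automation
    owner: Optional[str]
    purpose: Optional[str]
    retire_after: Optional[date]  # retirement condition, expressed here as a date (assumption)
    revocable: bool               # is there a formal revoke/rotate path for its credential?

def parse_principals(log_lines):
    """Pull the principal= field out of the constructed auth-log lines."""
    return {tok.split("=", 1)[1] for line in log_lines
            for tok in line.split() if tok.startswith("principal=")}

def reconcile(inventory, auth_principals, provisioned, today):
    """Reconcile the governed inventory against auth logs and provisioning records."""
    by_name = {r.name: r for r in inventory}
    observed = set(auth_principals) | set(provisioned)
    return {
        # seen authenticating or provisioned, but absent from the governed inventory
        "shadow": sorted(observed - set(by_name)),
        # inventoried, but with no accountable owner or documented purpose
        "unowned": sorted(n for n, r in by_name.items() if not (r.owner and r.purpose)),
        # past its retirement condition yet still authenticating: durable trust without justification
        "expired_still_active": sorted(n for n, r in by_name.items()
                                       if r.retire_after and r.retire_after < today and n in auth_principals),
        # no formal revoke/rotate path, so it should not persist as a trusted access path
        "no_revocation_path": sorted(n for n, r in by_name.items() if not r.revocable),
        # inventoried but never observed anywhere: candidates for retirement review
        "unobserved": sorted(n for n in by_name if n not in observed),
    }

# Constructed sample data, not taken from the article.
SAMPLE_INVENTORY = [
    IdentityRecord("alice@example.test", "human", "alice@example.test", "engineer", None, True),
    IdentityRecord("svc-build-ci", "service_account", "platform-team", "CI pipeline", date(2026, 12, 31), True),
    IdentityRecord("svc-legacy-export", "service_account", None, "nightly export", date(2024, 6, 30), False),
    IdentityRecord("app-billing-api", "application", "billing-team", "billing integration", None, True),
    IdentityRecord("dev-laptop-0042", "device", "it-ops", "engineer workstation", None, True),
]
SAMPLE_AUTH_LOG = [
    "2025-09-15T02:00:01Z principal=svc-legacy-export result=success",
    "2025-09-15T09:30:00Z principal=svc-tmp-migration result=success",
    "2025-09-15T10:05:17Z principal=svc-build-ci result=success",
]
SAMPLE_PROVISIONED = {"alice@example.test", "svc-build-ci", "svc-legacy-export",
                      "app-billing-api", "bot-deploy-token"}

def run_sample():
    return reconcile(SAMPLE_INVENTORY, parse_principals(SAMPLE_AUTH_LOG),
                     SAMPLE_PROVISIONED, today=date(2025, 9, 16))
```

Each finding bucket maps to one governance gap the article names, so the same run doubles as evidence for a recertification cycle.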
Key takeaways
- Cloud identity delivery reduces implementation friction, but it does not reduce the governance burden of growing identity populations.
- The most material risk is not authentication speed, but whether users, machines, and applications can all be inventoried and retired cleanly.
- IAM teams should treat lifecycle control and identity ownership as foundational requirements for any scalable cloud-based identity programme.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity inventory and ownership are central to this article's governance gap. |
| NIST CSF 2.0 | PR.AA-01 | Authentication and assurance must remain consistent as identity surfaces expand. |
| NIST Zero Trust (SP 800-207) | PR.AC | The article focuses on controlling access paths as ecosystems change. |
Standardise identity assurance requirements across cloud and on-prem environments to prevent exception drift.
Key terms
- Digital Identity Inventory: A governed record of every identity object that can authenticate or receive access, including users, service accounts, devices, applications, and automation. In practice, the value is not counting identities once, but maintaining ownership, purpose, and retirement status so the inventory stays security-relevant.
- Lifecycle Governance: The set of controls that manage an identity from creation through change, review, and retirement. For cloud and non-human identities, lifecycle governance is the control that prevents credentials and certificates from surviving the business purpose they were created for.
- Identity Assurance: The confidence an organisation has that the right identity is being authenticated and granted the right level of access. It depends on policy, enrolment quality, and ongoing review, not just on the authentication method used at login.
Deepen your knowledge
Identity inventory, lifecycle governance, and machine identity control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending cloud identity services across users and systems, it is a practical next step.
This post draws on content published by Axiad: Are You Doing Everything You Can to Mitigate Your Cyber Security Risks? Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org