TL;DR: Across AWS and Azure, static credentials, orphaned service accounts, and periodic access reviews leave identity threats under-monitored, while the 2023 Verizon Data Breach Investigations Report says 80% of breaches involve credential misuse. The operational gap is not visibility alone, but continuous enforcement across human and non-human identities.
At a glance
What this is: This guide argues that multi-cloud identity security fails when teams rely on periodic reviews, fragmented IAM tooling, and static credentials instead of continuous detection and posture management.
Why it matters: For IAM and NHI practitioners, the issue is that AWS and Azure identity sprawl creates attack paths that traditional approval-based controls do not close fast enough.
By the numbers:
- 80% of breaches involve credential misuse.
- 70% of cloud security failures will be caused by identity mismanagement by 2025.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
👉 Read Unosecur's practical guide to ITDR and ISPM for AWS and Azure identities
Context
Identity is the control plane for cloud access, and that makes NHI governance a first-order problem in AWS and Azure environments. When service accounts, API keys, roles, and tokens proliferate across two clouds, periodic review processes miss the live risk created by stale entitlements and hard-coded credentials.
The article focuses on the gap between compliance-oriented IAM and continuous identity defense. That framing is broadly typical for multi-cloud guidance, but the NHI angle is stronger here because machine identities often outnumber human users and are harder to monitor consistently.
Key questions
Q: How should security teams handle identity risk across AWS and Azure?
A: Security teams should treat AWS and Azure identities as one governance problem, not two separate admin tasks. The priority is continuous visibility into service accounts, roles, and tokens, plus fast detection of unusual authentication and privilege use. Static credentials, stale trust paths, and periodic reviews leave too much time for abuse. Short-lived access and real-time correlation reduce that gap.
Q: What is the difference between ITDR and ISPM?
A: ITDR focuses on detecting and responding to identity abuse in motion, such as unusual logins, token misuse, or lateral movement. ISPM focuses on the underlying posture, including stale permissions, orphaned identities, and excessive access. Used together, they cover both the live attack and the conditions that make it possible.
Q: When does just-in-time access reduce more risk than it adds?
A: Just-in-time access reduces more risk when the organisation can reliably automate approval, scope the privilege to a task, and revoke it immediately after use. It adds risk when teams keep broad base roles, weak review processes, or manual workflows that delay revocation. JIT is most effective as part of a broader zero-standing-privilege model.
Q: Why do non-human identities complicate zero trust architecture?
A: Non-human identities complicate zero trust because machines authenticate constantly, often through tokens, service accounts, and automated trust relationships that users never see. Zero trust works best when identities are continuously verified and permissions are minimal. If NHI lifecycle controls are weak, the architecture can still grant persistent access through long-lived credentials.
Technical breakdown
Why static credentials fail across AWS and Azure
Static credentials create durable trust links between systems, which means a leaked key can remain valid long after the original workflow changed. In multi-cloud environments, teams often mix AWS IAM roles, Azure Managed Identities, and legacy API keys, then inherit inconsistent expiration and revocation behavior. That combination expands the attack surface because the identity itself becomes the perimeter, not the network. Continuous rotation and short-lived authentication reduce dwell time, but only if workloads are designed to avoid persistent secrets in the first place.
Practical implication: remove hard-coded secrets from cross-cloud workflows and replace them with short-lived, workload-bound identities.
How ITDR changes identity monitoring
Identity Threat Detection and Response shifts monitoring from permission review to behavior analysis. Instead of asking whether an account is approved, ITDR looks for impossible travel, brute-force patterns, unusual token use, and lateral movement from valid identities. That matters because attackers increasingly authenticate rather than exploit perimeter flaws. In AWS and Azure, this requires correlation across cloud logs, identity providers, and detection tooling so that suspicious use of a legitimate account is treated as an active incident, not an audit finding.
Practical implication: correlate cloud identity telemetry in real time so abnormal authentication and token activity triggers response.
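The correlation described above, as an added example that is not part of the original guide: a CloudTrail-shaped AWS event and an Entra-shaped Azure sign-in for the same workload are normalised onto one identity and checked for impossible travel. The identity map, IP-to-location table and sample events are constructed, and the field names are hypothetical stand-ins for a real pipeline's schema.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed map linking an AWS principal ARN and an Azure service principal
# to one canonical workload identity (hypothetical names; assumes the team keeps one).
IDENTITY_MAP = {"arn:aws:iam::123456789012:user/ci-deploy": "workload:ci-deploy",
                "ci-deploy-sp": "workload:ci-deploy"}

# Constructed IP -> (lat, lon) table standing in for a GeoIP lookup.
GEO = {"203.0.113.10": (52.52, 13.40),    # roughly Berlin (constructed)
       "198.51.100.7": (-33.87, 151.21)}  # roughly Sydney (constructed)

# Constructed telemetry: one CloudTrail-style record and one Entra-style
# service-principal sign-in for the same workload, 40 minutes apart.
EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "sourceIPAddress": "203.0.113.10", "eventTime": "2025-12-01T10:00:00Z"},
    {"servicePrincipalName": "ci-deploy-sp", "ipAddress": "198.51.100.7",
     "createdDateTime": "2025-12-01T10:40:00Z"},
]

def normalize(ev):
    """Map an AWS or Azure event onto (identity, cloud, time, (lat, lon))."""
    if "userIdentity" in ev:   # CloudTrail shape
        who, ip, ts, cloud = ev["userIdentity"]["arn"], ev["sourceIPAddress"], ev["eventTime"], "aws"
    else:                      # Entra sign-in shape
        who, ip, ts, cloud = ev["servicePrincipalName"], ev["ipAddress"], ev["createdDateTime"], "azure"
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return IDENTITY_MAP.get(who, who), cloud, when, GEO.get(ip)

def km(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, max_kmh=1000):
    """Flag one identity seen in two places faster than max_kmh, across clouds."""
    alerts, last = [], {}
    for ident, cloud, when, geo in sorted((normalize(e) for e in events), key=lambda r: r[2]):
        if geo is None:        # unknown IP: no distance to reason about
            continue
        if ident in last:
            prev_cloud, prev_when, prev_geo = last[ident]
            hours = (when - prev_when).total_seconds() / 3600
            dist = km(prev_geo, geo)
            if dist > max_kmh * hours:   # also catches same-timestamp sign-ins from two places
                alerts.append({"identity": ident, "from": prev_cloud, "to": cloud, "km": round(dist), "hours": round(hours, 2)})
        last[ident] = (cloud, when, geo)
    return alerts
```

Because both records collapse onto `workload:ci-deploy`, the Berlin-to-Sydney hop in 40 minutes is raised as one incident for the workload rather than two unrelated events in two consoles.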
ISPM and zero standing privilege for non-human identities
Identity Security Posture Management identifies where access is excessive, stale, or misaligned with current workload needs. For non-human identities, this pairs naturally with Zero Standing Privilege and Just-in-Time access, which remove always-on permissions and provision access only when a task requires it. The architecture is not just about tightening policy. It is about reducing the blast radius when a token, role, or service account is abused. That is especially important when service accounts live longer than the applications they support.
Practical implication: enforce task-scoped access for service accounts and audit privilege drift continuously.
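An added example (not from the original guide) of how posture findings become owned remediation tasks: a constructed cross-cloud inventory of non-human identities is scored for rotation age, dormancy, unused permissions and missing ownership, with severity raised for wide privilege and orphaned credentials. All ids, owners, dates and the admin-marker heuristic are constructed assumptions.

```python
from datetime import date

# Constructed cross-cloud NHI inventory (ids, owners and dates are made up).
# "granted" is the permission set on the credential; "used" is the subset
# actually exercised in the lookback window.
INVENTORY = [
    {"id": "ci-deploy-key", "cloud": "aws", "owner": "platform-team",
     "created": "2024-01-15", "last_used": "2025-11-30",
     "granted": ["s3:GetObject", "iam:*"], "used": ["s3:GetObject"]},
    {"id": "report-bot-secret", "cloud": "azure", "owner": None,
     "created": "2023-06-01", "last_used": "2025-03-01",
     "granted": ["Directory.Read.All"], "used": []},
    {"id": "etl-role-token", "cloud": "aws", "owner": "data-team",
     "created": "2025-11-01", "last_used": "2025-12-01",
     "granted": ["s3:GetObject"], "used": ["s3:GetObject"]},
]
TODAY = date(2025, 12, 3)                        # constructed assessment date
ADMIN_MARKERS = ("*", "Administrator", ".All")   # crude blast-radius heuristic

def assess(inv, today, rotate_days=90, dormant_days=60):
    """Turn posture data into prioritised tasks, each with an owner.
    Severity grows with the number of findings, wide privilege, and no owner."""
    tasks = []
    for c in inv:
        age = (today - date.fromisoformat(c["created"])).days
        idle = (today - date.fromisoformat(c["last_used"])).days
        unused = sorted(set(c["granted"]) - set(c["used"]))
        findings = []
        if age > rotate_days:
            findings.append(f"rotate: credential is {age} days old")
        if idle > dormant_days:
            findings.append(f"revoke: dormant for {idle} days")
        if unused:
            findings.append("right-size: unused " + ", ".join(unused))
        if c["owner"] is None:
            findings.append("assign owner: orphaned identity")
        if not findings:               # healthy credential: nothing to enforce
            continue
        wide = any(m in p for p in c["granted"] for m in ADMIN_MARKERS)
        severity = len(findings) + (2 if wide else 0) + (1 if c["owner"] is None else 0)
        tasks.append({"id": c["id"], "cloud": c["cloud"], "owner": c["owner"] or "UNASSIGNED",
                      "severity": severity, "actions": findings})
    return sorted(tasks, key=lambda t: -t["severity"])
```

The orphaned, dormant Azure secret with a tenant-wide read permission outranks the owned AWS key that merely needs rotation and trimming, which is the blast-radius ordering the text calls for.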
Threat narrative
Attacker objective: The attacker aims to turn a valid identity into durable access that can be used for lateral movement, data theft, or cloud resource abuse.
- Entry via leaked or hard-coded API keys and service account credentials in multi-cloud workflows.
- Escalation through excessive roles, stale privileges, or AssumeRole-style trust paths that were not revalidated.
- Impact through lateral movement, token abuse, and unauthorized access to cloud resources and data.
Breaches seen in the wild
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials, endangering user privacy.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity security in multi-cloud environments is now an NHI governance problem, not just an IAM configuration problem. AWS and Azure expose different identity primitives, but the operational failure mode is the same: too much standing access, too many stale credentials, and too little continuous oversight. Periodic reviews can document risk, but they cannot contain it. Practitioners need governance that treats service accounts, tokens, and roles as first-class identities with lifecycle controls.
Continuous detection is becoming the dividing line between policy and control. If an organisation can only assess access during review cycles, it is effectively blind to how identities behave between checkpoints. That gap is where attackers operate, because legitimate authentication still looks normal at the approval layer. The practical standard is moving toward runtime visibility, response, and revocation tied to identity behavior.
Ephemeral access is not enough unless trust assumptions are also shortened. JIT and Zero Standing Privilege reduce exposure, but they do not solve overbroad role design or weak workload attestation. Ephemeral credential trust debt: the longer an organisation relies on temporary access while leaving underlying identity relationships unchanged, the more risk accumulates outside the access window. Teams should treat short-lived credentials as one control in a wider governance model, not the finish line.
ISPM is emerging as the control layer that turns identity hygiene into operational evidence. Visibility into orphaned accounts, unused permissions, and dormant tokens helps teams prioritise remediation based on actual blast radius, not administrative convenience. For NHI-heavy estates, that is a more realistic control model than trying to manually certify every entitlement. The practitioner conclusion is straightforward: posture management has to feed enforcement, or it becomes reporting without reduction.
Multi-cloud identity defence will increasingly converge around workload identity standards and least-privilege automation. The more environments teams connect, the less sustainable static secrets become. Mature programmes will lean on short-lived authentication patterns, stronger attestation, and automated revocation so that machine identities do not outlive their business purpose. Practitioners should assume the operational burden is increasing and design for automation first.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- For the lifecycle view behind this risk, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
What this signals
Ephemeral credential trust debt: multi-cloud teams are increasingly swapping permanent secrets for temporary access, but the governance debt remains if role design, revocation, and attestation are not automated. That means the programme should be measured on how quickly it can remove access, not only how quickly it can grant it.
With 91.6% of secrets still valid five days after notification, according to the Ultimate Guide to NHIs, identity response is often slower than attacker dwell time. Practitioners should assume remediation lag is part of the threat model and design monitoring around that window.
A mature programme will connect detection to revocation, not leave them as separate processes. For teams using AWS and Azure together, that means an inventory-led approach to non-human identities, automated review of trust paths, and explicit ownership for every service account and token.
For practitioners
- Replace static cross-cloud credentials: Migrate hard-coded API keys and shared secrets out of AWS and Azure workflows, then enforce short-lived authentication for workloads that need cross-cloud access.
- Centralize identity telemetry: Stream AWS, Azure, and identity provider logs into one detection pipeline so unusual token use, impossible travel, and lateral movement can be correlated quickly.
- Inventory and right-size non-human identities: Build a live inventory of service accounts, roles, and tokens, then remove unused permissions and stale trust relationships before they become persistent exposure.
- Adopt just-in-time privileged workflows: Use just-in-time access for high-risk roles and require explicit approval or automation triggers before elevation, especially for operational accounts.
- Tie posture findings to enforcement: Treat identity security posture management findings as remediation tasks with owners and deadlines, not as reporting artifacts for the next audit cycle.
Key takeaways
- Multi-cloud identity security fails when teams rely on periodic reviews instead of continuous control over human and non-human identities.
- Credential misuse remains the dominant risk path because stale secrets, excess privilege, and weak revocation create long-lived attack opportunities.
- Practical defence means combining ITDR, ISPM, short-lived access, and lifecycle governance so identity exposure shrinks between reviews.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on stale credentials and excess privilege in cloud identities. |
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control are central to cloud identity governance. |
| NIST Zero Trust | SP 800-207 | The article argues for continuous verification and minimal trust across clouds. |
Inventory NHIs, reduce standing access, and automate rotation for credentials that outlive their use case.
Key terms
- Non-Human Identity: A non-human identity is any machine or workload credential used to authenticate and authorize access, including service accounts, API keys, tokens, certificates, and AI agents. These identities often outnumber human users and can carry persistent privilege if lifecycle controls are weak.
- Identity Threat Detection and Response: Identity Threat Detection and Response is the practice of monitoring identities for suspicious behavior and responding quickly when credentials, tokens, or roles are misused. It focuses on live abuse patterns such as token theft, unusual access, and lateral movement rather than only on policy compliance.
- Identity Security Posture Management: Identity Security Posture Management is the ongoing discovery and analysis of identity risk across users, service accounts, roles, and permissions. It finds excessive access, stale entitlements, and orphaned identities so teams can reduce exposure before an attacker uses the gap.
- Zero Standing Privilege: Zero Standing Privilege is a control model where elevated access is not kept permanently available. Privileges are provisioned only when needed, scoped to the task, and removed after use, which lowers blast radius and reduces the value of stolen credentials.
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on using AWS GuardDuty, Security Hub, and Detective for identity threat detection
- Microsoft Entra Access Reviews and Defender for Identity workflows for multi-cloud monitoring
- Practical examples of how Unosecur maps NHI protection, Zero Standing Privilege, and automated compliance into one workflow
- Control-by-control examples for hard-coded secrets, orphaned accounts, and stale privileged roles
Deepen your knowledge
Identity Threat Detection and Response and Identity Security Posture Management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building continuous controls for AWS and Azure identities, it is worth exploring.
Published by the NHIMG editorial team on 2025-12-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org