By NHI Mgmt Group Editorial Team
Published 2026-04-06
Domain: Governance & Risk
Source: Strata Identity

TL;DR: Enterprises have accelerated into multi-cloud environments while identity governance, access control, and visibility struggle to keep up, according to Strata Identity’s State of Multi-Cloud Identity report. The real issue is not cloud adoption itself but the assumption that identity controls built for a single environment will still hold across distributed platforms and workloads.


At a glance

What this is: This is Strata Identity’s analysis of how multi-cloud adoption is stressing identity governance, with the central finding that identity controls are lagging the complexity of distributed environments.

Why it matters: It matters because IAM, IGA, PAM, and NHI programmes all inherit the same fragmentation problem once identities span multiple clouds, tools, and access models.

👉 Read Strata Identity's report on multi-cloud identity governance


Context

Multi-cloud identity governance is the discipline of keeping identity, access, and accountability consistent when the same organisation operates across more than one cloud platform. Strata Identity’s report points to a familiar pattern: enterprises have moved faster into distributed infrastructure than their identity controls have adapted, leaving governance fragmented across environments and teams.

For IAM and NHI programmes, the problem is not simply more accounts or more applications. It is that policy, visibility, and lifecycle processes become harder to apply consistently when access is split across platforms, identity providers, and workload models. That is why multi-cloud identity has become a control-plane issue, not just an infrastructure one.


Key questions

Q: How should security teams govern identities across multiple cloud platforms?

A: Security teams should define one governance model for entitlement ownership, review cadence, and lifecycle state, then map it to each cloud’s native controls. Federation alone is not enough. The goal is to make access decisions comparable across platforms so that inconsistent privilege, stale credentials, and orphaned identities do not hide inside local administration.

Q: Why do non-human identities become harder to control in multi-cloud environments?

A: Non-human identities become harder to control because they are created and reused across different platforms with different entitlement semantics, logging, and review mechanisms. That fragmentation makes it easy for standing privilege and ownership gaps to persist. The more clouds involved, the more likely identity state will drift away from business intent.

Q: What breaks when identity governance is handled cloud by cloud?

A: Cloud-by-cloud governance breaks when no one can reconcile ownership, privilege, and offboarding across the whole environment. A local control may look correct while the same identity remains active elsewhere with broader rights. That creates false confidence and leaves review processes blind to distributed access paths.

Q: How should organisations decide whether their multi-cloud identity model is working?

A: They should test whether they can answer four questions consistently: who owns the identity, where it is active, what it can access, and when it should be removed. If those answers differ by platform or depend on manual reconciliation, governance is not yet reliable enough for multi-cloud operations.


Technical breakdown

Why multi-cloud identity becomes a control-plane problem

In a single-cloud or tightly standardised environment, identity policy can be enforced through one dominant control plane. Multi-cloud breaks that assumption because each platform brings its own authentication flow, role model, logging layer, and entitlement semantics. The result is not just more administration, but inconsistent trust boundaries. A permission that is obvious in one cloud may be opaque in another, especially when organisations stitch together federation, local roles, and workload credentials. The governance challenge is therefore architectural: if identity decisions are made differently in each cloud, assurance also becomes uneven.

Practical implication: Treat multi-cloud identity as a control-plane design issue and map where policy decisions diverge across platforms.

Distributed entitlements and the visibility gap in NHI governance

Non-human identities are often the first place multi-cloud inconsistency shows up because service accounts, tokens, and workload identities proliferate faster than human accounts. When those identities are used across multiple environments, teams lose a single view of ownership, privilege, and lifecycle state. This creates hidden standing access, stale entitlements, and weak accountability. The issue is not only volume, but distribution: the same identity can have different meanings in different clouds, which makes recertification and offboarding harder to trust.

Practical implication: Build a unified inventory of non-human identities and tie each one to ownership, purpose, and environment-specific entitlement scope.

Identity federation is not the same as governance

Federation solves authentication across boundaries, but it does not automatically solve access governance, entitlement hygiene, or lifecycle control. Organisations often assume that once identities can authenticate into multiple clouds, the hard part is done. In practice, federation only moves the question upstream: who approved the access, how long should it last, and who is responsible for removing it later? Multi-cloud identity maturity depends on answers to those questions being enforceable across every cloud, not just technically possible.

Practical implication: Separate sign-in architecture from entitlement governance and verify that federation does not hide unmanaged access paths.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Multi-cloud identity exposes the limit of environment-specific governance. Identity controls designed around one cloud provider assume a stable control surface, but multi-cloud environments fragment that surface into multiple policy domains. The practical effect is that ownership, review, and enforcement become harder to reconcile across platforms. Practitioners should read this as a governance design constraint, not a tooling inconvenience.

Non-human identity sprawl is the most visible symptom of multi-cloud fragmentation. Service accounts, API keys, tokens, and workload identities multiply quickly when teams move applications across clouds. Without one authoritative view of purpose, privilege, and expiry, NHI governance turns into a set of local exceptions. The field lesson is clear: distributed infrastructure magnifies identity drift faster than manual oversight can absorb it.

Identity federation without entitlement governance creates a false sense of control. Authentication across clouds can look mature while access remains overbroad, stale, or inconsistently reviewed. That is why lifecycle processes matter as much as login flows. Practitioners should assume that cross-cloud trust must be measured by entitlement quality, not by whether users and workloads can sign in.

Multi-cloud forces IAM, PAM, and NHI programmes to converge on one operating model. The separate treatment of human users, service identities, and privileged access no longer maps cleanly onto distributed platforms. Governance has to follow the identity wherever it runs, not where the team prefers to manage it. The practical conclusion is that siloed access administration is no longer sustainable at cloud scale.

Runtime identity decisions are becoming a control-assurance problem, not just an access problem. As cloud estates expand, organisations need to know which identities are active, what they can reach, and whether those rights still match the business purpose. That shifts the emphasis from static approval records to continuous governance evidence. Practitioners should prioritise measurable identity state over policy intent alone.

From our research:

  • 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, according to the 2024 Non-Human Identity Security Report.
  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
  • For a broader control baseline, see 52 NHI Breaches Analysis for the patterns that turn governance gaps into incidents.

What this signals

Multi-cloud identity is now a governance maturity test, not an architecture preference. As teams expand across platforms, the real question is whether entitlement state, ownership, and offboarding can still be governed coherently. The organisations that treat federation as the finish line will keep discovering that access drift outpaces manual oversight. For a control baseline, the NHI Lifecycle Management Guide remains the most practical reference point.

Identity fragmentation will keep pushing IAM and NHI programmes toward shared operating standards. The more clouds an enterprise runs, the less useful platform-local exceptions become. Practitioners should expect lifecycle governance, recertification, and privileged access review to converge on a single measurement model even when enforcement remains distributed. That is where OWASP Non-Human Identity Top 10 becomes useful as a common language for risk.


For practitioners

  • Map identity control planes across every cloud: Document where authentication, authorisation, logging, and entitlement review are enforced in each cloud so gaps do not hide behind federation. Use that map to identify duplicate policy paths and unmanaged exceptions.
  • Create one inventory for non-human identities: Track service accounts, tokens, keys, and workload identities in a single register with owner, purpose, expiry, and cloud scope. Tie recertification and offboarding to that inventory rather than to platform-local records.
  • Separate federation from governance checks: Verify that cross-cloud sign-in does not mask over-privileged entitlements, stale access, or missing lifecycle controls. Test whether access still exists after the original business purpose ends.
  • Standardise privilege review across clouds: Use common review criteria for entitlement scope, standing access, and privileged role assignment even when the underlying cloud models differ. Align the review workflow with the highest-risk identity type first, then extend it outward.
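As an added example, not taken from the report or from Strata Identity, of the four-question test in the key questions section and the single NHI inventory the practitioner list calls for: a small Python reconciler compares a central register (owner, purpose, expiry, approved role per cloud) against per-cloud observations of what is actually active, and flags ownerless, expired, unregistered, out-of-scope and privilege-drifted identities. All identity names, role labels and register entries are constructed sample data.

```python
from datetime import date

# Constructed sample data, not drawn from the report: a central NHI register
# (owner, purpose, expiry, approved role per cloud) and per-cloud observations
# of which identities are actually active and with which role.
REGISTER = {
    "svc-billing-export": {"owner": "fin-platform", "purpose": "nightly export",
                           "expires": "2026-03-01", "clouds": {"aws": "read-only"}},
    "ci-deployer": {"owner": "", "purpose": "pipeline deploy",
                    "expires": "2026-12-31", "clouds": {"aws": "deploy", "gcp": "deploy"}},
    "analytics-reader": {"owner": "data-eng", "purpose": "bi dashboards",
                         "expires": "2026-12-31", "clouds": {"azure": "read-only"}},
}
OBSERVED = {
    "aws": {"svc-billing-export": "read-only", "ci-deployer": "admin"},
    "gcp": {"ci-deployer": "deploy", "legacy-sync": "admin"},
    "azure": {"analytics-reader": "read-only", "svc-billing-export": "admin"},
}

def reconcile(register, observed, today_iso):
    """Return sorted (identity, cloud, finding) tuples for every case where
    owner, location, reach, or removal date cannot be answered consistently
    from the register and the observed cloud state together."""
    today = date.fromisoformat(today_iso)
    findings = []
    # Who owns it, and should it already be gone?
    for name, rec in register.items():
        if not rec["owner"]:
            findings.append((name, "*", "no owner"))
        if date.fromisoformat(rec["expires"]) < today:
            for cloud in rec["clouds"]:
                if name in observed.get(cloud, {}):
                    findings.append((name, cloud, "active past expiry"))
    # Where is it active, and with what rights, compared to what was approved?
    for cloud, active in observed.items():
        for name, role in active.items():
            rec = register.get(name)
            if rec is None:
                findings.append((name, cloud, "unregistered identity"))
            elif cloud not in rec["clouds"]:
                findings.append((name, cloud, "active outside registered scope"))
            elif rec["clouds"][cloud] != role:
                approved = rec["clouds"][cloud]
                findings.append((name, cloud, f"privilege drift: {approved} -> {role}"))
    return sorted(findings)

if __name__ == "__main__":
    for identity, cloud, finding in reconcile(REGISTER, OBSERVED, "2026-04-06"):
        print(f"{identity:20} {cloud:6} {finding}")
```

Each finding maps back to one of the four questions, so an empty result for a given identity means the register and every cloud agree on owner, scope, rights and expiry.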

Key takeaways

  • Multi-cloud adoption exposes a control gap between where identities are used and where they are governed.
  • The evidence points to persistent confidence and visibility problems, especially for non-human identities that span multiple environments.
  • Practitioners need one operating model for ownership, privilege review, and lifecycle control if they want multi-cloud identity to remain governable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Multi-cloud identity sprawl makes credential governance and rotation harder across platforms. |
| NIST CSF 2.0 | PR.AC-4 | Cross-cloud access review depends on controlled permissions and least-privilege enforcement. |
| NIST Zero Trust (SP 800-207) | AC-4 | Distributed identity requires policy enforcement independent of cloud boundary assumptions. |

Inventory and rotate NHI credentials consistently across clouds, with expiry tied to ownership and purpose.


Key terms

  • Multi-cloud identity: Multi-cloud identity is the practice of managing authentication, authorisation, and lifecycle control for the same people, workloads, and services across more than one cloud platform. The governance challenge is consistency: policy has to remain understandable and enforceable even when each cloud uses different native identity constructs.
  • Non-human identity: A non-human identity is any machine- or workload-based identity such as a service account, token, API key, certificate, or agent identity. In multi-cloud environments, these identities often create the sharpest governance gaps because they are easy to duplicate, hard to track, and frequently under-owned.
  • Identity federation: Identity federation lets one system authenticate users or workloads across another trust domain. It solves access routing, not access governance. In practice, federation can make multi-cloud sign-in easier while still leaving entitlement scope, review, and offboarding unresolved.
  • Entitlement drift: Entitlement drift is the slow divergence between approved access and actual access over time. In distributed cloud environments, drift happens when local platform changes, exceptions, or orphaned identities accumulate faster than governance processes can reconcile them.

Deepen your knowledge

Multi-cloud identity governance and lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a cross-cloud identity programme from the same starting point, it is worth exploring.

This post draws on content published by Strata Identity: Identity & Access Management State of Multi-cloud Identity 2023 Report. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org