By NHI Mgmt Group Editorial Team. Published 2026-04-20. Domain: Best Practices. Source: Token Security

TL;DR: Cloud infrastructure, CI/CD automation, and agentic AI now create identities and permissions faster than manual governance can review them, leaving static IAM, quarterly reviews, and standing access exposed to drift and over-privilege, according to Token Security. The control problem is no longer visibility alone, but matching identity governance to machine-speed change.


At a glance

What this is: This is an analysis of why access risk is moving faster than cloud security controls, with the core finding that identity creation and privilege changes now outpace manual governance.

Why it matters: It matters because IAM and NHI teams need controls that govern ephemeral, machine-generated access in real time, not after the fact.

By the numbers:

👉 Read Token Security's analysis of why access risk is moving faster than cloud security controls


Context

Cloud security control breaks down when identities and permissions change faster than humans can review them. In practice, access risk is a governance problem, because infrastructure-as-code, CI/CD pipelines, and autonomous agents can create or modify Non-Human Identities faster than quarterly IAM processes can react.

The article argues that the old model of static policy, manual access review, and standing privilege no longer matches how cloud environments operate. That is a familiar pattern for NHI governance: the attack surface is now generated by software, while the control surface still depends on human bandwidth.


Key questions

Q: How should security teams govern Non-Human Identities in fast-moving cloud environments?

A: Treat NHI governance as a runtime control problem, not a quarterly review problem. Discover identities continuously, scope access to the task, expire credentials automatically, and revoke permissions when the workload or agent no longer needs them. The goal is to keep governance close to the moment access is created and used.

Q: When does just-in-time access reduce risk, and when does it not?

A: Just-in-time access reduces risk when the main problem is standing privilege and long-lived credentials. It is less effective if identity creation is uncontrolled, policy is too broad, or revocation is slow. JIT works best when paired with least privilege, tight task scoping, and continuous logging.

Q: What is the difference between access review and access governance?

A: Access review is a periodic check of who has what. Access governance is the continuous control of how access is created, scoped, used, and removed. In cloud and NHI environments, review alone is too slow because identities can appear, act, and disappear before the next audit cycle.

Q: Why do AI agents make IAM and NHI risk harder to manage?

A: AI agents can request tools, call APIs, and even create new infrastructure at machine speed, which multiplies identity events and privilege decisions. That means the control plane must handle autonomous access as a normal workload pattern, not as an exception that can wait for manual approval.


Technical breakdown

Why static IAM policies fail in ephemeral cloud environments

Static IAM policies assume a durable environment, but cloud workloads are often short-lived and context-dependent. A Kubernetes pod, serverless function, or temporary workload can exist for minutes, which means access decisions must follow the workload’s cryptographic identity and current state, not a fixed asset list. When policy is written against IPs, static groups, or delayed scans, it lags behind the environment it is meant to protect. That creates drift, where the approved state and actual state diverge almost immediately. For NHI governance, the practical issue is not just policy design, but policy freshness and enforcement timing.

Practical implication: Security teams should move access enforcement to runtime and shorten the time between identity creation, authorization, and revocation.

How machine-created identities change the NHI risk model

Automation changes who creates access and how quickly it appears. Developers, pipelines, and AI agents can create service accounts, tokens, and permissions without a traditional ticket workflow, which makes identity sprawl a by-product of normal delivery. The result is not simply more access, but access with weaker review, looser scoping, and shorter detection windows. This is why NHI governance cannot rely on periodic attestations alone. If the identity can be created and used before the next review cycle, the control failed even if the spreadsheet is accurate. Governance must therefore track identity creation events, privilege scope, and usage together.

Practical implication: Inventory, rightsizing, and revocation need to be event-driven so that newly created NHI access is evaluated before it becomes exposure.
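The two sections above describe the same control gap from two sides: policy freshness (approved state versus actual state) and event-driven evaluation (checking at the moment an identity or permission is created). The following is an added example, not code from Token Security or NHI Mgmt Group, showing one way to implement both at once. It replays a constructed stream of CloudTrail-style IAM control-plane events, rebuilds each identity's actual permissions after every event, and compares that with an approved infrastructure-as-code baseline immediately rather than at the next review. The event fields, identity names, baseline contents and the simplified "actions" effect of each policy event are assumptions made for the example.

```python
"""Event-driven NHI drift detection.

Added example, not code from Token Security or NHI Mgmt Group.  It replays a
constructed stream of CloudTrail-style IAM control-plane events, rebuilds the
actual permission state per identity after every event, and compares it with
the approved infrastructure-as-code baseline at that moment instead of at the
next quarterly review.  Event fields, identity names and the baseline are
assumptions made for the example.
"""
from dataclasses import dataclass

# Approved baseline as declared in IaC (constructed).
APPROVED = {
    "role/ci-deployer": {"s3:PutObject", "s3:GetObject", "lambda:UpdateFunctionCode"},
    "role/etl-reader": {"s3:GetObject"},
}

# Constructed control-plane events; eventName values follow CloudTrail naming,
# "actions" is the simplified effect of the attached or removed policy.
EVENTS = [
    {"t": 100, "eventName": "AttachRolePolicy", "principal": "role/ci-deployer",
     "actions": {"s3:PutObject", "s3:GetObject", "lambda:UpdateFunctionCode"}},
    {"t": 160, "eventName": "AttachRolePolicy", "principal": "role/etl-reader",
     "actions": {"s3:GetObject"}},
    # A pipeline widens its own role with an inline policy and no ticket: drift starts here.
    {"t": 420, "eventName": "PutRolePolicy", "principal": "role/ci-deployer",
     "actions": {"iam:PassRole", "iam:CreateRole"}},
    # An identity the baseline has never heard of appears and then gets broad access.
    {"t": 450, "eventName": "CreateAccessKey", "principal": "user/agent-42", "actions": set()},
    {"t": 460, "eventName": "PutUserPolicy", "principal": "user/agent-42", "actions": {"s3:*"}},
    {"t": 900, "eventName": "DetachRolePolicy", "principal": "role/etl-reader",
     "actions": {"s3:GetObject"}},
]

GRANT_EVENTS = {"AttachRolePolicy", "PutRolePolicy", "AttachUserPolicy", "PutUserPolicy"}
REVOKE_EVENTS = {"DetachRolePolicy", "DeleteRolePolicy", "DetachUserPolicy", "DeleteUserPolicy"}


@dataclass(frozen=True)
class Finding:
    t: int            # event time at which the drift became real
    principal: str
    kind: str         # "unapproved_actions" or "unknown_identity"
    actions: frozenset


def apply_event(state, event):
    """Update the actual permission state for one control-plane event.

    Credential events such as CreateAccessKey change no permissions but still
    register the identity, which is what makes an unknown identity visible.
    """
    granted = state.setdefault(event["principal"], set())
    if event["eventName"] in GRANT_EVENTS:
        granted |= event["actions"]
    elif event["eventName"] in REVOKE_EVENTS:
        granted -= event["actions"]


def check(state, approved, principal, t):
    """Compare one identity's actual state with the approved baseline."""
    if principal not in approved:
        return Finding(t, principal, "unknown_identity", frozenset(state[principal]))
    extra = state[principal] - approved[principal]
    if extra:
        return Finding(t, principal, "unapproved_actions", frozenset(extra))
    return None


def replay(events, approved):
    """Evaluate drift at every event; returns (final state, findings in event order)."""
    state, findings, reported = {}, [], set()
    for ev in sorted(events, key=lambda e: e["t"]):
        apply_event(state, ev)
        f = check(state, approved, ev["principal"], ev["t"])
        if f is None:
            continue
        # Report an unknown identity once; report each distinct set of extra actions once.
        key = (f.principal, f.kind) if f.kind == "unknown_identity" else (f.principal, f.kind, f.actions)
        if key not in reported:
            reported.add(key)
            findings.append(f)
    return state, findings


def exposure_window(findings, next_review_t):
    """Seconds each finding would stay live if only a periodic review caught it."""
    return {(f.principal, f.kind): max(0, next_review_t - f.t) for f in findings}


if __name__ == "__main__":
    final_state, found = replay(EVENTS, APPROVED)
    for f in found:
        print(f"t={f.t} {f.principal}: {f.kind} {sorted(f.actions)}")
    print(exposure_window(found, next_review_t=90 * 24 * 3600))
```

Run as a script it reports the over-scoped deployer role at t=420 and the unknown agent identity at t=450, each at the event that caused it; exposure_window then shows how long the same findings would have stayed live had a 90-day review been the only control. In a real deployment the events would arrive from the cloud audit log and the baseline from the IaC repository, but the evaluation step is the same.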

Why just-in-time access is a better fit than standing privilege

Just-in-time access reduces the lifetime of credentials and aligns authorization with a specific task window. Instead of issuing permanent access, the system grants a short-lived token after policy checks, then invalidates it when the task ends. That is materially different from rotation alone, because rotation still leaves standing privilege in place between changes. In cloud and agentic environments, the primary security value is blast-radius reduction. If a token is stolen or misused, the window for lateral movement is far smaller. For NHI programs, JIT is a control pattern, not a feature, and it only works when issuance, scoping, and expiry are automated.

Practical implication: Teams should pair JIT with least-privilege scoping and automated revocation so temporary access remains temporary.
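The JIT pattern above has four moving parts: a policy check at issuance, scoping to the requested task, a capped lifetime, and revocation when the task ends. The following is an added example, not code from Token Security or NHI Mgmt Group, of a minimal broker that does all four. Grants are HMAC-signed so a holder cannot widen them, and the demo exercises the failure modes a practitioner cares about: an over-scoped request, a TTL request longer than the task allows, use outside the requested scope, use after expiry, a tampered grant, and use after revocation. The task catalogue, token format and signing key are assumptions made for the example.

```python
"""Just-in-time access broker.

Added example, not code from Token Security or NHI Mgmt Group.  A grant is
issued only after a policy check against a task catalogue, is scoped to the
actions the task actually needs, carries a capped TTL, is HMAC-signed so it
cannot be widened in transit, and can be revoked the moment the task ends.
The catalogue, token format and signing key are assumptions for the example.
"""
import hashlib
import hmac
import json
import secrets

# Constructed task catalogue: the widest scope a task type may receive and its TTL cap.
TASK_POLICY = {
    "deploy-lambda": {"actions": {"lambda:UpdateFunctionCode", "s3:GetObject"}, "max_ttl": 900},
    "read-reports": {"actions": {"s3:GetObject"}, "max_ttl": 300},
}


class JitBroker:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._revoked = set()   # jti values invalidated before their exp
        self.audit = []         # (event, principal, task, detail) for later review

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def _parse(self, token: str):
        """Return the claims if the signature checks out, else None."""
        try:
            payload_hex, sig = token.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        return json.loads(payload)

    def issue(self, principal, task, actions, ttl, now):
        """Policy check, then mint a task-scoped grant; returns None when denied."""
        policy = TASK_POLICY.get(task)
        if policy is None:
            self.audit.append(("deny", principal, task, "unknown task"))
            return None
        if not set(actions) <= policy["actions"]:
            self.audit.append(("deny", principal, task, "actions exceed task scope"))
            return None
        claims = {
            "sub": principal,
            "task": task,
            "actions": sorted(actions),                 # only what was asked for, not the whole task scope
            "iat": now,
            "exp": now + min(ttl, policy["max_ttl"]),   # cap the TTL, never extend it
            "jti": secrets.token_hex(8),
        }
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        self.audit.append(("grant", principal, task, claims["jti"]))
        return payload.hex() + "." + self._sign(payload)

    def verify(self, token, action, now):
        """Return the claims if the grant is authentic, unexpired, unrevoked and covers action."""
        claims = self._parse(token)
        if claims is None:
            return None
        if now >= claims["exp"] or claims["jti"] in self._revoked:
            return None
        if action not in claims["actions"]:
            return None
        return claims

    def revoke(self, token):
        """Task finished or aborted: invalidate now rather than waiting for exp."""
        claims = self._parse(token)
        if claims is not None:
            self._revoked.add(claims["jti"])
            self.audit.append(("revoke", claims["sub"], claims["task"], claims["jti"]))


def run_demo(now=1_700_000_000):
    """Exercise the broker; every value in the returned dict should be True."""
    broker = JitBroker(secrets.token_bytes(32))
    # Request widened beyond the task catalogue: denied at issuance.
    over = broker.issue("pipeline/ci-42", "deploy-lambda",
                        {"lambda:UpdateFunctionCode", "iam:PassRole"}, 600, now)
    # Valid request asking for a day: granted, but capped to the task's 15 minutes.
    tok = broker.issue("pipeline/ci-42", "deploy-lambda", {"lambda:UpdateFunctionCode"}, 86400, now)
    tampered = tok[:-1] + ("0" if tok[-1] != "0" else "1")
    results = {
        "overscoped_denied": over is None,
        "ttl_capped": broker.verify(tok, "lambda:UpdateFunctionCode", now)["exp"] - now == 900,
        "in_scope_ok": broker.verify(tok, "lambda:UpdateFunctionCode", now + 10) is not None,
        # s3:GetObject is allowed for the task but was not requested, so the grant excludes it.
        "out_of_scope_rejected": broker.verify(tok, "s3:GetObject", now + 10) is None,
        "expired_rejected": broker.verify(tok, "lambda:UpdateFunctionCode", now + 900) is None,
        "tampered_rejected": broker.verify(tampered, "lambda:UpdateFunctionCode", now + 10) is None,
    }
    broker.revoke(tok)
    results["revoked_rejected"] = broker.verify(tok, "lambda:UpdateFunctionCode", now + 10) is None
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The design choice worth noting is that the grant records the actions that were requested, not the full scope the task type permits, so the narrowest possible credential is what actually circulates; and the revocation list exists because expiry alone still leaves a stolen grant usable until exp. The audit list is what turns "log every token grant" into something a later review can actually read.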


Threat narrative

Attacker objective: The attacker objective is to exploit valid machine access before governance catches up, then move through cloud and SaaS resources using legitimate credentials.

  1. Entry occurs when a developer script, pipeline, or agent creates access faster than central IAM can inventory it.
  2. Escalation follows when that access is over-scoped, allowing the identity to read, write, or administer resources beyond its task.
  3. Impact occurs when a stolen or unused credential remains valid long enough for exfiltration or lateral movement before detection and revocation.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Access velocity is now a governance problem, not just an engineering one. The article correctly identifies the mismatch between machine-speed identity creation and human-speed review. That is the central NHI challenge for modern enterprises, because the access lifecycle now begins and ends inside automated systems. Practitioners should treat speed as a control dimension, not just an operational metric.

Ephemeral credential trust debt: when credentials are short-lived but issuance is broad, organisations accumulate a hidden trust burden that looks temporary on paper and persistent in practice. Short TTLs do not compensate for weak scoping, poor inventory, or delayed revocation. The discipline must shift from asking how long the credential lives to asking whether its issuance was justified at all.

Standing privilege is the real legacy risk surface. The article makes a strong case that enduring access is the wrong default for cloud and agentic systems. In NHI governance, persistent access should be treated as an exception with explicit business justification, not as the starting assumption. That is where Zero Standing Privilege becomes the right target state.

AI agents intensify the same failure mode rather than creating a separate one. Agentic systems multiply identity creation, access requests, and policy decisions at machine speed, which exposes any IAM process that still depends on manual approval. The field should stop treating agentic AI as a special case and start treating it as the fastest expression of NHI sprawl.

Operational drift now outruns audit cadence. Quarterly review cycles, spreadsheet attestations, and delayed drift detection cannot protect environments where permissions change in minutes. Governance programs need continuous discovery, usage-based rightsizing, and automated revocation as default operating assumptions. If those controls are not machine-enforced, the review process is mostly evidence of delay.

From our research:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
  • 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and they are 13% more likely to be categorised as critical than code-based leaks.
  • If you are mapping this access-risk problem to identity and secret hygiene, compare it with Guide to the Secret Sprawl Challenge for a practical remediation lens.

What this signals

Access governance is becoming a continuous control plane problem. For practitioners, the programme implication is straightforward: if identity creation is event-driven, access governance must be event-driven too. That means continuous inventory, automated expiry, and policy enforcement that is tied to runtime context rather than periodic review.

With 70% of organisations granting AI systems more access than they would give a human employee doing the same job, per the 2026 Infrastructure Identity Survey, the NHI risk model is already being rewritten by practice, not policy. Teams should expect pressure to formalise agent ownership, approval boundaries, and revocation paths.

Identity blast radius: the key programme question is no longer how many identities exist, but how far one compromised identity can move before controls intervene. Security teams should prepare for access reviews to become evidence, while runtime controls become the actual enforcement layer.
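The threat narrative above (entry via a fast-created identity, escalation through over-scoping, impact through lateral movement) and the blast-radius question here are two views of the same graph problem. The following is an added example, not code from Token Security or NHI Mgmt Group, that models it directly: starting from one compromised identity it follows AssumeRole-style trust edges breadth-first, collects every resource the reachable identities can touch, and ranks each trust edge by how much the reachable set shrinks if that edge is cut. The trust graph and resource permissions are constructed for the example.

```python
"""Identity blast radius over a trust graph.

Added example, not code from Token Security or NHI Mgmt Group.  Starting from
one compromised identity it follows AssumeRole-style trust edges breadth-first,
collects every resource the reachable identities can touch, and ranks each
trust edge by how much the blast radius shrinks if that edge is removed.
The graph is constructed.
"""
from collections import deque

# Trust edges: which identities the key holder may assume (constructed).
TRUST = {
    "user/agent-42": {"role/ci-deployer"},
    "role/ci-deployer": {"role/prod-admin"},   # over-scoped: CI can hop into prod admin
    "role/prod-admin": set(),
    "role/etl-reader": set(),
}

# Direct resource permissions per identity (constructed).
ACCESS = {
    "user/agent-42": {"bucket/artifacts"},
    "role/ci-deployer": {"bucket/artifacts", "lambda/api"},
    "role/prod-admin": {"db/customers", "kms/prod-key", "bucket/backups"},
    "role/etl-reader": {"bucket/reports"},
}


def blast_radius(start, trust, access):
    """BFS from start; returns ({reachable identity: path}, reachable resources)."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in trust.get(cur, ()):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    resources = set()
    for ident in paths:
        resources |= access.get(ident, set())
    return paths, resources


def without_edge(trust, src, dst):
    """Copy of the trust graph with one edge removed."""
    trimmed = {k: set(v) for k, v in trust.items()}
    trimmed[src].discard(dst)
    return trimmed


def edge_impact(start, trust, access):
    """How many resources drop out of reach if each trust edge is cut; largest first."""
    base = len(blast_radius(start, trust, access)[1])
    impact = {}
    for src, dsts in trust.items():
        for dst in dsts:
            reduced = len(blast_radius(start, without_edge(trust, src, dst), access)[1])
            impact[(src, dst)] = base - reduced
    return dict(sorted(impact.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    paths, resources = blast_radius("user/agent-42", TRUST, ACCESS)
    print("reachable identities:", list(paths))
    print("reachable resources:", sorted(resources))
    print("path to prod-admin:", " -> ".join(paths["role/prod-admin"]))
    print("edge impact:", edge_impact("user/agent-42", TRUST, ACCESS))
```

In the constructed graph a compromised agent key reaches five resources, including the customer database and the production KMS key, through two hops; removing the CI-to-prod-admin trust edge drops that to two. Ranking edges this way tells a team which single trust relationship to cut or gate behind JIT approval first, which is a more actionable number than the total identity count.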


For practitioners

  • Implement event-driven NHI discovery: Inventory service accounts, tokens, API keys, and workload identities as they are created, not on a fixed review schedule. Tie discovery to pipeline events, cloud control plane changes, and SaaS authorization events so the access catalogue reflects reality faster than quarterly attestation cycles.
  • Replace standing access with short-lived authorization: Use just-in-time access for privileged cloud and workload actions, with automatic expiry and scope limited to the task. Keep the issuance path policy-based and log every token grant for later review, especially for identities that touch production data or deployment systems.
  • Automate rightsizing after access is used: Measure actual permission usage and downscope identities that only perform read operations, limited administrative tasks, or narrow API calls. Pair this with continuous revocation so dormant permissions do not remain available after the operational need has passed.
  • Review AI agent access as NHI access: Treat autonomous agents as identities with tool access, not as applications with broad trust. Require explicit ownership, task-scoped permissions, and kill switches for agents that can create infrastructure or call sensitive APIs.
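The "automate rightsizing after access is used" item above, and the usage-based rightsizing called for in the analysis section, come down to one comparison: what an identity is granted against what it was observed doing. The following is an added example, not code from Token Security or NHI Mgmt Group, of that comparison over a window of constructed usage records (the kind of data CloudTrail data events or IAM access advisor reports would supply). It narrows wildcards to the concrete actions actually seen, lists what to remove, and flags identities that were dormant for the whole window. Identity names, grants and usage records are assumptions made for the example.

```python
"""Usage-based rightsizing of NHI permissions.

Added example, not code from Token Security or NHI Mgmt Group.  It compares what
each identity is granted with what it was observed doing over a window of
constructed usage records, narrows wildcards to the concrete actions seen,
proposes what to remove, and flags identities that did nothing at all.
Identity names, grants and usage records are assumptions for the example.
"""
from collections import defaultdict

# Granted actions per identity (constructed).
GRANTED = {
    "role/etl-reader": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "kms:Decrypt"},
    "role/ci-deployer": {"lambda:UpdateFunctionCode", "iam:PassRole", "iam:CreateRole", "s3:GetObject"},
    "role/report-api": {"dynamodb:*"},
    "user/legacy-batch": {"sqs:*"},
}

# Constructed usage records: (unix time, principal, action actually performed).
USAGE = [
    (1000, "role/etl-reader", "s3:GetObject"),
    (1010, "role/etl-reader", "kms:Decrypt"),
    (2000, "role/ci-deployer", "lambda:UpdateFunctionCode"),
    (2001, "role/ci-deployer", "iam:PassRole"),
    (2500, "role/etl-reader", "s3:GetObject"),
    (3000, "role/report-api", "dynamodb:Query"),
    (3005, "role/report-api", "dynamodb:GetItem"),
    (9000, "user/legacy-batch", "sqs:SendMessage"),   # falls outside the window used below
]


def covers(granted_action, used_action):
    """Wildcard-aware match: 'dynamodb:*' covers 'dynamodb:Query'."""
    if granted_action.endswith("*"):
        return used_action.startswith(granted_action[:-1])
    return granted_action == used_action


def rightsize(granted, usage, window_start, window_end):
    """Per identity: the narrowed allow-list, the grants to remove, and dormancy."""
    used = defaultdict(set)
    last_seen = {}
    for t, principal, action in usage:
        if window_start <= t < window_end:
            used[principal].add(action)
            last_seen[principal] = max(last_seen.get(principal, 0), t)

    report = {}
    for principal, actions in granted.items():
        observed = used.get(principal, set())
        keep = set()
        for g in actions:
            if g.endswith("*"):
                # Replace the wildcard with the concrete actions that were actually used.
                keep |= {u for u in observed if covers(g, u)}
            elif g in observed:
                keep.add(g)
        report[principal] = {
            "keep": keep,
            "remove": actions - keep,          # wildcards always land here once narrowed
            "dormant": principal not in used,  # no activity at all in the window
            "last_seen": last_seen.get(principal),
        }
    return report


if __name__ == "__main__":
    for principal, r in rightsize(GRANTED, USAGE, 0, 5000).items():
        status = "DORMANT" if r["dormant"] else f"last seen t={r['last_seen']}"
        print(f"{principal} ({status}): keep {sorted(r['keep'])}, remove {sorted(r['remove'])}")
```

The caveat a practitioner will want: a window shorter than the longest legitimate job period (a monthly export, a quarterly rotation job) will flag real permissions as unused, so the output is a proposal to route to the identity's owner with a break-glass path, not an automatic detach. The dormant flag is the stronger signal; an identity that did nothing for the whole window is a candidate for removal rather than downscoping.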

Key takeaways

  • Cloud access risk now moves at machine speed, which makes quarterly IAM governance too slow for real control.
  • Over-privileged NHIs and standing access create the conditions for fast lateral movement, especially when identities are created automatically.
  • Practical defence means continuous discovery, short-lived authorization, and automated revocation, not more manual review cycles.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI; NHI7:2025 Long-Lived Secrets; NHI1:2025 Improper Offboarding | Over-privileged identities, standing credentials, and access that outlives its need are central to this article's risk model.
NIST CSF 2.0 | PR.AA-05 (Identity Management, Authentication, and Access Control) | Least-privilege access and managed, enforced, reviewed authorizations map directly to this subcategory; it replaces the CSF 1.1 identifier PR.AC-4.
NIST Zero Trust (SP 800-207) | Section 2.1 tenets: per-session access and dynamic policy-based authorization | The post argues for runtime authorization instead of standing privilege, which is what these tenets require.

Audit NHI lifecycle events continuously and remove credentials that outlive their business need.


Key terms

  • Non-Human Identity: A Non-Human Identity is any machine, workload, service account, token, certificate, or agent that can authenticate and request access. In practice, these identities often outnumber human users and create a larger, faster-moving access surface than traditional employee accounts.
  • Just-in-Time Access: Just-in-Time access is a provisioning pattern that grants access only for the duration of a specific task or session. It reduces standing privilege by issuing short-lived credentials on demand, which shrinks the window in which stolen or misused access can be exploited.
  • Identity Drift: Identity drift is the gap between approved access and actual access in a changing environment. It appears when permissions, group membership, or workload context change faster than governance processes can update policy, leaving stale or excessive access in place.
  • Ephemeral Workload: An ephemeral workload is a short-lived application instance such as a container, function, or transient service that may exist only briefly. Because its identity and network location change quickly, its access decisions must be made dynamically rather than through static perimeter rules.

What's in the full article

Token Security's full blog covers the operational detail this post intentionally leaves for the source:

  • The article's full control comparison table for static policy, manual review, and machine-first governance.
  • The specific examples of cloud, SaaS, and AI-driven access creation that illustrate where drift appears first.
  • The practical explanation of why just-in-time access is positioned as the operational response to access velocity.
  • The source's own framing of how security teams should think about real-time visibility, rightsizing, and automated remediation.

👉 The full Token Security post expands the static-versus-dynamic control comparison and the JIT access model.

Deepen your knowledge

Access velocity, just-in-time authorization, and NHI governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to replace standing privilege with runtime control, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org