TL;DR: Cloud least privilege means giving each identity only the permissions it needs, yet in cloud environments most access is unused and effective permissions drift faster than manual review can keep up, according to Orca Security. That makes continuous inventory, just-in-time elevation, and non-human identity governance the decisive controls rather than annual recertification.
NHIMG editorial — based on content published by Orca Security: Cloud least privilege and effective access drift
By the numbers:
- In its 2023 State of Cloud Permissions Risks report, Microsoft found that workload identities use less than 5% of the permissions granted to them.
Questions worth separating out
Q: How should security teams enforce least privilege in cloud IAM?
A: Start by inventorying effective permissions, not just the policies that look correct on paper.
Q: Why do service accounts and workload identities create so much least-privilege risk?
A: They usually outnumber human accounts, change more often, and are frequently granted broad access for convenience.
Q: What breaks when organisations rely on annual access reviews for cloud privilege?
A: Annual reviews are too slow for cloud environments where roles, services, and permissions change continuously.
Practitioner guidance
- Inventory effective permissions first: map what each identity can actually reach across policies, trust relationships, and resource controls before attempting any role cleanup.
- Replace standing elevation with task-scoped access: move high-risk operations to just-in-time approval flows with automatic expiry, and remove persistent admin grants from routine workflows wherever possible.
- Right-size machine identities on the same cycle as human access: review service accounts, pipeline roles, and workload identities on a continuous basis, because they often drift faster than human accounts and accumulate permissions through exceptions.
What's in the full article
Orca Security's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance for mapping effective permissions across AWS, Azure, and GCP.
- Examples of least-privilege controls for IAM roles, service accounts, and CI/CD pipelines.
- Practical use of cloud entitlement analysis to find unused permissions and over-broad trust.
- Cloud-native control examples for teams moving from broad access to just-in-time elevation.
👉 Read Orca Security's guide to cloud least privilege and effective permissions →
Explore further
Effective access has become the real security boundary in cloud IAM. Granted permissions tell you what was approved, but effective permissions tell you what can actually be reached after policy composition and trust chaining. That gap is where over-provisioning survives reviews and where attackers find reachable paths. Practitioners should treat entitlement analysis as the authoritative view of privilege.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: How do you know if least privilege is actually working?
A: Look for a shrinking gap between granted and used permissions, fewer standing elevated grants, and rapid removal of exceptions. If identities still carry broad access that they never exercise, the programme is documenting privilege rather than reducing it.
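The granted-versus-effective composition described under "Explore further" and the granted-versus-used gap in the answer above, as an added illustration (not code from Orca Security or from this editorial): a simplified, AWS-style policy evaluator that expands wildcards against a constructed action catalogue, lets an explicit Deny override any Allow, and then measures which effective permissions a constructed usage sample never exercised. Policy names, the action catalogue and the usage sample are all constructed for the example.

```python
import fnmatch

# Constructed IAM-style policy statements attached to one workload identity.
# The shape mirrors AWS policy documents (Effect/Action) but is simplified:
# no Resource or Condition evaluation, and a flat action catalogue stands in
# for the real service namespace.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "iam:PassRole", "iam:CreateUser", "kms:Decrypt", "kms:ScheduleKeyDeletion",
]

POLICIES = {
    "app-runtime": [{"Effect": "Allow", "Action": ["s3:*", "kms:Decrypt"]}],
    # an "exception" grant that was never removed
    "legacy-admin": [{"Effect": "Allow", "Action": "iam:*"}],
    "guardrail": [{"Effect": "Deny", "Action": ["s3:DeleteObject", "kms:ScheduleKeyDeletion"]}],
}

# Constructed 30-day usage sample (CloudTrail-style eventName per call).
USED_ACTIONS = ["s3:GetObject", "s3:GetObject", "s3:ListBucket", "kms:Decrypt"]


def effective_permissions(policies):
    """Compose every attached policy: an explicit Deny beats any Allow,
    and wildcard patterns are expanded against the action catalogue."""
    allowed, denied = set(), set()
    for statements in policies.values():
        for stmt in statements:
            patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            for pattern in patterns:
                matched = {a for a in ACTION_CATALOGUE if fnmatch.fnmatchcase(a, pattern)}
                (denied if stmt["Effect"] == "Deny" else allowed).update(matched)
    return allowed - denied


def privilege_gap(policies, used_actions):
    """Return (effective, unused, usage_ratio): the granted-versus-used gap
    a least-privilege programme should be driving toward zero."""
    effective = effective_permissions(policies)
    used = set(used_actions) & effective
    unused = effective - used
    ratio = len(used) / len(effective) if effective else 1.0
    return effective, unused, ratio


if __name__ == "__main__":
    eff, unused, ratio = privilege_gap(POLICIES, USED_ACTIONS)
    print(f"effective={sorted(eff)}")
    print(f"unused={sorted(unused)} usage_ratio={ratio:.0%}")
```

Run against real entitlement data, the same two functions would take the composed policy set from an entitlement-analysis tool and the action list from audit logs; the unused set is the review queue, and the ratio is the metric to trend over time.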
👉 Read our full editorial: Cloud least privilege is hard because effective access drifts