IAM best practices for cloud sprawl: what teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: IAM best practices still matter, but cloud sprawl, standing privileges, and weak offboarding processes continue to undermine them, according to Zluri’s analysis. The real issue is not policy intent, it is whether access is continuously verified, time-bound, and revoked at the same speed identities are created.

NHIMG editorial — based on content published by Zluri: Best Practices 11 Identity and Access Management Best Practices

Questions worth separating out

Q: How should security teams implement least privilege in cloud IAM environments?

A: Start by defining the minimum access needed for each role, then restrict higher-risk actions with attributes such as environment, time, and resource sensitivity.

Q: Why do service accounts and API keys create more IAM risk than many teams expect?

A: They often operate outside human review cycles, remain valid for long periods, and are reused across systems without clear ownership.

Q: How do organisations know whether access reviews are actually working?

A: Look for declining numbers of stale entitlements, fewer exceptions, and faster revocation after role changes or offboarding events.

Practitioner guidance

  • Shorten the access lifecycle: Automate provisioning, modification, and deprovisioning as one connected workflow so access cannot remain active after the business need has ended.
  • Replace static trust with continuous verification: Require re-authentication or step-up checks for sensitive resources instead of assuming that a previous approval still holds.
  • Make least privilege measurable: Review role design and entitlement scope against actual task requirements, then remove permissions that are rarely used or inherited by default.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step explanations of the 11 IAM practices the vendor recommends for enterprise environments.
  • Practical examples of password policy, MFA, RBAC, ABAC, and JIT access usage across common business roles.
  • Guidance on automating provisioning, access requests, and offboarding in a single IAM workflow.
  • Feature-level detail on Zluri's access management capabilities beyond SCIM and contractor access handling.

👉 Read Zluri's IAM best practices guide for cloud access control →
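
The access-review signals named in the Q&A above (stale entitlements, service credentials that are long-lived or lack a clear owner, and revocation speed after offboarding) can be computed from an entitlement inventory. This is an added example, not code from Zluri or NHIMG; the record layout, the sample rows, and the 90-day and 180-day thresholds are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

NOW = datetime(2025, 6, 1)  # fixed "today" so the run is reproducible

def day(s):
    """Parse YYYY-MM-DD, passing None through for 'never'."""
    return datetime.strptime(s, "%Y-%m-%d") if s else None

# Constructed inventory: principal, kind, owner, permission, granted, last_used, revoked
ROWS = [
    ("alice",      "human",   "alice", "db:read",     "2025-01-10", "2025-05-28", None),
    ("alice",      "human",   "alice", "db:admin",    "2024-03-01", "2024-09-15", None),
    ("bob",        "human",   "bob",   "repo:write",  "2024-06-01", "2025-04-20", "2025-05-04"),
    ("bob",        "human",   "bob",   "vpn:connect", "2024-06-01", "2025-04-29", None),
    ("svc-backup", "service", None,    "s3:write",    "2023-02-01", "2025-05-31", None),
    ("svc-ci",     "service", "bob",   "deploy:prod", "2025-04-15", "2025-05-30", None),
]
OFFBOARDED = {"bob": day("2025-05-01")}  # constructed HR leaver feed

def review(rows, offboarded, now, stale_after=90, max_cred_age=180):
    """Return sorted (principal, permission, reason) findings for live entitlements."""
    findings = []
    for who, kind, owner, perm, granted, last_used, revoked in rows:
        if revoked:
            continue  # already removed; only counts toward revocation lag
        used = day(last_used)
        if used is None or now - used > timedelta(days=stale_after):
            findings.append((who, perm, "stale"))
        if who in offboarded:
            findings.append((who, perm, "active-after-offboarding"))
        if kind == "service":
            # Service identities sit outside human review cycles, so check
            # that a current employee is accountable and the grant is not old.
            if owner is None or owner in offboarded:
                findings.append((who, perm, "no-accountable-owner"))
            if now - day(granted) > timedelta(days=max_cred_age):
                findings.append((who, perm, "long-lived-credential"))
    return sorted(findings)

def median_revocation_lag_days(rows, offboarded):
    """Median days between a leaver's offboarding date and each revocation."""
    lags = [(day(r[6]) - offboarded[r[0]]).days
            for r in rows if r[6] and r[0] in offboarded]
    return median(lags) if lags else None

if __name__ == "__main__":
    for finding in review(ROWS, OFFBOARDED, NOW):
        print(*finding, sep="\t")
    print("median revocation lag (days):", median_revocation_lag_days(ROWS, OFFBOARDED))
```

Tracking the length of the findings list and the median lag from one review cycle to the next gives the trend the third answer describes.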
