TL;DR: IDQL and Hexa propose a vendor-neutral way to express, translate, and orchestrate access policy across cloud platforms and the wider stack, addressing the fragmentation that makes multi-cloud governance hard to see and harder to enforce, according to Strata Identity. The architectural shift matters because policy consistency, not another enforcement silo, is what identity teams need to regain control.
NHIMG editorial — based on content published by Strata Identity: What is IDQL? A guide to Hexa Policy Orchestration Governance & Standards
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams manage policy consistency across multi-cloud environments?
A: Security teams should centralise policy intent, then translate it into each platform only where necessary.
Q: Why do fragmented cloud policies create identity governance risk?
A: Fragmented policies create governance risk because the same access rule can be written differently in each cloud, application, or network layer.
Q: What should organisations check before adopting policy orchestration?
A: Organisations should check whether their entitlement data, role models, and cloud access rules are already clean enough to translate without distortion.
Practitioner guidance
- Inventory every current policy source Map native policy locations across cloud platforms, identity providers, apps, and network layers before introducing orchestration so you know where drift begins.
- Define policy ownership boundaries Assign one system to own policy intent and separate that from systems that enforce or mirror it, especially where cloud teams and identity teams both edit access rules.
- Pilot translation on a narrow entitlement set Test policy translation on a single app, workload, or cloud account set first, then compare the translated output against native policy to catch semantic loss.
What's in the full article
Strata Identity's full article covers the operational detail this post intentionally leaves for the source:
- A plain-language walkthrough of how IDQL maps into native policy formats across different systems.
- Details on Hexa connectors and how the reference implementation reaches cloud platforms through public APIs.
- The project roles available to supporters, contributors, authors, reviewers, and adopters.
- The working-group rationale for creating a policy standard and reference software.
👉 Read Strata Identity's guide to IDQL and Hexa policy orchestration →
IDQL and Hexa: can policy orchestration close the cloud gap?
Explore further
Policy fragmentation is now a governance failure, not just an operational inconvenience. The article describes a world where each cloud and stack layer exposes its own policy syntax, creating a multiplying effect that makes governance difficult to verify. That is exactly the condition where access intent and effective enforcement drift apart. For practitioners, the problem is not too few policies but too many incompatible ones.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- Only 97% of NHIs carry excessive privileges, which is why policy orchestration must be paired with entitlement cleanup rather than treated as a pure translation layer.
A question worth separating out:
Q: How does policy as code affect Zero Trust architecture?
A: Policy as code can support Zero Trust by making access intent more portable and consistent across systems, but only if the translated policies preserve the original decision logic. It does not replace runtime enforcement or continuous verification. Teams should use it to reduce policy divergence, not as a shortcut around local enforcement controls.
👉 Read our full editorial: IDQL and Hexa aim to unify policy across fragmented cloud estates