TL;DR: AI model usage in cloud environments rose from 56% of organisations in 2024 to 84% in 2025, and OpenAI models dominate deployment patterns as cloud AI adoption scales, according to Orca Security. The governance problem is no longer AI enthusiasm, but visibility, control, and identity boundaries across expanding model estates.
NHIMG editorial — based on content published by Orca Security: AI model usage in cloud environments and the top 10 models of 2025
By the numbers:
- AI model usage in cloud environments jumped from 56% of organizations in 2024 to 84% in 2025.
Questions worth separating out
Q: How should security teams govern AI model usage across cloud environments?
A: Security teams should govern AI model usage by inventorying every model, mapping the identity behind each call, and checking what data and systems those identities can reach.
Q: Why do managed AI services create identity governance challenges?
A: Managed AI services create identity governance challenges because they hide complexity behind convenient abstractions.
Q: What breaks when AI model sprawl is tracked without identity context?
A: When model sprawl is tracked without identity context, teams can count deployments without understanding exposure.
Practitioner guidance
- Create a full AI model inventory: Catalog every model in use across cloud estates, including managed services, embedded copilots, and custom retrieval pipelines.
- Review access paths behind managed AI services: Inspect the service accounts, API keys, and workload identities that invoke services such as Azure OpenAI or Azure Machine Learning.
- Connect AI-SPM outputs to identity governance: Use AI-SPM findings to trigger entitlement review, secret rotation, and data exposure checks.
What's in the full article
Orca Security's full post covers the operational detail this post intentionally leaves for the source:
- The complete top 10 model ranking with per-model adoption percentages and usage patterns.
- Detailed examples of where each model is used in cloud-native workflows, copilots, and retrieval systems.
- Orca's explanation of how AI-SPM and AI-driven discovery are implemented inside its platform.
- The broader State of Cloud Security findings that frame model adoption alongside other cloud risks.
AI model sprawl in cloud estates: what IAM teams need to know?
Explore further
AI model adoption has crossed into identity governance territory. The article's core signal is not simply that AI usage is rising, but that model deployment is now common enough to create governance overhead across cloud estates. Once models are embedded in production, identity teams inherit new access paths, service dependencies, and control gaps that cannot be handled as a point solution. The practitioner conclusion is that model inventories and identity inventories now need to be managed together.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: How can organisations tell whether AI governance is actually working?
A: Organisations can tell AI governance is working when every model has a named owner, a known calling identity, defined data boundaries, and an access review path that reaches the underlying permissions. If model usage is increasing but identity reviews, secret rotation, and exposure checks are not keeping pace, governance is only observational.
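The four conditions in the answer above can be checked mechanically once the model inventory and the identity inventory are joined. The Python below is an added example, not code from this editorial or from Orca Security; the inventories are constructed, and every model name, identity name, field name and the 90-day freshness window is an assumption.

```python
from datetime import date

# Constructed sample inventories; every name and field here is an assumption.
MODELS = [
    {"model": "support-chat", "owner": "support-eng",
     "calling_identity": "sa-support-bot", "data_boundaries": ["tickets"]},
    {"model": "rag-embeddings", "owner": None,
     "calling_identity": "sa-rag-pipeline", "data_boundaries": ["wiki"]},
    {"model": "ide-copilot", "owner": "platform",
     "calling_identity": "key-legacy-01", "data_boundaries": []},
    {"model": "shadow-finetune", "owner": "ml-research",
     "calling_identity": None, "data_boundaries": ["hr-records"]},
]
IDENTITIES = {
    "sa-support-bot": {"reachable_data": ["tickets"],
                       "last_review": date(2025, 9, 1), "secret_rotated": date(2025, 8, 15)},
    "sa-rag-pipeline": {"reachable_data": ["wiki", "finance-reports"],
                        "last_review": date(2025, 7, 20), "secret_rotated": date(2025, 7, 1)},
    "key-legacy-01": {"reachable_data": ["tickets"],
                      "last_review": None, "secret_rotated": date(2024, 1, 10)},
}

def governance_gaps(models, identities, today, max_age_days=90):
    """Return {model: [gaps]}; the 90-day freshness window is an assumed policy."""
    report = {}
    for m in models:
        gaps = []
        if not m["owner"]:
            gaps.append("no named owner")
        if not m["data_boundaries"]:
            gaps.append("no defined data boundaries")
        ident = identities.get(m["calling_identity"])
        if ident is None:
            gaps.append("calling identity unknown")
        else:
            # Exposure check: what the identity can reach beyond the model's boundary.
            excess = sorted(set(ident["reachable_data"]) - set(m["data_boundaries"]))
            if excess:
                gaps.append("identity reaches beyond boundary: " + ", ".join(excess))
            for field, label in (("last_review", "access review"),
                                 ("secret_rotated", "secret rotation")):
                when = ident[field]
                if when is None or (today - when).days > max_age_days:
                    gaps.append(label + " missing or stale")
        report[m["model"]] = gaps
    return report

if __name__ == "__main__":
    for model, gaps in governance_gaps(MODELS, IDENTITIES, date(2025, 10, 1)).items():
        print(model, "->", gaps or "ok")
```

A model with an empty gap list meets all four conditions; a model whose usage is counted but whose list is non-empty is the "only observational" case the answer describes.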