AI model sprawl in cloud estates: what IAM teams need to know

TL;DR: AI model usage in cloud environments rose from 56% of organisations in 2024 to 84% in 2025, and OpenAI models dominate deployment patterns as cloud AI adoption scales, according to Orca Security. The governance problem is no longer AI enthusiasm, but visibility, control, and identity boundaries across expanding model estates.

NHIMG editorial — based on content published by Orca Security: AI model usage in cloud environments and the top 10 models of 2025

By the numbers:

• AI model usage in cloud environments jumped from 56% of organizations in 2024 to 84% in 2025.

Questions worth separating out

Q: How should security teams govern AI model usage across cloud environments?

A: Security teams should govern AI model usage by inventorying every model, mapping the identity behind each call, and checking what data and systems those identities can reach.

Q: Why do managed AI services create identity governance challenges?

A: Managed AI services create identity governance challenges because they hide complexity behind convenient abstractions.

Q: What breaks when AI model sprawl is tracked without identity context?

A: When model sprawl is tracked without identity context, teams can count deployments without understanding exposure.

Practitioner guidance

• Create a full AI model inventory Catalog every model in use across cloud estates, including managed services, embedded copilots, and custom retrieval pipelines.
• Review access paths behind managed AI services Inspect the service accounts, API keys, and workload identities that invoke services such as Azure OpenAI or Azure Machine Learning.
• Connect AI-SPM outputs to identity governance Use AI-SPM findings to trigger entitlement review, secret rotation, and data exposure checks.

What's in the full article

Orca Security's full post covers the operational detail this post intentionally leaves for the source:

• The complete top 10 model ranking with per-model adoption percentages and usage patterns.
• Detailed examples of where each model is used in cloud-native workflows, copilots, and retrieval systems.
• Orca's explanation of how AI-SPM and AI-driven discovery are implemented inside its platform.
• The broader State of Cloud Security findings that frame model adoption alongside other cloud risks.

👉 Read Orca Security's ranking of the most used AI models in cloud environments →

AI model sprawl in cloud estates: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →