TL;DR: An average of 40 identity and access control failures per tenant was found, with 94% of organisations showing at least one high-severity gap and 68% failing privileged MFA, based on scans of 50 companies, according to Unosecur’s Cloud Compliance Pulse H1 2025. The pattern shows cloud identity governance is still failing at the control-layer basics, not just at the edges.
NHIMG editorial — based on content published by Unosecur: Cloud Compliance Pulse H1 2025
By the numbers:
- 94% of participating organisations exhibited at least one high-severity gap.
- The single most frequently violated requirement was ISO 27002 - 5.17, which mandates multifactor authentication for privileged accounts; 68% of tenants failed this control.
- Four recurring gap families (missing multifactor authentication, over-privileged roles, stale or duplicate credentials, and unmanaged service-account keys) together accounted for 70% of all high-severity findings.
Questions worth separating out
Q: How should security teams reduce privileged access risk in cloud environments?
A: Start with privileged MFA, then remove standing administrative access that does not have a time-bound business purpose.
Q: Why do stale service-account keys create so much cloud identity risk?
A: Because one old key can preserve trust long after the original workload, owner, or approval path has changed.
Q: What do security teams get wrong about cloud identity compliance?
A: They often treat compliance as evidence collection instead of access containment.
Practitioner guidance
- Enforce privileged MFA everywhere admin access exists: verify that every cloud administrative path inherits identity provider MFA, including break-glass accounts, cross-account roles, and console access used by platform teams.
- Eliminate permanent high-privilege assignments: review standing administrator grants and replace any role that does not have a defined business trigger, expiry condition, and documented owner.
- Inventory and age-track service-account keys: build a live register of every service-account secret, then flag keys older than thirty days, duplicated keys, and any secret outside a managed vault.
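The third item above is the one most teams can automate first. The following is an added example, not from the Unosecur report or NHIMG: a small audit that runs the three checks (key age over thirty days, duplicated key material, secret stored outside a managed vault) over a constructed sample register. Field names, the `fp-…` fingerprints and the storage labels are assumptions; a real register would be fed from the cloud provider's key listing and the vault's inventory.

```python
from collections import defaultdict
from datetime import date

# Constructed sample register (not real data): one record per service-account secret.
# "fingerprint" stands in for a hash of the key material, "storage" for where the
# secret lives. Field names are assumptions made for this example.
INVENTORY = [
    {"id": "key-1", "account": "sa-billing",  "created": date(2025, 1, 5),
     "fingerprint": "fp-aaa", "storage": "vault"},
    {"id": "key-2", "account": "sa-billing",  "created": date(2025, 6, 20),
     "fingerprint": "fp-bbb", "storage": "vault"},
    {"id": "key-3", "account": "sa-etl",      "created": date(2025, 6, 25),
     "fingerprint": "fp-ccc", "storage": "ci-variable"},
    {"id": "key-4", "account": "sa-etl-copy", "created": date(2025, 6, 25),
     "fingerprint": "fp-ccc", "storage": "vault"},
]

MANAGED_STORES = {"vault"}          # storage labels that count as a managed vault
REPORT_DATE = date(2025, 7, 1)      # constructed "today" so the run is reproducible


def audit_keys(inventory, today, max_age_days=30, managed=MANAGED_STORES):
    """Return (key id, finding) tuples for stale, duplicated and unvaulted secrets."""
    by_fingerprint = defaultdict(list)
    for rec in inventory:
        by_fingerprint[rec["fingerprint"]].append(rec["id"])

    findings = []
    for rec in inventory:
        age = (today - rec["created"]).days
        if age > max_age_days:
            findings.append((rec["id"], f"stale: {age} days old (limit {max_age_days})"))
        twins = sorted(set(by_fingerprint[rec["fingerprint"]]) - {rec["id"]})
        if twins:   # same key material registered under more than one record
            findings.append((rec["id"], f"duplicate: same key material as {', '.join(twins)}"))
        if rec["storage"] not in managed:
            findings.append((rec["id"], f"unvaulted: stored in {rec['storage']}"))
    return findings


def summarize(findings):
    """Count findings per category (the word before the colon) for reporting."""
    counts = defaultdict(int)
    for _, text in findings:
        counts[text.split(":", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for key_id, text in audit_keys(INVENTORY, REPORT_DATE):
        print(f"{key_id}: {text}")
    print(summarize(audit_keys(INVENTORY, REPORT_DATE)))
```

Against the sample register the run flags one stale key, one pair of duplicated keys and one secret kept in a CI variable; the thresholds and store labels are the knobs to tune for a real tenant.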
What's in the full report
Unosecur's full research covers the operational detail this post intentionally leaves for the source:
- The full 70-page benchmark methodology, including how the sample was stratified and pseudonymised across sectors and cloud providers.
- Control-by-control mappings to ISO 27001/27002, PCI DSS v4, SOC 2, CIS v8, and GDPR for audit and remediation planning.
- The four recurring gap families broken down into practical remediation priorities for privileged MFA, role scope, secret age, and vaulting.
- The incident-response and insurance implications that link identity gaps to breach likelihood and premium calculations.
👉 Read Unosecur's Cloud Compliance Pulse H1 2025 on cloud identity gaps →