Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Cloud identity compliance gaps: what IAM teams need to fix first


(@unosecur)
Honorable Member
Joined: 1 year ago
Posts: 188
Topic starter  

TL;DR: An average of 40 identity and access control failures per tenant was found, with 94% of organisations showing at least one high-severity gap and 68% failing privileged MFA, based on scans of 50 companies, according to Unosecur’s Cloud Compliance Pulse H1 2025. The pattern shows cloud identity governance is still failing at the control-layer basics, not just at the edges.

NHIMG editorial — based on content published by Unosecur: Cloud Compliance Pulse H1 2025

By the numbers:

Questions worth separating out

Q: How should security teams reduce privileged access risk in cloud environments?

A: Start with privileged MFA, then remove standing administrative access that does not have a time-bound business purpose.

Q: Why do stale service-account keys create so much cloud identity risk?

A: Because one old key can preserve trust long after the original workload, owner, or approval path has changed.

Q: What do security teams get wrong about cloud identity compliance?

A: They often treat compliance as evidence collection instead of access containment.

Practitioner guidance

  • Enforce privileged MFA everywhere admin access exists Verify that every cloud administrative path inherits identity provider MFA, including break-glass accounts, cross-account roles, and console access used by platform teams.
  • Eliminate permanent high-privilege assignments Review standing administrator grants and replace any role that does not have a defined business trigger, expiry condition, and documented owner.
  • Inventory and age-track service-account keys Build a live register of every service-account secret, then flag keys older than thirty days, duplicated keys, and any secret outside a managed vault.

What's in the full report

Unosecur's full research covers the operational detail this post intentionally leaves for the source:

  • The full 70-page benchmark methodology, including how the sample was stratified and pseudonymised across sectors and cloud providers.
  • Control-by-control mappings to ISO 27001/27002, PCI DSS v4, SOC 2, CIS v8, and GDPR for audit and remediation planning.
  • The four recurring gap families broken down into practical remediation priorities for privileged MFA, role scope, secret age, and vaulting.
  • The incident-response and insurance implications that link identity gaps to breach likelihood and premium calculations.

👉 Read Unosecur's Cloud Compliance Pulse H1 2025 on cloud identity gaps →

Cloud identity compliance gaps: what IAM teams need to fix first?

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Cloud identity compliance is really a control aggregation problem, not a checklist problem. The report’s average of forty identity and access failures per tenant shows that organisations are accumulating separate but related weaknesses across privileged MFA, roles, keys, and service accounts. When those failures cluster, audit pain and security risk rise together. The practical conclusion is that cloud identity programmes need control-level ownership, not just periodic review.

A few things that frame the scale:

  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: Who is accountable when privileged access controls fail in cloud environments?

A: Accountability usually sits with the identity, platform, and cloud operations teams together, because the failure spans authentication, role design, and secret handling. Governance frameworks such as the NIST Cybersecurity Framework 2.0 expect control ownership to be explicit. If no team owns the full path from grant to revocation, the gap persists.

👉 Read our full editorial: Cloud identity compliance gaps persist across most enterprise tenants



   
ReplyQuote
Share: