Cloud identity control failures: what IAM teams are missing


(@unosecur)
Honorable Member
Joined: 1 year ago
Posts: 188
Topic starter  

TL;DR: An average of 40 identity-related control failures per tenant emerged from Unosecur’s H1 2025 scan of 50 multi-cloud environments, with 68% of companies violating ISO 27001 privileged MFA guidance and two-thirds of identity-driven breaches beginning with routine gaps, according to Unosecur. The real problem is not complexity alone, but unmanaged identity hygiene that leaves compliance and attack exposure aligned.

NHIMG editorial — based on content published by Unosecur: Forty unlocked doors, hidden compliance risks in every cloud

By the numbers:

Questions worth separating out

Q: What breaks when privileged MFA is missing in multi-cloud environments?

A: Without privileged MFA, cloud access control loses its strongest checkpoint for high-risk accounts.

Q: Why do standing admin roles make cloud risk harder to contain?

A: Standing admin roles extend access beyond the moment it is needed, so any credential compromise has immediate reach.

Q: How can security teams know if cloud identity governance is actually working?

A: The clearest signals are fewer unresolved access findings, shorter evidence-collection cycles, lower counts of stale keys, and reduced reliance on manual review.

Practitioner guidance

  • Map identity controls to a single cloud governance baseline. Align privileged MFA, role assignment, key rotation, and evidence collection to one control model across AWS, Azure, and Google Cloud.
  • Eliminate standing admin access wherever it is still enabled. Review cloud roles for persistent elevation, remove always-on administrator assignments, and require task-scoped elevation for high-risk actions.
  • Rotate stale keys and retire duplicate machine credentials. Inventory machine keys, identify keys older than 30 days, and remove duplicate or shared secrets that cannot be traced to a clear owner.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • The per-sector breakdown of cloud identity control failures across finance, healthcare, manufacturing, and SaaS
  • The exact IAM gap families behind the 70% of high-severity findings
  • The article's audit and insurance observations tied to unresolved access gaps
  • The practical remediation checklist for privileged MFA, role removal, and key rotation

👉 Read Unosecur's analysis of hidden cloud compliance risks across multi-cloud environments →

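The three practitioner guidance items above (privileged MFA, standing admin roles, stale and shared keys) can be run as one baseline check over a normalised identity inventory. The script below is an added example written for this thread; it is not code from Unosecur's article or from NHIMG. It assumes an inventory already exported from AWS, Azure and Google Cloud into a common record shape (the field names, the 30-day threshold from the guidance, the fixed reference date and the sample records are all constructed for illustration), and it assumes the inventory carries a hash of each key's secret material rather than the secret itself, so duplicates can be found without touching credentials.

```python
from collections import defaultdict
from datetime import date

STALE_KEY_DAYS = 30          # threshold named in the guidance above
TODAY = date(2025, 6, 30)    # fixed reference date (assumption) so the run is reproducible

# Constructed sample inventory (assumption): one record per principal, normalised
# from AWS/Azure/GCP into common fields. "fingerprint" is a hash of the secret
# material exported by the inventory tool, so duplicates can be detected without
# ever handling the secret; "owner" is the tag or label naming the responsible team.
INVENTORY = [
    {"cloud": "aws", "principal": "admin-jane", "kind": "human",
     "privileged": True, "mfa": True, "standing_admin": True, "keys": []},
    {"cloud": "aws", "principal": "ops-bob", "kind": "human",
     "privileged": True, "mfa": False, "standing_admin": False, "keys": []},
    {"cloud": "gcp", "principal": "ci-deployer@example-proj.iam", "kind": "machine",
     "privileged": True, "mfa": None, "standing_admin": True,
     "keys": [{"id": "k1", "created": date(2025, 1, 3),
               "fingerprint": "sha256:3f1a", "owner": "platform-team"}]},
    {"cloud": "azure", "principal": "sp-legacy-etl", "kind": "machine",
     "privileged": False, "mfa": None, "standing_admin": False,
     "keys": [{"id": "k2", "created": date(2025, 6, 15),
               "fingerprint": "sha256:3f1a", "owner": None}]},
]


def privileged_without_mfa(inventory):
    """Human principals with privileged access and no MFA enrolment."""
    return [p["principal"] for p in inventory
            if p["kind"] == "human" and p["privileged"] and not p["mfa"]]


def standing_admins(inventory):
    """Principals holding an always-on administrator assignment."""
    return [p["principal"] for p in inventory if p["standing_admin"]]


def key_findings(inventory, today=TODAY, max_age_days=STALE_KEY_DAYS):
    """Stale, unowned and shared machine keys across the whole inventory."""
    stale, unowned = [], []
    holders_by_fingerprint = defaultdict(list)
    for p in inventory:
        for k in p["keys"]:
            ref = f"{p['principal']}/{k['id']}"
            if (today - k["created"]).days > max_age_days:
                stale.append(ref)
            if not k.get("owner"):
                unowned.append(ref)
            holders_by_fingerprint[k["fingerprint"]].append(ref)
    # The same secret appearing under two principals means it is shared or duplicated.
    shared = {fp: refs for fp, refs in holders_by_fingerprint.items() if len(refs) > 1}
    return {"stale": stale, "unowned": unowned, "shared": shared}


def baseline_report(inventory, today=TODAY):
    """One control model across clouds: every gap becomes a finding to assign and close."""
    keys = key_findings(inventory, today)
    findings = [("privileged_mfa_missing", ref) for ref in privileged_without_mfa(inventory)]
    findings += [("standing_admin", ref) for ref in standing_admins(inventory)]
    findings += [("stale_key", ref) for ref in keys["stale"]]
    findings += [("unowned_key", ref) for ref in keys["unowned"]]
    findings += [("shared_key", " & ".join(refs)) for refs in keys["shared"].values()]
    return findings


if __name__ == "__main__":
    for control, ref in baseline_report(INVENTORY):
        print(f"{control:24} {ref}")
```

On the constructed inventory this yields six findings: one privileged human without MFA, two standing admin assignments (one human, one workload identity), one key older than 30 days, one key with no owner, and one secret shared between a GCP service account and an Azure service principal. The shared-secret check is the one most tenants skip, and it only works if the inventory records a fingerprint of the secret rather than just the key ID.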



(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 6192
 

Cloud compliance is an identity governance failure before it is an audit failure. The article’s 40 identity-related control failures per tenant show that cloud risk is being created at the access layer, not the reporting layer. Privileged MFA, role scope, and key hygiene are governance controls first, audit controls second. The practitioner conclusion is that compliance remediation has to start where identities are granted and maintained.

A few things that frame the scale:

  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to the 2024 Non-Human Identity Security Report.
  • Our research also found that 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge.

A question worth separating out:

Q: Who is accountable when cloud identity failures trigger audit or breach exposure?

A: Accountability should sit with the identity and cloud governance owners who define access policy, not only with audit teams who report on outcomes. When service keys, admin roles, and MFA coverage are managed separately, no single team owns the full control loop. Clear ownership across IAM, PAM, and cloud platform teams is essential.

👉 Read our full editorial: Forty cloud identity control failures expose hidden compliance risk


