Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Cloud migration governance gaps: what IAM teams need to fix now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Nearly 40% of organisations reported security or compliance incidents tied to governance gaps introduced during cloud migration, according to Pathlock’s 2025 Digital Transformation & Access Risk Report. The findings show that transformation programmes are still outpacing GRC planning, leaving access reviews, SoD checks, and deprovisioning too manual to contain risk.

NHIMG editorial — based on content published by Pathlock: 2025 Digital Transformation & Access Risk Report

By the numbers:

Questions worth separating out

Q: How should organisations govern access during cloud migration?

A: Organisations should design access governance before migration cutover, not after systems move.

Q: Why do manual user access reviews fail during modernisation programmes?

A: Manual reviews fail because hybrid environments change faster than human reviewers can interpret them.

Q: What breaks when deprovisioning is slow after termination?

A: When access revocation is slow, the account remains usable after the business relationship has ended.

Practitioner guidance

  • Build GRC into migration gates Require access design, SoD mapping, and control ownership to be approved before application cutover, not after the target state is live.
  • Automate access risk analysis Replace spreadsheet-led reviews with automated entitlement collection, role grouping, and risk scoring across cloud and on-premises systems.
  • Shorten deprovisioning latency Measure time to revoke access after termination and remove manual approvals that allow accounts to remain active beyond business need.

What's in the full report

Pathlock's full report covers the operational detail this post intentionally leaves for the source:

  • Survey breakdowns by industry sector, including manufacturing, financial services, healthcare, and government.
  • The report’s migration-stage governance findings, including when organisations updated GRC controls and how often SoD checks were skipped.
  • Access governance and offboarding detail that helps teams compare their current controls against the survey benchmarks.
  • The full benchmark context behind the reported compliance violations and insider-fraud outcomes.

👉 Read Pathlock’s 2025 report on digital transformation and access risk →

Cloud migration governance gaps: what IAM teams need to fix now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Governance lag is becoming the primary transformation risk, not a back-office follow-on. When only a small minority of organisations update GRC controls before migration, the programme is effectively designing access first and governing it later. That sequencing creates structural exposure because privilege, SoD, and audit requirements are being reconciled after business processes have already moved. Practitioners should treat delayed governance as a transformation defect, not a compliance nuisance.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when governance gaps surface after cloud migration?

A: Accountability sits with the transformation owners and the identity governance function together, because the control failure comes from sequencing, not just execution. If migration proceeds without GRC design, the organisation has accepted the risk of incomplete SoD checks, delayed offboarding, and weak audit evidence. Frameworks such as the NIST Cybersecurity Framework 2.0 reinforce that access governance must be managed as an operational control.

👉 Read our full editorial: Digital transformation is widening governance gaps during cloud migration



   
ReplyQuote
Share: