TL;DR: Nearly 40% of organisations reported security or compliance incidents tied to governance gaps introduced during cloud migration, according to Pathlock’s 2025 Digital Transformation & Access Risk Report. The findings show that transformation programmes are still outpacing GRC planning, leaving access reviews, SoD checks, and deprovisioning too manual to contain risk.
NHIMG editorial — based on content published by Pathlock: 2025 Digital Transformation & Access Risk Report
By the numbers:
- 40% of organisations experienced security or compliance incidents directly linked to governance gaps introduced during cloud migration.
- Only 7% updated GRC controls prior to migration.
- Over 70% lack automated access risk analysis, user access reviews, and provisioning and de-provisioning processes.
Questions worth separating out
Q: How should organisations govern access during cloud migration?
A: Organisations should design access governance before migration cutover, not after systems move.
Q: Why do manual user access reviews fail during modernisation programmes?
A: Manual reviews fail because hybrid environments change faster than human reviewers can interpret them.
Q: What breaks when deprovisioning is slow after termination?
A: When access revocation is slow, the account remains usable after the business relationship has ended.
Practitioner guidance
- Build GRC into migration gates: Require access design, SoD mapping, and control ownership to be approved before application cutover, not after the target state is live.
- Automate access risk analysis: Replace spreadsheet-led reviews with automated entitlement collection, role grouping, and risk scoring across cloud and on-premises systems.
- Shorten deprovisioning latency: Measure time to revoke access after termination and remove manual approvals that allow accounts to remain active beyond business need.
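One way to measure the deprovisioning latency described in the last item, as an added example that is not from Pathlock's report: it joins HR termination times against per-system revocation events and reports the worst-case latency per leaver. The system names, data layout, and 24-hour target are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the report): HR termination times and
# per-system account revocation events for a hybrid estate.
TERMINATIONS = {
    "alice": "2025-03-03T17:00:00",
    "bob": "2025-03-10T09:00:00",
}
REVOCATIONS = [  # (user, system, revoked_at or None if still active)
    ("alice", "on-prem-erp", "2025-03-03T18:30:00"),
    ("alice", "cloud-erp", "2025-03-06T17:00:00"),
    ("bob", "on-prem-erp", "2025-03-10T09:20:00"),
    ("bob", "cloud-erp", None),
]
SLA = timedelta(hours=24)  # assumed target; set this from your own policy


def deprovisioning_report(terminations, revocations, now, sla=SLA):
    """Return per-user worst-case revocation latency and SLA breaches."""
    report = {}
    for user, system, revoked_at in revocations:
        if user not in terminations:
            continue  # account owner is not a leaver
        term = datetime.fromisoformat(terminations[user])
        # An account that is still active accrues latency up to 'now'.
        end = datetime.fromisoformat(revoked_at) if revoked_at else now
        latency = max(end - term, timedelta(0))
        entry = report.setdefault(user, {"worst": timedelta(0), "breaches": []})
        # The slowest system defines how long the leaver kept usable access.
        entry["worst"] = max(entry["worst"], latency)
        if latency > sla:
            state = "revoked late" if revoked_at else "still active"
            entry["breaches"].append((system, state, latency))
    return report


if __name__ == "__main__":
    now = datetime.fromisoformat("2025-03-12T09:00:00")
    for user, entry in deprovisioning_report(TERMINATIONS, REVOCATIONS, now).items():
        print(user, "worst latency:", entry["worst"])
        for system, state, latency in entry["breaches"]:
            print("  ", system, state, latency)
```

Tracking the worst system per leaver, rather than an average across systems, keeps a fast on-premises revocation from hiding a cloud account that is still live.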
What's in the full report
Pathlock's full report covers the operational detail this post intentionally leaves for the source:
- Survey breakdowns by industry sector, including manufacturing, financial services, healthcare, and government.
- The report’s migration-stage governance findings, including when organisations updated GRC controls and how often SoD checks were skipped.
- Access governance and offboarding detail that helps teams compare their current controls against the survey benchmarks.
- The full benchmark context behind the reported compliance violations and insider-fraud outcomes.