TL;DR: Nearly 40% of organisations reported security or compliance incidents tied to governance gaps introduced during cloud migration, according to Pathlock’s 2025 Digital Transformation & Access Risk Report. The findings show that transformation programmes are still outpacing GRC planning, leaving access reviews, SoD checks, and deprovisioning too manual to contain risk.
NHIMG editorial — based on content published by Pathlock: 2025 Digital Transformation & Access Risk Report
By the numbers:
- 40% of organisations experienced security or compliance incidents, cidents directly linked to governance gaps introduced during cloud migration.
- Only 7% updated GRC controls prior to migration.
- Over 70% lack automated access risk analysis, user access reviews, and provisioning and de-provisioning processes.
Questions worth separating out
Q: How should organisations govern access during cloud migration?
A: Organisations should design access governance before migration cutover, not after systems move.
Q: Why do manual user access reviews fail during modernisation programmes?
A: Manual reviews fail because hybrid environments change faster than human reviewers can interpret them.
Q: What breaks when deprovisioning is slow after termination?
A: When access revocation is slow, the account remains usable after the business relationship has ended.
Practitioner guidance
- Build GRC into migration gates Require access design, SoD mapping, and control ownership to be approved before application cutover, not after the target state is live.
- Automate access risk analysis Replace spreadsheet-led reviews with automated entitlement collection, role grouping, and risk scoring across cloud and on-premises systems.
- Shorten deprovisioning latency Measure time to revoke access after termination and remove manual approvals that allow accounts to remain active beyond business need.
What's in the full report
Pathlock's full report covers the operational detail this post intentionally leaves for the source:
- Survey breakdowns by industry sector, including manufacturing, financial services, healthcare, and government.
- The report’s migration-stage governance findings, including when organisations updated GRC controls and how often SoD checks were skipped.
- Access governance and offboarding detail that helps teams compare their current controls against the survey benchmarks.
- The full benchmark context behind the reported compliance violations and insider-fraud outcomes.
👉 Read Pathlock’s 2025 report on digital transformation and access risk →
Cloud migration governance gaps: what IAM teams need to fix now?
Explore further
Governance lag is becoming the primary transformation risk, not a back-office follow-on. When only a small minority of organisations update GRC controls before migration, the programme is effectively designing access first and governing it later. That sequencing creates structural exposure because privilege, SoD, and audit requirements are being reconciled after business processes have already moved. Practitioners should treat delayed governance as a transformation defect, not a compliance nuisance.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when governance gaps surface after cloud migration?
A: Accountability sits with the transformation owners and the identity governance function together, because the control failure comes from sequencing, not just execution. If migration proceeds without GRC design, the organisation has accepted the risk of incomplete SoD checks, delayed offboarding, and weak audit evidence. Frameworks such as the NIST Cybersecurity Framework 2.0 reinforce that access governance must be managed as an operational control.
👉 Read our full editorial: Digital transformation is widening governance gaps during cloud migration