TL;DR: 93% of organisations have overprivileged service accounts, 85% embed plaintext secrets in source code, and 40% allow automatic pull request approvals in GitHub Actions, according to Orca Security’s 2025 cloud security report, showing how identity, secrets, and pipeline control failures compound at scale. Least privilege and secret hygiene are no longer separate problems.
NHIMG editorial — based on content published by Orca Security: 2025 State of Cloud Security Report
By the numbers:
- 93% of organizations have at least one overprivileged service account.
- 85% of organizations have plaintext secrets embedded in their source code repositories.
Questions worth separating out
Q: How should security teams reduce cloud attack paths without slowing delivery?
A: Start with the paths that lead directly to sensitive data, cross-account access, or internet-facing workloads.
Q: Why do overprivileged service accounts create such a large cloud risk?
A: Because a service account is often reusable, persistent, and able to reach many systems at once.
Q: What do security teams get wrong about secrets found in source code?
A: They often treat removal from the current branch as the end of the problem.
Practitioner guidance
- Reduce service account blast radius: Review every service account and remove permissions that are not required for the current workload.
- Eliminate secrets from repositories: Block plaintext secrets from entering source control, then rotate any secret already found in Git history or the main branch.
- Prioritise attack-path remediation: Rank cloud findings by reachable paths to sensitive data, not by severity alone.
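
The point about secrets in the Q&A and in the guidance above can be checked directly. The following shell script is an added example, not taken from Orca Security's report: it builds a throwaway Git repository, commits a made-up key, removes it in a second commit, and then compares a scan of the branch tip with a scan of every commit. The key, file name, pattern and function names are all constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: a secret deleted from the current branch is still in history.
# FAKE_LINE is a made-up placeholder, not a real credential.
FAKE_LINE='EXAMPLE_API_KEY=constructed-not-a-real-secret-0000'
PATTERN='EXAMPLE_API_KEY=[A-Za-z0-9-][A-Za-z0-9-]*'
# Per-command identity so the demo does not depend on the user's git config.
ID='-c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false'

make_demo_repo() {
    # Commit 1 adds the hardcoded key, commit 2 "cleans it up".
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" &&
        git init -q . &&
        printf '%s\n' "$FAKE_LINE" > config.env &&
        git add config.env &&
        git $ID commit -q -m 'add service config' &&
        printf '%s\n' '# key is injected at deploy time' > config.env &&
        git $ID commit -q -a -m 'remove hardcoded key'
    ) >/dev/null 2>&1 || return 1
    printf '%s\n' "$repo"
}

head_has_secret() {
    # Returns 0 only if the current branch tip still contains a match.
    git -C "$1" grep -q -e "$PATTERN" HEAD --
}

commits_containing_secret() {
    # Counts commits, across all refs, whose tree still holds a match.
    n=0
    for c in $(git -C "$1" rev-list --all); do
        if git -C "$1" grep -q -e "$PATTERN" "$c" --; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# Stand-alone run: the tip looks clean, the history does not.
repo=$(make_demo_repo) || exit 1
if head_has_secret "$repo"; then echo "HEAD: secret present"; else echo "HEAD: clean"; fi
echo "commits still holding the secret: $(commits_containing_secret "$repo")"
rm -rf "$repo"
```

A clean tip with a non-zero history count means the credential is still retrievable by anyone who can clone the repository, so it has to be rotated rather than only deleted.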
What's in the full report
Orca Security’s full report covers the operational detail this post intentionally leaves for the source:
- The full per-category breakdown of cloud findings across identity, secrets, assets, and pipelines
- The methodology behind attack-path analysis and how individual misconfigurations were chained together
- The underlying asset-scanning evidence drawn from billions of cloud objects and code repositories
- The report’s complete remediation framing for teams that need to move from prioritisation to implementation