
CSPM and identity governance: what teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Cloud security posture management centralises visibility, continuous monitoring, compliance checks, and automated remediation across multi-cloud estates, helping teams spot misconfigurations before they become breaches, according to Zluri. The deeper issue is that CSPM is only effective when cloud configuration control is matched with identity governance for accounts, permissions, and access paths.

NHIMG editorial — based on content published by Zluri: What is Cloud Security Posture Management (CSPM)?

By the numbers:

Questions worth separating out

Q: How should security teams use CSPM to reduce cloud identity risk?

A: Security teams should use CSPM to identify which cloud misconfigurations are reachable through specific accounts, roles, or secrets, then route those findings into IAM or NHI governance.

Q: Why do misconfigurations become more dangerous when identities are over-permissioned?

A: Misconfigurations become more dangerous when identities are over-permissioned because the attacker can move from finding a weak setting to using it at scale.

Q: What do security teams get wrong about cloud posture management?

A: Teams often treat CSPM as a configuration-only control and miss the identity layer underneath it.

Practitioner guidance

  • Map posture findings to identity owners: tie each high-severity CSPM alert to the account, role, or service identity that created or can exploit the condition.
  • Prioritise drift that changes blast radius: focus on misconfigurations that expose data, widen network reach, or increase privileged access paths.
  • Link CSPM to secrets and service-account hygiene: verify that exposed resources are not paired with long-lived secrets, unmanaged API keys, or service accounts that outlive the workload.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step CSPM implementation guidance for multi-cloud environments, including how to sequence visibility, policy, and remediation.
  • Expanded discussion of compliance mappings and reporting workflows for organisations tracking CSPM against standards such as GDPR, HIPAA, and CIS.
  • Practical examples of automated remediation and alerting setups that show how posture findings move through operational teams.
  • The article's comparison between CSPM and SSPM for teams deciding where infrastructure security ends and SaaS governance begins.

👉 Read Zluri's CSPM guide for implementation and compliance details →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Cloud posture control is now an identity problem as much as an infrastructure problem. CSPM is often framed as configuration monitoring, but the actual failure mode is wider: insecure cloud settings become dangerous because identities can reach, change, or export what those settings expose. In practice, a clean posture report can coexist with service accounts, tokens, and roles that still create an open path into sensitive systems. Practitioners should treat CSPM findings as identity governance inputs, not isolated infrastructure alerts.

A few things that frame the scale:

A question worth separating out:

Q: Who should own remediation when CSPM finds a serious cloud exposure?

A: Ownership should sit with both cloud operations and identity governance when the issue involves access, not just settings. If a finding can be recreated by a standing credential or inherited role, the remediation belongs in the same workflow as access review and secret management.

👉 Read our full editorial: Cloud security posture management exposes the identity gap

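The correlation both posts describe, the first post's practitioner guidance (map each finding to the identities that created or can use it, rank by blast radius, check for long-lived secrets) and the reply's point that a finding which a standing credential or inherited role can recreate belongs in the access-review workflow, worked through as an added example. This is not code from either post, from NHIMG, or from Zluri's article. It assumes a simplified IAM-style allow model (action and resource patterns with trailing wildcards), constructed sample findings, identities and credential ages, and made-up field names; the exposure weights and the 90-day rotation window are assumptions, not any CSPM product's schema.

```python
"""Tie CSPM findings to the identities that can reach them and route each
finding to an owner. Added example with constructed sample data; the
schema, weights and rotation window below are assumptions."""
from datetime import date

EXPOSURE_WEIGHT = {"data": 3, "privilege": 4, "network": 2}  # assumed heuristic
MAX_KEY_AGE_DAYS = 90  # assumed rotation policy for static credentials

# Constructed CSPM findings. 'relevant_actions' are the permissions that let an
# identity recreate or use the exposed condition.
FINDINGS = [
    {"id": "F-1", "resource": "s3://customer-exports", "exposes": "data",
     "issue": "bucket policy allows public read",
     "relevant_actions": ["s3:GetObject", "s3:PutBucketPolicy"]},
    {"id": "F-2", "resource": "sg-0abc", "exposes": "network",
     "issue": "security group allows 0.0.0.0/0 on tcp/22",
     "relevant_actions": ["ec2:AuthorizeSecurityGroupIngress"]},
    {"id": "F-3", "resource": "role/admin-legacy", "exposes": "privilege",
     "issue": "trust policy allows any principal in the account",
     "relevant_actions": ["sts:AssumeRole", "iam:UpdateAssumeRolePolicy"]},
    {"id": "F-4", "resource": "db-reporting", "exposes": "network",
     "issue": "database instance is publicly accessible",
     "relevant_actions": ["rds:ModifyDBInstance"]},
]

# Constructed identities: allow statements as (action pattern, resource pattern)
# and the credentials each identity holds.
IDENTITIES = [
    {"name": "svc-etl", "kind": "service-account", "owner": "data-platform",
     "allow": [("s3:*", "s3://customer-exports")],
     "credentials": [{"type": "access-key", "created": date(2023, 1, 10)}]},
    {"name": "ci-deployer", "kind": "service-account", "owner": "platform-eng",
     "allow": [("ec2:*", "*"), ("sts:AssumeRole", "role/admin-legacy")],
     "credentials": [{"type": "oidc-token", "created": date(2024, 6, 1), "ttl_minutes": 15}]},
    {"name": "alice", "kind": "human", "owner": "alice",
     "allow": [("s3:GetObject", "s3://public-assets")],
     "credentials": [{"type": "access-key", "created": date(2024, 8, 20)}]},
]


def action_matches(pattern, action):
    """IAM-style trailing wildcard: 's3:*' matches 's3:GetObject'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def resource_matches(pattern, resource):
    return pattern == "*" or pattern == resource


def reachable_identities(finding, identities):
    """Identities holding a permission that recreates or uses the condition."""
    return [
        ident for ident in identities
        if any(action_matches(a, needed) and resource_matches(r, finding["resource"])
               for a, r in ident["allow"] for needed in finding["relevant_actions"])
    ]


def standing_credentials(identity, today):
    """Credentials with no TTL that have outlived the rotation window."""
    return [c for c in identity["credentials"]
            if "ttl_minutes" not in c and (today - c["created"]).days > MAX_KEY_AGE_DAYS]


def blast_radius(finding, reach, today):
    """Heuristic: exposure type, widened by each identity that can reach the
    condition and again by each standing credential those identities hold."""
    score = EXPOSURE_WEIGHT[finding["exposes"]]
    for ident in reach:
        score += 2 + len(standing_credentials(ident, today))
    return score


def remediation_owners(reach):
    """Settings-only findings stay with cloud ops; anything an identity can
    recreate or use also goes to identity governance and the identity's owner."""
    if not reach:
        return ["cloud-ops"]
    return ["cloud-ops", "identity-governance"] + sorted({i["owner"] for i in reach})


def triage(findings, identities, today):
    rows = []
    for f in findings:
        reach = reachable_identities(f, identities)
        rows.append({
            "finding": f["id"], "resource": f["resource"], "issue": f["issue"],
            "score": blast_radius(f, reach, today),
            "identities": [i["name"] for i in reach],
            "standing_credentials": [i["name"] for i in reach if standing_credentials(i, today)],
            "owners": remediation_owners(reach),
        })
    # Highest blast radius first; ties broken by how many standing credentials are involved.
    return sorted(rows, key=lambda r: (r["score"], len(r["standing_credentials"])), reverse=True)


if __name__ == "__main__":
    for row in triage(FINDINGS, IDENTITIES, date(2024, 9, 1)):
        print(row["finding"], row["score"], row["identities"], row["owners"])
```

The public-read bucket (F-1) outranks the open security group (F-2) not only because it exposes data but because a service account with a stale static key can recreate it, which is exactly the case the reply says should go through access review and secret management rather than a settings-only fix. The publicly accessible database (F-4) has no matching identity in the sample data, so it stays a cloud-operations item.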