TL;DR: Microsoft’s retirement of Entra Permissions Management leaves a CIEM gap across Azure, AWS, and Google Cloud, with SailPoint positioning its CIEM offering as the replacement path for visibility, least-privilege enforcement, and review workflows. The real issue is not product substitution but whether cloud entitlement governance is mature enough to survive a platform exit without losing control of privilege creep.
NHIMG editorial — based on content published by SailPoint: Microsoft ends Entra Permissions Management and the case for CIEM
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
Questions worth separating out
Q: How should security teams govern cloud entitlements after a CIEM platform retirement?
A: Treat the retirement as a programme test, not a procurement event.
Q: Why do cloud entitlements drift out of control in multi-cloud environments?
A: Cloud entitlements drift because access is often granted through different native models, inherited roles, and exceptions that are not reconciled against current job need.
Q: What breaks when access reviews do not include cloud service accounts and projects?
A: Reviews miss the places where overprovisioning often hides.
Practitioner guidance
- Map cloud entitlement sources end to end Inventory where permissions are assigned across Azure, AWS, and Google Cloud, then document which identity governance process owns each access path.
- Tie entitlement reviews to lifecycle events Trigger cloud access review and removal when a user changes role or leaves, and retain evidence that the change was completed across all cloud providers.
- Prioritise effective access over assigned access Focus reviews on what an identity can actually do in the cloud, not just what appears on paper in a directory.
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- The product-specific CIEM capability set for Azure, AWS, and Google Cloud entitlement management
- The customer example showing audit-cycle effort reduction and how reporting was centralised
- The article's own positioning on SailPoint Identity Security Cloud integration and migration path from Microsoft Entra
- The vendor's commentary on why its CIEM features are framed as the replacement option
👉 Read SailPoint’s blog on Microsoft ending Entra Permissions Management and CIEM options →
Entra Permissions Management retirement: what IAM teams should do now?
Explore further
CIEM retirement exposes a control dependency, not just a product dependency. When a dedicated entitlement platform disappears, organisations do not merely lose a dashboard. They lose a repeatable way to normalise cloud access, detect overprovisioning, and prove that access removal is happening on time. The governance lesson is that cloud entitlement control should not be anchored to a single tooling relationship when the underlying risk is structural.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, even though the majority are already moving toward autonomous adoption.
A question worth separating out:
Q: Who is accountable when cloud access removal is not auditable?
A: Accountability sits with the identity governance and cloud security functions that own entitlement evidence, not with the business user alone. If removal cannot be proven, the organisation cannot demonstrate least privilege, effective offboarding, or a defensible review process during audit or incident response.
👉 Read our full editorial: Entra Permissions Management retirement raises the bar for ciem