
Hybrid identity sprawl and IGA gaps: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Identity sprawl across multi-cloud, SaaS, and hybrid environments is pushing IAM and IGA into the centre of security operations, while overprivileged service accounts remain a leading cloud risk, with Google Cloud reporting they drove 46.4% of cloud security alerts in H2 2024 and 62.2% of lateral movement incidents. The governance problem is no longer perimeter control but continuous visibility, lifecycle enforcement, and least-privilege drift across human and machine identities.

NHIMG editorial — based on content published by Bravura Security: mitigating identity-related access risks in hybrid and multi-cloud environments

By the numbers:

Questions worth separating out

Q: How should security teams govern access across multi-cloud and SaaS environments?

A: Security teams should govern access with a single entitlement view that spans cloud platforms, SaaS applications, on-premises systems, and machine identities.

Q: Why do overprivileged service accounts create such persistent cloud risk?

A: Overprivileged service accounts create persistent risk because they combine standing access, weak ownership, and broad lateral movement potential.

Q: What breaks when IGA is not tightly connected to IAM?

A: When IGA is disconnected from IAM, organisations can provision access correctly and still fail governance.

Practitioner guidance

  • Build a unified identity inventory across cloud and SaaS estates: map human accounts, service accounts, API credentials, and workload identities into one entitlement view so you can see where access is duplicated, orphaned, or excessive across AWS, Azure, Google Cloud, and critical SaaS platforms.
  • Separate IAM execution from IGA certification: use IAM to provision and enforce access, then use IGA to review whether that access still matches role, policy, and compliance requirements after joiner-mover-leaver events or cloud changes.
  • Treat service accounts as governed privileged assets: assign every machine identity an owner, purpose, expiry or review date, and a revocation path.
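As an added illustration (not code from Bravura Security's article or this post), the following Python check applies the three guidance points above to a constructed multi-cloud inventory: it flags machine identities missing an owner, purpose, review date or revocation path, overdue reviews, over-broad entitlements, and dormant standing access. The record layout, the OVER_BROAD list and the 90-day dormancy threshold are assumptions, not a vendor schema.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

@dataclass  # hypothetical normalised record; not a vendor schema
class Identity:
    name: str
    kind: str                         # "human" or "machine"
    platform: str                     # e.g. "aws", "azure", "gcp", "saas:github"
    entitlements: FrozenSet[str]      # permissions as named by that platform
    owner: Optional[str] = None
    purpose: Optional[str] = None
    review_by: Optional[date] = None  # expiry or next certification date
    revocation_path: Optional[str] = None
    last_used: Optional[date] = None

OVER_BROAD = frozenset({"*", "roles/owner", "Owner", "AdministratorAccess"})  # assumed list
DORMANT_DAYS = 90  # assumed threshold for standing access nobody uses

def certify(identities: List[Identity], today: date) -> Dict[str, List[str]]:
    """IGA-style review: return {name: findings} for every record that should not pass."""
    findings: Dict[str, List[str]] = {}
    for ident in identities:
        issues = []
        if ident.kind == "machine":  # governed-privileged-asset rule from the guidance
            for attr in ("owner", "purpose", "review_by", "revocation_path"):
                if getattr(ident, attr) is None:
                    issues.append(f"missing {attr}")
        if ident.review_by is not None and ident.review_by < today:
            issues.append("review overdue")
        if ident.entitlements & OVER_BROAD:
            issues.append("over-broad entitlement")
        if ident.last_used is not None and (today - ident.last_used).days > DORMANT_DAYS:
            issues.append(f"dormant >{DORMANT_DAYS} days")
        if issues:
            findings[ident.name] = issues
    return findings
# Constructed sample inventory spanning three platforms.
TODAY = date(2025, 1, 15)
INVENTORY = [
    Identity("alice", "human", "azure", frozenset({"Reader"}), owner="alice",
             review_by=date(2025, 6, 1), last_used=date(2025, 1, 10)),
    Identity("ci-deployer", "machine", "aws", frozenset({"s3:PutObject", "ecs:UpdateService"}),
             owner="platform-team", purpose="CI deploys", review_by=date(2025, 3, 1),
             revocation_path="runbook: rotate-and-revoke", last_used=date(2025, 1, 14)),
    Identity("legacy-etl", "machine", "gcp", frozenset({"roles/owner"}), purpose="unknown",
             review_by=date(2024, 9, 1), last_used=date(2024, 8, 20)),
]
if __name__ == "__main__":
    print(certify(INVENTORY, TODAY))
```

Run against a real export, the same function gives the certification worklist: every entry is an identity that IAM provisioned correctly but that would fail an IGA review.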

What's in the full article

Bravura Security's full article covers the operational detail this post intentionally leaves for the source:

  • Platform-specific IAM and IGA distinctions across AWS, Azure, Google Cloud, and SaaS environments
  • Examples of how Bravura Identity models human and machine identities using different attribute sets
  • The article's explanation of how Zero Trust changes access revocation and certification workflows
  • A vendor-framed walkthrough of automation for provisioning, role assignment, and compliance audits

👉 Read Bravura Security's analysis of IAM, IGA, and hybrid identity risk →




(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Identity sprawl is now the primary governance failure, not a side effect of cloud growth. The article shows that IAM and IGA are no longer confined to one domain or one platform. When access is split across AWS, Azure, Google Cloud, SaaS, on-premises systems, and machine identities, the governing assumption of a bounded identity estate no longer holds. Practitioners must treat inventory and entitlement visibility as the first control, not the last report.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to the 2024 Non-Human Identity Security Report.
  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, which underscores how immature the control environment still is.

A question worth separating out:

Q: How can teams reduce identity sprawl without losing operational speed?

A: Teams should automate provisioning and revocation, but only within a governance model that also includes periodic review, ownership assignment, and exception handling. Speed without lifecycle control creates more drift, not less. The balance is fast execution with evidence that access still serves a current business purpose.

👉 Read our full editorial: IAM and IGA are converging around hybrid identity risk


