TL;DR: As cloud estates expand from a few accounts to dozens across environments, business units, and tools, visibility, compliance, and change control break down unless every change is forced through code, according to ControlMonkey. The governance problem is not account count itself but the lack of enforceable automation, resilience, and auditability across the full infrastructure lifecycle.
NHIMG editorial — based on content published by ControlMonkey: multi-account cloud governance and the limits of IaC
Questions worth separating out
Q: How should security teams govern cloud accounts when estates keep growing?
A: They should treat account growth as a control-design problem, not a provisioning problem.
Q: Why does multi-account cloud create risk even when the architecture is intentional?
A: Because account separation improves isolation only if governance keeps pace with it. Each new account adds its own change surface, and without a shared inventory and an enforced change path, drift and bypasses accumulate faster than anyone sees them.
Q: What do teams get wrong about infrastructure as code?
A: They often treat IaC as a tool purchase instead of a control boundary.
Practitioner guidance
- Measure real IaC coverage by environment: separate code-managed changes from console-driven and ticket-driven changes across dev, staging, and production, then track bypasses as governance exceptions.
- Eliminate direct-change paths for production accounts: restrict manual edits to emergency break-glass workflows with logging, review, and post-change reconciliation so the pipeline remains the default control point.
- Create a single account and resource inventory: consolidate account metadata, resource ownership, and policy state so security, compliance, and engineering teams work from the same control view.
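The first two points above, and the source article's section on detecting change paths that bypass Terraform or OpenTofu, come down to one measurable question: of the write events in each account, how many came through the pipeline? The script below is an added example, not ControlMonkey's code and not from the source article. It classifies CloudTrail events by change path using two signals together, the assumed role and the userAgent field, and then computes per-environment IaC coverage and a production bypass list. The account-to-environment map, the role names `terraform-deploy` and `break-glass`, and all sample events are constructed for the example; the exact Terraform, OpenTofu and console userAgent strings are assumptions to verify against your own trail, and the environment map would normally come from the account inventory described in the third point.

```python
"""Added example: classify CloudTrail write events by change path and compute IaC coverage."""
import json
from collections import defaultdict

# Account-to-environment map. Values are constructed for this example; in practice they come
# from the account inventory the guidance above describes.
ACCOUNT_ENV = {
    "111111111111": "dev",
    "222222222222": "staging",
    "333333333333": "prod",
}

# Role names the pipeline and the break-glass path assume. Both are assumptions for the example.
PIPELINE_ROLE = "terraform-deploy"
BREAK_GLASS_ROLE = "break-glass"


def role_name(identity):
    """Extract the role from an assumed-role ARN (arn:aws:sts::ACCT:assumed-role/ROLE/SESSION)."""
    if identity.get("type") != "AssumedRole":
        return ""
    parts = identity.get("arn", "").split("/")
    return parts[1] if len(parts) >= 2 else ""


def classify(event):
    """Return 'code', 'break-glass', 'console' or 'manual-api' for one CloudTrail event.

    Terraform and OpenTofu identify themselves in the userAgent field (assumed format below);
    the AWS console records console.amazonaws.com or "AWS Internal". A pipeline role used from
    the CLI is still a manual change, so both the role and the user agent must match for 'code'.
    """
    role = role_name(event.get("userIdentity", {}))
    ua = event.get("userAgent", "")
    if role == PIPELINE_ROLE and ("Terraform/" in ua or "OpenTofu/" in ua):
        return "code"
    if role == BREAK_GLASS_ROLE:
        return "break-glass"
    if ua.startswith(("console.amazonaws.com", "signin.amazonaws.com")) or ua == "AWS Internal":
        return "console"
    return "manual-api"


def coverage_report(events):
    """Per-environment path counts and IaC coverage over write events, plus production bypasses.

    Read-only events are skipped (CloudTrail marks them readOnly=true); they are not changes.
    Returns (report, bypasses) where report[env] = {"total", "iac_coverage", <path counts>}.
    """
    counts = defaultdict(lambda: defaultdict(int))
    bypasses = []
    for ev in events:
        if ev.get("readOnly", False):
            continue
        env = ACCOUNT_ENV.get(ev.get("recipientAccountId"), "unknown")
        path = classify(ev)
        counts[env][path] += 1
        # Console and ad-hoc API changes in production are the governance exceptions to review.
        if env == "prod" and path in ("console", "manual-api"):
            bypasses.append({
                "time": ev.get("eventTime"),
                "event": ev.get("eventName"),
                "principal": ev.get("userIdentity", {}).get("arn"),
                "path": path,
            })
    report = {}
    for env, paths in counts.items():
        total = sum(paths.values())
        report[env] = {
            "total": total,
            "iac_coverage": round(paths.get("code", 0) / total, 2) if total else 0.0,
            **paths,
        }
    return report, bypasses


# Constructed sample events in CloudTrail's field layout; not real log data.
TF_UA = "APN/1.0 HashiCorp/1.0 Terraform/1.6.2 (+https://www.terraform.io) terraform-provider-aws/5.30.0"
TOFU_UA = "OpenTofu/1.6.0 (+https://opentofu.org) terraform-provider-aws/5.30.0"
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventName": "CreateSecurityGroup", "readOnly": False,
     "recipientAccountId": "333333333333", "userAgent": TF_UA,
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::333333333333:assumed-role/terraform-deploy/ci-run-42"}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "recipientAccountId": "333333333333", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::333333333333:user/alice"}},
    {"eventTime": "2024-03-01T10:07:00Z", "eventName": "UpdateFunctionConfiguration", "readOnly": False,
     "recipientAccountId": "333333333333", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::333333333333:assumed-role/break-glass/incident-1337"}},
    {"eventTime": "2024-03-01T10:08:00Z", "eventName": "DescribeInstances", "readOnly": True,
     "recipientAccountId": "333333333333", "userAgent": TF_UA,
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::333333333333:assumed-role/terraform-deploy/ci-run-43"}},
    {"eventTime": "2024-03-01T11:00:00Z", "eventName": "CreateBucket", "readOnly": False,
     "recipientAccountId": "111111111111", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventTime": "2024-03-01T11:30:00Z", "eventName": "CreateTable", "readOnly": False,
     "recipientAccountId": "111111111111", "userAgent": TOFU_UA,
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/terraform-deploy/ci-run-44"}},
    # Pipeline role assumed by a person from the CLI: right identity, wrong path.
    {"eventTime": "2024-03-01T12:00:00Z", "eventName": "PutBucketPolicy", "readOnly": False,
     "recipientAccountId": "222222222222", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::222222222222:assumed-role/terraform-deploy/carol"}},
]

if __name__ == "__main__":
    report, bypasses = coverage_report(SAMPLE_EVENTS)
    print(json.dumps({"coverage": report, "prod_bypasses": bypasses}, indent=2))
```

On the sample data this reports production at one code-managed change out of three writes, with the console edit listed as a bypass and the break-glass change counted separately so it can be reconciled rather than treated as a silent exception. The staging event shows why the role alone is not enough: the pipeline role used interactively from the CLI is classified as a manual change. Feeding the function real trail data means pulling the events from CloudTrail Lake, Athena or an S3 export; the classification logic does not change.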
What's in the full article
ControlMonkey's full blog post covers the operational detail this post intentionally leaves for the source:
- Practical questions for assessing real IaC coverage across environments and teams
- Operational guidance on detecting manual change paths that bypass Terraform or OpenTofu
- A working model for visibility, automation, and resilience across multi-account cloud estates
- The article's own framing for reducing toil, audit friction, and production drift
👉 Read ControlMonkey's analysis of multi-account cloud governance and IaC enforcement →
Multi-account cloud sprawl: what are IAM teams missing?