TL;DR: As enterprises spread identities across AWS, Oracle Cloud, Entra ID and SaaS, fragmented administration makes toxic access combinations, orphaned permissions and weak de-provisioning far harder to detect, according to SafePaaS. Centralised policy-based access control and privileged identity management become the practical response, not optional tooling.
NHIMG editorial — based on content published by SafePaaS: multi-cloud identity management and privileged access governance
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern access across multi-cloud environments?
A: Security teams should govern multi-cloud access through a single entitlement model that spans cloud platforms, SaaS applications and identity providers.
Q: Why does identity fragmentation increase breach risk in cloud and SaaS estates?
A: Identity fragmentation increases breach risk because it hides where access actually accumulates.
Q: What breaks when de-provisioning is handled separately in each cloud?
A: When de-provisioning is handled separately in each cloud, organisations lose assurance that access is truly removed everywhere.
Practitioner guidance
- Build a unified entitlement inventory Create one authoritative view of user, privileged and service access across cloud, SaaS and ERP systems so cross-platform SoD checks can run against the full picture.
- Tie de-provisioning to every connected platform Require leaver and mover events to revoke access in all linked systems, not just the primary identity provider, and verify completion with audit evidence.
- Review toxic combinations across systems Run periodic analysis for combinations such as create-and-approve, provision-and-pay, or administer-and-consume access across separate platforms.
What's in the full article
SafePaaS's full article covers the operational detail this post intentionally leaves for the source:
- Specific examples of how Policy-Based Access Control is applied across ERP, cloud and identity stacks.
- The product's approach to automated segregation of duties monitoring across multiple systems.
- How the platform frames audit-ready evidence collection for SOX, GDPR and HIPAA reporting.
- The vendor's implementation context for privileged identity management in multi-cloud environments.
👉 Read SafePaaS's analysis of multi-cloud identity fragmentation and access governance →
Multi-cloud identity fragmentation: what IAM teams are missing?
Explore further
Identity fragmentation is a governance failure before it is a tooling problem. When access is split across cloud providers, identity providers and SaaS tools, no single team can reliably answer who has standing access, who can approve exceptions, or where toxic combinations exist. That creates blind spots in both human IAM and NHI governance. Practitioners should treat fragmented visibility as an architectural defect, not an operations issue.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Which frameworks apply to multi-cloud identity governance and privileged access?
A: NIST Cybersecurity Framework 2.0, Zero Trust Architecture and NHI governance guidance all apply when access spans multiple platforms. They help teams structure visibility, least privilege and continuous verification across users, privileged roles and non-human identities. The practical test is whether governance still works when identities move outside a single cloud boundary.
👉 Read our full editorial: Multi-cloud identity fragmentation is exposing access governance gaps