Privileged MFA gaps in cloud estates: what IAM teams need now


(@unosecur)
Reputable Member
Joined: 1 year ago
Posts: 155
Topic starter  

TL;DR: 94% of organisations had at least one high-severity identity control gap, with 68% failing privileged-account multifactor authentication and four recurring gap families driving 70% of findings, according to Unosecur’s Cloud Compliance Pulse H1 2025. The scale of exposure shows why cloud identity governance now has audit, insurance, and breach implications beyond traditional access reviews.

NHIMG editorial — based on content published by Unosecur: Cloud Compliance Pulse H1 2025

By the numbers:

Questions worth separating out

Q: How should security teams reduce cloud identity risk without overcomplicating access management?

A: Start with the controls that remove the most exposure first: privileged MFA, short-lived access, and a complete inventory of service-account secrets.

Q: Why do stale credentials and unmanaged service-account keys matter so much in cloud environments?

A: They matter because they create invisible, durable access that may outlive the people or systems that created it.

Q: What breaks when privileged roles remain permanent instead of time-bound?

A: Permanent privileged roles break containment.

Practitioner guidance

  • Measure privileged MFA coverage monthly: Track the percentage of privileged identities protected by multifactor authentication across cloud tenants, then investigate every exception by owner, platform, and role type.
  • Inventory access keys by age and ownership: Build a living register for service-account secrets that includes creation date, last use, business owner, and rotation status so dormant credentials can be retired before review cycles.
  • Replace permanent admin roles with elevation paths: Shift standing administrator access to just-in-time elevation for tasks that truly require it, and require a separate approval or control point for high-risk actions.
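The first two guidance items above amount to two recurring computations: privileged MFA coverage with its exception list, and a key register scan for dormant, overdue, or unowned secrets. The script below is an added example (not Unosecur's code and not from the report); the inventory records, the 90-day dormancy and 365-day rotation thresholds, and the field names are constructed assumptions to show the shape of the check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Fixed "as of" date so the example is reproducible (assumption, not from the report).
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)   # assumed threshold for "dormant" keys
ROTATE_AFTER = timedelta(days=365)   # assumed maximum key age without rotation

@dataclass
class Identity:
    name: str; platform: str; role_type: str; owner: str; privileged: bool; mfa: bool

@dataclass
class AccessKey:
    key_id: str; owner: str; created: datetime; last_used: Optional[datetime]; rotated: bool

def mfa_coverage(ids: List[Identity]) -> Tuple[float, list]:
    """Return (% of privileged identities with MFA, exceptions as (name, owner, platform, role))."""
    priv = [i for i in ids if i.privileged]
    covered = sum(1 for i in priv if i.mfa)
    pct = round(100.0 * covered / len(priv), 1) if priv else 100.0
    exceptions = [(i.name, i.owner, i.platform, i.role_type) for i in priv if not i.mfa]
    return pct, exceptions

def stale_keys(keys: List[AccessKey], now: datetime = NOW) -> list:
    """Flag keys that are dormant, overdue for rotation, or lack a business owner."""
    findings = []
    for k in keys:
        reasons = []
        if k.last_used is None or now - k.last_used > DORMANT_AFTER:
            reasons.append("dormant")
        if now - k.created > ROTATE_AFTER and not k.rotated:
            reasons.append("overdue-rotation")
        if not k.owner:
            reasons.append("no-owner")
        if reasons:
            findings.append((k.key_id, reasons))
    return findings

# Constructed sample inventory; names and key ids are placeholders.
IDENTITIES = [
    Identity("alice-admin", "aws", "org-admin", "platform-team", True, True),
    Identity("bob-breakglass", "azure", "global-admin", "it-ops", True, False),
    Identity("ci-deployer", "gcp", "project-owner", "release-eng", True, True),
    Identity("dana", "aws", "read-only", "finance", False, False),
]
KEYS = [
    AccessKey("KEY-EXAMPLE-1", "release-eng", NOW - timedelta(days=30), NOW - timedelta(days=2), False),
    AccessKey("KEY-EXAMPLE-2", "", NOW - timedelta(days=400), None, False),
    AccessKey("KEY-EXAMPLE-3", "data-team", NOW - timedelta(days=500), NOW - timedelta(days=10), True),
]

if __name__ == "__main__":
    print(mfa_coverage(IDENTITIES))   # (66.7, [('bob-breakglass', 'it-ops', 'azure', 'global-admin')])
    print(stale_keys(KEYS))           # [('KEY-EXAMPLE-2', ['dormant', 'overdue-rotation', 'no-owner'])]
```

Run monthly against an export of your tenants' identities and keys, the exceptions list is the per-owner follow-up queue the guidance describes.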

What's in the full report

Unosecur's full report covers the operational detail this post intentionally leaves for the source:

  • The full control-by-control benchmark across ISO 27001/27002, PCI DSS v4, SOC 2, CIS v8, and GDPR mappings.
  • The stratified sample methodology and margin-of-error notes behind the H1 2025 cloud estate results.
  • The sector-specific remediation playbooks that map the four recurring gap families to board-level risk dashboards.
  • The incident-response and insurance implications of privileged MFA and key-rotation failures across cloud tenants.

Read Unosecur's Cloud Compliance Pulse H1 2025 findings.
