TL;DR: 94% of organisations had at least one high-severity identity control gap, with 68% failing privileged-account multifactor authentication and four recurring gap families driving 70% of findings, according to Unosecur’s Cloud Compliance Pulse H1 2025. The scale of exposure shows why cloud identity governance now has audit, insurance, and breach implications beyond traditional access reviews.
NHIMG editorial — based on content published by Unosecur: Cloud Compliance Pulse H1 2025
By the numbers:
- 94% of participating organisations exhibited at least one high-severity gap.
- 68% of tenants failed this control.
- Four recurring gap families together accounted for 70% of all high-severity findings.
Questions worth separating out
Q: How should security teams reduce cloud identity risk without overcomplicating access management?
A: Start with the controls that remove the most exposure first: privileged MFA, short-lived access, and a complete inventory of service-account secrets.
Q: Why do stale credentials and unmanaged service-account keys matter so much in cloud environments?
A: They matter because they create invisible, durable access that may outlive the people or systems that created it.
Q: What breaks when privileged roles remain permanent instead of time-bound?
A: Permanent privileged roles break containment.
Practitioner guidance
- Measure privileged MFA coverage monthly Track the percentage of privileged identities protected by multifactor authentication across cloud tenants, then investigate every exception by owner, platform, and role type.
- Inventory access keys by age and ownership Build a living register for service-account secrets that includes creation date, last use, business owner, and rotation status so dormant credentials can be retired before review cycles.
- Replace permanent admin roles with elevation paths Shift standing administrator access to just-in-time elevation for tasks that truly require it, and require a separate approval or control point for high-risk actions.
What's in the full report
Unosecur's full report covers the operational detail this post intentionally leaves for the source:
- The full control-by-control benchmark across ISO 27001/27002, PCI DSS v4, SOC 2, CIS v8, and GDPR mappings.
- The stratified sample methodology and margin-of-error notes behind the H1 2025 cloud estate results.
- The sector-specific remediation playbooks that map the four recurring gap families to board-level risk dashboards.
- The incident-response and insurance implications of privileged MFA and key-rotation failures across cloud tenants.
👉 Read Unosecur's Cloud Compliance Pulse H1 2025 findings →
Privileged MFA gaps in cloud estates: what IAM teams need now?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Cloud identity governance is still failing at the level of basic trust assumptions, not just implementation quality. A programme that cannot keep privileged MFA, key age, and role scope under control is not dealing with edge cases. It is showing that cloud identity is being treated as durable access rather than continuously governed risk. The practitioner takeaway is that audit evidence, incident exposure, and lifecycle hygiene now need to be managed as one control plane.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, according to the same Astrix Security & CSA report.
A question worth separating out:
Q: Who is accountable when cloud identity gaps lead to audit findings or breaches?
A: Accountability sits with the team that owns the identity control plane, not only the application or cloud platform owner. Security, IAM, and cloud operations must share responsibility for MFA coverage, key rotation, and privilege scope, because these failures cross technical and governance boundaries.
👉 Read our full editorial: Cloud compliance pulse shows privileged MFA gaps are still widespread