Multi-cloud cloud security gaps: what IAM teams need to know


(@nhi-mgmt-group)

TL;DR: 55% of organisations use two or more cloud providers, 84% use AI in the cloud, and 62% have at least one vulnerable AI package, while nearly a third of cloud assets remain neglected or unpatched, according to Orca Security’s 2025 State of Cloud Security Report. The real constraint is not visibility alone but identity, privilege, and lifecycle control across expanding cloud estates.

NHIMG editorial — based on content published by Orca Security: 2025 State of Cloud Security Report

By the numbers:

Questions worth separating out

Q: How should security teams govern access across multi-cloud environments?

A: Security teams should govern multi-cloud access as one entitlement problem, not as separate provider issues.

Q: Why do cloud environments create more identity risk than on-premises systems?

A: Cloud environments create more identity risk because resources are more dynamic, access paths are more interconnected, and privilege can spread across providers quickly.

Q: What do teams get wrong about least privilege in cloud security?

A: Teams often treat least privilege as a provisioning exercise instead of an ongoing control.

Practitioner guidance

  • Baseline cloud identities by effective privilege: Inventory human users, service accounts, workload identities, and AI-related access together, then compare assigned permissions with actual runtime usage across cloud providers.
  • Enforce expiry on elevated access: Require JIT access for privileged cloud tasks, with time-bounded approvals, session logging, and explicit revocation at completion.
  • Prioritise the assets on the shortest attack paths: Use attack-path analysis to identify the cloud assets that connect directly to crown jewels, then remediate those first rather than chasing raw vulnerability volume.

What's in the full article

Orca Security’s full article covers the operational detail this post intentionally leaves for the source:

  • The report’s full breakdown of cloud security categories, including how CNAPP, CSPM, CIEM, CDR, and DLP differ in practice.
  • The article’s implementation examples for JIT access, least privilege, and runtime prioritisation across cloud environments.
  • The vendor’s explanation of cloud security challenges such as shadow IT, multi-tenancy, and lack of visibility in dynamic estates.
  • The broader market framing around AI-driven cloud security and where the source expects tooling to evolve next.

👉 Read Orca Security’s 2025 State of Cloud Security Report →
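
The first two practitioner guidance items above (comparing assigned permissions with runtime usage across providers, and enforcing expiry on elevated access) can be sketched as follows. This is an added example, not code from this post or from Orca Security's report; the inventory, usage and grant records, the 90-day usage window and the function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is repeatable

# Constructed sample inventory: (provider, identity, kind, permission)
ASSIGNED = [
    ("aws",   "svc-build",  "service_account",   "s3:GetObject"),
    ("aws",   "svc-build",  "service_account",   "iam:PassRole"),
    ("azure", "alice",      "human",             "Microsoft.Storage/storageAccounts/read"),
    ("gcp",   "ml-trainer", "workload_identity", "storage.objects.get"),
    ("gcp",   "ml-trainer", "workload_identity", "iam.serviceAccounts.actAs"),
]
# Constructed runtime usage from audit logs: (provider, identity, permission, last_used)
USAGE = [
    ("aws",   "svc-build",  "s3:GetObject", NOW - timedelta(days=2)),
    ("aws",   "svc-build",  "iam:PassRole", NOW - timedelta(days=200)),
    ("azure", "alice",      "Microsoft.Storage/storageAccounts/read", NOW - timedelta(days=10)),
    ("gcp",   "ml-trainer", "storage.objects.get", NOW - timedelta(days=1)),
]
# Constructed JIT grants: (provider, identity, permission, expires_at, revoked)
JIT_GRANTS = [
    ("aws",   "alice", "iam:CreateAccessKey", NOW - timedelta(hours=3), False),
    ("azure", "bob",   "Microsoft.Authorization/roleAssignments/write", NOW + timedelta(hours=1), False),
    ("gcp",   "carol", "iam.serviceAccounts.actAs", NOW - timedelta(days=1), True),
]

def unused_entitlements(assigned, usage, now, window_days=90):
    """Return {(provider, identity): [permissions assigned but not used within the window]}."""
    cutoff = now - timedelta(days=window_days)
    recent = {(p, i, perm) for p, i, perm, last in usage if last >= cutoff}
    gaps = defaultdict(list)
    for provider, identity, _kind, perm in assigned:
        if (provider, identity, perm) not in recent:
            gaps[(provider, identity)].append(perm)
    return {k: sorted(v) for k, v in gaps.items()}

def overdue_jit_grants(grants, now):
    """Return grants that passed expiry without an explicit revocation."""
    return [(p, i, perm) for p, i, perm, expires, revoked in grants
            if expires <= now and not revoked]

if __name__ == "__main__":
    for key, perms in unused_entitlements(ASSIGNED, USAGE, NOW).items():
        print("unused:", key, perms)
    print("overdue JIT:", overdue_jit_grants(JIT_GRANTS, NOW))
```

Keying every record on (provider, identity) puts human, service and workload identities from all three providers into one report, so a stale or never-used privileged permission is flagged the same way wherever it lives.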
