TL;DR: 55% of organisations use two or more cloud providers, 84% use AI in the cloud, and 62% have at least one vulnerable AI package, while nearly a third of cloud assets remain neglected or unpatched, according to Orca Security’s 2025 State of Cloud Security Report. The real constraint is not visibility alone but identity, privilege, and lifecycle control across expanding cloud estates.
NHIMG editorial — based on content published by Orca Security: 2025 State of Cloud Security Report
By the numbers:
Questions worth separating out
Q: How should security teams govern access across multi-cloud environments?
A: Security teams should govern multi-cloud access as one entitlement problem, not as separate provider issues.
Q: Why do cloud environments create more identity risk than on-premises systems?
A: Cloud environments create more identity risk because resources are more dynamic, access paths are more interconnected, and privilege can spread across providers quickly.
Q: What do teams get wrong about least privilege in cloud security?
A: Teams often treat least privilege as a provisioning exercise instead of an ongoing control.
Practitioner guidance
- Baseline cloud identities by effective privilege. Inventory human users, service accounts, workload identities, and AI-related access together, then compare assigned permissions with actual runtime usage across cloud providers.
- Enforce expiry on elevated access. Require JIT access for privileged cloud tasks, with time-bounded approvals, session logging, and explicit revocation at completion.
- Prioritise the assets on the shortest attack paths. Use attack-path analysis to identify the cloud assets that connect directly to crown jewels, then remediate those first rather than chasing raw vulnerability volume.
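The first two guidance items above, as an added example that is not part of the editorial or of Orca Security's report: a small script that baselines identities of every kind across three providers by diffing assigned permissions against observed runtime usage, and that flags JIT grants whose window has elapsed without revocation. The identities, permission strings, usage events and grants are all constructed sample data; the action names follow each provider's own naming but the inventory itself is invented.

```python
"""Effective-privilege baseline and JIT-expiry check across cloud providers.

Added example with constructed data; not Orca Security's code or the report's figures.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed inventory: every identity kind in one list, each with the
# permissions it has been granted, using each provider's own action names.
IDENTITIES = [
    {"id": "alice", "provider": "aws", "kind": "human",
     "assigned": {"s3:GetObject", "s3:PutObject", "iam:CreateUser", "iam:PassRole"}},
    {"id": "build-sa", "provider": "gcp", "kind": "service_account",
     "assigned": {"storage.objects.get", "storage.objects.create",
                  "iam.serviceAccountKeys.create"}},
    {"id": "inference-pod", "provider": "azure", "kind": "ai_workload",
     "assigned": {"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                  "Microsoft.KeyVault/vaults/secrets/read"}},
]

# Constructed runtime usage: (identity, action) pairs as they would be
# extracted from CloudTrail, Cloud Audit Logs or Activity Log events.
USAGE = [
    ("alice", "s3:GetObject"),
    ("alice", "s3:GetObject"),
    ("build-sa", "storage.objects.get"),
    ("build-sa", "storage.objects.create"),
    ("inference-pod",
     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"),
]

# Constructed JIT grants for elevated access. approved_at is UTC; a grant is
# healthy only if it was revoked, or is still inside its approved window.
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
JIT_GRANTS = [
    {"grant_id": "g-1", "identity": "alice", "role": "aws:AdministratorAccess",
     "approved_at": datetime(2025, 6, 1, 10, 0, tzinfo=timezone.utc),
     "ttl_minutes": 60, "revoked_at": None},
    {"grant_id": "g-2", "identity": "build-sa", "role": "gcp:roles/owner",
     "approved_at": datetime(2025, 6, 1, 11, 30, tzinfo=timezone.utc),
     "ttl_minutes": 60, "revoked_at": None},
    {"grant_id": "g-3", "identity": "alice", "role": "azure:Owner",
     "approved_at": datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc),
     "ttl_minutes": 30,
     "revoked_at": datetime(2025, 6, 1, 9, 25, tzinfo=timezone.utc)},
]


def used_permissions(usage):
    """Collapse observed calls into the set of actions each identity used."""
    used = defaultdict(set)
    for identity, action in usage:
        used[identity].add(action)
    return used


def unused_privilege(identities, usage):
    """Assigned minus used, per identity, regardless of provider."""
    used = used_permissions(usage)
    return {i["id"]: sorted(i["assigned"] - used.get(i["id"], set()))
            for i in identities}


def overdue_grants(grants, now):
    """Elevated grants whose window has elapsed without revocation."""
    overdue = []
    for g in grants:
        expires_at = g["approved_at"] + timedelta(minutes=g["ttl_minutes"])
        if g["revoked_at"] is None and now >= expires_at:
            overdue.append((g["grant_id"], g["identity"], g["role"],
                            int((now - expires_at).total_seconds() // 60)))
    return overdue


if __name__ == "__main__":
    for identity, unused in unused_privilege(IDENTITIES, USAGE).items():
        print(f"{identity}: {len(unused)} unused permission(s): {unused}")
    for grant_id, identity, role, minutes in overdue_grants(JIT_GRANTS, NOW):
        print(f"{grant_id}: {identity} still holds {role}, {minutes} min past expiry")
```

The point of putting all identity kinds in one inventory is that the diff is provider-agnostic: `iam:PassRole` on AWS and `iam.serviceAccountKeys.create` on GCP both surface as unused, high-impact rights in the same report. The overdue check is the part that turns least privilege from a provisioning step into a running control; in practice `NOW` is the wall clock and the grant list comes from the JIT tool's own store.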
What's in the full article
Orca Security’s full article covers the operational detail this post intentionally leaves for the source:
- The report’s full breakdown of cloud security categories, including how CNAPP, CSPM, CIEM, CDR, and DLP differ in practice.
- The article’s implementation examples for JIT access, least privilege, and runtime prioritisation across cloud environments.
- The vendor’s explanation of cloud security challenges such as shadow IT, multi-tenancy, and lack of visibility in dynamic estates.
- The broader market framing around AI-driven cloud security and where the source expects tooling to evolve next.
👉 Read Orca Security’s 2025 State of Cloud Security Report →
Multi-cloud security gaps: what IAM teams need to know
Explore further
Cloud security is now an identity governance problem, not just a posture problem. The report shows that cloud estates are spreading across providers, AI workloads, and ephemeral resources faster than access governance can keep up. That means the real control gap is not only misconfiguration detection but whether IAM, NHI, and lifecycle controls can still answer who or what should have access at any moment. Practitioners should treat cloud security as a cross-domain identity discipline, not a siloed operations task.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
A question worth separating out:
Q: How do organisations reduce attack paths in cloud security?
A: Organisations reduce attack paths by identifying the cloud assets and identities that connect directly to high-value data or control-plane functions, then removing unnecessary privilege and exposure first. This is more effective than broad remediation because it targets the routes most likely to produce real impact.
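The attack-path reduction described in this answer, and in the third practitioner guidance item earlier on the page, as an added example that is not part of the editorial or of Orca Security's report: a breadth-first search over a constructed asset-and-identity graph that finds the shortest routes from an internet entry point to the crown jewels, then ranks findings by how close their asset sits to a crown jewel rather than by CVSS alone. The graph, the relations on its edges, the crown-jewel set and the CVSS scores are all invented for illustration.

```python
"""Attack-path prioritisation over a constructed cloud asset graph.

Added example; the graph, findings and scores are constructed, not from the report.
"""
from collections import deque
from math import inf

# Constructed directed edges: (source, target, relation). An edge means the
# source can reach or act as the target (network exposure, role assumption,
# credentials present on a host, or a data-plane read).
EDGES = [
    ("internet", "web-vm", "exposed"),
    ("web-vm", "web-role", "assumes"),
    ("web-role", "customer-db", "reads"),
    ("web-role", "ci-sa", "impersonates"),
    ("ci-sa", "secrets-vault", "reads"),
    ("internet", "bastion", "exposed"),
    ("bastion", "admin-user", "creds_on_host"),
    ("admin-user", "secrets-vault", "reads"),
    ("build-runner", "artifact-bucket", "writes"),
]
CROWN_JEWELS = {"customer-db", "secrets-vault"}

# Constructed findings: highest CVSS base score per asset. build-runner has
# the worst score but no route from the entry point to a crown jewel.
FINDINGS = {"web-vm": 7.5, "bastion": 6.1, "ci-sa": 5.3, "build-runner": 9.8}


def build_graph(edges):
    """Adjacency lists; lists keep traversal order deterministic."""
    graph = {}
    for src, dst, _relation in edges:
        graph.setdefault(src, [])
        graph.setdefault(dst, [])
        if dst not in graph[src]:
            graph[src].append(dst)
    return graph


def bfs_distances(graph, start):
    """Hop count from start to every reachable node."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def hops_to_jewel(graph, node, jewels):
    """Fewest hops from node to any crown jewel, or None if none is reachable."""
    dist = bfs_distances(graph, node)
    reachable = [dist[j] for j in jewels if j in dist]
    return min(reachable) if reachable else None


def shortest_attack_paths(graph, entry, jewels):
    """Shortest path from entry to each reachable crown jewel (parent-pointer BFS)."""
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    paths = {}
    for jewel in jewels:
        if jewel not in parent:
            continue
        path, cur = [], jewel
        while cur is not None:
            path.append(cur)
            cur = parent[cur]
        paths[jewel] = path[::-1]
    return paths


def prioritise(edges, entry, jewels, findings):
    """Rank findings: on an entry-to-jewel path first, fewest hops to a jewel, then CVSS."""
    graph = build_graph(edges)
    from_entry = bfs_distances(graph, entry)
    rows = []
    for asset, cvss in findings.items():
        hops = hops_to_jewel(graph, asset, jewels)
        on_path = asset in from_entry and hops is not None
        rows.append({"asset": asset, "cvss": cvss, "exposed": asset in from_entry,
                     "hops_to_jewel": hops, "on_path": on_path})
    rows.sort(key=lambda r: (not r["on_path"],
                             r["hops_to_jewel"] if r["hops_to_jewel"] is not None else inf,
                             -r["cvss"]))
    return rows


if __name__ == "__main__":
    for jewel, path in shortest_attack_paths(build_graph(EDGES), "internet", CROWN_JEWELS).items():
        print(f"{jewel}: {' -> '.join(path)}")
    for row in prioritise(EDGES, "internet", CROWN_JEWELS, FINDINGS):
        print(row)
```

With this data the 5.3 finding on `ci-sa` ranks first because that identity reads the vault directly, while the 9.8 on `build-runner` ranks last because nothing reachable from the entry point leads through it to a crown jewel. Real inputs would come from the provider's resource graph and entitlement data; the ranking logic stays the same.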
👉 Read our full editorial: Cloud security is exposing identity gaps across multi-cloud estates