NHI Forum
Read full article here: https://www.p0.dev/blog/access-granted-the-future-of-identity-in-the-cloud/?source=nhimg
This is P0 Security's first in a series of articles on identity and access in the cloud era. We’re at a turning point, one where organizations aren’t just upgrading a tool, they’re being handed a rare chance to rethink how identity should work in a world dominated by machines, APIs, and multi-cloud environments.
Identity Is the New Perimeter
The firewall is no longer your first line of defense; identity is. And attackers aren’t just targeting human accounts anymore. They’re exploiting every container, service, bot, and background task that requests access, often thousands of times a day.
Every breach headline you read? Almost all of them begin with compromised credentials or excessive permissions. The real issue? Most organizations don’t even know who (or what) has access to what. When every microservice, script, and test environment can spin up access to production data, you’re playing defense against an invisible opponent.
As the Cloud Security Alliance warns:
“IAM platforms are increasingly fragmented across IaaS, PaaS, and SaaS ecosystems, resulting in inconsistent access policies and gaps in oversight.”
– CSA, Top IAM Priorities for 2025
That fragmentation is exactly what makes identity such a massive risk and why it’s time to stop managing identity and start mastering it.
The Cloud Changed Everything—So Should Your Identity Strategy
During my time at Splunk, I watched cloud adoption force every part of the security stack to evolve, except identity. We kept duct-taping legacy IAM, PAM, IGA, and CIEM together, assuming “more tools” equaled better control. But cloud identity isn’t just “identity, but in the cloud.” It’s fundamentally different.
You’re not managing a few hundred employees with badge access anymore. You’re managing thousands of non-human identities—workloads, bots, pipelines, containers, each with potential access to sensitive data across multiple clouds, spinning up and down in real time.
Many CISOs will tell you: “We have a solid IAM program… except for the bots, the functions, the engineers with standing admin rights, and the third-party pipelines.” Those aren’t exceptions. Those are blind spots waiting to be exploited.
A Rare Opportunity
The recent sunsetting of Microsoft Entra Permissions Management is more than just product news—it’s a signal. The legacy identity stack is cracking under the weight of cloud.
And if your response is to “swap in another acronym,” you’re missing the bigger picture. This isn’t about buying another tool. It’s about recognizing that identity is the new perimeter—and that perimeter now includes every service, workload, and automation bot.
This is the opportunity to pause, reset, and reimagine how identity should actually work in an API-first, multi-cloud world. Instead of carrying four different compasses—IAM, PAM, IGA, CIEM—all pointing in slightly different directions, you can finally consolidate, simplify, and take control.
Four Pillars of Cloud-Native Identity
A modern cloud identity platform isn’t about adding another acronym. It must do four things—things no single legacy tool was built to do:
- Discover and monitor every identity across clouds (human, machine, ephemeral, permanent).
- Prioritize and reduce risk in real time by exposing toxic combinations, over-privileged accounts, and unused credentials.
- Automate access orchestration (just-in-time access, credential rotation, auto-deprovisioning) without slowing down developers.
- Enforce unified governance across IAM, PAM, and IGA with continuous compliance evidence.
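To make the first two pillars concrete, here is an added example (not code from the article or from P0 Security) that runs the discovery and risk-triage logic over a small constructed inventory of human and machine identities across two clouds. The identity records, the permission strings, and the three rules (idle or never-used credentials, standing wildcard admin, and the "toxic combination" of a privilege-granting action held together with sensitive-data read access) are all hypothetical simplifications chosen for illustration; a real platform would pull this inventory from each cloud's IAM and access logs.

```python
"""Identity-risk triage over a constructed multi-cloud identity inventory.

Assumptions (hypothetical, not from the article): permissions are flat
action strings in cloud-native notation, "*" means full admin, and the
rules below are minimal workable definitions of the findings the article
names: unused credentials, over-privileged accounts, toxic combinations.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                      # "human" or "machine"
    cloud: str                     # "aws", "gcp", ...
    permissions: frozenset         # granted actions; "*" = full admin
    last_used: Optional[datetime]  # None = credential never exercised
    standing: bool = True          # True = permanent grant, False = JIT-issued


# Hypothetical action classification used by the rules.
ADMIN_WILDCARD = "*"
PRIVILEGE_GRANTING = frozenset({"iam:PassRole", "iam:AttachRolePolicy",
                                "iam:CreatePolicyVersion", "iam.roles.update"})
SENSITIVE_DATA = frozenset({"s3:GetObject", "storage.objects.get",
                            "secretsmanager:GetSecretValue"})

# Fixed "now" so the example is deterministic.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample inventory (not real accounts or roles).
INVENTORY: List[Identity] = [
    Identity("alice@example.com", "human", "aws", frozenset({"*"}),
             NOW - timedelta(days=1), standing=True),            # standing admin
    Identity("ci-deploy-role", "machine", "aws",
             frozenset({"iam:PassRole", "s3:GetObject", "lambda:UpdateFunctionCode"}),
             NOW - timedelta(days=2)),                           # toxic combo
    Identity("nightly-report-sa", "machine", "gcp", frozenset({"storage.objects.get"}),
             NOW - timedelta(days=200)),                         # idle credential
    Identity("legacy-backup-key", "machine", "aws", frozenset({"s3:GetObject"}),
             None),                                              # never used
    Identity("bob@example.com", "human", "aws", frozenset({"*"}),
             NOW - timedelta(hours=3), standing=False),          # JIT admin, expires
    Identity("web-frontend-sa", "machine", "gcp", frozenset({"storage.objects.get"}),
             NOW - timedelta(minutes=5)),                        # healthy
]


def is_admin(ident: Identity) -> bool:
    return ADMIN_WILDCARD in ident.permissions


def find_unused(inventory: List[Identity], now: datetime = NOW,
                max_idle: timedelta = timedelta(days=90)) -> List[str]:
    """Unused credentials: never exercised, or idle longer than max_idle."""
    return sorted(i.name for i in inventory
                  if i.last_used is None or now - i.last_used > max_idle)


def find_over_privileged(inventory: List[Identity]) -> List[str]:
    """Standing wildcard admin, human or machine. A JIT-issued admin grant is
    not flagged because it expires on its own, which is the target state."""
    return sorted(i.name for i in inventory if is_admin(i) and i.standing)


def find_toxic_combinations(inventory: List[Identity]) -> List[str]:
    """One identity that can both widen its own access (privilege-granting
    action) and read sensitive data. Wildcard admins satisfy this trivially
    but are already reported as over-privileged, so they are skipped here."""
    return sorted(i.name for i in inventory
                  if not is_admin(i)
                  and i.permissions & PRIVILEGE_GRANTING
                  and i.permissions & SENSITIVE_DATA)


def summarize(inventory: List[Identity], now: datetime = NOW) -> dict:
    """Discovery view (counts per cloud and kind) plus the three findings."""
    counts: Dict[Tuple[str, str], int] = {}
    for i in inventory:
        key = (i.cloud, i.kind)
        counts[key] = counts.get(key, 0) + 1
    return {
        "counts": counts,
        "unused": find_unused(inventory, now),
        "over_privileged": find_over_privileged(inventory),
        "toxic": find_toxic_combinations(inventory),
    }


if __name__ == "__main__":
    report = summarize(INVENTORY)
    for (cloud, kind), n in sorted(report["counts"].items()):
        print(f"{cloud}/{kind}: {n} identities")
    for finding in ("unused", "over_privileged", "toxic"):
        print(f"{finding}: {report[finding]}")
```

Running it prints the per-cloud inventory and three short lists: the idle and never-used keys (candidates for auto-deprovisioning), the one standing admin (a candidate for conversion to just-in-time access, which is why the JIT-issued admin is deliberately not flagged), and the pipeline role whose PassRole plus data-read pairing is the kind of combination no single per-cloud IAM view surfaces on its own.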
The Moment to Rethink
This isn’t just another upgrade cycle. It’s a reset button. You can eliminate silos, clean up access, reduce risk, and simplify operations all at once.
Access should be granted but only to the right things, at the right time, for the right reasons. That starts with rethinking identity from the cloud down.