TL;DR: Sonrai Security says 92% of sensitive cloud permissions in enterprise estates went unused for more than 90 days, with 87% of that inactive access tied to machine identities. That unused privilege expands blast radius, audit exposure, and remediation overhead faster than legacy PAM or visibility tooling can contain it.
NHIMG editorial — based on content published by Sonrai Security: Why 92% of Cloud Permissions Are Never Used, and What That Costs You
By the numbers:
- Sonrai Security says 92% of all identities with access to sensitive permissions did not use them over 90 days.
- Sonrai Security says 87% of that inactive access was tied to machine identities.
- The global average cost of a data breach was $4.44 million in 2025, according to IBM.
Questions worth separating out
Q: How should security teams reduce unused cloud permissions without breaking workloads?
A: Start by identifying permissions that have not been used over a meaningful window, then quarantine them rather than deleting identities outright.
Q: Why do non-human identities accumulate more unused privilege than human users?
A: Non-human identities are often created quickly for pipelines, integrations, and vendors, then left behind after the original work changes.
Q: What breaks when just-in-time access is applied only to users and not permissions?
A: The permission surface stays standing even if the login path is gated. The role or policy still carries every entitlement it had before, so any credential that reaches it by another route (a leaked access key, a stolen session token, an assume-role chain) inherits the full set without ever passing through the gate.
Practitioner guidance
- Inventory sensitive permissions by actual use: correlate cloud entitlement data with 90-day usage history (last-accessed records per identity and action) so you can separate active privilege from standing residue.
- Quarantine unused access before deleting identities: strip the dormant permissions through policy while preserving the identity object, so nothing that still authenticates as that identity breaks, then route any legitimate break-glass request through an approval workflow.
- Move JIT controls to the permission layer: grant sensitive capabilities only for the duration of a task, then revoke them automatically when the task closes, rather than gating only the login.
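The three steps above as one worked example. This is an added illustration, not Sonrai Security's code or a description of its product: it joins a constructed entitlement inventory with last-used timestamps, flags sensitive grants unused for 90 days, emits an IAM-style explicit-Deny quarantine document per identity (the identity and its existing policies stay in place), reports the dormancy metrics a programme would track, and models time-boxed JIT grants at the permission layer. The identity names, actions, timestamps and ticket reference are all constructed sample data.

```python
"""Added example (not Sonrai's code): correlate entitlements with 90-day usage,
quarantine dormant sensitive actions without deleting the identity, and model
permission-layer JIT grants. All identities, actions and dates are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=90)


@dataclass(frozen=True)
class Grant:
    identity: str
    kind: str                   # "human" or "machine"
    permission: str             # IAM-style action, e.g. "iam:PassRole"
    sensitive: bool
    last_used: datetime | None  # None: never observed in the usage history


@dataclass(frozen=True)
class JitGrant:
    identity: str
    permission: str
    ticket: str                 # approval reference from the break-glass workflow
    expires_at: datetime


def dormant_grants(grants, now, window=WINDOW):
    """Sensitive grants with no use inside the window. A grant with no usage
    record at all counts as dormant; make sure the usage source really reports
    that action before acting on it (many sources are service-level only)."""
    cutoff = now - window
    return [g for g in grants
            if g.sensitive and (g.last_used is None or g.last_used <= cutoff)]


def quarantine_policies(dormant):
    """One explicit-Deny document per identity. Deny overrides Allow in IAM
    evaluation, so attaching it removes standing capability while the identity
    object and its original policies survive for later review."""
    actions_by_identity = {}
    for g in dormant:
        actions_by_identity.setdefault(g.identity, set()).add(g.permission)
    return {
        identity: {"Version": "2012-10-17",
                   "Statement": [{"Sid": "QuarantineDormantSensitive",
                                  "Effect": "Deny",
                                  "Action": sorted(actions),
                                  "Resource": "*"}]}
        for identity, actions in actions_by_identity.items()
    }


def dormancy_metrics(grants, now, window=WINDOW):
    """Programme-level signals: share of sensitive grants that are dormant and
    how much of that dormancy belongs to machine identities."""
    def pct(part, whole):
        return round(100.0 * part / whole, 1) if whole else 0.0
    sensitive = [g for g in grants if g.sensitive]
    dormant = dormant_grants(grants, now, window)
    machine = [g for g in dormant if g.kind == "machine"]
    return {"sensitive_grants": len(sensitive),
            "dormant_grants": len(dormant),
            "dormant_pct": pct(len(dormant), len(sensitive)),
            "dormant_machine_pct": pct(len(machine), len(dormant))}


def effective_permissions(grants, policies, jit, identity, now):
    """Standing allows minus quarantined actions, plus JIT grants inside their
    TTL. Expired grants fall away with no revocation step to forget. Assumption:
    the JIT workflow also carves the action out of the Deny for the TTL, since
    in a real IAM evaluation Deny would otherwise still win."""
    standing = {g.permission for g in grants if g.identity == identity}
    denied = set()
    for stmt in policies.get(identity, {}).get("Statement", []):
        if stmt["Effect"] == "Deny":
            denied.update(stmt["Action"])
    live = {j.permission for j in jit
            if j.identity == identity and j.expires_at > now}
    return (standing - denied) | live


def demo():
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    def d(days):
        return now - timedelta(days=days)
    grants = [  # constructed inventory already joined with last-used data
        Grant("alice", "human", "s3:GetObject", False, d(5)),
        Grant("alice", "human", "iam:PassRole", True, d(10)),
        Grant("alice", "human", "secretsmanager:GetSecretValue", True, d(100)),
        Grant("ci-deploy", "machine", "ecr:GetAuthorizationToken", False, d(1)),
        Grant("ci-deploy", "machine", "iam:PassRole", True, d(120)),
        Grant("ci-deploy", "machine", "kms:Decrypt", True, None),
        Grant("vendor-sync", "machine", "s3:DeleteObject", True, None),
    ]
    policies = quarantine_policies(dormant_grants(grants, now))
    # Break-glass: ci-deploy needs iam:PassRole for one hour under an approved ticket.
    jit = [JitGrant("ci-deploy", "iam:PassRole", "CHG-1234", now + timedelta(hours=1))]
    return {
        "metrics": dormancy_metrics(grants, now),
        "quarantined": {k: v["Statement"][0]["Action"] for k, v in policies.items()},
        "ci_deploy_now": effective_permissions(grants, policies, jit, "ci-deploy", now),
        "ci_deploy_later": effective_permissions(grants, policies, jit, "ci-deploy",
                                                 now + timedelta(hours=2)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats a practitioner would apply before running this against a real estate. First, the usage source decides what "unused" means: in AWS, for instance, IAM last-accessed data is service-level for most services and action-level only for some, so a missing record is evidence of dormancy only where the source reports that action at all. Second, the explicit Deny is what makes quarantine reversible without touching the identity, but it also means a JIT grant cannot simply add an Allow on top; the break-glass step has to lift the Deny for the action for the TTL, which the model above assumes rather than implements.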
What's in the full article
Sonrai Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The four-dimensional cost model for unused cloud privilege, including attack surface, breach economics, audit liability, and engineering time.
- The mechanics of Permissions-on-Demand and how quarantine workflows preserve production while removing standing access.
- The distinction between dormant identities and over-permissioned identities, and why the overlap matters for remediation.
- The practical cloud-native controls used to enforce least privilege without introducing new agents or jump boxes.
👉 Read Sonrai Security's analysis of why 92% of cloud permissions go unused →
Explore further
Unused privilege is the identity security debt that cloud teams keep rolling forward. When 92% of sensitive permissions sit unused for 90 days, the environment is not merely noisy. It is accumulating dormant blast radius that survives long after the business justification is gone. That makes access review a lagging signal, not a preventive one, because the estate has already grown beyond what manual governance can reliably rationalise. The practitioner conclusion is simple: unused access must be treated as a standing liability, not a housekeeping task.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How do IAM teams know whether cloud least privilege is actually working?
A: They should look for declining counts of dormant privileges, fewer overprivileged machine identities, and a measurable shift from standing access to task-scoped access. If access reviews keep approving broad roles without evidence of recent use, the programme is documenting risk rather than reducing it.
👉 Read our full editorial: Unused cloud permissions are widening enterprise blast radius