TL;DR: Cloud infrastructure governance breaks when identity tools flatten hierarchical RBAC into SaaS-style rows, because role and scope combinations can explode into tens of millions and make reviews, sync, and least-privilege access unworkable, according to ConductorOne. The real issue is not access volume alone, but whether governance can preserve hierarchy well enough to keep human and agent access precise.
NHIMG editorial — based on content published by ConductorOne: Governing Cloud Infrastructure Access at Scale
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should security teams govern cloud RBAC across subscriptions and resource groups?
A: Treat cloud RBAC as a hierarchy of role, scope, and inheritance rather than as a flat entitlement list.
Q: Why do flat entitlement models create risk in cloud infrastructure?
A: Flat models hide the real meaning of a grant because they strip away scope inheritance.
Q: What do IAM teams get wrong about reviewing cloud access at scale?
A: They often assume more rows means more visibility, but in cloud environments the opposite can happen.
Practitioner guidance
- Preserve the cloud hierarchy in your governance model: track principal, role, scope, inheritance, and conditions as one binding so reviewers can see what a grant means at each level of the tree.
- Compute effective access on demand: avoid pre-materialising millions of role-and-scope rows.
- Reduce review volume to scoped bindings: present reviewers with the smallest decision unit that still shows downstream effect, because bulk approval becomes inevitable when flat lists reach tens of thousands of entries.
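As an added illustration (not ConductorOne's code or model), the following Python keeps bindings as principal, role, scope and inheritance, resolves effective access on demand by walking a constructed Azure-style scope tree, and shows how many rows a flattening sync would emit for the same grants; the scope names, principals and the `inherit` flag (used here to model a grant that stops at its own scope) are assumptions for the example.

```python
from dataclasses import dataclass
# Constructed scope tree (child -> parent), Azure-style: management group,
# subscription, resource group, resource. Names are illustrative only.
PARENT = {
    "/mg/corp": None,
    "/mg/corp/sub/prod": "/mg/corp",
    "/mg/corp/sub/prod/rg/web": "/mg/corp/sub/prod",
    "/mg/corp/sub/prod/rg/web/vm-01": "/mg/corp/sub/prod/rg/web",
    "/mg/corp/sub/dev": "/mg/corp",
}

@dataclass(frozen=True)
class Binding:
    principal: str
    role: str
    scope: str
    inherit: bool = True  # False: grant applies at its own scope only (assumed model)

BINDINGS = [  # constructed: one binding per (principal, role, scope), never flattened
    Binding("alice", "Reader", "/mg/corp"),
    Binding("alice", "Contributor", "/mg/corp/sub/prod/rg/web"),
    Binding("agent-deploy", "Contributor", "/mg/corp/sub/prod/rg/web/vm-01"),
    Binding("bob", "Owner", "/mg/corp/sub/prod", inherit=False),
]

def ancestors(scope):
    """Yield scope itself, then each parent up to the root."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]

def effective_roles(principal, scope):
    """Roles principal holds at scope, each mapped to the nearest scope conveying it."""
    chain = list(ancestors(scope))  # scope first, root last
    result = {}
    for b in BINDINGS:
        if (b.principal != principal or b.scope not in chain
                or (b.scope != scope and not b.inherit)):  # stops at own scope
            continue
        if b.role not in result or chain.index(b.scope) < chain.index(result[b.role]):
            result[b.role] = b.scope
    return result

def downstream_effect(binding):
    """Every scope a binding reaches: the decision unit a reviewer should see."""
    return {binding.scope} if not binding.inherit else {
        s for s in PARENT if binding.scope in ancestors(s)}

def flat_row_count():
    """Rows a flattening sync would emit for the same bindings (one per reached scope)."""
    return sum(len(downstream_effect(b)) for b in BINDINGS)
```

Four bindings already become nine flat rows on this five-scope tree, and a reviewer of the flat rows can no longer tell that alice's Reader on the VM is inherited from the management group rather than granted there.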
What's in the full article
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- How its hierarchy-aware access bindings model represents cloud roles, scopes, and inheritance without flattening.
- How C1 MCP is used to request, review, and expire access across cloud infrastructure and agent workflows.
- How the platform handles joiner-mover-leaver changes for both human users and AI agents.
- How the resource tree is preserved across management groups, subscriptions, resource groups, and resources.
👉 Read ConductorOne's analysis of governing cloud infrastructure access at scale →
Cloud infrastructure RBAC hierarchy: what IAM teams are missing?
Explore further
Cloud entitlement governance fails when the platform treats hierarchy as formatting instead of meaning. A role-scope grant is not a flat entitlement with extra metadata attached; it is a conditional relationship whose meaning changes as inheritance propagates through the tree. When that structure is collapsed, least privilege becomes approximate rather than enforceable. The implication is that cloud governance must be evaluated on whether it preserves authorization semantics, not on how many rows it can synchronise.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, showing that the governance model itself is under pressure, not just the tooling.
A question worth separating out:
Q: How should organisations govern AI agent access to cloud resources?
A: Give AI agents the smallest cloud scope that still allows the task to complete, then bind approvals, expiry, and audit trails to that scope. If the governance platform cannot represent narrow resource-level access, the agent will be overgranted by default. That is a model failure, not an operator mistake.
👉 Read our full editorial: Cloud infrastructure access governance must match hierarchical reality