TL;DR: Multi-cloud adoption is now mainstream, with 55% of organisations operating in multi-cloud by design and some spanning five providers, according to Orca Security’s analysis of a Cloud Security Live session. The central finding is that identity, not infrastructure, becomes the control plane that determines whether attackers can move laterally across clouds.
NHIMG editorial — based on content published by Orca Security: multi-cloud security lessons from Cloud Security Live
By the numbers:
- 55% of organizations are now multi-cloud by design, with some managing deployments across as many as five cloud providers.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
Questions worth separating out
Q: How should security teams govern identities across multiple cloud providers?
A: Treat multi-cloud as one identity problem with several control planes.
Q: Why do service accounts increase risk in multi-cloud environments?
A: Service accounts often carry the permissions that matter most, yet they are reviewed less consistently than human accounts.
Q: What breaks when cloud-native security tools are used in isolation?
A: Investigation quality breaks first.
Practitioner guidance
- Build a cross-cloud identity inventory: Map every human, service, and workload identity to a named owner, business purpose, and privilege scope across AWS, Azure, and GCP so investigators can trace action to principal without guessing.
- Normalise identity telemetry into one workflow: Ingest authentication, authorisation, and privilege-change events into a single investigation path so analysts can correlate activity across providers instead of toggling between consoles.
- Prioritise reachable identity risk: Rank exposed roles, misconfigurations, and over-permissioned service identities by whether they can reach crown jewels or move laterally, rather than by CVE count alone.
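The first two guidance items can be sketched together. This is an added example, not code from Orca Security or the session: it maps one trimmed AWS CloudTrail, Azure Activity Log, and GCP Cloud Audit Log event to a common record, joins each to an inventory owner, and lists principals with no owner. The sample events, the `INVENTORY` table, and all function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed, trimmed sample events (not real logs); every ID and name is invented.
AWS_EVENT = {"eventTime": "2024-05-01T10:00:05Z", "eventName": "AttachRolePolicy",
             "userIdentity": {"type": "AssumedRole",
                              "arn": "arn:aws:sts::111122223333:assumed-role/ci-deployer/build-42"}}
AZURE_EVENT = {"eventTimestamp": "2024-05-01T10:02:00.1234567Z",
               "caller": "00000000-0000-0000-0000-0000000000aa",
               "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}}
GCP_EVENT = {"timestamp": "2024-05-01T10:03:30Z", "protoPayload": {
    "methodName": "SetIamPolicy", "authenticationInfo": {
        "principalEmail": "ci-deployer@example-proj.iam.gserviceaccount.com"}}}

# Hypothetical inventory: (cloud, principal) -> (named owner, business purpose).
INVENTORY = {
    ("aws", "arn:aws:iam::111122223333:role/ci-deployer"): ("platform-team", "CI deploys"),
    ("gcp", "ci-deployer@example-proj.iam.gserviceaccount.com"): ("platform-team", "CI deploys"),
}

def _ts(value):
    # Second precision is enough for ordering here; sample timestamps are UTC ("Z").
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def _aws_principal(identity):
    # Collapse an STS session ARN to its role ARN so all sessions map to one inventory entry.
    arn = identity["arn"]
    if identity.get("type") == "AssumedRole":
        return f"arn:aws:iam::{arn.split(':')[4]}:role/{arn.split('/')[1]}"
    return arn

def normalise(cloud, ev):
    """Map one provider event to (time, principal, action) in a common record."""
    if cloud == "aws":
        fields = (ev["eventTime"], _aws_principal(ev["userIdentity"]), ev["eventName"])
    elif cloud == "azure":
        fields = (ev["eventTimestamp"], ev["caller"], ev["operationName"]["value"])
    elif cloud == "gcp":
        p = ev["protoPayload"]
        fields = (ev["timestamp"], p["authenticationInfo"]["principalEmail"], p["methodName"])
    else:
        raise ValueError(f"unsupported cloud: {cloud}")
    owner, purpose = INVENTORY.get((cloud, fields[1]), (None, None))
    return {"time": _ts(fields[0]), "cloud": cloud, "principal": fields[1],
            "action": fields[2], "owner": owner, "purpose": purpose}

def timeline(raw_events):
    """Merge (cloud, event) pairs from all providers into one list, oldest first."""
    return sorted((normalise(c, e) for c, e in raw_events), key=lambda r: r["time"])

def unowned(records):
    """Records whose principal has no inventory owner: the gaps an investigator hits."""
    return [r for r in records if r["owner"] is None]
```

Here the Azure caller has no inventory entry, so `unowned()` returns its role-assignment write as the event nobody can attribute to an owner.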
What's in the full article
Orca Security's full post covers the operational detail this analysis intentionally leaves for the source:
- How Ben Godard translates multi-cloud experience into day-to-day security decisions across AWS, Azure, and GCP.
- The practical reasoning behind unified visibility in incident response, including how to correlate identities, logs, and events.
- Examples of how teams can prioritise exploitable weaknesses over theoretical findings in vulnerability management.
- The session context from Cloud Security Live, including the discussion format and practitioner takeaways.