Multi-cloud identity governance: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Multi-cloud adoption is now mainstream, with 55% of organisations operating in multi-cloud by design and some spanning five providers, according to Orca Security’s analysis of a Cloud Security Live session. The central finding is that identity, not infrastructure, becomes the control plane that determines whether attackers can move laterally across clouds.

NHIMG editorial — based on content published by Orca Security: multi-cloud security lessons from Cloud Security Live

By the numbers:

Questions worth separating out

Q: How should security teams govern identities across multiple cloud providers?

A: Treat multi-cloud as one identity problem with several control planes.

Q: Why do service accounts increase risk in multi-cloud environments?

A: Service accounts often carry the permissions that matter most, yet they are reviewed less consistently than human accounts.

Q: What breaks when cloud-native security tools are used in isolation?

A: Investigation quality breaks first.

Practitioner guidance

  • Build a cross-cloud identity inventory: Map every human, service, and workload identity to a named owner, business purpose, and privilege scope across AWS, Azure, and GCP so investigators can trace action to principal without guessing.
  • Normalise identity telemetry into one workflow: Ingest authentication, authorisation, and privilege-change events into a single investigation path so analysts can correlate activity across providers instead of toggling between consoles.
  • Prioritise reachable identity risk: Rank exposed roles, misconfigurations, and over-permissioned service identities by whether they can reach crown jewels or move laterally, rather than by CVE count alone.

What's in the full article

Orca Security's full post covers the operational detail this analysis intentionally leaves for the source:

  • How Ben Godard translates multi-cloud experience into day-to-day security decisions across AWS, Azure, and GCP.
  • The practical reasoning behind unified visibility in incident response, including how to correlate identities, logs, and events.
  • Examples of how teams can prioritise exploitable weaknesses over theoretical findings in vulnerability management.
  • The session context from Cloud Security Live, including the discussion format and practitioner takeaways.

👉 Read Orca Security's analysis of multi-cloud identity governance and cloud security →

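The first two practitioner guidance points above (a cross-cloud identity inventory and normalised identity telemetry), as an added example that is not code from the Orca Security post or from NHIMG: constructed records in the shape of AWS CloudTrail, Azure Activity Log and GCP Cloud Audit Log entries are mapped into one schema, resolved to a named owner through a small inventory, and reduced to one privilege-change timeline per owner so an analyst sees a single identity's actions across providers. The inventory entries, the sample records and the set of operations treated as privilege changes are assumptions for the demo.

```python
from collections import namedtuple

# Common schema every provider's record is mapped into.
IdentityEvent = namedtuple("IdentityEvent", "cloud principal action target privilege_change")

# Cross-cloud inventory (constructed): provider-native principal -> named owner.
INVENTORY = {
    "arn:aws:iam::123456789012:role/ci-deploy": "platform-team/ci-pipeline",
    "ci-deploy@example.onmicrosoft.com": "platform-team/ci-pipeline",
    "ci-deploy@prod-proj.iam.gserviceaccount.com": "platform-team/ci-pipeline",
}
# Operations that change who can do what; this subset is an assumption for the demo.
PRIVILEGE_ACTIONS = {
    "aws": {"AttachRolePolicy", "PutRolePolicy", "CreateAccessKey"},
    "azure": {"Microsoft.Authorization/roleAssignments/write"},
    "gcp": {"SetIamPolicy"},
}

def normalise(cloud: str, raw: dict) -> IdentityEvent:
    """Map one CloudTrail, Azure Activity Log or GCP Cloud Audit Log record to the common schema."""
    if cloud == "aws":
        principal, action = raw["userIdentity"]["arn"], raw["eventName"]
        target = raw.get("requestParameters", {}).get("roleName", "")
    elif cloud == "azure":
        principal, action, target = raw["caller"], raw["operationName"], raw["resourceId"]
    elif cloud == "gcp":
        p = raw["protoPayload"]
        principal, action, target = p["authenticationInfo"]["principalEmail"], p["methodName"], p["resourceName"]
    else:
        raise ValueError(f"unknown cloud: {cloud}")
    return IdentityEvent(cloud, principal, action, target, action in PRIVILEGE_ACTIONS[cloud])

def owner_of(principal: str) -> str:
    """Resolve a principal to its inventory owner; unmapped identities are surfaced, not hidden."""
    return INVENTORY.get(principal, f"UNMAPPED:{principal}")

def privilege_changes_by_owner(records):
    """Build one cross-provider timeline per owner, keeping only privilege-changing events."""
    timeline = {}
    for cloud, raw in records:
        ev = normalise(cloud, raw)
        if ev.privilege_change:
            timeline.setdefault(owner_of(ev.principal), []).append((ev.cloud, ev.action, ev.target))
    return timeline

# Constructed sample records: one privilege change per provider, plus a benign read by an unmapped user.
SAMPLE_RECORDS = [
    ("aws", {"eventName": "AttachRolePolicy", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-deploy"}, "requestParameters": {"roleName": "prod-admin"}}),
    ("azure", {"caller": "ci-deploy@example.onmicrosoft.com", "operationName": "Microsoft.Authorization/roleAssignments/write", "resourceId": "/subscriptions/sub-1"}),
    ("gcp", {"protoPayload": {"authenticationInfo": {"principalEmail": "ci-deploy@prod-proj.iam.gserviceaccount.com"}, "methodName": "SetIamPolicy", "resourceName": "projects/prod-proj"}}),
    ("gcp", {"protoPayload": {"authenticationInfo": {"principalEmail": "analyst@example.com"}, "methodName": "storage.objects.get", "resourceName": "projects/prod-proj/buckets/logs"}}),
]
```

Running `privilege_changes_by_owner(SAMPLE_RECORDS)` yields a single owner key with three entries, one per provider, which is the "trace action to principal without guessing" view the guidance describes; an unmapped principal that changes privileges would appear under an `UNMAPPED:` key for follow-up.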
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Identity sprawl is the real multi-cloud blast-radius multiplier. Multi-cloud itself is not the root problem; inconsistent identity ownership is. When the same organisation runs AWS, Azure, and GCP with different access models and different review cadences, the effective blast radius becomes a function of the weakest identity control chain. That means IAM, NHI governance, and PAM can no longer be treated as separate workstreams. The practitioner conclusion is that cross-cloud identity mapping is now a baseline control, not an optimisation.

A few things that frame the scale:

  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: Who should own multi-cloud identity governance?

A: Ownership should sit with the identity and cloud security functions together, because the issue is both access design and operational visibility. If platform teams manage cloud posture without identity governance, or IAM teams ignore provider-specific control planes, the organisation will keep missing cross-cloud attack paths.

👉 Read our full editorial: Multi-cloud identity governance is the real security control plane
