TL;DR: Workload identity federation replaces copied secrets with runtime identity assertions, letting workloads prove who they are across clouds and receive short-lived access instead of persistent credentials, according to Aembit. That shifts the core risk from secret distribution to trust configuration, and it makes federation design a governance problem, not just an integration exercise.
NHIMG editorial — based on content published by Aembit: workload federation and access management across cloud providers
By the numbers:
- GitGuardian’s 2026 report found roughly 29 million secrets detected on public GitHub in 2025, a 34 percent year-over-year increase.
- The 2026 Infrastructure Identity Survey found that 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: How should security teams replace static workload secrets with federation across clouds?
A: Start with the workloads that already cross trust boundaries, then replace copied secrets with runtime identity assertions issued by the native cloud or a federation layer.
Q: Why do workload identities complicate zero trust architecture in multi-cloud environments?
A: Because zero trust assumes every access request is continuously evaluated against context, but multi-cloud workloads create many more trust edges than human users do.
Q: What breaks when service accounts still rely on long-lived secrets?
A: Revocation becomes slow, audit trails fragment, and the secret often turns into the real identity because it can be copied anywhere.
Practitioner guidance
- Inventory every static credential used by workloads: map CI/CD pipelines, containers, serverless functions, and cross-cloud services to the secrets they still depend on, then prioritise the highest-blast-radius paths first.
- Define trust policies before enabling federation at scale: document which issuer, claims, namespaces, and runtime contexts are acceptable for each target service, then test those policies end to end before rollout.
- Centralise review of federation edges and token scopes: create an owner for every cross-cloud trust relationship, then review the token exchange path, expiration window, and claim set on a fixed governance cycle.
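To make the second and third guidance points concrete, here is an added example (not Aembit's or NHIMG's code) that lints a documented trust policy for configuration mistakes, then evaluates a workload's decoded identity assertion against that policy before handing back short-lived access. The target name, issuer URL, audience and claim values are constructed, and verification of the assertion's signature against the issuer's keys is assumed to have happened upstream.

```python
# Constructed example (not Aembit's code): check a trust policy, then evaluate a runtime identity assertion against it.
from dataclasses import dataclass

@dataclass
class TrustPolicy:
    target: str            # service the workload is asking to reach
    issuer: str            # the one identity provider URL accepted on this trust edge
    audience: str          # audience the assertion must name
    claims: dict           # claim -> set of allowed values; pins which workload may cross
    max_assertion_age: int = 600   # reject assertions valid for longer than this (seconds)
    access_ttl: int = 900          # lifetime of the short-lived access handed back (seconds)

def lint_policy(policy):
    """Catch trust-configuration mistakes before the federation edge goes live."""
    findings = []
    if not policy.issuer.startswith("https://"):
        findings.append("issuer is not an https URL")
    if "sub" not in policy.claims:
        findings.append("no sub constraint: every workload at this issuer is trusted")
    findings += [f"wildcard in {c} widens the trust edge"
                 for c, allowed in policy.claims.items() if any("*" in v for v in allowed)]
    return findings

def evaluate(assertion, policy, now):
    """Return (allowed, reasons) for a decoded claim set whose signature was already verified."""
    aud = assertion.get("aud")
    iat, exp = assertion.get("iat"), assertion.get("exp")
    timed = isinstance(iat, int) and isinstance(exp, int)
    checks = [
        (assertion.get("iss") == policy.issuer, "issuer mismatch"),
        (policy.audience in (aud if isinstance(aud, list) else [aud]), "audience mismatch"),
        (timed and iat <= now < exp, "assertion expired, not yet valid or untimed"),
        (timed and exp - iat <= policy.max_assertion_age, "assertion lifetime exceeds policy"),
    ] + [(assertion.get(c) in allowed, f"claim {c!r} not permitted")
         for c, allowed in policy.claims.items()]
    reasons = [msg for ok, msg in checks if not ok]
    return (not reasons, reasons)

def mint_access(assertion, policy, now):
    """Short-lived, scoped access instead of a copied secret; the record is also the audit trail."""
    ok, _ = evaluate(assertion, policy, now)
    return None if not ok else {"target": policy.target, "subject": assertion["sub"],
                                "issuer": assertion["iss"], "expires_at": now + policy.access_ttl}

# Constructed policy and assertion: one CI job for one repository on its main branch.
POLICY = TrustPolicy("payments-bucket", "https://ci.example.internal", "cloud-a-sts",
                     {"sub": {"repo:shop/payments:ref:refs/heads/main"}})
NOW = 1_700_000_000
GOOD = {"iss": POLICY.issuer, "aud": ["cloud-a-sts"], "iat": NOW - 30, "exp": NOW + 270,
        "sub": "repo:shop/payments:ref:refs/heads/main"}
```

A policy that lints clean but still admits a feature branch, an over-long assertion or a second issuer is the kind of trust-configuration drift the governance cycle above is meant to catch.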
What's in the full article
Aembit's full research covers the operational detail this post intentionally leaves for the source:
- Native cloud-by-cloud federation configuration details for AWS, Azure, and Google Cloud
- Runtime token exchange flow examples for workloads, pipelines, and service-to-service access
- Implementation patterns for centralised policy enforcement across SaaS, cloud, and on-premises environments
- How the Edge component abstracts token injection without custom application authentication code
👉 Read Aembit's analysis of workload federation across clouds →
Workload federation across clouds: what IAM teams need to know?
Explore further
Workload federation is a control model, not just an authentication pattern. The important shift is that workloads no longer need to carry a persistent credential in order to be trusted across environments. That changes IAM from secret distribution to runtime trust evaluation, which is why federation belongs in NHI governance rather than in a narrow cloud integration discussion. Practitioners should treat every cross-cloud access path as an identity decision point.
A few things that frame the scale:
- The 2024 State of Secrets Management Survey found that only 44% of organisations are currently using a dedicated secrets management system, according to the Guide to the Secret Sprawl Challenge.
- 54% of organisations are dissatisfied with their current secrets management solution because not all secrets are secured, and 43% cite lack of central management.
A question worth separating out:
Q: How do organisations know if workload federation is actually improving governance?
A: Look for shorter credential lifetimes, fewer copied secrets, clear ownership of each trust relationship, and audit logs that show who or what requested access at runtime. If teams still have to chase secrets across systems to revoke access, federation is only partially implemented.
👉 Read our full editorial: Workload federation is replacing secrets in multi-cloud access