
Workload IAM fragmentation: what security teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Machine identity management still lags human IAM, with fragmented authentication methods, overprivileged static credentials, and weak observability creating audit and security gaps across cloud and hybrid estates, according to Aembit. The real issue is not tooling variety but the governance model: workload access needs policy, lifecycle control, and runtime visibility to match modern infrastructure.

NHIMG editorial — based on content published by Aembit: machine identity governance and modern workload IAM

By the numbers:

Questions worth separating out

Q: How should security teams govern workload identities across hybrid and multi-cloud estates?

A: They should standardise ownership, policy enforcement, and telemetry across every environment rather than letting each cloud or team define its own pattern.

Q: Why do static secrets and shared service accounts create so much risk?

A: Because they turn access into persistent exposure.

Q: How do organisations know if workload IAM controls are actually working?

A: They should look for complete decision logs, clear identity ownership, and evidence that unused or overbroad access is being removed over time.

Practitioner guidance

  • Inventory every workload identity and its owner: build a complete register of service accounts, API keys, tokens, certificates, and workload identities across clouds, CI/CD systems, and SaaS integrations.
  • Eliminate static credentials from application paths: replace embedded secrets and shared service accounts with runtime-issued credentials where possible, and enforce short-lived access for service-to-service calls.
  • Constrain service account privilege to task scope: review permissions for every workload and remove broad access that spans unrelated environments or data sets.

What's in the full article

Aembit’s full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step workload IAM migration guidance for teams moving from legacy secrets and service accounts.
  • Practical patterns for injecting workload identity at the infrastructure layer without custom application logic.
  • Examples of observability and telemetry fields to capture for access review, auditing, and incident response.
  • Implementation guidance for integrating credential issuance and revocation into CI/CD pipelines.

Read Aembit’s analysis of legacy machine IAM and modern workload access
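The practitioner guidance above (register with owners, static credentials removed, privilege constrained to task scope) and the question of how to prove controls are working can be turned into a repeatable check. The following is an added example, not code from the original post or from Aembit; the register fields, the sample identities, and the thresholds (24-hour credential lifetime, 90-day dormancy) are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample register; field names are assumptions for this example, not any vendor's schema.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

@dataclass
class WorkloadIdentity:
    name: str
    owner: Optional[str]
    credential: str          # "static_key" or "runtime_token"
    issued_at: datetime
    expires_at: Optional[datetime]
    last_used: Optional[datetime]
    scopes: frozenset        # e.g. {"prod:db:read"}; "env:*" is a wildcard

REGISTER = [
    WorkloadIdentity("billing-api", "team-payments", "runtime_token",
                     NOW - timedelta(hours=1), NOW + timedelta(hours=1),
                     NOW - timedelta(minutes=5), frozenset({"prod:db:read"})),
    WorkloadIdentity("legacy-etl", None, "static_key",
                     NOW - timedelta(days=400), None,
                     NOW - timedelta(days=120), frozenset({"prod:*", "staging:*"})),
    WorkloadIdentity("ci-deployer", "team-platform", "static_key",
                     NOW - timedelta(days=30), NOW + timedelta(days=335),
                     NOW - timedelta(days=2), frozenset({"prod:deploy"})),
]

def governance_findings(register, now=NOW, max_ttl=timedelta(hours=24),
                        unused_after=timedelta(days=90)):
    """Return {identity: [finding, ...]} covering the evidence a reviewer needs:
    ownership, credential lifetime, dormant access and overbroad scope."""
    findings = {}
    for wi in register:
        issues = []
        if not wi.owner:
            issues.append("no-owner")
        ttl = (wi.expires_at - wi.issued_at) if wi.expires_at else None
        if wi.credential == "static_key" or ttl is None or ttl > max_ttl:
            issues.append("long-lived-credential")
        if wi.last_used is None or now - wi.last_used > unused_after:
            issues.append("unused-access")
        # Wildcard scopes or scopes spanning more than one environment count as overbroad.
        if any(s.endswith("*") for s in wi.scopes) or \
           len({s.split(":")[0] for s in wi.scopes}) > 1:
            issues.append("overbroad-scope")
        if issues:
            findings[wi.name] = issues
    return findings
```

Running the check on each review cycle and comparing the finding counts over time gives the "unused or overbroad access is being removed" evidence the Q&A above asks for.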

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Machine identity sprawl is now a governance failure, not a tooling inconvenience. The article describes a control environment where identity methods vary by cloud, pipeline, and team, which makes consistent policy enforcement impossible. That fragmentation creates duplicated work, weakens accountability, and leaves security teams unable to prove that access was governed end to end. Practitioners should treat workload IAM standardisation as an operating model decision, not an integration task.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to The Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: What frameworks are most relevant to workload identity governance?

A: OWASP NHI guidance, Zero Trust Architecture, and NIST CSF are the most directly applicable starting points. They help teams align access policy, observability, and lifecycle governance so machine identities are handled as first-class identities rather than as ad hoc technical artefacts.

Read our full editorial: Machine identity governance is still lagging human IAM
