← BlogIdentity Risk Intelligence

Why Cloud Identity Risk Goes Far Beyond Human Users

99% of cloud roles are overly permissive. Learn why non-human identities like API keys, service accounts, and OAuth tokens are the fastest-growing attack surface in enterprise cloud environments.

99% of cloud roles are overly permissive. That single statistic should change how every MSP, MSSP, and security leader thinks about cloud identity risk. The identities most likely to be exploited aren't human ones.

In Q4 2025, global cloud infrastructure service spending hit $119 billion, up 30% year over year. Full-year 2025 revenues exceeded $400 billion for the first time. AWS holds 28% of the worldwide market, followed by Azure at 21% and Google Cloud at 14%. Together, the "Big Three" hyperscalers account for more than 60% of the market, with the rest of the competition stuck in the low single digits.

[alt="Worldwide]

Source: Synergy Research Group / Statista, Q4 2025

Growth rates like these haven't been seen since early 2022, when the market was less than half its current size. The AI boom and its computing requirements are accelerating adoption, with year-over-year growth increasing each of the past nine quarters.

That's the scale. Here's the problem nobody talks about.


Everyone's Watching the Front Door

The cybersecurity industry has spent decades building tools to manage human access. User access reviews. Password policies. MFA enforcement. Identity governance platforms like YouAttest, SailPoint, and Saviynt all focus on the same thing: making sure the right people have the right access.

And there's good reason for it. The Verizon 2023 Data Breach Investigations Report found that stolen credentials remain the number one way attackers get in, ahead of phishing and vulnerability exploitation. Seventy-four percent of all breaches involve the human element. A widely cited report found that 80% of AWS enterprises had inactive human users (defined as no access for 180+ days) still holding active access keys.

These are real problems. But they represent a fraction of the actual identity attack surface.


The Back Door Is Wide Open

For every human identity in a typical enterprise cloud environment, there are now 144 non-human identities: service accounts, API keys, OAuth tokens, Lambda execution roles, managed identities, and bot credentials. That ratio jumped 56% in a single year, up from 92:1 in H1 2024, according to Entro Security's H1 2025 NHI & Secrets Risk Report [https://www.cybersecuritytribe.com/news/research-reveals-44-growth-in-nhis-from-2024-to-2025].

And these machine identities are far less governed than their human counterparts:

97%

of NHIs have excessive privileges

99%

of cloud service accounts are over-permissioned

62%

of AWS machine identities inactive 90+ days

57%

of exposed secrets found in source code

0.01%

of machine identities control 80% of cloud resources

866 days

average age of an AWS IAM Role

CyberArk's 2025 Identity Security Landscape report confirmed the trend across 2,600 organizations globally: machine identities vastly outnumber human ones, nearly half have sensitive or privileged access, and 61% of organizations have no identity security controls for cloud infrastructure workloads. Perhaps most telling: 87% of surveyed organizations experienced at least two identity-centric breaches in the past 12 months.


The Lifecycle Problem

Human identities have natural lifecycle triggers. People get hired, change roles, and eventually leave. HR systems flag departures. Offboarding workflows (when they work) revoke access.

Machine identities have none of this. They persist indefinitely unless someone actively revokes them.

Picture this: A developer creates a service account for a Lambda function. To hit a deadline, they attach overly broad permissions. They move on. That account now has god-mode access to the entire AWS environment for a task that needed read access to one S3 bucket. Nobody revisits it. Nobody owns it.

[alt="Average]

Source: Entro Labs, Average Age of NHIs by Type

This isn't hypothetical. Veza's research tells the story in numbers:

  • 824,000 active identities with no associated owner in HR systems, roughly 8% of all identity provider users
  • Dormant accounts nearly doubled year over year
  • 78,000 former employees still retained active credentials even after HR systems flagged their accounts as inactive

Now layer machine identities on top of that. The OWASP Non-Human Identities Top 10 ranks improper offboarding as the number one NHI risk. When a project gets cancelled, a vendor integration gets deprecated, or a developer leaves, the service accounts they created almost never get cleaned up.


The Compliance Gap

Virtually every IT governance framework requires access reviews:

Financial

SOX, GLB, FFIEC

Healthcare

HIPAA, HITRUST

Retail

PCI-DSS

Defense

CMMC

Cloud

SOC, ISO 27001

Privacy

GDPR, CCPA

All of them reference NIST 800-53 controls: AC-4 for access review requirements and AC-6 for the principle of least privilege. The NSA, FBI, and CISA's Joint Ransomware Task Force #STOPRANSOMWARE guide explicitly calls out cloud and admin accounts. Amazon themselves published a "Blueprint against Ransomware" emphasizing least privilege enforcement.

Here's the gap: traditional identity governance tools audit human users. They send review emails to managers. They generate compliance reports showing that John in accounting still has the right access level. That's necessary work.

What they don't do is inventory the 144 machine identities that exist for every John. The service principals, the API keys, the OAuth tokens, the automation credentials. Most organizations can't even enumerate them, let alone review them.


What MSPs and MSSPs Need to Know

If you're managing client environments, this is your problem at scale. Every client tenant has its own sprawl of machine identities. Every cloud migration creates more. Every automation initiative, every CI/CD pipeline, every SaaS integration spawns credentials that accumulate silently.

The traditional IGA approach (send a quarterly review email and check a compliance box) doesn't work when the ratio is 144:1 and the identities have no human owner to review them.

What's needed is something fundamentally different:

  • Continuous, automated discovery of non-human identities across client environments
  • Risk scoring that identifies which identities are over-permissioned, dormant, or represent real exposure
  • Quantified risk in terms that matter for both security operations and insurance underwriting

That's what we're building at Avistar.AI with Avistar [https://avistar.ai]. We scan cloud environments (AWS, Azure) to discover and risk-score every machine identity: API keys, service accounts, OAuth tokens, Lambda roles. We deliver the kind of identity risk intelligence that existing tools simply weren't designed to provide.

The security industry consensus for 2026 is clear: machine identities will become the primary breach vector in cloud environments. The organizations, and the MSPs serving them, that get ahead of it now will be the ones that aren't explaining to their boards how a forgotten service account brought down the house.


Sources

Keep reading

More from the team.

Ready to see your machine identity risk?

Get a free assessment of your clients' non-human identity exposure.