99% of cloud roles are overly permissive. That single statistic should change how every MSP, MSSP, and security leader thinks about cloud identity risk. The identities most likely to be exploited aren't human ones.
In Q4 2025, global cloud infrastructure service spending hit $119 billion, up 30% year over year. Full-year 2025 revenues exceeded $400 billion for the first time. AWS holds 28% of the worldwide market, followed by Azure at 21% and Google Cloud at 14%. Together, the "Big Three" hyperscalers account for more than 60% of the market, with the rest of the competition stuck in the low single digits.
[alt="Worldwide]
Source: Synergy Research Group / Statista, Q4 2025
Growth rates like these haven't been seen since early 2022, when the market was less than half its current size. The AI boom and its computing requirements are accelerating adoption, with year-over-year growth increasing each of the past nine quarters.
That's the scale. Here's the problem nobody talks about.
Everyone's Watching the Front Door
The cybersecurity industry has spent decades building tools to manage human access. User access reviews. Password policies. MFA enforcement. Identity governance platforms like YouAttest, SailPoint, and Saviynt all focus on the same thing: making sure the right people have the right access.
And there's good reason for it. The Verizon 2023 Data Breach Investigations Report found that stolen credentials remain the number one way attackers get in, ahead of phishing and vulnerability exploitation. Seventy-four percent of all breaches involve the human element. A widely cited report found that 80% of AWS enterprises had inactive human users (defined as no access for 180+ days) still holding active access keys.
These are real problems. But they represent a fraction of the actual identity attack surface.
The Back Door Is Wide Open
For every human identity in a typical enterprise cloud environment, there are now 144 non-human identities: service accounts, API keys, OAuth tokens, Lambda execution roles, managed identities, and bot credentials. That ratio jumped 56% in a single year, up from 92:1 in H1 2024, according to Entro Security's H1 2025 NHI & Secrets Risk Report [https://www.cybersecuritytribe.com/news/research-reveals-44-growth-in-nhis-from-2024-to-2025].
And these machine identities are far less governed than their human counterparts:
97%
of NHIs have excessive privileges
99%
of cloud service accounts are over-permissioned
62%
of AWS machine identities inactive 90+ days
57%
of exposed secrets found in source code
0.01%
of machine identities control 80% of cloud resources
866 days
average age of an AWS IAM Role
CyberArk's 2025 Identity Security Landscape report confirmed the trend across 2,600 organizations globally: machine identities vastly outnumber human ones, nearly half have sensitive or privileged access, and 61% of organizations have no identity security controls for cloud infrastructure workloads. Perhaps most telling: 87% of surveyed organizations experienced at least two identity-centric breaches in the past 12 months.
The Lifecycle Problem
Human identities have natural lifecycle triggers. People get hired, change roles, and eventually leave. HR systems flag departures. Offboarding workflows (when they work) revoke access.
Machine identities have none of this. They persist indefinitely unless someone actively revokes them.
Picture this: A developer creates a service account for a Lambda function. To hit a deadline, they attach overly broad permissions. They move on. That account now has god-mode access to the entire AWS environment for a task that needed read access to one S3 bucket. Nobody revisits it. Nobody owns it.
[alt="Average]
Source: Entro Labs, Average Age of NHIs by Type
This isn't hypothetical. Veza's research tells the story in numbers:
- 824,000 active identities with no associated owner in HR systems, roughly 8% of all identity provider users
- Dormant accounts nearly doubled year over year
- 78,000 former employees still retained active credentials even after HR systems flagged their accounts as inactive
Now layer machine identities on top of that. The OWASP Non-Human Identities Top 10 ranks improper offboarding as the number one NHI risk. When a project gets cancelled, a vendor integration gets deprecated, or a developer leaves, the service accounts they created almost never get cleaned up.
The Compliance Gap
Virtually every IT governance framework requires access reviews:
Financial
SOX, GLB, FFIEC
Healthcare
HIPAA, HITRUST
Retail
PCI-DSS
Defense
CMMC
Cloud
SOC, ISO 27001
Privacy
GDPR, CCPA
All of them reference NIST 800-53 controls: AC-4 for access review requirements and AC-6 for the principle of least privilege. The NSA, FBI, and CISA's Joint Ransomware Task Force #STOPRANSOMWARE guide explicitly calls out cloud and admin accounts. Amazon themselves published a "Blueprint against Ransomware" emphasizing least privilege enforcement.
Here's the gap: traditional identity governance tools audit human users. They send review emails to managers. They generate compliance reports showing that John in accounting still has the right access level. That's necessary work.
What they don't do is inventory the 144 machine identities that exist for every John. The service principals, the API keys, the OAuth tokens, the automation credentials. Most organizations can't even enumerate them, let alone review them.
What MSPs and MSSPs Need to Know
If you're managing client environments, this is your problem at scale. Every client tenant has its own sprawl of machine identities. Every cloud migration creates more. Every automation initiative, every CI/CD pipeline, every SaaS integration spawns credentials that accumulate silently.
The traditional IGA approach (send a quarterly review email and check a compliance box) doesn't work when the ratio is 144:1 and the identities have no human owner to review them.
What's needed is something fundamentally different:
- Continuous, automated discovery of non-human identities across client environments
- Risk scoring that identifies which identities are over-permissioned, dormant, or represent real exposure
- Quantified risk in terms that matter for both security operations and insurance underwriting
That's what we're building at Avistar.AI with Avistar [https://avistar.ai]. We scan cloud environments (AWS, Azure) to discover and risk-score every machine identity: API keys, service accounts, OAuth tokens, Lambda roles. We deliver the kind of identity risk intelligence that existing tools simply weren't designed to provide.
The security industry consensus for 2026 is clear: machine identities will become the primary breach vector in cloud environments. The organizations, and the MSPs serving them, that get ahead of it now will be the ones that aren't explaining to their boards how a forgotten service account brought down the house.
Sources