Cloud IAM Is the New Perimeter
In on-premises environments, network access was the primary control boundary. In cloud environments, identity is. Every significant cloud breach in the last three years involved credential compromise, privilege escalation through misconfigured roles, or abuse of legitimate access patterns that security teams could not distinguish from normal operations.
If your cloud security program is not centered on IAM visibility and control, it is not centered on the right thing.
The Least Privilege Problem
Least privilege in cloud IAM is significantly harder than the principle suggests. Role proliferation, service account sprawl, and the operational pressure to give developers broad access to move fast create IAM environments that no one fully understands.
- Average enterprise AWS environment: 40,000+ IAM policies, most never reviewed
- Service accounts with administrator privileges: common in environments with poor IAM hygiene
- Cross-account trust relationships: often undocumented and broader than intended
- Human accounts with permanent credentials: still the norm, even where SSO is available
Starting a Remediation Program
The first step is visibility. You cannot fix what you cannot see. Deploy a cloud infrastructure entitlement management tool and run your first entitlement review before you make any changes. The output of that review should be a prioritized list of high-risk permissions, not a comprehensive cleanup backlog that will never be completed.
Detection Strategy for IAM Threats
Log all IAM API calls in CloudTrail or its equivalent on other platforms. Build detections for the highest-risk patterns: a role assumed from a previously unseen source, a policy attached to a high-privilege role, and cross-account access from an unexpected principal. These detections catch real attacker behavior and have low false-positive rates in well-managed environments, because in such environments the baseline of who assumes which role, from where, is small and stable.
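The three detections above, written out against CloudTrail-shaped records. This is an added illustration, not code from the original article; the baseline, the role names, the account ids and the sample events are constructed placeholders, and the dictionary field names follow the CloudTrail record layout (eventName, sourceIPAddress, userIdentity.accountId, requestParameters).

```python
# Baseline learned from earlier, reviewed activity: which source addresses have assumed each role.
# Constructed placeholder values; real baselines come from your own CloudTrail history.
KNOWN_SOURCES = {"arn:aws:iam::111111111111:role/Deploy": {"10.0.1.5"}}
HIGH_PRIV_ROLES = {"OrgAdmin"}
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # home account plus one documented trust

# Constructed CloudTrail-style events: a normal assumption, one from a new address,
# a policy attachment to an admin role, and an assumption by an unknown account.
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"accountId": "111111111111"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Deploy"}},
    {"eventName": "AssumeRole", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"accountId": "111111111111"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Deploy"}},
    {"eventName": "AttachRolePolicy", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"accountId": "111111111111"},
     "requestParameters": {"roleName": "OrgAdmin",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "AssumeRole", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"accountId": "999999999999"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Deploy"}},
]

def detect_iam_threats(events, known_sources=KNOWN_SOURCES,
                       high_priv_roles=HIGH_PRIV_ROLES, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return (rule, detail) alerts for the three high-risk IAM patterns."""
    alerts = []
    for ev in events:
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        caller = (ev.get("userIdentity") or {}).get("accountId", "")
        src = ev.get("sourceIPAddress", "")  # may be a service DNS name for AWS-originated calls
        if name == "AssumeRole":
            role = params.get("roleArn", "")
            # Cross-account rule takes precedence: an unknown account is worse than a new address.
            if caller not in trusted_accounts:
                alerts.append(("cross_account_unexpected_principal", f"{caller} -> {role}"))
            elif src not in known_sources.get(role, set()):
                alerts.append(("role_assumed_from_new_source", f"{role} from {src}"))
        elif name in {"AttachRolePolicy", "PutRolePolicy"} and params.get("roleName") in high_priv_roles:
            policy = params.get("policyArn") or params.get("policyName")
            alerts.append(("policy_attached_to_high_priv_role", f"{params['roleName']}: {policy}"))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect_iam_threats(SAMPLE_EVENTS):
        print(rule, detail)
```

The first sample event matches the baseline and produces nothing; each of the other three fires exactly one rule, which is the low-noise behaviour the text describes for a well-baselined environment.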
The Governance Model That Sustains Progress
IAM hygiene degrades faster than almost any other security control because every new deployment creates new entitlements. Build IAM review into your deployment pipeline, not your quarterly security review. Permissions that cannot be justified at deployment time should not be granted.