Throughout 2025, we saw a trend of attackers focusing less on traditional network-layer exploits and gravitating toward credential harvesting and identity-based attacks. Whether through social engineering campaigns or deeper technical man-in-the-middle efforts, attackers are obtaining credentials and simply logging in to their target's accounts. A recent CrowdStrike report states that 35% of cloud incidents in 2025 were caused by valid account abuse. 

This is fueled by a large increase in the number of identities, specifically non-human identities (NHIs). Reports put the ratio of NHIs to human identities in large corporations at roughly 50:1, and that ratio keeps growing. NHIs range from service accounts, API keys, and machine identities to digital certificates and, most recently, autonomous AI agents. 

Cloud identity challenges 

Cloud adoption is a major driver of this identity boom. Consider the cloud services your organization uses, whether IaaS, PaaS, or SaaS. Every service requires its own set of credentials, every workload generates machine identities (often ephemeral), and every integration relies on API keys (often long-lived). These identities come in many flavors, each with its own lifecycle, and most of them fall outside the human-centric processes of traditional IAM. NHIs are often created and then forgotten, leaving an attack surface that grows unattended. 

Cloud security entails more than fixing misconfigurations and exposed assets; it ultimately comes down to who, or what, can exploit them. Non-human identities are outgrowing human identities at a remarkable rate, and as their number climbs, so does the need for organizations to know which identities exist and to control what each one can do. 

Compromised logins remain the most common attack vector. So when roles are overprovisioned, service accounts sit unused or dormant, or access keys are issued for longer than necessary, those minor mistakes can become a major incident. The principle of least privilege is the right approach, but it is rarely achieved in cloud environments. Static roles are prone to privilege creep, and developers and cloud operators are often given more access than they need simply to avoid friction in their day-to-day work. Just-in-Time (JIT) access is a good option for human identities: elevated privileges are granted only when requested, for a short window, and revoked automatically afterwards. 

Managing the non-human side is trickier. Machine identities often lack visibility, rotation, and clear ownership, and each of those gaps is a blind spot. Without lifecycle management, forgotten keys, unmanaged service accounts, and certificates nobody owns become easy stepping stones for an attacker moving laterally across the organization. 
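The dormant-key and stale-rotation problems described above are easy to check for when you have an inventory of keys. The following is an added example (not from the original article): it audits access keys from a CSV in the shape of an AWS IAM credential report. The column names match AWS's report; the users, account ID, dates, and the thresholds of 90 days for rotation and 60 days for idleness are constructed assumptions for the illustration.

```python
"""Flag long-lived, dormant, and never-used IAM access keys from a credential report.

Added example, not from the article. The CSV below is constructed to match the
column layout of `aws iam get-credential-report` (after base64 decoding); the
users, account ID and dates are made up. AWS reports "N/A", "no_information"
or "not_supported" where a field has no value, so those are treated as unknown.
"""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample report: a subset of the real columns, four users.
SAMPLE_REPORT = """user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2023-01-10T00:00:00+00:00,true,2023-01-10T00:00:00+00:00,2025-11-30T00:00:00+00:00,false,N/A,N/A
svc-legacy-etl,arn:aws:iam::111122223333:user/svc-legacy-etl,2022-06-01T00:00:00+00:00,true,2024-02-15T00:00:00+00:00,2024-03-01T00:00:00+00:00,false,N/A,N/A
svc-reporting,arn:aws:iam::111122223333:user/svc-reporting,2025-09-01T00:00:00+00:00,true,2025-09-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2025-10-20T00:00:00+00:00,true,2025-10-20T00:00:00+00:00,2025-12-01T00:00:00+00:00,true,2025-11-25T00:00:00+00:00,2025-12-01T00:00:00+00:00
"""

# Fixed "now" so the findings are reproducible; in practice use datetime.now(timezone.utc).
NOW = datetime(2025, 12, 2, tzinfo=timezone.utc)


def _parse_ts(value: str) -> Optional[datetime]:
    """Turn a credential-report timestamp into a datetime, or None if AWS has no data."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_access_keys(report_csv: str, now: datetime = NOW,
                      max_age_days: int = 90, max_idle_days: int = 60) -> List[Dict]:
    """Return one finding per *active* access key that is overdue for rotation,
    has not been used within the idle window, or has never been used at all."""
    findings: List[Dict] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):  # each IAM user can hold two access keys
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            age = (now - rotated).days if rotated else None
            idle = (now - last_used).days if last_used else None

            reasons = []
            if age is not None and age > max_age_days:
                reasons.append(f"not rotated in {age} days")
            if last_used is None:
                # An active key that has never been used is pure exposure.
                reasons.append("active but never used")
            elif idle > max_idle_days:
                reasons.append(f"unused for {idle} days")

            if reasons:
                findings.append({
                    "user": row["user"],
                    "key": f"access_key_{slot}",
                    "age_days": age,
                    "idle_days": idle,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in audit_access_keys(SAMPLE_REPORT):
        print(f"{f['user']:16} {f['key']}: {'; '.join(f['reasons'])}")
```

Run against the sample, the script flags ci-deployer's key (never rotated since 2023), svc-legacy-etl's key (stale and dormant, the classic forgotten service account), and svc-reporting's key (active but never used), while alice's recently rotated and recently used keys pass. The same loop works on a real report because only the column names are assumed; the thresholds should come from your own rotation policy.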

The effect of agentic identities 

With the rise of agentic AI, NHIs are multiplying constantly. Agentic AI is autonomous: it not only processes information but also takes action, so an agent taken over by an adversary can do far more damage than a compromised chatbot, and it therefore needs much more stringent controls. AI agents frequently communicate using the Model Context Protocol (MCP), a standard framework for connecting AI models to data sources and external tools. MCP connections can be authenticated and encrypted, but transport security alone settles none of the identity questions. As these agents integrate into the enterprise, security teams must be able to answer: 

  • Who defines the permission boundaries?
  • Are those permissions considered least privilege?
  • What data do these identities have access to?
  • What is monitoring these agents throughout their entire lifecycle?

We need constant visibility into the access these agents have, for several reasons. The first is simply knowing they exist. Shadow AI is a problem many organizations face: because it is so easy for developers to spin up an AI agent or MCP server, they appear across the environment without any notice to the security team. Where API keys are used, each one adds another long-lived credential that an attacker can steal and use against the organization. 

It is important that agents only have access to the data sources they need, because the major concern is lateral movement. The MCP server is essentially a gateway: if an attacker compromises an agent's credentials, they gain a foothold into every data source and tool that the server exposes to that agent, and through them into whatever those backends can reach. 

We need to understand the full attack path that a given identity's access opens up, whether that identity is an AI agent, a service account, or a human. Mapping the blast radius of an initial compromise means enumerating every role that can be assumed and every resource that can be reached from it, which is exactly the lateral movement path an attacker will follow. 
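Blast radius mapping of the kind described above, and the "does this agent reach more than it needs" check from the MCP discussion, both reduce to a reachability search over an access graph. The following is an added example, not code from the article or any product: the graph is constructed, with hypothetical identities (a support agent, a user, a legacy service account), an MCP server, roles, and data stores, and a directed edge means the source can obtain the target (use a key, assume a role, read or write a store).

```python
"""Map the blast radius of a compromised identity over a constructed access graph.

Added example, not from the article. Nodes and edges are hypothetical; a real
inventory would be built from IAM policies, trust relationships and the tool
list each MCP server exposes. Edge = (source, relation, target), meaning the
source can reach the target through that relation.
"""
from collections import deque
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# Constructed graph: an AI agent holding an API key for an MCP server that,
# in turn, runs under a role which can assume a wider data-export role.
EDGES: List[Tuple[str, str, str]] = [
    ("agent:support-bot",  "uses_key", "mcp:internal-tools"),
    ("mcp:internal-tools", "reads",    "db:tickets"),
    ("mcp:internal-tools", "reads",    "db:customers"),
    ("mcp:internal-tools", "runs_as",  "role:tools-runner"),
    ("role:tools-runner",  "assumes",  "role:data-export"),
    ("role:data-export",   "reads",    "bucket:pii-exports"),
    ("role:data-export",   "writes",   "bucket:pii-exports"),
    ("user:alice",         "assumes",  "role:tools-runner"),
    ("svc:legacy-etl",     "assumes",  "role:data-export"),
    ("role:admin",         "assumes",  "role:data-export"),
    ("role:admin",         "writes",   "kms:prod-key-policy"),
]

Graph = Dict[str, List[Tuple[str, str]]]


def build_graph(edges: Iterable[Tuple[str, str, str]]) -> Graph:
    """Adjacency list: node -> [(relation, neighbour), ...]."""
    graph: Graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def blast_radius(graph: Graph, start: str) -> Dict[str, List[str]]:
    """Breadth-first search from a compromised identity.

    Returns every node reachable from `start` (excluding `start` itself) mapped
    to the shortest path that reaches it, with relations spelled out so the
    result reads as an attack path."""
    paths: Dict[str, List[str]] = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [f"--{rel}-->", nxt]
                queue.append(nxt)
    del paths[start]
    return paths


def reachable_data(graph: Graph, start: str,
                   kinds: Tuple[str, ...] = ("db:", "bucket:", "kms:")) -> List[str]:
    """Only the data-bearing nodes an attacker holding `start` can get to."""
    return sorted(n for n in blast_radius(graph, start) if n.startswith(kinds))


def excess_access(graph: Graph, start: str, needed: Set[str]) -> List[str]:
    """Least-privilege gap: data reachable by `start` that its job does not require."""
    return sorted(set(reachable_data(graph, start)) - needed)


def who_can_reach(graph: Graph, target: str, identities: Sequence[str]) -> List[str]:
    """Inverse question for an exposed asset: which identities can exploit it."""
    return sorted(i for i in identities if target in blast_radius(graph, i))


if __name__ == "__main__":
    g = build_graph(EDGES)
    agent = "agent:support-bot"
    print("reachable from", agent, "->", reachable_data(g, agent))
    print("path to PII bucket:", " ".join(blast_radius(g, agent)["bucket:pii-exports"]))
    print("excess for a ticket-only bot:", excess_access(g, agent, {"db:tickets"}))
    print("who reaches the PII bucket:",
          who_can_reach(g, "bucket:pii-exports",
                        ["user:alice", "svc:legacy-etl", "agent:support-bot"]))
```

On the constructed graph, the support agent's key reaches not only the ticket database it was built for but also the customer database and, via the role chain behind the MCP server, a PII export bucket; `excess_access` reports exactly that gap. `who_can_reach` answers the asset-first question the article raises under key takeaways: given an exposed bucket, which identities (human, service, or agent) are the ones that can exploit it.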

Key takeaways 

Context is key. Cloud security tools will show which resources are exposed, but we also need visibility into who can exploit them. Tying an asset-focused approach to an identity-focused approach lets teams evaluate and assess risk more effectively. Identity underpins every other cloud control, from encryption and segmentation to workload isolation; it is a foundational aspect of all of them. Organizations aiming to adopt a Zero Trust approach in the cloud will find it difficult to implement without strong identity governance, because identity defines who you are, what you can do, when you can do it, and under which conditions. Without those controls in place, there is a large gap in your security posture. 

The main goal for CISOs and most security teams is reducing risk, and to do that they need to manage access in real time for both human and non-human identities. That means assessing the permissions of developers and operational teams and asking: Do they need access to all of these resources? Is it time to explore and migrate to JIT access for them? On the human side the goal is to minimize operational risk; on the machine side it is to minimize exposure by automating certificate and secret rotation so that those systems stay secure. 

When cloud strategies are built with identity in mind, it helps ensure that access to those resources, policy enforcement and risk monitoring work together harmoniously. Identity is the connective tissue of security controls within your cloud environment. When cloud and identity strategies work in tandem, security becomes not just stronger, but more consistent, measurable and resilient.