Identity Security: Cloud’s Weakest Link in 2025

Published 09/19/2025

Identity security has officially overtaken all other risks as the top concern in cloud environments. According to CSA’s State of Cloud and AI Security 2025 survey report, insecure identities and risky permissions are the top cloud security risk. Hybrid and multi-cloud settings are now the norm and identity is the connective tissue across everything. This also makes it the weak point attackers target first.

 

Identity-Driven Breaches Are Now the Norm

The breach data underscores how central identity has become. Among organizations that experienced a cloud-related breach, three of the top four causes were identity-related:

  • Excessive permissions (31%)
  • Inconsistent access controls (27%)
  • Weak identity hygiene (27%)

“Weak identity hygiene” includes unrotated keys, unused credentials, orphaned accounts, or the absence of MFA. These everyday operational gaps turn small slips into major incidents.

CSA's Top Threats to Cloud Computing 2024 report also found identity and access issues to be the #2 top threat to the cloud. Examples of identity-related breaches include:

  • MOVEit Campaign (May 2023): A series of breaches linked to the MOVEit file transfer tool impacted several organizations. For instance, the Oregon Department of Transportation experienced a breach affecting approximately 3.5 million individuals. Attackers gained access to sensitive personal information because of over-permissioned accounts and poor separation of duties.
  • JumpCloud Data Breach (June 2023): JumpCloud, an IAM firm, suffered a breach by a sophisticated nation-state actor. The attack targeted specific customer accounts by injecting data into JumpCloud’s commands framework. The breach was initially traced back to a spear-phishing campaign and non-expiring credentials.
  • Okta Data Breach (October 2023): Okta, a provider of identity services and authentication management, experienced a data breach where an unauthorized actor accessed its support case management system using stolen credentials. This incident compromised customer support case information, highlighting the risks of storing service accounts and sensitive information within accessible systems.

To be clear, cloud misconfigurations (the #1 top threat identified in CSA's Top Threats to Cloud Computing 2024) still matter. Misconfigured cloud services or infrastructure contributed to 33% of breaches. However, the signal from this year’s data is clear: identity problems now drive outcomes. If you only chase configuration drift without fixing entitlement sprawl, you’re leaving your front door unlocked.

 

The Zero Trust Promise vs. Reality

The good news: organizations are prioritizing Zero Trust principles. Implementing least privilege for identities was the most selected cloud security priority for the next 12 months (44%).

The less-good news: measurement still skews toward checkbox metrics. The most common IAM KPI is tracking multifactor authentication (MFA) or single sign-on (SSO) adoption rates (42%). Few organizations track deeper indicators such as privilege misuse, access anomalies, or non-human identity abuse.

 

Why Identity Security Remains Immature

CSA’s findings point to a layered, systemic problem, not just a handful of bad accounts. You can see how governance and operations haven’t kept pace with adoption:

  • Team silos: 28% cite lack of alignment between cloud security and IAM teams as a top challenge.
  • Least-privilege friction: 21% report difficulty enforcing least privilege at scale.
  • Reactive KPIs: Organizations still emphasize security incident frequency/severity (43%) over forward-looking risk reduction.

Add in hybrid/multi-cloud complexity and it’s clear why identity remains the weakest link.

 

Practical Moves You Can Make Now

Instrument for effectiveness, not just presence. Keep measuring MFA/SSO, but augment with signals that expose identity risk in real time, including:

  • Frequency of privilege escalation events or abuse of high-risk roles.
  • Access anomalies (time, geography, and resource patterns) tied to incident follow-through.
  • Lifecycle hygiene for human and non-human identities, such as dormant accounts, stale keys, and orphaned roles.
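
One way to turn the lifecycle-hygiene signals above into trackable numbers, as an added example that is not taken from the CSA report. The inventory records, field names, and 90-day thresholds are assumptions made for illustration, not any provider's schema or a CSA recommendation.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 19, tzinfo=timezone.utc)  # fixed "today" so the run is reproducible

def days_ago(n):
    return NOW - timedelta(days=n)

# Constructed sample inventory; field names are hypothetical.
INVENTORY = [
    {"name": "alice", "kind": "human", "owner": "alice", "mfa": True,
     "last_used": days_ago(2), "key_created": None, "standing_admin": False},
    {"name": "bob", "kind": "human", "owner": "bob", "mfa": False,
     "last_used": days_ago(200), "key_created": days_ago(400), "standing_admin": True},
    {"name": "ci-deployer", "kind": "service", "owner": "platform-team", "mfa": None,
     "last_used": days_ago(1), "key_created": days_ago(365), "standing_admin": True},
    {"name": "etl-legacy", "kind": "service", "owner": None, "mfa": None,
     "last_used": None, "key_created": days_ago(30), "standing_admin": False},
]

def findings_for(identity, now=NOW, max_key_age=90, dormant_after=90):
    """Return hygiene findings for one identity (thresholds are assumed defaults)."""
    out = []
    last_used, key_created = identity["last_used"], identity["key_created"]
    if last_used is None or (now - last_used).days > dormant_after:
        out.append("dormant")          # never used, or unused past the window
    if key_created is not None and (now - key_created).days > max_key_age:
        out.append("stale_key")        # access key not rotated within the window
    if identity["owner"] is None:
        out.append("orphaned")         # nobody accountable for this identity
    if identity["kind"] == "human" and not identity["mfa"]:
        out.append("no_mfa")           # MFA applies to human logins only here
    if identity["standing_admin"]:
        out.append("standing_admin")   # candidate for just-in-time elevation
    return out

def hygiene_report(inventory, **thresholds):
    """Per-identity findings plus the aggregate counts a dashboard would trend."""
    per_identity = {i["name"]: findings_for(i, **thresholds) for i in inventory}
    counts = {}
    for flags in per_identity.values():
        for flag in flags:
            counts[flag] = counts.get(flag, 0) + 1
    clean = sum(1 for flags in per_identity.values() if not flags)
    return per_identity, counts, round(100 * clean / len(inventory), 1)

if __name__ == "__main__":
    per_identity, counts, pct_clean = hygiene_report(INVENTORY)
    for name, flags in per_identity.items():
        print(f"{name:12} {', '.join(flags) or 'ok'}")
    print(counts, f"clean={pct_clean}%")
```

Trending the counts over time, rather than reading a single snapshot, is what makes them a forward-looking indicator.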

Operationalize least privilege with context and time:

  • Replace standing admin rights with just-in-time elevation and time-bound access.
  • Enforce policy-as-code to keep entitlements drift-free across cloud providers.
  • Review high-risk permissions on a recurring cadence. Treat exceptions as incidents-in-waiting.

Unify governance across clouds:

  • Align IAM and cloud teams on a common Zero Trust roadmap and tooling.
  • Standardize policy enforcement, identity federation, and centralized authentication across environments.
  • Build shared dashboards that merge IAM and cloud posture signals so teams prioritize the same risks.

Tie identity controls to breach realities:

  • The most common AI-breach causes look familiar: exploited software vulnerabilities (21%), AI model flaws (19%), insider threats (18%), and misconfigured cloud settings (16%). Do not over-rotate on novel “AI-native” fears while overlooking identity basics. Apply proven cloud and identity safeguards to AI workloads first.

Find more detailed guidance in CSA's Zero Trust Advancement Center.

 

Why It Matters Even More for AI

AI is moving fast from “experimental” to business-critical: a combined 55% are using AI for active business needs. At the same time, 34% of organizations with AI workloads have already experienced an AI-related breach. Identity risks now extend to service accounts, APIs, and machine identities that wire up data pipelines, model training, and inference.

Yet many programs remain compliance-heavy but technically shallow. More than half rely on frameworks to guide AI security, but only 26% conduct AI security testing, 22% classify and encrypt AI data, and 15% implement MLOps security practices. Compliance is the baseline, not the ceiling. Treat identity, data, and workload protections for AI with the same rigor you expect for cloud.

Without deeper technical investment and risk-informed strategies, organizations are in danger of overlooking foundational security practices that already exist in other domains. Furthermore, this accounts only for sanctioned use. With shadow AI on the rise, the unmonitored portion of the AI landscape may pose even greater risk.

 

Executive Alignment: Move from Reactive to Risk-Reducing

A recurring theme in the report is leadership alignment. 31% of respondents say executive leadership lacks sufficient understanding of cloud security risks. Some leaders assume built-in cloud tools are “good enough” or that providers are primarily responsible. That misunderstanding fuels reactive KPIs and underinvestment in the very identity controls that would prevent breaches.

Security leaders can bridge this gap by reporting preventive outcomes: for example, the number of standing admin roles reduced, the percentage of high-risk entitlements remediated, or the mean time to revoke orphaned credentials. This reframes identity security as a measurable, cost-reducing risk program rather than a control checklist.

Leadership must also invest in platforms and processes that provide integrated visibility, reduce complexity, and enable forward-looking risk management. This shift is especially urgent as AI adoption accelerates, introducing new risks that require both foundational security maturity and the agility to respond to emerging threats. Until that reset occurs, even the most capable security teams will remain locked in reactive operations.

 

Bottom Line

Identity security is cloud security. The State of Cloud and AI Security 2025 survey report shows identity and cloud misconfigurations are the twin drivers of risk. Organizations say Zero Trust and least privilege are priorities, but governance, measurement, and cross-team operations must catch up for those strategies to work.

If you’re ready to go deeper, including benchmarks, charts, and practical next steps, download the full report here.
