Sysdig 2024: 98% of Permissions on Cloud Identities Are Unused
Sysdig's analysis of customer cloud environments found that 98% of granted permissions on cloud identities are never used. Of those, the bulk sit on non-human identities — service accounts and workload identities with broad, static grants.
Key Finding
Cloud over-permissioning is not a privilege problem in the abstract. It is a measurable, removable attack-surface problem, and the tooling needed to right-size it already exists in the cloud provider's own logs and analysers, before any new product is bought.
Sysdig's 2024 Cloud-Native Security and Usage Report analysed permissions and runtime behaviour across customer cloud workloads. The headline finding was that 98% of permissions granted to cloud identities, humans and non-humans combined, are never exercised at runtime. The overwhelming majority of those unused permissions sit on non-human identities: service accounts that started with broad, role-template grants and never had the unused portion removed.
Two architectural implications follow from this dataset:
Least privilege is achievable in cloud. The data the cloud provider already produces — IAM access analyser output, CloudTrail or audit logs, runtime telemetry — is sufficient to identify and remove unused permissions on every identity in the environment. The barrier is governance, not visibility.
Over-permissioned NHIs are the asset attackers most want. When the ADT, Rockstar, Cloudflare, and Storm-0558 incidents all turned on stolen NHI credentials with broad scope, the underlying control failure was the scope, not the theft. Right-sizing is the defence that survives credential theft.
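As an added illustration of the first implication (not code from Sysdig or from the report), the check below compares a workload role's granted IAM actions against the actions actually observed in CloudTrail-style events over a lookback window, then reports which grants were never exercised and what a right-sized action list would contain. The policy, the events, the account id, and the role name "app-worker" are all constructed for the example.

```python
import fnmatch

# Constructed sample: Allow-only policy attached to the workload role "app-worker".
GRANTED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"},
]}

def _event(source, name, role):
    """Constructed CloudTrail-style record cut down to the fields this check reads."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/{role}/s1"}}

# Constructed lookback-window events; the last one belongs to a different role.
CLOUDTRAIL_EVENTS = [
    _event("s3.amazonaws.com", "GetObject", "app-worker"),
    _event("s3.amazonaws.com", "GetObject", "app-worker"),
    _event("secretsmanager.amazonaws.com", "GetSecretValue", "app-worker"),
    _event("sts.amazonaws.com", "AssumeRole", "app-worker"),
    _event("s3.amazonaws.com", "DeleteObject", "admin-batch"),
]

def granted_patterns(policy):
    """Flatten Allow statements into action patterns, wildcards kept as written."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            act = stmt["Action"]
            patterns.extend([act] if isinstance(act, str) else act)
    return patterns

def observed_actions(events, role_name):
    """'service:Action' strings this role exercised (eventSource prefix taken as IAM prefix)."""
    used = set()
    for ev in events:
        if f":assumed-role/{role_name}/" in ev.get("userIdentity", {}).get("arn", ""):
            used.add(f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}")
    return used

def usage_report(policy, events, role_name):
    """Each granted pattern -> observed actions it covered (IAM matching is
    case-insensitive, hence lower()). An empty list means never exercised."""
    used = observed_actions(events, role_name)
    return {p: sorted(a for a in used if fnmatch.fnmatchcase(a.lower(), p.lower()))
            for p in granted_patterns(policy)}

def right_sized_actions(policy, events, role_name):
    """Candidate replacement action list: only the actions the window shows in use."""
    return sorted({a for m in usage_report(policy, events, role_name).values() for a in m})
```

Two caveats a real run must handle: the eventSource prefix does not always equal the IAM service prefix (for example monitoring.amazonaws.com maps to cloudwatch), and any action exercised less often than the lookback window, such as a quarterly rotation, will show as unused, so the output is a review list rather than something to apply blindly.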