Your last least-privilege audit was thorough. Then a developer spun up a Lambda. An S3 bucket stayed public through a policy merge. A service account inherited admin via a wildcard. None of that is in your IAM dashboard now, but it is in the attacker's.
TL;DR: Cloud IAM drift is the silent gap between the policy you wrote and the permissions an identity can actually use. It builds for months while attackers map it in seconds. The fix is an effective-permission inventory that runs as a build check, not a quarterly review.
Key Takeaways: - Assigned permissions are policy text. Effective permissions are what runs at request time. Privilege escalation lives in the delta. - Roughly 46% of enterprise identity activity sits outside centralized IAM visibility, the "Identity Dark Matter" driving drift. - A 4-step containment sequence (baseline, rank, tighten, automate) compresses remediation timelines by replacing quarterly reviews with continuous checks. - Drift becomes a CI failure instead of an audit finding once effective-permission diffs run nightly.
12+ Months of Drift Compounds in Silence

The timeline is asymmetric. Internal teams often take 12 or more months to detect a meaningful drift in cloud identity. Adversaries find the same gaps in seconds, using the same SDKs your developers use.
The IAM console still shows the policy you wrote last quarter. It does not show what evaluates at request time today. A private GitHub access token with sensitive repository access sat exposed for nearly a year before discovery.
The same pattern plays out in cloud IAM every day. The console never tells you. Drift is invisible because the dashboard reflects intent, not outcome.
This is the trap cloud security teams fall into. They review the policy document, sign off on it, and move on. The actual permission graph has already moved. The console is a photograph, not a video.
What that photograph hides is the exact path an attacker is mapping right now.
Why Least-Privilege Erodes Faster Than You Write It
Three structural drivers push every least-privilege program off course. First, over-privileged roles get created to unblock a team, then never get tightened. Second, policies diverge across accounts and OUs because no one standardizes them. Third, resource-based policies grant access the identity policy never intended. That grant is invisible from the principal's side.
Machine identities multiply the surface. A typical engineering org carries far more machine identities than human engineers. CI runners, Lambda execution roles, cross-account assume-role chains, and GitHub Actions OIDC tokens each add a path.
Humans rarely audit any of them because they aren't humans.
Policy reviews fail for a specific reason. You read the IAM policy document and see a tidy list of actions. Effective permissions are the union of five layers: identity policy, resource-based policy, SCPs, permission boundaries, and session tags.
No console view exposes that 5-layer resolution. You have to compute it. That's the gap between what you wrote and what runs.
It's exactly where zero trust architecture breaks down. The identity layer gets treated as a checkbox instead of a control plane. If drift is structural, the fix can't be a quarterly review. It has to start with what you actually have, not what you think you wrote.
The first question is: how much of your identity activity is even visible to you?
The 46% of Identity Activity You Can't See
Roughly 46% of enterprise identity activity sits outside centralized IAM visibility. This is what Orchid Security calls "Identity Dark Matter": the shadow integrations, decentralized team-owned service accounts, autonomous agents, and SaaS-to-SaaS grants that no one catalogs.
The number is large because modern identity is fragmented. Fragmentation is the default state of any organization that has scaled.
Gartner's response was to define a new category: the Identity Visibility and Intelligence Platform (IVIP). Within the Identity Fabric framework, IVIPs sit as a "System of Systems" layer. They aggregate identity activity across cloud, SaaS, on-prem, and machine identities. The category exists because perimeter-style IAM inventories miss the gaps that produce privilege escalation.
The standard IAM console is not built for this. It was built for human users with one account. It was not built for a multi-account AWS Organization with roles at scale and a service account per Lambda.
This is also why cloud infrastructure security programs that focus on network controls keep missing identity-based incidents. The attacker path doesn't traverse a subnet. It traverses a role assumption.
Visibility alone isn't the goal. The question is what you do with the inventory once you have it. That requires separating two concepts the IAM console blurs.
Effective Permissions vs. Assigned Permissions

Assigned permissions are what the policy document says. Effective permissions are what an identity can actually do at request time. They resolve identity policy, resource policy, SCPs, permission boundaries, and session context together.
The IAM console shows you the first. The attacker maps the second.
Privilege escalation lives in the delta. A common pattern: a role has `iam:PassRole` on `` and `lambda:CreateFunction` on ``. That role can pass a high-privilege role into a Lambda it controls, then run code under it.
Policy text says "Lambda deployer." Effective permission says "data exfiltration in seconds." Tools like `enumerate-iam` and `pacu` find these chains automatically. Your developer does the same thing during a routine `aws sts assume-role` test. They just don't know they're walking through an attack path.
The remediation sequence:
- Inventory effective permissions across every principal.
- Rank by blast radius.
- Tighten from highest blast radius downward.
- Automate the comparison so the next drift fails a check, not an audit.
A focused rollout using existing platforms lands faster than building the parsers, simulators, and CI hooks from scratch. The difference is tooling, not effort.
A baseline of effective permissions per principal is the artifact your remediation, audit, and detection all read from. Without it, every privilege-escalation investigation starts with a screenshot and ends with a guess. The IAM layer needs its own source of truth, separate from policy text.
Theory is settled. The question for a Cloud Security Lead is what to actually do this week, and how long the remediation arc should realistically take. The playbook is four steps.
A 4-Step Drift Containment Playbook
Step 1 - Baseline effective permissions. Query every role, user, and service account across AWS, Azure, and GCP. Export the resolved action set per principal, not the policy text. This snapshot is your drift-freeze point. Tools like AWS IAM Access Analyzer, Azure's Authorization Management, and GCP's IAM Analyzer can each return a partial view. Stitch them into one graph.
Step 2 - Rank by privilege-escalation potential. Prioritize principals that can assume other roles, modify IAM itself, or reach sensitive data stores like S3, BigQuery, Key Vault, and KMS. A single `iam:PassRole` + `lambda:CreateFunction` chain is a takeover in seconds. A principal with `iam:CreatePolicyVersion` and `iam:SetDefaultPolicyVersion` is faster. Score on blast radius, not on count of actions.
Step 3 - Tighten from the top. Replace wildcard actions with resource-scoped equivalents. Add permission boundaries for break-glass roles. Convert long-lived access keys to short-lived STS sessions via OIDC federation. Treat each change as a PR against the effective-permission baseline, not a meeting outcome. Reviewers should see the action delta, not the policy diff.
Step 4 - Automate the regression. Run effective-permission diffs nightly in devops pipelines. Fail CI when a new principal exceeds its baseline, when a wildcard action appears, or when a previously-scoped principal gains a new service. Drift becomes a build break, not a quarterly surprise. Effective-permission graphs also become your observability signal. Any change in the resolved action set is a security event worth paging on.
Regulated-industry note: HIPAA-mapped workloads (PHI storage, clinical-data pipelines) get the same playbook. PHI buckets and KMS keys go to the top of the blast-radius ranking. Securing cloud environments for healthcare requires treating identity as the control plane, not a layer in it.
Once drift becomes a build break instead of a quarterly surprise, three things change at once. They're the reason this work compounds rather than decays.
What Changes When Identity Becomes Observable
Detection of privilege-escalation paths shifts from manual quarterly review to automated continuous monitoring. The effective-permission inventory is the detector. Any change to the resolved action set is a signal.
The baseline is the comparison point. Audit evidence shifts from screenshots of policy documents to queryable effective-permission graphs. The same artifact satisfies ISO 27001 access-control evidence, SOC 2 CC6.1, and HIPAA 164.308(a)(4).
One source of truth covers multiple compliance frameworks. Auditors stop asking for the policy. They query the graph.
Developer velocity increases. When least-privilege is enforced by automation rather than ticket review, the path from request to access collapses. Teams get scoped, monitored credentials through PR-level checks instead of multi-day ticket cycles.
The PR flow does the work the security team used to do. Teams running kubernetes workloads with workload identity see the same pattern. Pods get federated, scoped credentials at startup.
The previous "service account with admin" pattern disappears. Observability of effective permissions is the single highest-leverage control in a cloud security program.
It also requires the least behavior change from developers. Enforcement happens before merge, not after deploy. Map effective permissions for a single account this week.
Frequently Asked Questions
Q: What is cloud IAM drift and why does it matter?
A: Cloud IAM drift is the gap between the access policies you wrote and the permissions an identity can actually use at runtime. It matters because that gap is the attacker's privilege-escalation path. Gaps like these can persist for long periods before internal teams notice. Adversaries find them in seconds.
Q: How is effective permission different from assigned permission?
A: Assigned permission is what an IAM policy document grants. Effective permission is what an identity can actually do after identity policies, resource policies, service control policies, permission boundaries, and session tags all resolve together. Privilege escalation lives in the delta between the two. That delta is rarely visible in the standard IAM console.
Q: What is an Identity Visibility and Intelligence Platform (IVIP)?
A: IVIP is the Gartner-defined category for tools that aggregate identity activity across decentralized systems: cloud, SaaS, on-prem, and machine identities. It exists because roughly 46% of enterprise identity activity occurs outside centralized IAM tools. That activity creates the "Identity Dark Matter" that drives drift.
Q: How long does it take to remediate IAM drift in a large cloud estate?
A: Organizations building effective-permission inventory and remediation tooling in-house face a longer path than those using existing platforms with proven playbooks. The gap comes down to tooling maturity and platform coverage.
Q: What is the fastest privilege escalation path in AWS IAM?
A: The most common short paths combine `iam:PassRole` with `lambda:CreateFunction` or `ec2:RunInstances`. A principal that can pass a higher-privileged role into a compute service it controls can execute code under that role in seconds. Effective-permission inventory surfaces these chains because it models the action graph, not just the policy text.
Sources
Research and references cited in this article:
- Detecting and Remediating IAM Configuration Drift - ThinkCloudly
- Cloud least privilege and effective access drift: what teams...
- What Is Privilege Escalation? Types and Prevention Strategies
- Why Companies Still Struggle with Least Privilege in the Cloud | Sysdig
- What Is Cloud Identity Security? - Palo Alto Networks
- implementing least privilege controls in multi-cloud environments
- Automating Least Privilege Access in the Cloud | Entitle
- Cloud Least Privilege: Best Practices Guide | Orca Security
- SuperTokens 💫 - Open Source Auth
- How to stop IAM drift and secure your cloud - LinkedIn
- Exploiting IAM security misconfigurations | Sysdig
- Exploring Common Identity Access Management Risks
About the author
Mayank Singh is a software developer at Levitation Infotech, where he builds web and AI-powered applications across the company’s fintech, healthcare, and enterprise projects.
