Most organizations still miss basic identity security controls in the cloud, leaving them exposed to breaches, audit failures, and compliance violations. A new midyear benchmark from Unosecur found that nearly every company scanned had at least one high-risk issue, with an average of 40 control failures per organization.
Top compliance violations and business impact (Source: Unosecur)
The report analyzed diagnostic scan data from 50 enterprises across industries and regions between January and June 2025. Unlike survey-based studies, the findings are based on direct control checks aligned with standards like ISO 27001/27002, PCI DSS, and SOC 2. The goal: provide a reproducible view of where cloud identity practices fall short and how to fix them.
“The changing percentage share may partly reflect less scanning coverage. What the data tells us is simple: if your company runs on any of these three platforms, you have a ready reckoner of the most common compliance violations. For multi-cloud businesses, this data reinforces that not all environments carry the same risk. Assuming they do could leave serious gaps unaddressed,” said Santhosh Jayaprakash, CEO at Unosecur.
The data shows that many organizations continue to overlook foundational protections. The most common issue was missing MFA on admin accounts. Other frequent gaps included over-privileged roles, long-lived service account keys, and poor separation of duties. Just four categories of issues (missing MFA, excessive access, stale credentials, and unmanaged machine keys) accounted for 70 percent of high-severity findings.
“Missing MFA and excessive privilege aren’t bleeding-edge threats,” the report notes. “They’re unlocked doors that ransomware crews and auditors spot first.”
Each of the top ten failures identified in the benchmark has a clear security consequence. For example, a lack of MFA on admin accounts means a single phished password can compromise an entire cloud environment. Access keys that are never rotated, and service accounts with broad permissions, give an attacker who obtains them long-term, hard-to-detect access.
Cloud-specific trends also stood out. In AWS, many IAM users (and some root accounts) still operate without MFA. Google Cloud tenants often grant the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) at project level, which lets the grantee mint tokens for, and therefore impersonate, every service account in the project rather than a specific one. Azure customers were found to assign the built-in "Owner" or "Contributor" roles at subscription scope, so the grant covers every resource group and resource in the subscription, increasing the blast radius of a compromised principal.
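The three platform-specific gaps above can be checked offline against the exports each cloud CLI already produces. The following is an added example, not Unosecur's scanner or any code from the report. It assumes the real output shapes of `aws iam get-credential-report` (CSV), `gcloud projects get-iam-policy --format=json` and `az role assignment list --all`; the sample inputs are constructed, the 90-day key-age threshold is an assumed policy, and the account IDs, user names and subscription ID are placeholders.

```python
"""Offline checks for the three cloud identity gaps named in the report.

Added example; not Unosecur's tooling. Inputs are constructed samples in the
shape the real CLIs return (only the columns/keys the checks need are shown).
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE = timedelta(days=90)                 # assumed rotation policy
NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

# Constructed subset of an AWS credential report (placeholder account 123456789012).
AWS_CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2025-05-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2024-11-15T00:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2023-02-01T00:00:00+00:00,true,2025-06-01T00:00:00+00:00
"""

# Constructed project-level IAM policy (what `gcloud projects get-iam-policy` prints).
GCP_IAM_POLICY = json.dumps({"bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["group:developers@example.com",
                 "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
]})

# Constructed `az role assignment list --all` output (placeholder subscription ID).
AZURE_ROLE_ASSIGNMENTS = json.dumps([
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "app-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
    {"principalName": "sre-readers", "principalType": "Group",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])


def aws_findings(report_csv, now=NOW):
    """Flag console principals (root included) without MFA and stale active keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root reports password_enabled as "not_supported" but still reports mfa_active.
        if row["password_enabled"] in ("true", "not_supported") and row["mfa_active"] != "true":
            findings.append(("aws", user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                age = now - datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
                if age > KEY_MAX_AGE:
                    findings.append(("aws", user, f"access key {n} not rotated for {age.days} days"))
    return findings


def gcp_findings(policy_json):
    """Flag Token Creator granted on the project: it covers every SA in the project."""
    policy = json.loads(policy_json)
    return [("gcp", member, "project-wide roles/iam.serviceAccountTokenCreator")
            for binding in policy.get("bindings", [])
            if binding["role"] == "roles/iam.serviceAccountTokenCreator"
            for member in binding["members"]]


def is_subscription_or_broader(scope):
    """True for tenant root, management group or bare subscription scopes."""
    if scope == "/" or scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return True
    parts = [p for p in scope.split("/") if p]
    return parts[:1] == ["subscriptions"] and len(parts) == 2


def azure_findings(assignments_json):
    """Flag Owner/Contributor assigned at subscription scope or above."""
    broad_roles = {"Owner", "Contributor"}
    return [("azure", a["principalName"], f'{a["roleDefinitionName"]} at {a["scope"]}')
            for a in json.loads(assignments_json)
            if a["roleDefinitionName"] in broad_roles and is_subscription_or_broader(a["scope"])]


def run_all():
    return aws_findings(AWS_CREDENTIAL_REPORT) + gcp_findings(GCP_IAM_POLICY) \
        + azure_findings(AZURE_ROLE_ASSIGNMENTS)


if __name__ == "__main__":
    for platform, principal, issue in run_all():
        print(f"{platform:5} {principal:45} {issue}")
```

Against the sample data this reports root and bob without MFA, two stale access keys (bob's, and the first key of the programmatic-only ci-deploy user, which is correctly not flagged for MFA because it has no console password), both project-wide Token Creator grantees, and bob's subscription-scope Owner assignment, while leaving the resource-group-scoped Contributor and the subscription-scope Reader alone. Replace the constructed strings with the real CLI output to run it against your own tenant.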
Weak identity hygiene not only increases security risk but also creates challenges during audits and raises cyber insurance costs. In contrast, organizations that enforce four key controls (MFA on privileged accounts, just-in-time access elevation, short-lived keys, and vaulted machine credentials) see fewer audit findings and are better positioned in enterprise sales.
Regulatory pressure is also growing. In early 2025, new requirements from the EU’s DORA and eIDAS 2.0 frameworks, India’s Digital Personal Data Protection Act, and U.S. zero trust policies all pushed for stronger identity governance. Some laws now also address AI identity misuse, including deepfakes used for fraud.
“If your competitors are showing high cholesterol (weak MFA, stale keys),” the report says, “you need to know where you stand before the next breach or audit hits the headlines.”