When Cloud Migration Outpaces Governance, Risk Follows Organizations into the Future


The tension between widespread, rapid adoption of cloud technology and the slower, more deliberate work of establishing governance creates a concerning gap that must be addressed. Multi-cloud and hybrid application environments multiply identity and access complexity, creating a landscape that governance and security cannot keep up with. As a result, newer tools and platforms are not adequately managed, even as organizations implement them widely.

Cloud Maturity Isn’t Uniform — And That Matters

A recent publication from identity governance platform provider Pathlock, the 2025 Digital Transformation & Access Risk Report, explores governance and access control alignment trends as organizations adopt cloud tools for core functions. The study shows an imbalance in adoption patterns across organizations, with human resources and customer relationship management departments already largely cloud-native.

Areas like supply chain and procurement remain in active transition toward cloud adoption. When data and workflows begin to span both cloud and on-premises systems, cross-functional processes can lose oversight. Visibility is reduced, and tool sprawl can quickly become a problem for managing cloud governance and security.

When Migration Moves Faster Than Governance

The most revealing—and concerning—statistic in the report is the fact that only 7% of organizations updated their Governance, Risk, and Compliance (GRC) controls prior to migration, highlighting a dangerous gap. An additional quarter of organizations in the study implemented GRC controls after going live, and 14% failed to do so at all.

Over half (52%) of organizations did not embed GRC strategies from the beginning of cloud migration, and half skipped Segregation of Duties (SoD) checks when redesigning roles. These are all crucial parts of ensuring resilience and proper governance when migrating to cloud platforms. This failure is not an isolated, one-off oversight, but a systemic issue in how organizations approach cloud migration.

The Automation Deficit

With cloud adoption rapidly expanding attack surfaces and causing visibility issues, a lack of automation fuels operational risk. More than 70% of organizations lack automated access risk analysis, and user access reviews continue to be carried out manually and infrequently. Because human teams cannot tend to these processes in a timely manner, major gaps open in the management and control of user access.

Critical actions like provisioning and de-provisioning still depend heavily on human intervention, which can be impossible to manage in sprawling multi-cloud environments. The larger and more complex the landscape becomes, the harder it is to oversee and manage without automating key functions. Automating these functions is not just a nice-to-have convenience; it is a requirement for maintaining control at cloud scale.

Off-Boarding: The Slow Leak That Becomes a Flood

The report reveals that 51% of organizations fail to revoke access immediately after a user is terminated, illustrating how even basic cybersecurity hygiene breaks down during transformation. Stale access becomes a primary enabler of several types of security incidents. It can lead to insider fraud when users exploit outdated access, and to account compromise by malicious external actors. It can also create compliance violations, potentially leading to regulatory penalties.

The report’s statistics on off-boarding reveal that these are not issues of the past, but ongoing concerns that organizations should address. “This research shows that insider threats and delayed off-boarding continue to be common and preventable problems,” according to Teresa Rothaar, Governance, Risk and Compliance Analyst at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software.

Incidents Become Inevitable Without Governance

If complex multi-cloud environments are not overseen with proper governance, it is impossible to effectively protect systems and prevent incidents. Of the organizations in the study, 39% faced security or compliance incidents caused by governance gaps during cloud migration, 21% reported compliance violations in the past year, and 17% experienced insider fraud. Compared to before cloud migration, insider-related incidents spiked, with up to 23% occurring during or after the process.

Insider risk rises during periods of organizational flux, when distracted attention and large changes help hide suspicious and malicious behaviors. This is especially true where disconnected controls create gaps in visibility, reducing the chance of detection and prevention.

Why Governance Remains an Afterthought

Organizations tend to deprioritize governance for a variety of reasons. Pressure to move adoptions and implementations along quickly discourages slowing down to address crucial questions of governance. Many also assume that cloud technology is automatically secure. Governance is difficult to establish and manage when ownership is fragmented between IT, security, and business units, and many organizations allow legacy roles to drift into modern systems without re-evaluation.

Despite these challenges, it is more important than ever to ensure that governance is given sufficient attention. “Governance shouldn’t be treated as an afterthought or a roadblock to innovation,” says Rothaar. “It’s the foundation for secure, compliant, and resilient modernization.”

The Strategic Imperative Moving Forward

Looking ahead, it is critical to prioritize governance in cloud migration. Digital transformation only succeeds when governance transforms alongside it. Moving functionality to the cloud doesn’t remove the need for controls—it multiplies the places in which controls must exist. Organizations that treat governance as a foundational, rather than supplemental, factor in migration face dramatically reduced risk during modernization. Security leaders, CIOs, and transformation owners hoping to avoid the pitfalls in cloud migration now being documented at scale should look to data like the statistics provided in the Pathlock report.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.