Cloud

CLOUD-02

Non-Human Identity (NHI) Governance

This control asks one thing: How are non-human identities (service accounts, workloads, bots, CI/CD pipelines) authenticated, governed, and monitored across cloud and SaaS environments?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

Credential leakage leads to silent, persistent access. Breaches go undetected because activity appears 'legitimate.'

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Closes the fastest-growing attack surface in modern cloud environments.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Inventory all non-human identities and migrate secrets into a centralized vault.

What reaching level 2 (Developing) unlocks

Identity-native cloud security

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • Role-based policies for service accounts
  • Rotation intervals <30 days
  • Separation of dev/test/prod identities

Breach Radar

Seen in Real Breaches

These teardowns of public incidents cite CLOUD-02 as one of the controls that failed. Each one reconstructs the attack chain from public disclosures.

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for CLOUD-02 resolves to 4 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on CLOUD-02?

This page is the teaser layer. The full rubric behind CLOUD-02 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.