Cloud IAM is the set of identity primitives each major cloud provider exposes — AWS IAM, Azure (Entra) RBAC, GCP IAM — plus the cross-cloud capabilities that have become table stakes: federated workforce access, workload identity for service-to-service auth, secrets management, and detective controls (CloudTrail, Entra audit logs, GCP audit logs). Each provider models the same problems differently, and the gap between "permissions configured" and "least privilege actually achieved" is where most cloud breaches happen.
The hardest parts in practice are policy authoring at scale (intent expressed in JSON or Bicep is hard to review), workload identity federation (replacing static keys with short-lived tokens), and detection engineering against IAM-specific attack paths — privilege escalation via PassRole, service-principal abuse, OAuth-token theft, role-trust misconfigurations.
This page tracks our reporting on cloud IAM tooling (Sympatic, Branch, Wiz, Permiso, Common Fate, Okta Identity Threat Protection), real breach analyses, and policy patterns vetted in production.