
Volume 335, Issue 1 · IT News · Security

Shift Left Is Dead For Cloud PAM

Security Boulevard, Monday, February 2nd, 2026

I first tried to 'shift left' cloud identity in early 2020. We were building a greenfield AWS environment with a strong cloud team and leadership support to do things properly. The idea was familiar: push security decisions earlier, give developers autonomy, and avoid becoming the bottleneck later.

We accepted early that perfect least privilege was unrealistic. The goal was not precision. The goal was to reduce risk without slowing teams down.

In practice, shift left for identity turned into IaC scanning, service control policies, and cleanup controls meant to catch whatever slipped through.

The failure was consistent.

Trying to anticipate permissions ahead of time did not work. After two or three rounds of back-and-forth, policies almost always ended up with a wildcard. Developers were not careless. They were being asked to predict access needs months in advance while still shipping.
