What Cloud IAM Gets Right and How LastPass Business Max Delivers it for Small and Scaling Companies

Here's a number that should stop you cold: 165,142.

That's how many attack paths just one cloud asset created, according to Orca Security's 2025 research on public cloud vulnerabilities.

This means one misconfigured resource, unmanaged credential, or neglected permission gave attackers 165,142 routes to sensitive data.

Now, consider this: Organizations without centralized control over their SaaS lifecycles are 5X more likely to be attacked. And they also pay more when attacked, from $200,000 to $760,000.

If your business uses SaaS apps (and which business doesn't), the question isn't if you'll be attacked, but when.

What's the biggest cloud identity security risk for SMBs right now?

The biggest cloud identity security risk for SMBs is persistent access.

Orca Security, which analyzed billions of production cloud assets across AWS, Alibaba Cloud, Azure, Oracle Cloud, and Google Cloud Platform (GCP), found 78% of organizations have at least one IAM role that has remained unused for 90+ days.

Here's why this matters.

The average cloud asset has 115 vulnerabilities.

So, the IAM role that grants access to this asset – especially if it's a dormant role – becomes a critical risk.

This is because an attacker who assumes this unused role to access the cloud asset can exploit one of its 115 flaws for remote code execution (RCE) or data exfiltration.

Yet poor cloud identity security isn't just about cloud assets.

Orca Security reports that we have a non human identity (NHI)^* problem: NHIs outnumber their human counterparts by an average of 50:1.

And when NHIs aren't monitored, it can lead to unauthorized access, lateral movement, and data exfiltration.

It's a growing risk, but for most SMBs, it's the second problem to solve, not the first (more on this below).

*Non human identities include Google Cloud Platform (GCP) service accounts, IAM roles (AWS), API keys, and OAuth tokens used for M2M (machine-to-machine communications)

Has the cloud threat outpaced the small business cloud acces management strategy?

Yes, and for most of your peers, the gap is wider than they realize.

In 2026, we've entered the era of AI-orchestrated attacks and PhaaS (phishing-as-a-service), which makes the old security playbooks obsolete.

PhaaS kits like EvilProxy are bypassing SMS-based 2FA, and demand for these tools has surged 200% YoY (year-over-year).

Meanwhile, the infrastructures these attacks are targeting are riddled with cloud access management gaps.

Orca reports that 76% of organizations have at least one public-facing cloud asset that enables lateral movement, meaning a single successful login with one stale or weak credential can give attackers a pathway to your entire system.

Meanwhile, 85% of organizations still have plain-text secrets embedded in their source code repositories. If a dormant IAM role provides read or write access to one of those repositories, the attacker doesn't just get in. They get the key to everything connected to those repositories.

Is Shadow IT undermining your cloud asset management strategy without you knowing?

Almost certainly, and the scale of the issue is staggering.

Your employees are signing up for AI-powered productivity apps. And they're using corporate emails to sign into apps linked to AI agents like OpenClaw (formerly Moltbot).

You've likely heard that downloading OpenClaw is risky because the entire ecosystem is an open attack surface.

In February 2026, Trend Micro reported on OpenClaw skills being used as distribution channels for Atomic macOS Stealer (AMOS).

Here's how attackers are weaponizing the AI agent supply chain:

• First, OpenClaw "skills" are natural language instructions built around a SKILL.md file. When an agent chooses a skill, it follows the instructions inside the file, whether it's running a shell command or calling an API.
• AMOS is a known macOS infostealer that grabs credentials from iCloud KeyChain, browsers, crypto wallets, and files.
• Here's how the infection chain works: Users copy skills from ClawHub's GitHub repository to local folders or install skills via ClawHub CLI.
• OpenClaw skills with malicious instructions exploit your AI agent as a trusted intermediary, presenting you with setup steps you're conditioned to trust. This social engineering via agent prompts invites you to manually override macOS warnings and input your credentials.

And that's not all: Almost none of the apps your employees may be linking to OpenClaw are visible to your cloud asset management stack.

As Gartner has noted, 75% of employees are projected to use technology entirely outside of IT's visibility.

Meanwhile, 30% of IT leaders themselves say they use between 51 and 100 SaaS tools, with more than a quarter adding new SaaS tools every two to three weeks.

Every one of those apps is a potential entry point.

And every credential which isn't managed won't have the right security policies applied to it and won't appear on any audit trail: 86% of IT leaders now admit SaaS sprawl is leading to financial strain and security risks.

Why is LastPass Business Max the right cloud access management solution for SMBs?

Because it's the only solution that combines credential management, SaaS app visibility, and real-time access controls in a single plan.

It's also built specifically for lean teams, without the enterprise complexity that makes other tools impractical.

Here's the trap your peers fall into: they assume that solving cloud access management problems requires a 10-person IT team and a $300,000 budget.

LastPass Business Max is purpose-built for teams who don't have hours in the day to manage multiple consoles or deploy integration-heavy tools.

It's everything your business needs to close the gap between today's threat environment and the resources you have, delivered through a browser extension your team can trust.

No new agents, no long deployment timelines, and no separate systems to learn.

Here's what that looks like in practice:

• Credential management standardizes how every employee creates, stores, and shares passwords across your organization. It's the foundation of sound cloud identity security: It ensures credentials meet the standard required to resist modern attacks, and that no one is reusing weak or compromised credentials across apps.
• SaaS Monitoring is where Business Max starts to do something no traditional password manager can. It uncovers the hidden apps your employees are actually using. This is cloud asset management at the access layer. In just six months, nearly 5,000+ organizations have expanded into Business Max, a signal that the market has recognized this visibility gap as the urgent priority it is.
• SaaS Protect turns visibility into action. Once you see the shadow apps your team is using, you can set usage rules, block unapproved tools, and enforce cloud access management policies in real-time directly in the browser.

The new SaaS Protect dashboard gives you a true "single pane of glass" view. It creates a clear picture of what's allowed, restricted, or blocked across your organization. You can even add custom apps, defining policies before an app is discovered.

• SSO and FIDO2 MFA unifies access across every app and login, extending cloud identity security beyond passwords and closing the authentication gaps PhaaS kits are designed to exploit.

The result is a coherent, layered cloud access management posture, not a patchwork of disconnected tools with DIY identity security.

As Axxor, a global manufacturer with a lean IT team, puts it: "People are experimenting with AI tools ...We don't want to block innovation, but we do want to guide it safely. LastPass is smart, secure, and it just works."

Read the Axxor case study here and try Business Max free (no card required).

What is the real ROI of investing in cloud identity security?

The ROI of investing in cloud identity security is less about what you have to spend and more about what you never have to pay.

At $9 per user/month, a 20-person team will spend $2,160 per year on Business Max.

Set that against the average breach cost of $10.22 million, and the ROI becomes crystal clear.

Shadow IT/AI isn't just an IT problem but a financial and compliance liability.

Business Max surfaces redundant subscriptions and generates the audit trails that GDPR, HIPAA, and PCI DSS require.

When you see every tool your team uses, you don't just close security gaps. You find duplicate tools, abandoned subscriptions still billing your card, and forgotten apps with active employee credentials.

Dormant credentials, shadow apps, unmanaged logins – this is the path of least resistance for attackers targeting businesses like yours.

Business Max closes the human identity and SaaS visibility gap.

Sure, human-created NHIs like OAuth tokens, API keys, and service accounts are a growing risk, and so are AI agents like OpenClaw.

They connect to SaaS apps, inherit excessive privileges, and persist after employees leave. Without governance, NHIs and AI agents become attack vectors.

But if you don't have visibility into what apps your team is using or what permissions they've granted, you have no baseline from which to identify which NHIs and AI agents even exist in your system.

Getting this foundation right is the highest ROI move you can make in 2026.

You can't effectively govern NHIs or AI agents if you don't have visibility into your human identities first.

Business Max is where that visibility starts.

Sources

Orca Security 2025 Cloud Security report

Security Week: Cost of data breach in US rises to $10.22 million, says latest IBM report

Cloud Awards: The real cost of a breach in 2025: What the numbers mean for security leaders

IT Pro: Software sprawl is getting out of control

Astrix: Non human identities

Virus Total: From automation to infection: How OpenClaw AI agent skills are being weaponized

Trend Micro: Malicious OpenClaw skills used to distribute Atomic macOS stealer