Because “least privilege” dies the second our tools don’t talk to each other

We can’t run just-in-time access or cloud entitlement management in isolation. Not in 2026, not with identity attacks happening at machine speed, and not with securing agentic AI now a new and evolving priority. Microsoft’s own telemetry puts the volume at 600 million identity attacks per day, with 7,000 password attacks per second blocked over the past year. And Verizon keeps repeating the same thing: in basic web application attacks, about 88% of breaches involve stolen credentials.

So if our JIT/CIEM/ILM platform isn’t deeply integrated into the systems where identity actually lives, we don’t have a least-privilege program, we have a spreadsheet and a prayer. Those systems are HR, directories, cloud control planes, dev tooling, business SaaS, and the place where our teams approve things (via ChatOps).

Below is our tight list of the “minimum required CIEM integrations” (15 in total). It’s the shortest set that lets a modern security team run a workable loop:

discover → decide → grant → auto-expire → prove

1–3) The Cloud Control Planes: AWS, Azure, GCP

If we can’t integrate directly with the big three cloud providers, “CIEM” becomes “Cloud Guessing”. Full stop. We may not be multi-cloud right now, but (trust me) we will be in the future.

  • AWS integration is table stakes for discovering IAM roles/users/policies, mapping effective permissions, and finding the classics: wildcard actions, overly-broad resource scopes, and roles that are basically “admin, but with extra steps.”
  • Microsoft Azure integration matters because entitlement sprawl hides in management groups/subscriptions/nested groups, plus role assignments that survived three reorganizations and a Terraform rewrite.
  • Google Cloud integration matters because GCP’s org/folder/project hierarchy and service accounts create a different flavor of drift—especially where service accounts become pseudo-humans. 

This is where the blast radius gets reduced in a measurable way. This is where detections become actionable (“who can assume this role right now?”) instead of archaeological. 
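The “classics” the AWS bullet lists can be checked mechanically once the IAM policy JSON is in hand. Here is an added example (not code from the original post or from any vendor’s platform) of a small linter that flags wildcard actions, wildcard resources, `Allow` + `NotAction` inversions, and statements that amount to admin. The sample policy documents are constructed. The checks deliberately look at each statement on its own and ignore `Condition` blocks, SCPs, permission boundaries and resource policies, which a real CIEM engine has to evaluate before it can say who can assume what right now.

```python
"""Flag the IAM 'classics': wildcard actions, wildcard resources, and Allow
statements that amount to admin.

Added example, not code from the original post or any vendor product. The
sample policies are constructed. Checks look at each statement in isolation:
Condition blocks, SCPs, permission boundaries and resource policies are not
evaluated, so treat the output as a triage list, not an effective-permission answer.
"""
import json
from typing import Any, Dict, List, Set, Tuple

Finding = Tuple[int, str, str]  # (statement index, finding code, detail)


def _as_list(value: Any) -> List[Any]:
    """IAM allows either a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions
            findings.append((i, "NOT_ACTION_ALLOW", str(stmt["NotAction"])))
        for action in actions:
            if action == "*":
                findings.append((i, "WILDCARD_ACTION", action))
            elif action.endswith(":*"):
                findings.append((i, "SERVICE_WILDCARD_ACTION", action))
            elif "*" in action:
                findings.append((i, "PARTIAL_WILDCARD_ACTION", action))
        for resource in resources:
            if resource == "*":
                findings.append((i, "WILDCARD_RESOURCE", resource))
        if "*" in actions and "*" in resources:
            findings.append((i, "EFFECTIVE_ADMIN", "Action * on Resource *"))
        elif "iam:*" in actions and "*" in resources:
            # Full IAM rights on every resource let a principal attach
            # AdministratorAccess to itself: "admin, but with extra steps".
            findings.append((i, "IAM_ADMIN_EQUIVALENT", "iam:* on Resource *"))
    return findings


def finding_codes(policy: Dict[str, Any]) -> Set[str]:
    """Just the distinct finding codes, handy for asserting or alert routing."""
    return {code for _, code, _ in lint_policy(policy)}


def lint_policy_json(text: str) -> List[Finding]:
    """Policies usually arrive as JSON text (e.g. from get-policy-version)."""
    return lint_policy(json.loads(text))


# Constructed sample policies (not real account data)
SAMPLE_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-reports-bucket/*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}
SAMPLE_ADMIN_WITH_EXTRA_STEPS = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["iam:*", "s3:Get*"], "Resource": "*"},
}

if __name__ == "__main__":
    for name, pol in [("scoped", SAMPLE_SCOPED), ("admin-ish", SAMPLE_ADMIN_WITH_EXTRA_STEPS)]:
        print(name, lint_policy(pol))
```

The scoped policy produces no findings even though its resource ARN contains a `*`, because an object-level wildcard inside a named bucket is a scope, not a wildcard resource; the second policy trips four checks from a single statement, which is exactly the kind of role that looks harmless in a console listing.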

4–6) The Identity Control Plane: Entra ID, Okta, Google Workspace

Most access in most companies is still mediated through directories and IdPs. If our platform can’t integrate here, we can’t reliably enforce lifecycle management, group/role governance, or time-bound membership.

  • Microsoft Entra ID is the nerve centre for many modern enterprises, especially when it’s tied to Microsoft 365 and app access.
  • Okta remains a common IdP for multi-app SSO and role/group-driven access.
  • Google Workspace often looks like “just productivity” until we audit group membership and realize it’s also our internal access model.

This is the layer where “policy” becomes real: who is in what group, why, and for how long, and whether that group fans out into admin roles everywhere else.

7–8) The Source Of Truth That Actually Changes: Workday, Rippling

If HR is not integrated, our “least privilege” program will constantly lose fights to reality: joiners, movers, leavers, contractors, interns, and “oh, they left last Friday.”

The joiner-mover-leaver cycle is never-ending, especially in today’s economy. A modern platform includes HRIS integrations like Workday and Rippling.

The technical payoff:

  • Trigger downstream deprovisioning immediately when employment status changes.
  • Reduce “orphaned account access” windows (the silent killer of good audit outcomes).
  • Keep entitlement reviews aligned to what humans actually do and how they work.

Fewer manual tickets, fewer late-night escalations, fewer “we’ll remove it later” permissions that become permanent.

9–10) Dev Tooling: GitHub, GitLab

Repo platforms are privilege magnets. Org owners, repo admins, protected branches, CI secrets, deploy keys. This is where “code access” quietly becomes “production access.”

A modern platform integrates with GitHub and GitLab.

Why it matters for JIT/CIEM/ILM:

  • Devs need a path of least resistance, because devs.
  • We can time-bound high-risk roles (like org owner/repo admin).
  • We can identify stale accounts, broad permissions, and surprisingly overpowered teams (like, sorry, but cloud/platform/security engineering).
  • We can treat repo privilege as part of the same entitlement model as cloud privilege. Which is what it is, in practice.

11–13) Business-Critical SaaS: Salesforce, Snowflake, HubSpot

Security teams love cloud admin; attackers love customer data. CRMs and marketing automation platforms hold PII, pipeline, customer comms, integrations, and often “whoops, we connected it to everything.”

A modern platform must integrate with Salesforce, Snowflake, and HubSpot.

It’s the “quiet” side of identity risk. Broad access granted for convenience, then never revoked. It’s sensitive data, and the control expectation is boring but firm: access must be justified, reviewed, and removed when not needed. Let’s not even get started on Snowflake, where slow access approvals for SQL queries stretch out the time it takes business teams to get the data they need right away.

14–15) ChatOps: Slack, Microsoft Teams

If approvals aren’t in the flow of work, engineers will optimize around our process (probably by asking for permanent access).

Any modern platform should support Slack access requests and automation, and Microsoft Teams as a parallel path. ChatOps matters because it closes the loop. Request access where people already work, route approvals quickly, apply policy, grant access, and (this is the bit everyone forgets) expire it automatically.

Friction is the hidden cause of standing privilege.
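The loop at the top of the post (discover → decide → grant → auto-expire → prove), the HR-triggered deprovisioning described under Workday/Rippling, and the ChatOps request-approve-grant-expire flow above all share one ledger-style core. The following is an added example, not code from the original post or from any vendor’s product; `Grant`, `JitLedger`, the `apply_change` callback and the sample principals and entitlements are constructed for illustration. `apply_change` is where a real deployment would call the target system (IAM, Entra ID, GitHub, and so on) to add or remove the entitlement.

```python
"""Just-in-time access loop: request -> approve -> grant -> auto-expire -> prove,
plus an HR 'leaver' event that forces immediate revocation.

Added example; JitLedger, Grant and apply_change are constructed names, not a
real product API. All timestamps are injected so the walk-through is deterministic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Grant:
    grant_id: int
    principal: str
    entitlement: str
    justification: str
    requested_at: datetime
    approver: Optional[str] = None
    granted_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None
    revoke_reason: Optional[str] = None

    @property
    def active(self) -> bool:
        return self.granted_at is not None and self.revoked_at is None


class JitLedger:
    MAX_DURATION = timedelta(hours=8)  # policy ceiling for any single grant

    def __init__(self, apply_change: Callable[[str, str, str], None]):
        self._apply = apply_change  # (op, principal, entitlement) -> target system
        self._grants: Dict[int, Grant] = {}
        self._next_id = 1

    def request(self, principal: str, entitlement: str, justification: str, now: datetime) -> Grant:
        g = Grant(self._next_id, principal, entitlement, justification, now)
        self._grants[g.grant_id] = g
        self._next_id += 1
        return g

    def approve(self, grant_id: int, approver: str, duration: timedelta, now: datetime) -> Grant:
        """Decide + grant: separation of duties and a hard cap on duration."""
        g = self._grants[grant_id]
        if approver == g.principal:
            raise PermissionError("self-approval is not allowed")
        if duration > self.MAX_DURATION:
            raise ValueError("requested duration exceeds policy maximum")
        g.approver, g.granted_at, g.expires_at = approver, now, now + duration
        self._apply("grant", g.principal, g.entitlement)
        return g

    def expire_due(self, now: datetime) -> List[int]:
        """Auto-expire: revoke every active grant whose window has closed (run on a schedule)."""
        expired = []
        for g in self._grants.values():
            if g.active and g.expires_at <= now:
                self._revoke(g, now, "expired")
                expired.append(g.grant_id)
        return expired

    def leaver(self, principal: str, now: datetime) -> List[int]:
        """HRIS 'terminated' event: revoke everything the principal still holds, immediately."""
        revoked = []
        for g in self._grants.values():
            if g.active and g.principal == principal:
                self._revoke(g, now, "hr_leaver")
                revoked.append(g.grant_id)
        return revoked

    def _revoke(self, g: Grant, now: datetime, reason: str) -> None:
        self._apply("revoke", g.principal, g.entitlement)
        g.revoked_at, g.revoke_reason = now, reason

    def active_entitlements(self, principal: str) -> List[str]:
        return sorted(g.entitlement for g in self._grants.values()
                      if g.active and g.principal == principal)

    def evidence(self) -> List[dict]:
        """Prove: the audit trail an assessor asks for, one row per grant."""
        def fmt(d: Optional[datetime]) -> Optional[str]:
            return d.isoformat() if d else None
        return [{"id": g.grant_id, "principal": g.principal, "entitlement": g.entitlement,
                 "justification": g.justification, "approver": g.approver,
                 "granted_at": fmt(g.granted_at), "expires_at": fmt(g.expires_at),
                 "revoked_at": fmt(g.revoked_at), "revoke_reason": g.revoke_reason}
                for g in self._grants.values()]


def demo() -> JitLedger:
    """Constructed walk-through: one grant expires on schedule, one is cut short by HR."""
    changes: List[Tuple[str, str, str]] = []  # stands in for calls to the real target systems
    ledger = JitLedger(lambda op, p, e: changes.append((op, p, e)))
    t0 = datetime(2026, 2, 11, 9, 0, tzinfo=timezone.utc)
    a = ledger.request("alice@example.com", "aws:prod-deploy-role", "INC-1234 hotfix", t0)
    b = ledger.request("bob@example.com", "github:org-owner", "review org settings", t0)
    ledger.approve(a.grant_id, "carol@example.com", timedelta(hours=2), t0)
    ledger.approve(b.grant_id, "carol@example.com", timedelta(hours=4), t0)
    ledger.expire_due(t0 + timedelta(hours=3))  # alice's window closed at 11:00; bob's runs to 13:00
    ledger.leaver("bob@example.com", t0 + timedelta(hours=3, minutes=30))  # HR event: bob has left
    return ledger


if __name__ == "__main__":
    for row in demo().evidence():
        print(row)
```

The two rules in `approve` are the ones that matter most in practice: the requester can never be the approver, and no single grant can outlive the policy ceiling. Everything after that is bookkeeping, but it is the bookkeeping that produces the evidence trail instead of the screenshot scrapbook.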

The CIEM Integration Basics

IBM pegs the global average cost of a data breach at USD 4.4M (ouch). We don’t need a fantasy spreadsheet worthy of March Madness to justify integrations that shrink standing privilege, reduce the impact of credential abuse, remove access faster when someone leaves or moves department, and give us compliance evidence trails without screenshot scrapbooks.

This 15-integration minimum provides end-to-end coverage across the common systems that cause entitlement drift and the workflow that prevents “temporary” access from becoming permanent. If our platform can’t do these 15 well, sorry, but it’s not a JIT/CIEM/ILM platform. It’s an access-themed dashboard.

Want to see how these integrations work in the real world? Start a free trial and get full visibility into cloud and app entitlements, grant access only when it’s needed, revoke it automatically, and give auditors the evidence. All of the above and more, with new integrations weekly. No credit card. No nonsense. Live in about 30 minutes.

Nik Hewitt

Technology

February 11, 2026
