Security architecture reviews still spend too much time admiring boxes. VPCs, subnets, Kubernetes clusters, data stores, API gateways. Useful, but incomplete. The modern breach surface is often the set of things that can change those boxes.

Cloud control planes are where identity, deployment, logging, policy, secrets, and automation meet. That is where a boring permission mistake becomes a production incident. It is where a stale service principal can read data across environments, a CI token can deploy unreviewed code, or a broad admin role can turn one compromised account into a very bad week.

If it can create, change, read, export, or disable the system, it belongs in the threat model.

The map should include the operators

Most diagrams show where packets go. They rarely show who can change the route, rotate the key, approve the deployment, read the bucket, alter the policy, or suppress the alert. That missing layer is where real risk hides.

Control-plane review means asking about human identities, service identities, break-glass accounts, CI/CD systems, cloud org policies, IaC pipelines, secrets stores, and the systems that collect telemetry. If those are weak, the application diagram is mostly theater.

Identity and secrets are one conversation

Identity is not just users in a directory. It includes API keys, workload identities, access tokens, automation roles, SaaS app grants, database credentials, and the ugly temporary thing someone created during a migration three quarters ago. Secrets management and IAM should not be separate campfires.

The practical question is not "do we use a vault?" It is whether the organization can explain which identities exist, what they can touch, how they are rotated, who owns them, and whether the audit trail is good enough to reconstruct what happened.

The useful review

A useful control-plane review produces a short list of uncomfortable facts: privileged identities without owners, broad roles used by automation, logs that do not capture the action that matters, emergency access paths nobody tests, and data stores reachable by identities that do not need them.
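The questions in the two passages above (which identities exist, what they can touch, who owns them, whether credentials rotate, and which of the listed uncomfortable facts apply) are answerable mechanically once an inventory exists. The following is an added example, not tooling from the original note: it runs a review over a constructed inventory of IAM-style principals and returns the findings. The principal names, ARNs, account id, owner tags, the privileged-action list, the rotation and break-glass thresholds, and the fixed "today" date are all assumptions made for the example.

```python
"""Added example: control-plane inventory review over a constructed identity
inventory. Not the author's tooling; every record and threshold below is an
assumption made up for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from fnmatch import fnmatchcase

TODAY = date(2024, 6, 1)              # fixed so results are deterministic (assumption)
MAX_KEY_AGE_DAYS = 90                 # rotation threshold (assumption)
MAX_BREAK_GLASS_TEST_AGE_DAYS = 180   # how often emergency access must be exercised (assumption)

# A selection of actions that change who can do what, or silence telemetry. Not exhaustive.
PRIVILEGED = {
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PassRole",
    "iam:CreateAccessKey", "sts:AssumeRole", "organizations:LeaveOrganization",
    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:PutEventSelectors",
    "kms:ScheduleKeyDeletion", "secretsmanager:PutSecretValue",
}
LOG_SUPPRESSING = {"cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:PutEventSelectors"}
DATA_READ = {"s3:GetObject", "dynamodb:Scan", "dynamodb:GetItem", "secretsmanager:GetSecretValue"}


@dataclass
class Statement:
    actions: list[str]       # IAM-style action patterns; "*" and "iam:*" are allowed
    resources: list[str]     # ARN patterns


@dataclass
class Principal:
    name: str
    kind: str                # "human" | "service" | "ci" | "break-glass"
    statements: list[Statement]
    owner: str | None = None
    key_created: date | None = None   # long-lived credential, if any
    last_tested: date | None = None   # break-glass only
    needs: set[str] = field(default_factory=set)  # data stores this identity legitimately uses


def allowed(p: Principal, candidates: set[str]) -> set[str]:
    """Which of the candidate actions do this principal's statements grant? (case-insensitive glob)"""
    return {a for a in candidates
            for s in p.statements for pat in s.actions
            if fnmatchcase(a.lower(), pat.lower())}


def has_wildcard(p: Principal) -> bool:
    """True if any statement grants every action of a service, or applies to every resource."""
    return any(pat == "*" or pat.endswith(":*") for s in p.statements for pat in s.actions) \
        or any(r == "*" for s in p.statements for r in s.resources)


def reachable_stores(p: Principal, stores: list[str]) -> set[str]:
    """Data stores covered by the resource pattern of any statement that grants a read action."""
    out: set[str] = set()
    for s in p.statements:
        if not any(fnmatchcase(a.lower(), pat.lower()) for pat in s.actions for a in DATA_READ):
            continue
        out.update(st for st in stores if any(fnmatchcase(st, r) for r in s.resources))
    return out


def review(principals: list[Principal], stores: list[str], today: date = TODAY) -> list[tuple[str, str, str]]:
    """Return (principal, finding, detail) triples, one per uncomfortable fact."""
    findings: list[tuple[str, str, str]] = []
    for p in principals:
        priv = allowed(p, PRIVILEGED)
        if priv and p.owner is None:
            findings.append((p.name, "unowned-privileged", ", ".join(sorted(priv))))
        if p.kind in ("service", "ci") and has_wildcard(p):
            findings.append((p.name, "broad-automation-role", "wildcard action or resource"))
        if p.key_created and (today - p.key_created).days > MAX_KEY_AGE_DAYS:
            findings.append((p.name, "stale-credential", f"{(today - p.key_created).days} days old"))
        if p.kind == "break-glass" and (p.last_tested is None
                                        or (today - p.last_tested).days > MAX_BREAK_GLASS_TEST_AGE_DAYS):
            findings.append((p.name, "untested-break-glass", f"last tested: {p.last_tested}"))
        suppress = allowed(p, LOG_SUPPRESSING)
        if suppress:
            findings.append((p.name, "can-suppress-logging", ", ".join(sorted(suppress))))
        excess = reachable_stores(p, stores) - p.needs
        if excess:
            findings.append((p.name, "excess-data-reach", ", ".join(sorted(excess))))
    return findings


# Constructed inventory. The account id and ARNs are placeholders.
SAMPLE_STORES = [
    "arn:aws:s3:::analytics-events",
    "arn:aws:s3:::customer-exports",
    "arn:aws:dynamodb:us-east-1:123456789012:table/payments",
]
SAMPLE_PRINCIPALS = [
    # The "ugly temporary thing" from a migration: no owner, full admin, old key.
    Principal("migration-temp-2023", "service", [Statement(["*"], ["*"])],
              key_created=date(2023, 9, 1)),
    # Scoped deploy role: one family of functions, one role it may pass. Should produce no findings.
    Principal("ci-deploy", "ci",
              [Statement(["lambda:UpdateFunctionCode", "iam:PassRole"],
                         ["arn:aws:lambda:*:*:function:orders-*",
                          "arn:aws:iam::123456789012:role/orders-lambda-exec"])],
              owner="platform-team", key_created=date(2024, 5, 1)),
    # Needs one bucket, can read every bucket.
    Principal("analytics-reader", "service", [Statement(["s3:GetObject"], ["arn:aws:s3:::*"])],
              owner="data-team", needs={"arn:aws:s3:::analytics-events"}),
    # Emergency admin that nobody has exercised.
    Principal("break-glass-admin", "break-glass", [Statement(["iam:*", "cloudtrail:*"], ["*"])],
              owner="security-team", last_tested=None),
]

if __name__ == "__main__":
    for name, finding, detail in review(SAMPLE_PRINCIPALS, SAMPLE_STORES):
        print(f"{name:22} {finding:24} {detail}")
```

The point of the shape is that each finding maps to one question from the review, so a principal that is scoped, owned, rotated and only reaches the data it needs comes out clean, while the forgotten migration identity trips every check at once. Feeding it a real inventory means replacing the constructed records with output from the cloud provider's IAM listing and CloudTrail configuration, which the example deliberately does not do so that it runs offline.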

That is the work. Not drawing a prettier cloud diagram. Naming who can change reality, then reducing that power until the business can still move without leaving every door unlocked.
