A lot of SMB cloud environments look secure at first glance. The console has alerts turned on, admins use named accounts, and someone enabled basic encryption when the environment was built. Then normal work happens. A developer launches a VM for a short-lived test. A team lead opens broad access because a vendor needs something…