The cloud is like the wild west right now. Cloud applications are roaming the plains like gunslingers in a Spaghetti Western. That's a crazy analogy but the point is that all the hard work IT has done over the last decade to corral identities within your network has been rendered useless in the cloud.
Everything you know about your user is rendered useless when they go out and create an account in the cloud. A perfectly useful account for them to do their job but you in IT have no control over how they use it. Or know what they're doing. You have no idea what the user's cloud identity is: how they access it, what their account is, or if they should have access to it.
You need to understand their cloud identity. The best way to get a user to buy in to IT knowing about their cloud life is to offer them something. Cloud single sign-on is the best incentive to get users buy-in. Think about it, if you want to know that weird little obscure account they are using, tell them you'll help them sign on more easily with their network account.
So, how do you integrate cloud identity into your network identity? Workflow, beautiful role based workflow. Let's take the biggest and most common example: salesforce.com. In this example, you have 4 basic types of users who use salesforce: sales and service, user and manager. Two departments, two roles in each.
If you have an IdM platform provisioning users and giving them roles (if you don't, please call us!), just assign a workflow that provisions the cloud applications like salesforce. You know the user's role, so you can assign different permissions in salesforce to a sales manager v. a service user.
Once you've created the cloud account (in this case salesforce), you know the password, you have it linked to the user's network account. You give the user single sign on to the cloud application. Most cloud applications use some sort of standard authentication: SAML, WS-Trust, WS-Federation, and OAuth. Now, between the provisioning, the SSO, and the role based access, you know what the user is doing in your audit and you have controlled the wild west.
Of course, in this scenario you have also controlled what they do on network. And you might have dozens of cloud applications that you now control. Identity in the cloud is NOT different than identity on the network, you just need a way to manage both together.