Who should own the move from legacy PAM to identity-driven access?

Ownership usually sits across IAM, PAM, infrastructure, and platform teams because the change affects policy, session control, and operational workflows at the same time. The best indicator of readiness is whether the organisation can remove static access without losing continuity for critical systems.

Why This Matters for Security Teams

The move from legacy PAM to identity-driven access is not a tooling swap. It changes who approves access, how session risk is evaluated, and how secrets are issued and revoked across human and non-human identities. That ownership question matters because legacy PAM assumptions break down when service accounts, API keys, and automation pipelines need short-lived, task-specific access instead of standing privilege. NHI Mgmt Group research in the Ultimate Guide to NHIs shows why: only 5.7% of organisations have full visibility into their service accounts, and 97% of NHIs carry excessive privileges. When the migration is not owned clearly, teams keep static exceptions alive long after they should have been retired. The OWASP OWASP Non-Human Identity Top 10 frames the same problem as an identity governance issue, not just a vaulting issue. In practice, many security teams encounter privilege sprawl only after a service outage or access review failure has already exposed the weakness in their operating model.

How It Works in Practice

In practice, ownership should be shared, but accountability needs one coordinating lead. IAM usually owns policy design, identity lifecycle, and approval workflows. PAM owns session brokering, credential handling, and high-risk privileged use cases. Infrastructure and platform teams own the workloads that consume access and must redesign how agents, services, and CI/CD jobs authenticate. The cleanest model is a migration program led by identity architecture, with security governance and platform engineering as formal partners.

For identity-driven access to work, the organisation needs to replace standing secrets with JIT issuance, workload identity, and runtime policy checks. That means authorisation should happen at request time, not only through pre-assigned roles. Current guidance suggests pairing strong workload identity with short-lived credentials, because static RBAC alone cannot describe goal-driven automation. This is where implementation details matter: a service should prove what it is, request only what it needs, and lose access automatically when the task ends. The Top 10 NHI Issues and 52 NHI Breaches Analysis both reinforce that lingering credentials and weak visibility are common failure points. For control design, the OWASP Non-Human Identity Top 10 is useful for mapping where secrets, rotation, and brokered access need redesign. Where mature, teams also anchor workload identity in standards such as SPIFFE/SPIRE or OIDC-backed service tokens so the system can validate the workload itself instead of trusting a static credential.

• Define one accountable owner for the migration, then assign PAM, IAM, and platform tasks beneath that owner.
• Inventory NHIs, service accounts, API keys, and automation jobs before changing any access model.
• Move high-risk access to JIT issuance and revoke on completion, not on a monthly cycle.
• Use policy-as-code to evaluate intent, context, and system state at runtime.

These controls tend to break down when legacy systems cannot support short-lived tokens or when application owners are unwilling to refactor hard-coded secrets.

Common Variations and Edge Cases

Tighter identity-driven controls often increase operational overhead at first, so organisations must balance faster revocation against migration complexity and release friction. That tradeoff is especially visible in mainframes, vendor-managed platforms, and legacy batch jobs, where rotating secrets or enforcing runtime policy may require code changes the business has deferred for years. There is no universal standard for this yet, but current guidance suggests prioritising the highest-risk workloads first: internet-exposed automation, production service accounts, and anything that can trigger lateral movement or data exfiltration.

A second edge case is ownership inside regulated environments. Financial services and critical infrastructure often require formal change control, so the “owner” of the migration may be a programme board rather than a single team lead. That does not remove accountability; it just formalises decision rights across IAM, PAM, platform, audit, and application security. The best indicator of readiness is whether the organisation can remove static access without losing continuity for critical systems, which usually means secrets have been inventoried, dependencies are mapped, and rollback paths exist.

Another common exception is AI-enabled automation. If an agent can call tools, chain actions, or request resources autonomously, the migration is no longer just about human privilege workflows. In those cases, the same ownership model needs to extend to agent identity, intent-based authorisation, and ephemeral secrets. The practical lesson from NHI incidents such as BeyondTrust API key breach and JetBrains GitHub plugin token exposure is that static access rarely fails in a single place; it usually fails where ownership was assumed instead of defined.

Related resources from NHI Mgmt Group

• Who is accountable for MCP access when identity is federated?
• How should security teams run access reviews for non-human identities?
• How should security teams govern non-human identities that have persistent access?
• When does a machine identity become a compliance problem?