By NHI Mgmt Group Editorial Team
Published 2026-04-07
Domain: Governance & Risk
Source: SSH Communications Security

TL;DR: A European investment manager operating globally needed privileged access that was auditable, compliant, and fast enough for cloud-first operations, according to SSH Communications Security. The case shows that legacy PAM assumptions about static infrastructure and slow rollout cycles break down when regulated teams need ephemeral access without added complexity.


At a glance

What this is: This is a case study about cloud-first privileged access management in regulated financial services, showing that agentless, passwordless PAM can satisfy auditability and speed requirements across regions.

Why it matters: It matters because IAM teams must reconcile compliance, session traceability, and deployment speed across human, NHI, and automation-adjacent access patterns without reintroducing standing privilege.

By the numbers:

👉 Read SSH Communications Security's case study on cloud-first privileged access


Context

Cloud-first privileged access management is the discipline of controlling elevated access without slowing operational teams or weakening auditability. In this case, a globally operating investment manager needed privileged access that could satisfy regional regulatory expectations while still fitting an ephemeral infrastructure model and the pace of a competitive market.

The core governance problem is familiar to IAM teams: legacy PAM designs assume static systems, long rollout cycles, and persistent administration patterns. That assumption becomes brittle in modern finance, where access must be traceable, passwordless, and deployable quickly across cloud and data centre environments.


Key questions

Q: How should security teams govern privileged access in cloud-first environments?

A: Security teams should use brokered, auditable access paths that fit ephemeral infrastructure, then layer session recording and least-privilege assignment on top. The goal is to preserve speed without reintroducing standing credentials or heavyweight rollout overhead. In regulated environments, governance must prove access, not just permit it.

Q: When does legacy PAM become a poor fit for modern infrastructure?

A: Legacy PAM becomes a poor fit when it assumes static servers, long deployment cycles, and persistent host software in environments that are actually ephemeral and cloud-driven. At that point, control overhead becomes part of the operational problem. Teams should re-evaluate whether the platform matches the infrastructure lifecycle.

Q: What should organisations look for in privileged access auditability?

A: They should look for a complete chain of evidence: who accessed the system, what was approved, what actions were taken, and how those actions were recorded. Auditability is not just logging volume. It is the ability to reconstruct privileged activity in a way regulators and internal reviewers can trust.

Q: How do privileged access controls need to change for automation workflows?

A: Automation workflows should be treated as privileged actors with their own scope, approval, and revocation rules. If scripts or orchestration tools can make infrastructure changes, they need traceability and lifecycle governance just like human administrators. Otherwise, the access model stops at the boundary where the real risk begins.


Technical breakdown

Agentless privileged access in ephemeral infrastructure

Agentless PAM removes the need to install heavy endpoint agents on every managed system and instead brokers access centrally. In ephemeral environments, that matters because systems are short-lived and operational overhead rises quickly when controls depend on persistent local software. The result is a control model better aligned to cloud-native operations, where access can be issued, observed, and withdrawn without dragging lifecycle complexity into every host.

Practical implication: prefer access brokering models that do not depend on long-lived endpoint agents in short-lived infrastructure.

Passwordless access, session recording, and auditability

Passwordless privileged access reduces reliance on shared or manually handled secrets, while session recording preserves traceability for review and compliance. For regulated financial services, the value is not just stronger authentication. It is the ability to prove who accessed what, when, and under which conditions, without sacrificing the operational speed that cloud teams need. That combination is often the difference between a workable PAM programme and one that business units bypass.

Practical implication: pair passwordless access with session recording so privileged actions remain both fast and auditable.

PAM for cloud, data centre, and automation workflows

Modern privileged access programmes now have to govern more than human admins. The article points to expansion into automation and DevOps workflows, which means the same privileged access logic must work across scripts, orchestration tools, and cloud operations. That is where traditional PAM boundaries become visible: if a platform can only handle human sessions, it will not support the access paths that actually run the business.

Practical implication: map privileged workflows across humans and automation before deciding whether PAM coverage is complete.
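The three sections above describe a control model (a broker issues time-boxed access instead of standing credentials, a session trail that reviewers can reconstruct, and automation identities governed under the same rules as people) without showing what it looks like mechanically. The following Python model is an added illustration, not code from SSH Communications Security or from the case study. The broker key, grant format, revocation list and hash-chained session log are assumptions made for the example; a production broker would typically issue short-lived certificates from a key held in an HSM or KMS, but the checks a target host and an auditor perform are the same in shape.

```python
"""Brokered, short-lived privileged access with a tamper-evident session trail.

Added example (not the vendor's or the case study's code). The broker key, grant
layout, revocation set and hash-chained log are assumptions of this example.
Standard library only, so it runs offline.
"""
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

# Assumed broker signing key. A real broker keeps this in an HSM/KMS; the target
# host only ever needs the verification side, which is what makes the model agentless.
BROKER_KEY = b"example-broker-hmac-key"


def _canon(obj) -> bytes:
    """Canonical JSON so signatures and hashes are stable across re-serialisation."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_grant(principal: str, target: str, role: str, ttl_s: int, approved_by: str,
                kind: str = "human", now: Optional[float] = None) -> dict:
    """Broker side: a one-time, time-boxed grant bound to one target and one role."""
    now = time.time() if now is None else now
    body = {
        "grant_id": str(uuid.uuid4()),
        "principal": principal,        # human admin or automation identity
        "kind": kind,                  # "human" or "automation"; scope differs, rules do not
        "target": target,
        "role": role,
        "approved_by": approved_by,    # the approval is part of the evidence chain
        "not_before": now,
        "not_after": now + ttl_s,
    }
    tag = hmac.new(BROKER_KEY, _canon(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def validate_grant(grant: dict, target: str, revoked: set,
                   now: Optional[float] = None) -> tuple:
    """Target side: verify signature, binding, revocation and validity window, in that order."""
    now = time.time() if now is None else now
    body = grant["body"]
    expected = hmac.new(BROKER_KEY, _canon(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, grant["tag"]):
        return False, "bad signature"
    if body["target"] != target:
        return False, "grant bound to another target"
    if body["grant_id"] in revoked:
        return False, "revoked"
    if not (body["not_before"] <= now <= body["not_after"]):
        return False, "outside validity window"
    return True, "ok"


class SessionRecorder:
    """Hash-chained record of what happened inside one privileged session.

    Each entry commits to the previous entry's hash, and the first entry commits to
    the grant itself, so the session cannot be edited or re-ordered after the fact
    without breaking the chain.
    """

    def __init__(self, grant: dict):
        self.entries: list = []
        self._prev = hashlib.sha256(_canon(grant["body"])).hexdigest()

    def record(self, action: str, ts: float) -> None:
        entry = {"seq": len(self.entries), "ts": ts, "action": action, "prev": self._prev}
        entry["hash"] = hashlib.sha256(_canon(entry)).hexdigest()
        self._prev = entry["hash"]
        self.entries.append(entry)


def verify_chain(grant: dict, entries: list) -> tuple:
    """Reviewer side: rebuild the chain from the grant; stop at the first break."""
    running = hashlib.sha256(_canon(grant["body"])).hexdigest()
    for i, entry in enumerate(entries):
        if entry.get("seq") != i or entry.get("prev") != running:
            return False, i
        body = {k: v for k, v in entry.items() if k != "hash"}
        if hashlib.sha256(_canon(body)).hexdigest() != entry.get("hash"):
            return False, i
        running = entry["hash"]
    return True, len(entries)


def demo() -> dict:
    """Walk through issue, validate, record, tamper, revoke on constructed sample data."""
    t0 = 1_700_000_000.0
    revoked: set = set()
    human = issue_grant("alice", "db-prod-01", "dba", 900, approved_by="bob", now=t0)
    robot = issue_grant("ansible-runner", "db-prod-01", "deploy-only", 60,
                        approved_by="change-1234", kind="automation", now=t0)
    out = {
        "human_ok": validate_grant(human, "db-prod-01", revoked, now=t0 + 60)[0],
        "human_expired": validate_grant(human, "db-prod-01", revoked, now=t0 + 901)[1],
        "robot_wrong_target": validate_grant(robot, "db-prod-02", revoked, now=t0 + 10)[1],
    }
    rec = SessionRecorder(human)
    rec.record("sudo -i", t0 + 61)
    rec.record("systemctl restart postgresql", t0 + 62)
    out["chain_ok"] = verify_chain(human, rec.entries)
    tampered = [dict(e) for e in rec.entries]
    tampered[1]["action"] = "ls"                 # someone rewriting history
    out["chain_tampered"] = verify_chain(human, tampered)
    revoked.add(human["body"]["grant_id"])       # withdraw access mid-window
    out["human_revoked"] = validate_grant(human, "db-prod-01", revoked, now=t0 + 120)[1]
    forged = json.loads(json.dumps(human))
    forged["body"]["role"] = "root"              # privilege escalation attempt on the grant
    out["forged_role"] = validate_grant(forged, "db-prod-01", revoked, now=t0 + 60)[1]
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

What the model makes visible that the prose does not: the target host holds no per-user secret and runs no agent, only the verification step; exposure is bounded by the TTL and by the revocation set rather than by a password rotation cycle; the automation identity gets a narrower role and a shorter window but the same signature, binding and revocation checks; and the evidence chain fails closed at the first edited record, which is what "reconstruct privileged activity in a way regulators can trust" means in practice.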


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Legacy PAM assumptions break first in cloud-first regulated finance. This case shows that controls designed around static servers and long deployment cycles do not map cleanly to ephemeral infrastructure or multi-region compliance demands. The discipline problem is not just tool fit, but programme fit: auditability, speed, and operational simplicity have to coexist. Practitioners should treat this as a warning that conventional PAM architectures can become a governance bottleneck.

Agentless access is a governance choice, not just an architecture preference. When infrastructure is short-lived, controls that depend on endpoint persistence introduce avoidable friction and lifecycle overhead. The more the environment behaves like software, the less value there is in anchoring privileged access to heavyweight host-level dependencies. Practitioners should evaluate PAM through the lens of operational durability across ephemeral estates.

Passwordless privileged access reduces secret handling debt. In regulated environments, removing passwords from the privileged path can lower both user friction and audit exposure, especially when session recording preserves the evidence trail. That does not eliminate governance, but it changes where the control burden sits. Practitioners should see passwordless PAM as part of a broader move away from standing credential dependence.

Privilege governance now extends into automation and DevOps. The article’s forward-looking note on Ansible and Kubernetes reflects a broader market reality: privileged access is no longer confined to human admins. As infrastructure becomes more automated, the control plane must account for machine-operated sessions and the same traceability expectations applied to people. Practitioners should plan PAM coverage as a workflow problem, not a user problem.

Cloud-native PAM is becoming a baseline expectation in regulated sectors. The combination of regional oversight, cloud operations, and rapid deployment is pushing identity programmes toward lighter, more adaptable privileged access models. That does not make governance easier, but it does change the evaluation standard: if the control cannot keep pace with business operations, it will be sidelined. Practitioners should re-test PAM assumptions against current operating speed.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which keeps delegated access and offboarding gaps hidden.
  • For a broader control baseline, see NHI Lifecycle Management Guide for lifecycle, rotation, and offboarding practices that reduce access drift.

What this signals

Privileged access programmes will keep converging with NHI governance even when the initial use case is human administration. The more cloud operations, DevOps, and automation enter the privileged path, the more identity teams have to govern machine-operated access with the same rigour they apply to people. This is where PAM stops being a narrow admin-control programme and becomes part of a broader identity lifecycle discipline.

Confidence in NHI security is still materially lower than confidence in human identity controls. With only 1.5 out of 10 organisations highly confident in securing NHIs, per The State of Non-Human Identity Security, many programmes are still overestimating their ability to govern machine and automation-adjacent privilege. That gap will matter more as privileged access expands into orchestration and agentic workflows.

Cloud-native PAM should be evaluated as a control-plane capability, not a product feature. If it cannot support audit evidence, rapid rollout, and lifecycle governance across ephemeral assets, the business will route around it and re-create risk in side channels.


For practitioners

  • Map privileged access to infrastructure lifecycle, not just user roles. Inventory where privileged sessions occur across cloud, data centre, and automation paths, then decide whether each path needs a human session, a service account, or an orchestration identity. This is where lifecycle ownership and offboarding evidence become essential.
  • Prioritise agentless controls for ephemeral estates. For short-lived systems, avoid access designs that depend on persistent endpoint agents or manual software rollout on every host. Use brokered access patterns that can be deployed quickly and removed cleanly as infrastructure scales or expires.
  • Require session recording for all elevated actions. Make evidence collection part of the privileged path so audit teams can reconstruct administrative activity across regions and business units. Session recording is especially important where regulatory scrutiny is high and privileged access must be defensible after the fact.
  • Extend PAM controls into automation workflows. Review Ansible, Kubernetes, and adjacent operational tools as privileged actors in their own right. If they can change infrastructure, they need access scope, traceability, and revocation rules that are as deliberate as those applied to human administrators.

Key takeaways

  • The core issue is not whether privileged access is allowed, but whether it remains auditable and fast enough for cloud-first regulated operations.
  • The case shows that static, agent-heavy PAM models struggle when infrastructure is ephemeral and deployment speed is part of the business requirement.
  • Teams should extend privileged access governance into automation workflows before machine-operated sessions become the least visible part of the environment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI7: Long-Lived Secrets | Passwordless privileged access and short-lived, brokered grants replace the standing secrets this entry warns about.
NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Least-privilege access and traceable privilege are central to this PAM case.
NIST Zero Trust (SP 800-207) | Section 2.1 tenets (per-session, least-privilege access decisions) | Zero Trust principles support continuous verification for privileged access in cloud operations.

Review privileged access paths for standing secret use and replace them with brokered, short-lived access.


Key terms

  • Privileged Access Management: Privileged Access Management is the discipline of controlling, monitoring, and reviewing elevated access to systems and data. In practice, it focuses on how administrators, automation, and service identities receive access, how sessions are evidenced, and how standing privilege is reduced over time.
  • Ephemeral Infrastructure: Ephemeral infrastructure refers to systems that are short-lived, frequently replaced, or dynamically scaled. For identity teams, that changes the control model because access must be provisioned, traced, and retired quickly without depending on persistent host-level agents or long-lived configuration states.
  • Passwordless Access: Passwordless access uses authenticators or brokered access patterns that do not rely on typed passwords or shared secrets in the privileged path. In regulated environments, it can reduce secret handling risk while improving usability, but it still requires strong audit trails and lifecycle governance.
  • Session Recording: Session recording captures privileged activity during an interactive access session so later reviewers can reconstruct what occurred. It is more than logging because it preserves context, sequencing, and operator actions, which makes it valuable for audit, incident review, and accountability in regulated operations.

Deepen your knowledge

Cloud-first privileged access, session recording, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a PAM programme that must work across cloud, automation, and regulated operations, it is worth exploring.

This post draws on content published by SSH Communications Security: a case study on cloud-first privileged access for a European investment manager. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org