By NHI Mgmt Group Editorial Team
Published 2026-02-18
Domain: Breaches & Incidents
Source: Delinea

TL;DR: Senior regional leaders have been added for EMEA and APAC as the vendor expands go-to-market capacity around identity security, channel scale, and customer success, according to Delinea. The move shows how identity vendors are pairing platform growth with regional execution, while practitioner programmes still need clearer governance for human and machine access.


At a glance

What this is: Delinea is expanding its regional leadership in EMEA and APAC while positioning identity security as a core control plane for modern enterprises.

Why it matters: For IAM teams, this signals continued market pressure to govern human and machine identities together while aligning operating models, channel coverage, and lifecycle controls across regions.



Context

Identity security programmes increasingly fail when they are treated as a headquarters-only function. Regional execution matters because cloud adoption, channel delivery, and access governance all vary by market, yet the underlying governance model still has to cover humans, machines, and the privileges they carry. Delinea's leadership changes sit in that operating reality rather than in a product feature story.

The article is really about how vendors are organising themselves around identity becoming the control plane for modern enterprises. For practitioners, the takeaway is less about hiring and more about the direction of travel: identity governance is being pulled into broader platform, channel, and regional scaling decisions that affect how access is granted, reviewed, and monitored.


Key questions

Q: How should identity teams govern human and machine access in the same programme?

A: Treat them as one governance problem with different privilege patterns, not as separate programmes. Use a shared policy model for approvals, entitlements, review cadence, and revocation, then adapt the operational controls for the actor type. Human access may need more user-experience handling, while machine access needs tighter lifecycle discipline and stronger evidence of task-bounded privilege.

Q: When does centralized authorization improve identity governance most?

A: It helps most when entitlement decisions are scattered across cloud, SaaS, infrastructure, and partner workflows. Centralized authorization reduces policy drift, improves auditability, and makes it easier to enforce consistent privilege rules across regions. It is most valuable where administrators, developers, and machines all need access under different timing and scope constraints.

Q: What do IAM teams get wrong about just-in-time access?

A: They often stop at policy design and never verify runtime behaviour. If access is still present after the task ends, or if exceptions become the norm, JIT has not reduced exposure. Teams should test approval, issuance, and revocation together, because the control only works when the entire access window is tightly bounded.

Q: Who should own lifecycle governance for service accounts and machine identities?

A: Ownership should sit with the same governance function that manages human lifecycle controls, but with engineering and platform teams providing operational input. Service accounts and machine identities need joiner-mover-leaver rules, recertification, and offboarding discipline so their access does not outlive the business process that created it.


Technical breakdown

Regional execution in identity security platforms

Identity security platforms depend on more than product capability. They also need regional sales, partner, and delivery structures that can support deployment, account expansion, and local customer requirements. In practice, EMEA and APAC often create different demand patterns around compliance, channel motion, and cloud adoption, which makes regional leadership part of the operating model rather than a back-office detail. When vendors scale internationally, the identity programme must still deliver consistent authorization, lifecycle governance, and evidence collection across jurisdictions.

Practical implication: treat regional operating models as part of identity governance design, not just commercial organisation.

Centralized authorization for human and machine identities

Centralized authorization means access decisions are made from one governance layer rather than scattered across systems and teams. That matters because modern environments mix workforce users, administrators, developers, service accounts, and machine identities, each with different privilege patterns and review needs. The technical challenge is not merely discovering identities. It is making sure access context, approval logic, and enforcement stay consistent across cloud, SaaS, and traditional infrastructure without creating blind spots or control drift.

Practical implication: map authorization decisions to a single policy model that spans human and machine identities.

Just-in-time runtime authorization and privilege reduction

Just-in-time runtime authorization limits access to the moment it is needed and reduces persistent privilege. In machine and administrator workflows, that lowers exposure because standing access is not left in place between tasks. The mechanism only works if the entitlement request, approval, issuance, and revocation chain is tightly controlled and observable. Without that, just-in-time becomes a label rather than a governance outcome, and privileged access still accumulates in operational shortcuts, exception paths, or unreviewed automation.

Practical implication: verify that JIT access actually revokes privileges at task end, not just at policy definition time.
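One way to run that check, as an added example that is not from Delinea or the original post: a small audit over grant events that flags issuance without approval, late revocation, and access still standing after the approved window. The event layout, grant ids, and finding names are constructed for illustration, and the approved window is assumed to start at issuance.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, grant id, event, approved minutes).
# The field layout is an assumption for this example, not a product log format.
EVENTS = [
    ("2026-02-18T09:00:00", "g1", "approved", 30),
    ("2026-02-18T09:01:00", "g1", "issued", None),
    ("2026-02-18T09:25:00", "g1", "revoked", None),   # inside the window
    ("2026-02-18T10:00:00", "g2", "approved", 15),
    ("2026-02-18T10:02:00", "g2", "issued", None),
    ("2026-02-18T10:40:00", "g2", "revoked", None),   # 23 minutes late
    ("2026-02-18T11:00:00", "g3", "issued", None),    # exception path, no approval
    ("2026-02-18T11:10:00", "g3", "revoked", None),
    ("2026-02-18T12:00:00", "g4", "approved", 20),
    ("2026-02-18T12:01:00", "g4", "issued", None),    # never revoked
]
NOW = datetime.fromisoformat("2026-02-18T13:00:00")  # constructed audit time


def audit_jit(events, now):
    """Return {grant_id: [findings]} for grants that break the JIT chain."""
    grants = {}
    for ts, gid, kind, minutes in events:
        g = grants.setdefault(gid, {})
        g[kind] = datetime.fromisoformat(ts)
        if kind == "approved":
            g["window"] = timedelta(minutes=minutes)

    findings = {}
    for gid, g in grants.items():
        issued, approved, revoked = g.get("issued"), g.get("approved"), g.get("revoked")
        if issued is None:
            continue  # approved but never issued: no privilege was exposed
        issues = []
        if approved is None or approved > issued:
            issues.append("issued-without-approval")
        else:
            # Assumption: the approved window starts at issuance.
            deadline = issued + g["window"]
            if revoked is None and now > deadline:
                issues.append("not-revoked-after-window")
            elif revoked is not None and revoked > deadline:
                issues.append("late-revocation")
        if issues:
            findings[gid] = issues
    return findings


if __name__ == "__main__":
    for gid, issues in audit_jit(EVENTS, NOW).items():
        print(gid, ", ".join(issues))
```

Grant g1 passes because revocation lands inside its 30-minute window; the other three each fail a different link of the approval, issuance, and revocation chain.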


NHI Mgmt Group analysis

Identity platform growth is now a regional governance issue, not just a sales motion. When vendors expand leadership across EMEA and APAC, they are signalling that identity security has become operationally regional as well as technically global. That matters because access policies, partner delivery, and regulatory expectations differ by market, but the underlying governance model still has to remain consistent. Practitioners should treat regional scale as a test of whether identity controls can be enforced uniformly without losing local accountability.

Centralized authorization is becoming the architectural answer to identity sprawl. The article reinforces a field-wide shift away from fragmented access decisions toward a single control plane for human and machine identities. That approach is increasingly necessary where cloud adoption, AI automation, and developer access all intersect. The implication for practitioners is that identity governance now has to absorb more runtime context without losing auditability or consistency.

Just-in-time access is moving from a privilege pattern to a core governance expectation. Delinea's reference to planned runtime authorization reflects a market where standing privilege is harder to justify, especially for privileged and machine-led workflows. The practical meaning is that access duration, task scope, and revocation timing are becoming central design questions for IAM and PAM teams. Practitioners should assume reviewers will ask not only who can access a resource, but for how long and under what runtime conditions.

Identity programmes now need to govern the full lifecycle across humans, machines, and administrators. The article's language about discovering identities, assigning access, detecting irregularities, and responding in real time points to an expanding lifecycle scope. That creates pressure on governance teams to align joiner-mover-leaver processes, privilege review, and monitoring across actor types instead of maintaining separate operating assumptions. Practitioners should re-check whether their lifecycle controls are still coherent across the whole identity estate.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how much room remains between intent and operational control.
  • For a broader view of why this matters, see Ultimate Guide to NHIs and Why NHI Security Matters Now for the market forces pushing identity governance into the foreground.

What this signals

Centralized authorization will keep expanding because fragmented identity decision-making no longer matches how enterprises operate. Regional leadership, channel motion, and hybrid infrastructure all push toward one governance layer, but the programme challenge is to keep policy consistent while still supporting local execution. Practitioners who still run separate rules for cloud, SaaS, and privileged administration are likely to see more drift, not less.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, identity governance cannot stop at internal users and servers. The next maturity step is to extend visibility, lifecycle control, and review discipline into delegated access paths that often sit outside the core IAM operating model.

Lifecycle discipline is becoming the differentiator in mature identity programmes. The teams that can consistently offboard, recertify, and bound access for humans, service accounts, and machine identities will have a more defensible control environment than those relying on static entitlements. That shift makes identity governance less about provisioning volume and more about governing the full lifespan of access.


For practitioners

  • Validate regional governance consistency: Review whether EMEA and APAC teams apply the same access request, approval, and review standards as headquarters, especially for privileged and machine identities. If regional teams use local exceptions, document who owns them and how they are retired.
  • Map centralized authorization to actual systems: List the systems where human, developer, admin, and machine access decisions are still made independently, then identify where policy drift creates audit gaps. Use that map to decide which entitlements should move into a single authorization layer.
  • Test JIT revocation timing in privileged workflows: Walk through a privileged access request from approval to revocation and confirm the entitlement really disappears at the end of the task. Pay special attention to emergency access, API-driven administration, and any workflow that can outlive the original approval.
  • Align lifecycle controls across all identity types: Check that joiner-mover-leaver processes, recertification, and offboarding are defined for humans, service accounts, and machine identities in one governance model. The goal is to remove the assumption that only human identities need lifecycle discipline.

Key takeaways

  • Delinea's leadership changes are best read as a scaling signal for identity governance, where regional execution and access control now move together.
  • The article reinforces the shift toward centralized authorization and task-bounded access as the practical response to human and machine identity sprawl.
  • IAM teams should use this moment to test whether their lifecycle, privilege, and regional governance models still hold across all identity types.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Centralized authorization and machine identity governance are core to this article. |
| NIST CSF 2.0 | PR.AC-4 | The post emphasizes access governance across human and machine identities. |
| NIST Zero Trust (SP 800-207) | GV.3 | Centralized authorization and continuous verification align with zero trust governance. |

Apply zero trust governance to keep identity decisions consistent across cloud and on-prem environments.


Key terms

  • Centralized Authorization: A governance model where access decisions are made from a single policy layer instead of being scattered across applications and teams. It helps keep approvals, entitlements, and revocation consistent across humans, machines, and administrative workflows, which is essential when identity sprawl creates overlapping access paths.
  • Just-in-Time Access: A privilege pattern that grants access only when a task requires it and removes it when the task is complete. For non-human and privileged workflows, the control matters most when revocation is real, observable, and enforced at runtime rather than left as a policy promise.
  • Identity Lifecycle Governance: The set of processes used to manage identity creation, change, review, and removal from joiner to leaver. For NHIs, machines, and human users alike, the goal is to ensure access does not outlive the business need, the owner, or the approved purpose.

This post draws on content published by Delinea: Delinea appoints three senior leaders to accelerate growth across EMEA and APAC. Read the original.
