By NHI Mgmt Group Editorial Team | Published 2025-09-04 | Domain: Governance & Risk | Source: Netwrix

TL;DR: 68% of organisations suffered a cyberattack in the last 12 months, while 49% would prioritise improving PAM if they could choose, according to Netwrix Research Lab’s survey of 1,610 IT professionals across 106 countries. The message for identity programmes is clear: hybrid security still fails at privilege control, not just at perimeter coverage.


At a glance

What this is: Netwrix's 2023 hybrid security trends report. Its key finding is that cyberattack exposure remains high while privileged access management is still the control many teams want to improve first.

Why it matters: Hybrid security failures show up first in identity and privilege management, which affects NHI, human access, and the guardrails around emerging autonomous systems.



Context

Hybrid security is the operating model where organisations run critical workloads across on premises and cloud environments, so identity control has to hold across both. That is where many programmes still break down: the same privileges, credentials, and administrative pathways behave differently once infrastructure is distributed and harder to observe.

Netwrix's survey points to a familiar pattern in identity security. Attack frequency stays high, but the remediation instinct still centres on privileged access rather than on a broader redesign of how identities, sessions, and access boundaries are governed across hybrid estates.


Key questions

Q: How should security teams reduce privilege risk in hybrid environments?

A: Start by inventorying every elevated identity that can operate across on premises and cloud systems, then remove standing access wherever possible. Pair that with task-scoped approval, session oversight, and clear ownership so privileged accounts cannot drift outside governance. The goal is to narrow the blast radius before attackers exploit the same trust path.

Q: Why do hybrid environments make PAM harder to govern?

A: Hybrid environments spread elevated access across different control planes, which makes it easier for privilege to become inconsistent, duplicated, or invisible. PAM becomes harder because one set of controls rarely covers human admins, shared accounts, and cloud roles equally well. Teams need one governance view of privilege, even if execution differs by platform.

Q: What breaks when privileged access is left standing in hybrid estates?

A: Standing privilege turns one compromised identity into a broad access path across multiple systems. Once credentials or admin rights are exposed, attackers can move faster than review cycles and use the same privilege again and again. That is why hybrid programmes need revocation speed, session control, and tighter entitlement scope.

Q: Who is accountable when privileged access fails in a hybrid security programme?

A: Accountability should sit with the identity, infrastructure, and security owners jointly, because no single team controls the full privilege path in a hybrid estate. The practical test is whether each elevated identity has a named owner, a business purpose, and a review process. If any of those are missing, accountability is already fragmented.


Technical breakdown

Why hybrid infrastructure increases identity risk

Hybrid environments expand the number of identity control planes a team must govern at once. On premises systems often rely on long-lived administrative accounts and inherited trust, while cloud environments introduce APIs, service identities, and role-based access paths that can drift quickly. The result is not just more assets, but more inconsistent privilege models, more places where credentials can linger, and more difficulty proving that access matches business need across environments.

Practical implication: map every high-risk identity path across on premises and cloud so you can see where privilege is duplicated, inherited, or left standing.

Privileged access management in hybrid security

PAM is the discipline for controlling elevated access, whether it belongs to a human administrator or to a non-human workload with sensitive permissions. In hybrid estates, PAM has to cover shared admin accounts, emergency access, vaulting, approval workflows, and session oversight across multiple platforms. If those controls are fragmented, attackers do not need to defeat every environment. They only need one privileged path that is exposed, reused, or poorly governed.

Practical implication: treat privileged access as a cross-platform control set, not a separate on-premises and cloud programme.

Why cyberattack data matters for identity governance

Attack prevalence is not just a security metric. It is a governance signal that identity controls are not limiting how far an intruder can move once initial access occurs. In a hybrid model, the blast radius is shaped by entitlement scope, session visibility, and the speed of revocation. When those functions are weak, cyber insurance and detection tooling may reduce financial shock, but they do not resolve the underlying access problem.

Practical implication: use attack frequency as a trigger to review entitlement scope, administrative session monitoring, and revocation speed.


Threat narrative

Attacker objective: The attacker wants to turn one identity foothold into broad hybrid access, data exposure, and operational disruption before privilege can be revoked.

  1. Entry typically begins through a compromised credential, exposed privileged account, or another identity foothold that crosses the boundary between on premises and cloud systems.
  2. Escalation follows when the attacker finds standing privilege, weak PAM controls, or reused administrative trust that allows broader access than the initial identity should have had.
  3. Impact comes from the ability to move across hybrid systems, access sensitive data, and accelerate disruption before teams can contain the privileged session.



NHI Mgmt Group analysis

Hybrid security fails first at privilege continuity, not at environment type. The report shows organisations are operating across on premises and cloud while still struggling to make elevated access behave consistently. That is not an infrastructure problem alone. It is an identity governance problem because the same actor can inherit different trust rules depending on where it lands. Practitioners should read hybrid risk as a privilege-containment failure, not a simple architecture mismatch.

Privileged access management is the clearest control signal in this report. Nearly half of respondents say they would improve PAM first if they could choose. That is a strong indicator that teams already understand where compromise becomes consequential. The field should treat PAM as the place where hybrid governance, incident containment, and auditability converge, not as a narrow admin toolset. Practitioners should prioritise the privilege layer before adding more detection noise.

Standing access remains the dominant assumption behind hybrid compromise. PAM was designed for environments where elevated access could be identified, approved, and then reviewed over time. That assumption fails when identities persist across cloud and on premises with overlapping privileges and weak session boundaries. The implication is that hybrid programmes need to rethink how privilege is bounded across the full access lifecycle, not just how it is logged.

Identity blast radius is now the more useful metric than perimeter coverage. The report's cyberattack prevalence shows that attacks are common enough that governance must focus on limiting consequence, not merely preventing entry. In hybrid estates, the decisive question is how far a compromised identity can travel before it is stopped. Practitioners should measure containment by privilege scope, not by environment label.

Cyber insurance is a response layer, not an identity control. The report shows 59% of organisations either have a policy or plan to buy one, which signals that many teams are still using financial transfer to compensate for technical gaps. That may help after the fact, but it does not change whether privileged access is exposed, reusable, or oversized. Practitioners should separate risk financing from privilege governance.

From our research:

  • 19% of organisations give AI systems dramatically more access than human employees, nearly one in five granting unrestricted privilege, according to The 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI, which shows that governance maturity is still trailing adoption.
  • That gap makes the case for Ultimate Guide to NHIs - Key Research and Survey Results stronger for teams rethinking access models across humans, machines, and agents.

What this signals

Identity blast radius will become the metric that separates mature hybrid programmes from brittle ones. The article points to attack prevalence, but the operational lesson is that teams must measure how far a compromised identity can travel before control is lost. In practice, that means tying privileged access reviews to containment outcomes, not just compliance cycles.

With 67% of organisations still relying heavily on static credentials in the 2026 Infrastructure Identity Survey, the same control weaknesses that affect hybrid infrastructure will also shape AI and machine identity governance. Teams that unify privilege scope, session control, and revocation across actor types will be better placed to absorb the next wave of access complexity.


For practitioners

  • Map privileged identities across the hybrid estate: Inventory every admin account, emergency account, service credential, and cloud role that can reach sensitive systems. Tie each one to an owner, a purpose, and a review cadence so no elevated identity exists outside governance.
  • Shrink standing privilege before adding more controls: Replace persistent elevation with just-in-time approval and task-scoped access where the workflow supports it. Focus first on the privileges that can traverse both on premises and cloud systems because those create the widest blast radius.
  • Unify privileged session oversight: Monitor privileged activity through a single control model that covers session start, command scope, and revocation across platforms. Without consistent oversight, hybrid access reviews will miss the most dangerous privilege paths.
  • Use attack frequency to reprioritise remediation: Treat repeated compromise as evidence that privilege scope and revocation speed are lagging. Feed incident patterns into access review decisions so remediation focuses on the identities attackers actually abuse.

Key takeaways

  • Hybrid security remains fragile because privilege is still treated as a platform-specific problem instead of a cross-environment governance issue.
  • The survey data shows that attack exposure is common and that PAM is where many practitioners would invest first, which is a strong signal about control priority.
  • The most effective response is to reduce standing privilege, unify oversight, and measure containment by identity blast radius rather than by infrastructure boundary.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | The report centres on privileged access control across hybrid estates.
NIST CSF 2.0 | PR.AC-4 | Hybrid privilege management maps directly to access governance and least privilege.
NIST Zero Trust (SP 800-207) | | Zero trust requires continuous verification of access across mixed environments.

Map elevated identities to PR.AC-4 and reduce persistent access wherever task-scoped access is possible.


Key terms

  • Hybrid security: Hybrid security is the practice of protecting systems that run partly on premises and partly in cloud services. The challenge is that identity, access, and monitoring controls often behave differently across those environments, which creates inconsistent privilege and broader attack paths if governance is fragmented.
  • Privileged access management: Privileged access management is the discipline of controlling high-risk access to systems, data, and administrative functions. It covers approval, vaulting, session oversight, and review for both human administrators and non-human identities that carry elevated permissions.
  • Standing privilege: Standing privilege is access that remains available all the time instead of being granted only when needed. In hybrid environments, it is dangerous because a compromised identity can keep reusing the same elevated rights across multiple systems until someone notices and revokes them.


This post draws on content published by Netwrix: 2023 Hybrid Security Trends Report. Read the original.
