TL;DR: Privileged access is shifting from password vaulting and session brokering toward identity-driven, policy-based control as organisations reduce reliance on standing SSH keys and static credentials, according to SSH Communications Security. The core issue is not just stronger governance, but that legacy PAM assumptions were built for stable environments, not ephemeral, automation-heavy infrastructure.
At a glance
What this is: An analysis of how privileged access management is moving from static credential control toward identity-driven, just-in-time access.
Why it matters: IAM teams must decide how to govern privileged access across NHI, autonomous, and human workflows as environments become more ephemeral and Zero Trust-oriented.
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
👉 Read SSH Communications Security's analysis of identity-driven JIT privileged access
Context
Privileged access management is no longer just about storing passwords and brokering admin sessions. In identity security terms, the issue is whether privileged access is still being treated as a static entitlement or as a dynamic, policy-driven decision that changes with context, session state, and workload behaviour. That shift matters most for NHI governance, where SSH keys and other long-lived secrets behave like pre-positioned access rather than continuously verified identity.
Legacy PAM assumptions break when infrastructure becomes ephemeral, automation-driven, and more tightly aligned with Zero Trust architecture. Static credentials can still be governed, but they cannot provide the same real-time enforcement, observability, or revocation model that modern access programmes expect. For teams managing service accounts, workload access, and human administrators, the question is increasingly about reducing standing privilege rather than just controlling it better.
SSH-based access sits at the centre of that tension because it is both operationally embedded and hard to make ephemeral. Organisations that understand this gap are moving from credential-centric management toward access intent, where the real control point becomes authenticated identity plus policy rather than a reusable secret.
Key questions
Q: How should security teams reduce reliance on standing SSH keys?
A: Start by identifying where long-lived keys still create persistent administrative reach, then replace those paths with policy-driven, time-bound access wherever the business can tolerate it. The goal is not to rotate keys faster forever, but to shrink the number of credentials that can outlive the task they support.
Q: Why do static credentials create more risk in ephemeral environments?
A: Because the environment changes faster than the credential lifecycle. A reusable secret can remain valid after the workload, session, or business need has changed, which creates access that is technically authorised but operationally stale. In ephemeral estates, that mismatch expands exposure and weakens accountability.
Q: What do teams get wrong about just-in-time privileged access?
A: They often treat JIT as a convenience layer rather than a control model. JIT only changes risk materially when policy, identity verification, and automatic revocation are all enforced at the access decision point. If static paths remain the default, the programme still depends on standing privilege.
Q: Who should own the move from legacy PAM to identity-driven access?
A: Ownership usually sits across IAM, PAM, infrastructure, and platform teams because the change affects policy, session control, and operational workflows at the same time. The best indicator of readiness is whether the organisation can remove static access without losing continuity for critical systems.
Technical breakdown
Why static SSH keys behave like standing privilege
An SSH key is effectively pre-authorised access until it is removed or rotated. That makes it different from a session-bound control because the credential itself carries the right to connect, while enforcement is largely retrospective once the key is accepted. In practice, this creates a wide control gap between provisioning and actual use. Even mature environments can inventory and rotate keys, but they still rely on the assumption that long-lived credentials can be managed safely over time. That assumption becomes brittle in ephemeral infrastructure, where the useful lifetime of access is often much shorter than the credential's lifetime.
Practical implication: Treat every long-lived SSH key as standing privilege and map where it still bypasses session-level control.
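One way to carry out that mapping on a single host, as an added example that is not code from the article or from SSH Communications Security: parse an OpenSSH `authorized_keys` file, honour its real option syntax (`from=`, `command=`, `expiry-time=`, `restrict`), and classify each key by whether it is still a pre-authorised, unbounded login path. The sample file, the reference date `AS_OF` and the function names are constructed for this example.

```python
"""Map standing SSH access in an OpenSSH authorized_keys file.

Added example, not code from the article or from SSH Communications Security.
It parses the real authorized_keys option syntax (from=, command=, expiry-time=,
restrict, ...) and classifies each key by whether it still grants unbounded,
pre-authorised login. The sample file below is constructed for this example.
"""
import re
from datetime import date, datetime

# Constructed sample file: four keys in different states.
SAMPLE_AUTHORIZED_KEYS = """\
# CI deploy key: forced command, source range, no shell
from="10.0.0.0/8",command="/usr/local/bin/deploy",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleDeployKey deploy@ci
# break-glass key with an explicit expiry
expiry-time="20260315",restrict,pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBreakGlass oncall@ops
# contractor key whose expiry has already passed
expiry-time="20250101" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleContractor contractor@vendor
# legacy admin key with no options: standing privilege
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleLegacyKey alice@laptop
"""

AS_OF = date(2026, 3, 3)  # constructed reference date for expiry checks

# A line that starts with a key type has no options field.
KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)\S+$")


def _split_options(line):
    """Split off the options field: it ends at the first whitespace outside
    double quotes (values such as command="..." may themselves contain spaces)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_options(opts):
    """Turn 'a="x,y",b,c=1' into {'a': 'x,y', 'b': True, 'c': '1'}."""
    result, buf, in_quotes = {}, [], False
    for ch in opts + ",":
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            token = "".join(buf).strip()
            buf = []
            if token:
                name, _, value = token.partition("=")
                result[name.lower()] = value.strip('"') if value else True
        else:
            buf.append(ch)
    return result


def parse_authorized_keys(text):
    """Return one dict per key line, skipping blanks and comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if KEY_TYPE_RE.match(line.split(None, 1)[0]):
            options, rest = {}, line
        else:
            opt_str, rest = _split_options(line)
            options = parse_options(opt_str)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            continue  # malformed line; sshd ignores it as well
        entries.append({"line": lineno, "type": parts[0], "options": options,
                        "comment": parts[2] if len(parts) > 2 else ""})
    return entries


def classify(entry, today=AS_OF):
    """'standing' means the key alone is a pre-authorised, unbounded login
    path; the other categories are bounded in time or in what they can run."""
    opts, notes = entry["options"], []
    if "from" in opts:  # narrows the source, but does not bound the key in time
        notes.append(f"source-restricted to {opts['from']}")
    if "expiry-time" in opts:
        # sshd accepts YYYYMMDD[HHMM[SS]]; the date part is enough here
        expires = datetime.strptime(opts["expiry-time"][:8], "%Y%m%d").date()
        if expires < today:
            return "expired", notes + [f"expired {expires}; remove the line"]
        return "time-bound", notes + [f"expires {expires}"]
    if "command" in opts:
        return "command-restricted", notes + [f"forced command {opts['command']}"]
    return "standing", notes + ["no expiry and no forced command"]


def audit(text, today=AS_OF):
    """Standing-privilege map for a whole file."""
    report = []
    for entry in parse_authorized_keys(text):
        category, notes = classify(entry, today)
        report.append({"line": entry["line"], "comment": entry["comment"],
                       "type": entry["type"], "category": category, "notes": notes})
    return report


def standing_keys(text, today=AS_OF):
    """Identities (key comments) that still bypass session-level control."""
    return [r["comment"] for r in audit(text, today) if r["category"] == "standing"]


def audit_sample():
    return audit(SAMPLE_AUTHORIZED_KEYS)


if __name__ == "__main__":
    for row in audit_sample():
        print(f"line {row['line']:>2} {row['category']:<18} {row['comment']:<20} {'; '.join(row['notes'])}")
```

Run against real hosts, the `standing` rows are the map the text asks for: keys that are technically controlled but carry the right to connect on their own. A `from=` restriction is reported but deliberately does not remove a key from that category, because it limits where a connection comes from, not how long the access exists.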
Just-in-time access and identity-driven policy in PAM
Just-in-time privileged access changes the control point from credential possession to authenticated identity plus central policy. Access is issued for the duration of a task and then revoked, which narrows the exposure window and reduces dependence on periodic rotation. This is not just a usability change, it is an architectural change because enforcement moves closer to the decision moment. The result is better alignment with Zero Trust principles, where access should be granted only when the identity, context, and need are all present. For NHI and human administrators alike, that shifts the question from who owns the secret to what the policy permits right now.
Practical implication: Design privileged access workflows so policy issuance, session start, and revocation all happen in the same control plane.
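As an added illustration of that single control plane (not code from the article or from SSH Communications Security), the object below holds policy issuance, session start and revocation together, sharing one clock and one audit log. The policy rules, identities, targets and the `FakeClock` are constructed; the grant serial plays the role a certificate serial plays in an OpenSSH key revocation list, so revocation refers to an issued grant rather than to a key someone possesses.

```python
"""Illustrative JIT privileged-access control plane.

Added example, not code from the article or from SSH Communications Security.
Policy issuance, session start and revocation live in one object with one
clock and one audit log. Rules, identities and targets are constructed.
"""
import itertools
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class AccessRequest:
    identity: str              # authenticated principal from the IdP, not a secret
    target: str                # host group
    role: str                  # privilege being requested
    mfa_verified: bool
    change_ticket: Optional[str]  # evidence of need
    source_network: str


@dataclass
class Grant:
    serial: int                # what revocation refers to, like a serial in an OpenSSH KRL
    identity: str
    target: str
    role: str
    valid_after: datetime
    valid_before: datetime


# Constructed policy: who may get which role, from where, for how long,
# and what evidence of need is required at issuance time.
POLICY_RULES = [
    {"target": "prod-db", "role": "root", "identities": {"alice", "dba-rotation"},
     "ttl_minutes": 15, "require_mfa": True, "require_ticket": True, "networks": {"corp-vpn"}},
    {"target": "build-agents", "role": "deploy", "identities": {"ci-runner"},
     "ttl_minutes": 5, "require_mfa": False, "require_ticket": False, "networks": {"ci-subnet"}},
]


class FakeClock:  # injectable clock so the scenario is deterministic
    def __init__(self, start):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, **delta):
        self.t += timedelta(**delta)


class ControlPlane:
    def __init__(self, clock):
        self.clock = clock
        self._serials = itertools.count(1)
        self.grants = {}       # serial -> Grant
        self.revoked = set()   # serials no longer honoured
        self.audit_log = []

    def _deny(self, req, reason):
        self.audit_log.append(("deny", req.identity, req.target, req.role, reason))
        raise PermissionError(reason)

    def request(self, req):
        """Policy decision point: identity, context and need are all checked here."""
        rule = next((r for r in POLICY_RULES
                     if r["target"] == req.target and r["role"] == req.role), None)
        if rule is None:
            self._deny(req, "no policy rule for target/role")
        if req.identity not in rule["identities"]:
            self._deny(req, "identity not permitted")
        if rule["require_mfa"] and not req.mfa_verified:
            self._deny(req, "mfa required")
        if rule["require_ticket"] and not req.change_ticket:
            self._deny(req, "change ticket required")
        if req.source_network not in rule["networks"]:
            self._deny(req, "source network not permitted")
        now = self.clock()
        grant = Grant(next(self._serials), req.identity, req.target, req.role,
                      now, now + timedelta(minutes=rule["ttl_minutes"]))
        self.grants[grant.serial] = grant
        self.audit_log.append(("issue", grant.serial, req.identity, req.target, req.role))
        return grant

    def start_session(self, serial, identity, target):
        """Enforcement point at session start: the grant is checked, not a reusable
        secret, so a stale or borrowed grant cannot open a session."""
        grant, now = self.grants.get(serial), self.clock()
        if grant is None:
            reason = "unknown grant"
        elif serial in self.revoked:
            reason = "revoked"
        elif not (grant.valid_after <= now < grant.valid_before):
            reason = "outside validity window"
        elif (grant.identity, grant.target) != (identity, target):
            reason = "grant does not match session"
        else:
            reason = "ok"
        self.audit_log.append(("session", serial, identity, target, reason))
        return reason == "ok"

    def revoke(self, serial, reason):
        self.revoked.add(serial)
        self.audit_log.append(("revoke", serial, reason))

    def expire(self):
        """Automatic revocation: closed windows are revoked without a rotation job."""
        now = self.clock()
        due = [s for s, g in self.grants.items() if g.valid_before <= now and s not in self.revoked]
        for serial in due:
            self.revoke(serial, "ttl elapsed")
        return due


def run_scenario():
    """One task lifecycle: issue, use, deny an outsider, refuse reuse, expire, re-check."""
    clock = FakeClock(datetime(2026, 3, 3, 9, 0, tzinfo=timezone.utc))
    cp, out = ControlPlane(clock), {}
    grant = cp.request(AccessRequest("alice", "prod-db", "root", True, "CHG-1234", "corp-vpn"))
    out["serial"] = grant.serial
    out["session_during_window"] = cp.start_session(grant.serial, "alice", "prod-db")
    try:
        cp.request(AccessRequest("bob", "prod-db", "root", True, "CHG-1234", "corp-vpn"))
        out["denied_reason"] = None
    except PermissionError as exc:
        out["denied_reason"] = str(exc)
    out["wrong_target"] = cp.start_session(grant.serial, "alice", "build-agents")
    clock.advance(minutes=16)
    out["expired_serials"] = cp.expire()
    out["session_after_expiry"] = cp.start_session(grant.serial, "alice", "prod-db")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of keeping the three operations on one object is that the audit log records issuance, each session decision and the revocation with the same serial, which is exactly the observability the text says a vault-only model cannot give you.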
Why legacy PAM struggles in ephemeral and automation-heavy environments
Legacy PAM was built around shared admin accounts, central gateways, and long-lived credentials in relatively stable environments. That model can still work, but it becomes increasingly awkward when workloads are short-lived, access paths are distributed, and operational teams expect connectivity to appear only when needed. The technical limitation is not that legacy PAM cannot store secrets, but that it cannot easily express access intent at runtime without extra instrumentation. In modern estates, especially where SSH access intersects with automation and immutable infrastructure, the weakest point is often not vaulting but the absence of native ephemeral enforcement.
Practical implication: Prioritise access paths that can enforce runtime policy natively instead of layering more workflow around static secrets.
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack: the reviewdog/action-setup action exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Static credential control is being outgrown by the environment it was built for. Legacy PAM assumed access would be long-lived enough to vault, broker, and review. That model still has value, but it no longer matches immutable infrastructure, short-lived workloads, and access patterns that change faster than review cycles. Practitioners should stop treating static credential governance as the end state.
Standing SSH keys are a form of identity debt. They preserve access that has to be re-managed repeatedly, even when the business no longer wants permanent connectivity. The more automation and ephemeral infrastructure expand, the more that debt accumulates across users, workloads, and administrative paths. The practical conclusion is that reducing dependency on standing credentials is now a governance objective, not just an optimisation.
JIT privileged access is the architectural expression of Zero Trust for administrative connectivity. It shifts enforcement from possession of a reusable secret to a time-bound, identity-checked session. That does not eliminate risk, but it changes where control lives and what can actually be observed. Teams should read this as a sign that policy-driven access intent is becoming the baseline expectation for modern PAM.
Migration safety matters because most enterprises cannot rip and replace privileged access paths overnight. Incremental adoption, parallel access paths, and validation in production are the operational realities that determine whether a PAM modernisation succeeds. This is where governance and implementation collide: if the transition plan is weak, organisations will keep static credentials longer than they intended. The implication is to treat migration as an access architecture programme, not a tooling swap.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- The lifecycle gap is broader than rotation alone, so review the Lifecycle Processes for Managing NHIs section of the Ultimate Guide to NHIs for the operational model behind offboarding and revocation.
What this signals
Static credential reduction is becoming a control-plane decision, not a secret-management task. As environments become more ephemeral, the teams that succeed will be the ones that separate secret storage from runtime enforcement and then decide where standing access is still acceptable. The governance question is shifting from whether credentials are rotated to whether they should exist at all. That is a programme design issue, not a tooling tweak.
Credential rotation alone is no longer enough when access intent must be enforced at session start. Modern PAM programmes will need to reconcile operational continuity with tighter access windows, especially where SSH remains embedded in core administration workflows. For many organisations, the next step is not a bigger vault but a narrower access perimeter. Map that perimeter to NIST Cybersecurity Framework 2.0 so govern, protect, and respond functions remain aligned.
Identity debt: long-lived privileged access accumulates when organisations keep reusable secrets because migration feels risky. The result is a growing backlog of access paths that are technically controlled but structurally outdated. With 97% of NHIs carrying excessive privileges according to Ultimate Guide to NHIs, the case for reducing standing access is now operational, not theoretical.
For practitioners
- Map remaining standing SSH access: Inventory where long-lived SSH keys still grant administrative connectivity, then classify each path by business criticality, rotation dependency, and whether access can be replaced with time-bound policy issuance.
- Separate vaulting from enforcement: Review whether your PAM platform only stores secrets or actually enforces access at session start, because retention alone does not solve pre-positioned access.
- Prioritise ephemeral environments first: Target immutable systems, short-lived workloads, and automation-heavy estates for JIT access before trying to modernise every privileged path at once.
- Build migration gates around continuity: Run parallel access paths, validate policy behaviour in production, and retire static access only after the new model has been proven without disrupting critical operations.
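The four steps above can be turned into a repeatable gate. The following is an added example, not code from the article or from SSH Communications Security: it takes classified access paths (the output of the mapping step) plus evidence about each replacement JIT path, orders them ephemeral-first and lowest-criticality-first, and only returns `retire` when the parallel run has lasted long enough and produced no policy failures. The thresholds in `MIN_PARALLEL_DAYS`, the sample paths and the hold on rotation dependencies are assumptions chosen for this example.

```python
"""Migration gates for retiring standing SSH access.

Added example, not code from the article or from SSH Communications Security.
Thresholds, sample paths and the hold rules are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class AccessPath:
    name: str
    criticality: str           # "high" | "medium" | "low"
    environment: str           # "ephemeral" | "immutable" | "static"
    rotation_dependency: bool  # other systems break when this key changes
    jit_path_exists: bool      # a policy-issued alternative is in place
    parallel_days: int         # days the JIT path has run alongside the key in production
    jit_failures: int          # policy-enforcement failures seen during the parallel run


# Constructed: how long a parallel run must last before cut-over, by criticality.
MIN_PARALLEL_DAYS = {"high": 30, "medium": 14, "low": 7}
# Ephemeral estates first, then immutable, then everything else; least critical first.
ENV_PRIORITY = {"ephemeral": 0, "immutable": 1, "static": 2}
CRIT_PRIORITY = {"low": 0, "medium": 1, "high": 2}


def gate(path):
    """Return (decision, reason): 'retire', 'hold' or 'build'."""
    if not path.jit_path_exists:
        return "build", "no JIT path yet; the static key is still the only route"
    needed = MIN_PARALLEL_DAYS[path.criticality]
    if path.parallel_days < needed:
        return "hold", f"parallel run {path.parallel_days}d < {needed}d required for {path.criticality} criticality"
    if path.jit_failures:
        return "hold", f"{path.jit_failures} JIT policy failures during parallel run; fix policy before cut-over"
    if path.rotation_dependency:
        return "hold", "rotation dependency: repoint downstream consumers before removing the key"
    return "retire", "JIT path proven in production; remove the static key"


def plan(paths):
    """Order paths by migration priority and attach a gate decision to each."""
    ordered = sorted(paths, key=lambda p: (ENV_PRIORITY[p.environment],
                                            CRIT_PRIORITY[p.criticality], p.name))
    return [(p.name, *gate(p)) for p in ordered]


# Constructed inventory, as the mapping step would produce it.
SAMPLE_PATHS = [
    AccessPath("prod-db-admin", "high", "static", False, True, 45, 2),
    AccessPath("ci-deploy-runner", "low", "ephemeral", False, True, 10, 0),
    AccessPath("legacy-backup-host", "high", "static", True, False, 0, 0),
    AccessPath("k8s-node-bootstrap", "medium", "immutable", False, True, 9, 0),
]


def plan_sample():
    return plan(SAMPLE_PATHS)


if __name__ == "__main__":
    for name, decision, reason in plan_sample():
        print(f"{decision:<7} {name:<20} {reason}")
```

The decision list is deliberately conservative: a static key is never retired on the strength of the JIT path merely existing, only on evidence from the parallel run, which is the continuity check the last step asks for.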
Key takeaways
- Privileged access management is moving from credential custody to runtime policy enforcement as organisations reduce their dependence on standing SSH keys.
- Legacy PAM models still manage secrets, but they do not fully solve the observability and revocation gap created by pre-positioned access.
- Teams modernising privileged access should treat migration as an access architecture programme and retire static credentials only after JIT paths prove stable in production.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Standing SSH keys and rotation gaps map directly to NHI credential lifecycle risk. |
| NIST CSF 2.0 | PR.AC-4 | Identity-based access decisions are central to least-privilege privileged access. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | The article's policy-driven access model aligns with Zero Trust authorization principles. |
Use Zero Trust policy to require identity- and context-based authorization before privileged sessions begin.
Key terms
- Standing Privilege: Standing privilege is access that remains available without needing a fresh approval at the moment of use. In privileged access programmes, it usually appears as reusable credentials or persistent entitlements. The risk is not only overreach, but the fact that the access can outlive the operational need that justified it.
- Just-In-Time Privileged Access: Just-in-time privileged access grants elevated access only for the duration of a specific task or session. It reduces the time window in which a privileged identity can be misused and shifts enforcement toward identity verification and policy at the moment access is requested.
- Identity-Driven Access: Identity-driven access uses authenticated identity and contextual policy as the control point for privileged actions. Instead of relying primarily on a stored secret, the system decides whether access should exist right now. This is especially relevant in environments where infrastructure changes faster than manual governance cycles.
- Credential Rotation: Credential rotation is the process of replacing a secret with a new one so that the old value no longer grants access. It remains a necessary control in NHI governance, but by itself it does not solve the deeper problem of whether a reusable credential should be present at all.
Deepen your knowledge
Identity-driven privileged access and just-in-time session control are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are moving from static SSH keys toward policy-based access, it is a practical place to start.
This post draws on content published by SSH Communications Security: identity-driven just-in-time privileged access and the future of PAM. Read the original.
Published by the NHIMG editorial team on 2026-03-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org