TL;DR: Hybrid and multi-cloud environments are pushing privileged access away from VPNs and bastions toward identity-based control, with session brokering, credential injection, and revocation now central to modern PAM, according to Akeyless. The deeper shift is that access review and perimeter trust both break down when infrastructure changes faster than governance cycles.
At a glance
What this is: This is an analysis of modern privileged access in hybrid and multi-cloud environments, with the key finding that identity trust and just-in-time control now matter more than network perimeter access.
Why it matters: It matters because IAM, PAM, and NHI teams now have to govern privileged sessions across cloud consoles, Kubernetes, databases, and servers without relying on static network access models.
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
👉 Read Akeyless' comparison of Boundary and modern PAM for hybrid cloud access
Context
Privileged access in hybrid and multi-cloud environments is no longer a network problem first. When servers, clusters, and cloud targets change daily, the governance issue becomes how to give the right identity the right access for the shortest possible time without expanding the blast radius.
This article compares two approaches to modern PAM and shows why identity-based access is replacing VPN-style trust. The practical question for IAM and PAM teams is not whether to secure access, but whether access can be brokered, recorded, and revoked cleanly across cloud consoles, Kubernetes, databases, and servers.
For teams building a broader identity programme, the issue extends beyond privileged human access. The same controls that remove standing access for people also shape how organisations should think about NHI governance and future agentic access patterns, especially where secrets, injected credentials, and session recording are involved.
Key questions
Q: How should security teams replace VPN-style privileged access in hybrid cloud environments?
A: They should replace broad network trust with identity-based, task-scoped access that brokers a session to a specific target, records the activity, and removes or rotates credentials when the session ends. The key test is whether access is limited to the exact resource and action required, not the whole network.
Q: Why do static credentials create so much risk in modern privileged access workflows?
A: Static credentials create risk because they persist beyond the task and can be copied, reused, or exposed long after the access request is complete. In hybrid and multi-cloud environments, that persistence expands the blast radius and makes offboarding and audit evidence much harder to trust.
Q: What do organisations get wrong when they treat host discovery as access control?
A: They assume that automatically discovering a server or VM means the access model is already governed. Discovery only updates inventory. Access control still requires explicit policy, target scoping, and session enforcement; otherwise the organisation has visibility without real privilege control.
Q: Who is accountable when privileged access spans VPNs, bastions, and identity-based tooling?
A: Accountability sits with the team that owns the access policy and lifecycle, not just the tool administrator. If access still relies on multiple manual steps, shared accounts, or delayed offboarding, the governance failure is organisational, because no single control owns the full session lifecycle.
Technical breakdown
Identity-aware proxy vs unified PAM platform
An identity-aware proxy brokers connections between users and targets without exposing the network directly, which reduces the need for inbound firewall openings and broad VPN reach. A unified PAM platform goes further by combining identity verification, credential injection, just-in-time access, session recording, and rotation in one access flow. The architectural difference matters because brokering alone does not solve credential handling, while a broader PAM layer can enforce access scope and session controls end to end. In practice, teams should distinguish between connection brokering and privileged access governance before deciding what problem they are actually solving.
Practical implication: separate target connectivity from privileged access control so you do not mistake brokered transport for complete PAM governance.
Dynamic host discovery and access scope in cloud environments
Dynamic host discovery keeps target inventories current by pulling in tagged VMs or servers from cloud providers and updating host catalogs as infrastructure changes. That is useful because static allowlists age badly in elastic environments, but the model still depends on accurate tagging and policy scope. It does not grant access to cloud management consoles unless the platform explicitly supports that workflow. For practitioners, the technical question is whether discovery is being used only to reduce inventory drift or whether it also enforces least-privileged access to the discovered targets.
Practical implication: verify that discovery feeds policy enforcement, not just inventory hygiene, or you will still accumulate excessive access.
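The split described above, as an added example that is not code from Akeyless or NHI Mgmt Group: a host catalog refreshed from cloud tags acts as inventory only, and a separate, explicit authorization step decides whether a principal may reach a discovered target. The hosts, tags, grant and the `authorize` function are constructed for illustration, not a real platform's API.

```python
"""Added example, not code from Akeyless or NHI Mgmt Group: a host catalog
refreshed from cloud tags, kept as inventory only, with a separate explicit
authorization step. Hosts, tags and grants below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Host:
    host_id: str
    address: str
    tags: tuple  # ((key, value), ...) as reported by the cloud provider


@dataclass
class HostCatalog:
    """Inventory only: refreshing it updates what exists, never who may reach it."""
    hosts: dict = field(default_factory=dict)

    def refresh(self, discovered):
        # Replace wholesale so terminated instances drop out instead of going stale
        self.hosts = {h.host_id: h for h in discovered}


@dataclass(frozen=True)
class Grant:
    principal: str
    required_tags: tuple  # every (key, value) here must appear on the target
    actions: frozenset


def host_matches(host, required_tags):
    return all(pair in host.tags for pair in required_tags)


def authorize(catalog, grants, principal, host_id, action):
    """Explicit policy check run before any session is brokered.
    Returns (allowed, reason) so the decision itself can be logged."""
    host = catalog.hosts.get(host_id)
    if host is None:
        return False, "target is not in the current catalog"
    for g in grants:
        if g.principal != principal or action not in g.actions:
            continue
        if host_matches(host, g.required_tags):
            return True, f"grant scoped by tags {dict(g.required_tags)}"
    return False, "discovered, but no grant scopes this principal to it"


def sample_catalog():
    """Constructed discovery result: two prod hosts and one staging host."""
    catalog = HostCatalog()
    catalog.refresh([
        Host("i-web1", "10.0.1.10", (("env", "prod"), ("role", "web"))),
        Host("i-db1", "10.0.2.20", (("env", "prod"), ("role", "db"))),
        Host("i-bld7", "10.0.9.70", (("env", "staging"), ("role", "build"))),
    ])
    return catalog


SAMPLE_GRANTS = [
    # alice may open SSH sessions only to prod web hosts
    Grant("alice", (("env", "prod"), ("role", "web")), frozenset({"ssh"})),
]


if __name__ == "__main__":
    cat = sample_catalog()
    for host_id in ("i-web1", "i-db1", "i-bld7"):
        print(host_id, authorize(cat, SAMPLE_GRANTS, "alice", host_id, "ssh"))
    # The next refresh no longer reports i-web1, so reachability ends with inventory
    cat.refresh([h for h in cat.hosts.values() if h.host_id != "i-web1"])
    print("i-web1 after refresh", authorize(cat, SAMPLE_GRANTS, "alice", "i-web1", "ssh"))
```

The point of the two separate objects is that `i-db1` is discovered and tagged but still unreachable for alice, because no grant scopes her to it: discovery changed the inventory, not the policy.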
Credential injection, rotation, and session recording
Credential injection removes the need for users to see or handle passwords, and just-in-time access creates short-lived credentials only when a session starts. Rotation after disconnect shortens the lifetime of any credential that was used, while session recording adds an audit trail for privileged activity. These controls work well together because each one covers a different failure point: secret exposure, standing privilege, and post-event investigation. The limitation is that they become weaker if different protocols or target types are handled inconsistently across the platform.
Practical implication: require the same credential and recording controls across SSH, RDP, databases, Kubernetes, and web console access rather than applying them unevenly.
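The session lifecycle described in the two sections above (brokering versus full PAM controls, then injection, rotation and recording), as an added example that is not code from Akeyless or NHI Mgmt Group: a minimal just-in-time broker mints a credential per session, hands it only to its own connector, records activity, and destroys the credential on disconnect or TTL expiry. The class, the protocol set and the TTL values are illustrative assumptions, and the same control profile is applied to every target type so an unsupported type is refused rather than handled with weaker controls.

```python
"""Added example, not Akeyless or NHI Mgmt Group code: a minimal just-in-time
broker that mints a credential per session, injects it on the transport side
only, records activity, and destroys the credential on disconnect or TTL
expiry. Protocol names and TTLs are illustrative assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str
    principal: str
    target: str
    protocol: str
    issued_at: float
    ttl_seconds: int
    credential_id: str          # reference only; the secret never reaches the user
    events: list = field(default_factory=list)
    closed: bool = False


class JitBroker:
    # One control profile for every target type: unsupported means refused, not degraded
    SUPPORTED = frozenset({"ssh", "rdp", "db", "k8s", "web"})

    def __init__(self, clock=time.time):
        self.clock = clock
        self._secrets = {}      # credential_id -> live secret, one per session
        self.sessions = {}
        self.audit = []         # (event, session_id, principal, target, credential_id)

    def start(self, principal, target, protocol, ttl_seconds=900):
        if protocol not in self.SUPPORTED:
            raise ValueError(f"no control profile for {protocol!r}")
        cred_id = "cred-" + secrets.token_hex(4)
        self._secrets[cred_id] = secrets.token_urlsafe(24)   # minted now, for this session only
        s = Session("sess-" + secrets.token_hex(4), principal, target, protocol,
                    self.clock(), ttl_seconds, cred_id)
        self.sessions[s.session_id] = s
        self.audit.append(("issue", s.session_id, principal, target, cred_id))
        return s.session_id

    def inject(self, session_id):
        """Called by the broker's connector when opening the upstream connection."""
        s = self._live(session_id)
        return self._secrets[s.credential_id]

    def record(self, session_id, command):
        s = self._live(session_id)
        s.events.append((self.clock(), command))

    def end(self, session_id):
        s = self.sessions[session_id]
        if s.closed:
            return
        s.closed = True
        # Rotation on disconnect: the secret that was used stops working immediately
        self._secrets.pop(s.credential_id, None)
        self.audit.append(("revoke", s.session_id, s.principal, s.target, s.credential_id))

    def credential_is_live(self, credential_id):
        return credential_id in self._secrets

    def evidence(self, session_id):
        """Audit view tied to the identity and target, with a digest over the recording."""
        s = self.sessions[session_id]
        digest = hashlib.sha256(repr(s.events).encode()).hexdigest()
        return {"principal": s.principal, "target": s.target, "protocol": s.protocol,
                "events": len(s.events), "recording_sha256": digest,
                "credential_live": self.credential_is_live(s.credential_id)}

    def _live(self, session_id):
        s = self.sessions[session_id]
        if s.closed:
            raise PermissionError("session already ended")
        if self.clock() > s.issued_at + s.ttl_seconds:
            self.end(session_id)              # expiry is enforced, not just documented
            raise PermissionError("ttl expired; credential rotated")
        return s


if __name__ == "__main__":
    broker = JitBroker()
    sid = broker.start("alice", "i-web1", "ssh", ttl_seconds=600)
    _ = broker.inject(sid)                    # the connector uses it; alice never sees it
    broker.record(sid, "systemctl status nginx")
    broker.end(sid)
    print(broker.evidence(sid))
```

Two design choices carry the governance point: `end` and the TTL check both remove the secret from the broker's store, so there is a single revocation path whether the session closes normally or expires, and `evidence` reports whether the credential is still live alongside the recording digest, so an auditor sees in one record that the access existed and that it was removed.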
NHI Mgmt Group analysis
Identity trust is now the correct operating model for privileged access in dynamic infrastructure. VPN-era trust assumed a stable network boundary and a limited set of admin workflows. Hybrid cloud breaks that assumption because the target set changes continuously and access has to be granted to specific resources, not the environment as a whole. The implication is that PAM, IGA, and NHI governance must be designed around identity, scope, and session boundaries rather than perimeter membership.
Standing credential exposure is the real risk hidden inside convenience workflows. When teams keep shared admin accounts, long-lived secrets, or broad VPN access to make operations easier, they create access that outlives the task. That is exactly the failure mode modern PAM is meant to reduce, and it remains the same across human administrators and service-mediated workflows. Practitioners should treat every persistent credential as a governance liability, not just an operational shortcut.
Privileged access governance is becoming a cross-domain identity problem. The same programme now has to think about human admins, machine-issued credentials, and future autonomous access paths in one policy model. That is why access scope, lifecycle, and session evidence matter across IAM, PAM, and NHI domains. Teams that keep these controls in separate silos will struggle to explain who had access, why it existed, and when it was removed.
Unified control planes are gaining importance because fragmented access stacks create policy gaps. If secrets management, access brokering, session recording, and rotation live in different products, policy consistency becomes harder to prove. This is less about vendor architecture and more about governance clarity: one access event should produce one revocation path and one audit trail. The practitioner takeaway is to measure whether your current stack can enforce that chain without manual stitching.
Access revocation is only meaningful when it is operationally immediate. A delayed offboarding process still leaves a live exposure window, even if the credential is technically temporary. Modern PAM needs to make revocation, rotation, and recording behave as part of the same workflow, not as separate after-the-fact controls. That is the standard teams should apply when evaluating privileged access across cloud and on-prem targets.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, which is why privilege scope and credential lifetime remain governance weak points.
- See also Ultimate Guide to NHIs for the lifecycle and least-privilege controls that help close standing-access gaps.
What this signals
Privilege sprawl is increasingly a programme design issue, not a point tool problem. If your access model still depends on per-system exceptions, you are encoding operational drift into governance. The reader-level signal is clear: start measuring how often privileged access can be granted and removed without manual intervention, because that is where control quality now shows up.
Identity lifecycle and privileged session control are converging. Offboarding can no longer be treated as a human-HR process alone when contractors, vendors, and machine-mediated workflows all need revocation paths. For teams maturing their programme, this is the moment to connect the Ultimate Guide to NHIs with access review and rotation design.
Modern PAM should be judged by how well it compresses exposure, not by how many endpoints it covers. With 70% of organisations already granting AI systems more access than human employees, per The 2026 Infrastructure Identity Survey, the governance standard is shifting toward shortest-lived privilege and stronger evidence of removal.
For practitioners
- Map every privileged target to an identity-first access path: Document whether each SSH, RDP, database, Kubernetes, and cloud console workflow uses brokering, injected credentials, or direct login. Then remove any path that still depends on shared admin accounts or broad VPN reach for routine privileged work.
- Separate discovery from authorization policy: Keep cloud host discovery and access authorization as distinct control steps so tagged instances do not become implicitly reachable. Require an explicit policy check before a discovered target is added to an approved session path.
- Standardise session recording and post-session rotation: Make sure privileged sessions across all target types produce a usable audit trail and that the credential used in the session is rotated or invalidated immediately after disconnect. Treat any exception as a control gap, not an edge case.
- Review offboarding for temporary and vendor access: Test whether a contractor, vendor, or internal admin can still reach a target after the ticket is closed. If manual cleanup is required across firewall rules, VPN groups, or jump boxes, the process is not governed tightly enough.
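The four checks above run over a constructed inventory, as an added example that is not code from Akeyless or NHI Mgmt Group: each access path is classified against the identity-first, discovery-versus-policy, recording and rotation criteria, target types with uneven controls are reported, and grants that outlive their ticket or expiry are surfaced as offboarding gaps. The field names, target names and ticket identifiers are all assumptions made for the example.

```python
"""Added example, not Akeyless or NHI Mgmt Group code: an audit over a
constructed inventory of privileged access paths, applying the four practitioner
checks (identity-first path, discovery kept apart from authorization, uniform
recording and rotation, clean offboarding). Field names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPath:
    target: str
    target_type: str            # ssh, rdp, db, k8s, console
    method: str                 # brokered, direct_vpn, jump_box
    account: str                # named or shared
    credential: str             # injected or user_held
    discovered_only: bool       # reachable because it was discovered, with no explicit policy
    recorded: bool
    rotated_on_disconnect: bool


def audit_path(p):
    """Each finding is one control gap; an empty list means the path passes."""
    findings = []
    if p.method != "brokered":
        findings.append("relies on network reach rather than identity brokering")
    if p.account == "shared":
        findings.append("shared admin account")
    if p.credential != "injected":
        findings.append("user handles the credential directly")
    if p.discovered_only:
        findings.append("authorized by discovery alone, no explicit policy check")
    if not p.recorded:
        findings.append("no session evidence")
    if not p.rotated_on_disconnect:
        findings.append("credential outlives the session")
    return findings


def audit_inventory(paths):
    return {p.target: audit_path(p) for p in paths}


def uneven_controls(paths):
    """Target types where recording plus rotation is applied to some paths but not all."""
    by_type = {}
    for p in paths:
        by_type.setdefault(p.target_type, []).append(p.recorded and p.rotated_on_disconnect)
    return sorted(t for t, flags in by_type.items() if any(flags) and not all(flags))


@dataclass(frozen=True)
class LiveGrant:
    principal: str
    target: str
    ticket: str
    expires_at: int             # epoch seconds


def offboarding_gaps(grants, closed_tickets, now):
    """Grants still live after their ticket closed or their expiry passed: each is an exposure window."""
    return [g for g in grants if g.ticket in closed_tickets or g.expires_at <= now]


def sample_paths():
    # Constructed inventory covering brokered, VPN and jump-box paths
    return [
        AccessPath("i-web1", "ssh", "brokered", "named", "injected", False, True, True),
        AccessPath("i-web2", "ssh", "direct_vpn", "shared", "user_held", False, False, False),
        AccessPath("sql-prod", "db", "brokered", "named", "injected", False, True, False),
        AccessPath("k8s-prod", "k8s", "brokered", "named", "injected", True, True, True),
        AccessPath("win-jump", "rdp", "jump_box", "named", "user_held", False, True, True),
    ]


# Constructed grants: one ticket already closed, one past its expiry
SAMPLE_GRANTS = [
    LiveGrant("vendor-1", "sql-prod", "CHG-1001", expires_at=2_000_000),
    LiveGrant("alice", "i-web1", "CHG-1002", expires_at=2_000_000),
    LiveGrant("contractor-9", "k8s-prod", "CHG-0999", expires_at=1_000_000),
]


if __name__ == "__main__":
    for target, findings in audit_inventory(sample_paths()).items():
        print(target, findings or "ok")
    print("uneven controls by target type:", uneven_controls(sample_paths()))
    for g in offboarding_gaps(SAMPLE_GRANTS, closed_tickets={"CHG-1001"}, now=1_500_000):
        print("still live after it should be gone:", g)
```

Run against a real inventory, the useful outputs are the non-empty finding lists (each one a path to fix or retire), the `uneven_controls` list (target types where the same control is applied to some paths but not others), and the `offboarding_gaps` list, which is the concrete test of whether a closed ticket actually removed access.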
Key takeaways
- Hybrid cloud has made privileged access an identity governance problem, not just a network access problem.
- Static credentials, broad VPN reach, and manual offboarding continue to drive the largest exposure windows in modern PAM.
- Teams should evaluate privileged access by scope, session evidence, and revocation speed across every target type they support.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Directly relevant to standing credentials and rotation in privileged access. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be scoped and enforced for each privileged target. |
| NIST Zero Trust (SP 800-207) | | Identity-based access and session brokering align with zero-trust access principles. |
Review privileged workflows for standing access and rotate credentials immediately after use.
Key terms
- Identity-Aware Proxy: An identity-aware proxy sits between a user and a target system and brokers the connection after checking who the user is and what they are allowed to reach. It narrows network exposure, but it is not complete PAM unless it also handles credentials, session evidence, and revocation.
- Just-In-Time Access: Just-in-time access creates privilege only when a task begins and removes it when the session ends. In privileged access programmes, it reduces standing exposure, but it only works if issuance, logging, and revocation are tightly coupled and consistently enforced across every target type.
- Session Recording: Session recording captures what happened during a privileged session so administrators and auditors can review the activity later. For effective governance, recording must be tamper-resistant, tied to the identity that used the access, and available across the protocols that matter most.
- Host Catalog: A host catalog is an inventory of systems that an access platform can discover, group, and use for policy enforcement. In dynamic cloud environments, it helps reduce stale target lists, but it does not replace authorization controls or session governance.
What's in the full article
Akeyless' full article covers the operational detail this post intentionally leaves for the source:
- Exact platform workflow for browser-based access to SSH, RDP, databases, Kubernetes, and cloud consoles
- Feature-by-feature comparison of Boundary editions versus a unified PAM approach
- Demo-specific notes on session recording, credential injection, and live revocation
- Practical examples of how lightweight Gateways are deployed for private targets
👉 Akeyless' full article covers the demo workflow, target support, and feature differences in detail
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org