By NHI Mgmt Group Editorial Team
Published 2026-06-04
Domain: Events
Source: Delinea

TL;DR: Identity-led attacks are now a frontline risk for NHS organisations as privileged accounts, service credentials, APIs, bots, and machine identities expand the attack surface, according to Delinea. The practical issue is not just access control but reducing standing privilege and hidden NHI exposure without disrupting clinical operations.


At a glance

What this is: A Delinea webinar argues that NHS identity risk in 2026 is being driven by privileged access, unmanaged service credentials, and machine identities across clinical and IT environments.

Why it matters: For IAM and NHI practitioners, the key issue is how to reduce privileged access risk and secure non-human identities without slowing frontline care.

By the numbers:


Context

NHS identity risk in 2026 is no longer just about human logins. It now includes service accounts, API credentials, bots, and machine identities that can reach critical systems without the visibility or governance applied to staff accounts. In healthcare, that creates an operational problem as much as a security problem because access controls must protect patient services while preserving clinical continuity.

The webinar frames that gap around privileged access management and non-human identity governance. That is the right lens for NHS Trusts, because identity sprawl, excessive privilege, and unmanaged secrets are common failure points across hybrid environments. The starting position described here is typical for large organisations under digital transformation, not exceptional.

Delinea positions the discussion around how modern PAM can reduce standing access, improve third-party control, and support audit readiness without introducing friction at the point of care. For practitioners, the useful question is not whether identity is a risk, but which access paths create the greatest blast radius if they are left persistent or undocumented.


Key questions

Q: How should NHS security teams reduce privileged access risk without disrupting clinical operations?

A: Start by separating urgent clinical access from routine administrative access, then apply just-in-time elevation for high-risk tasks. Keep approvals fast, scope each session tightly, and record activity for audit purposes. The goal is to remove standing privilege where possible while preserving the speed clinicians and support teams need.

Q: What is the difference between privileged access management and non-human identity governance?

A: Privileged access management focuses on controlling elevated human or service access at the moment it is used. Non-human identity governance is broader, covering the lifecycle of service accounts, API keys, tokens, certificates, and automation identities. In practice, the two need to work together because machine credentials often carry privileged access.

Q: When does just-in-time access create more risk than it reduces?

A: JIT becomes risky when approval logic is weak, session boundaries are unclear, or emergency access is left active after the task ends. It can also increase risk if no one reviews who granted access and why. The control works only when issuance, duration, and revocation are enforced consistently.

Q: How can organisations secure third-party privileged access in hybrid environments?

A: Require suppliers to use time-limited access, monitor every session, and restrict them to the minimum systems needed for support. Do not treat vendor access as a permanent exception. It should be governed like any other high-risk identity, with ownership, approvals, and offboarding built in.


Background and context

Why privileged access becomes the control plane in healthcare

In healthcare environments, privileged access is the control plane because it governs who or what can reach clinical systems, records, integrations, and infrastructure. When privileged accounts are permanent, compromise lasts longer and spreads faster. The same is true for non-human identities such as service accounts and automation accounts, which often outlive the workflows they support. PAM reduces that exposure by limiting elevation, enforcing approval or policy checks, and separating routine access from high-risk access paths. In NHS settings, the challenge is not only preventing misuse, but doing so without interrupting urgent care workflows.

Practical implication: map every privileged path that can affect patient systems and remove standing access where the business process allows it.

How machine identities and secrets expand the NHS attack surface

Machine identities are credentials used by software, scripts, integrations, and devices to authenticate without a human present. In practice, they often include API keys, tokens, certificates, and service account credentials. The risk is that these secrets are rarely managed with the same discipline as employee access. They can be copied into code, reused across environments, or left active long after a supplier, project, or automation job has changed. Once exposed, an attacker can use them to impersonate trusted systems, pivot into internal services, or bypass normal authentication checks.

Practical implication: inventory secrets and machine identities first, then apply rotation, scoping, and offboarding controls to each one.

Zero standing access and third-party access in multi-cloud NHS estates

Zero standing access means credentials are provisioned only when needed and removed when the task ends. That matters in multi-cloud and hybrid NHS estates because third-party support, remote administration, and automation often rely on long-lived access that is difficult to audit. If suppliers hold persistent credentials, the trust boundary becomes wider than the immediate operator. Modern access design should therefore combine time-limited elevation, strong session controls, and tight policy scoping so that external support cannot become an always-on pathway into critical infrastructure.

Practical implication: treat every supplier credential as a temporary exception and require time-bounded access with explicit approval and session oversight.


NHI Mgmt Group analysis

Privileged access in healthcare is now an availability issue, not just a confidentiality issue. If an attacker takes over a privileged account or automation credential, the impact reaches patient services, integrations, and operational resilience at the same time. NHS teams therefore have to treat identity protection as core service protection. The practical conclusion is that access design must be measured against outage risk as well as breach risk.

Ephemeral credential trust debt is becoming the defining NHI problem in digital health. Credentials created for one workflow often persist across projects, environments, and supplier relationships long after their original purpose has ended. That creates hidden exposure because the organisation cannot easily prove who still has access, where the secret exists, or whether it was rotated. Practitioners should assume every persistent machine secret increases audit and incident-response complexity.

Least privilege only works in NHS environments when it is enforced at runtime. Static entitlement reviews are too slow for automation, supplier support, and clinical integration patterns that change frequently. Runtime policy, time limits, and session-level controls are the mechanisms that make least privilege real. The practitioner takeaway is to move from entitlement spreadsheets to enforced access decisions at the moment of use.

Supplier access is part of the NHI problem, not a separate governance track. Third-party credentials and remote support sessions often have the same access breadth as internal admins, but weaker visibility and weaker lifecycle discipline. That combination enlarges the attack surface without improving service quality. Security teams should align supplier access with the same NHI controls they apply to internal service accounts and machine identities.

The NHS use case validates a broader market shift toward identity-first resilience. As more organisations modernise hybrid estates, the most material controls are moving closer to credential issuance, session control, and machine identity governance. That shift does not replace traditional security tooling, but it does redefine where the highest-risk decisions occur. Practitioners should expect identity governance to sit at the centre of resilience planning.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • Security teams should pair lifecycle controls with Lifecycle Processes for Managing NHIs so exposed credentials can be found, rotated, and revoked quickly.

What this signals

Ephemeral credential trust debt is the practical risk signal here. Once credentials are created for automation, supplier support, or integration work, they tend to persist beyond the original use case unless ownership and expiry are enforced. That means programme leaders should prioritise lifecycle controls, not just access review cycles, and align them with NIST Cybersecurity Framework 2.0 governance and protection functions.

With NHIs outnumbering human identities by 25x to 50x in modern enterprises, identity-first resilience becomes a scale problem rather than a point-solution problem. NHS teams should expect the largest risk reduction to come from inventorying machine identities, reducing standing privilege, and making secret ownership explicit.

The programme signal is that supplier access, automation, and clinical support paths should be governed as one identity plane. That means pairing least-privilege controls with runtime enforcement and aligning remediation to the highest-blast-radius accounts first, rather than trying to normalise every identity at once.


For practitioners

  • Inventory all privileged and machine identities: Build a single register for admin accounts, service accounts, API keys, certificates, bots, and supplier credentials across clinical and IT systems. Classify each identity by owner, system, privilege level, and rotation status so hidden access paths can be reviewed systematically.
  • Replace standing privilege with just-in-time access: Use approval and policy-based elevation for high-risk tasks, then remove access when the task ends. Keep sessions time-bounded and tightly scoped so that urgent operational work can continue without persistent admin rights.
  • Rotate and offboard secrets on a defined schedule: Set rotation intervals for all secrets and require revocation when a supplier leaves, a project closes, or a workflow changes. Prioritise the secrets most likely to be reused in code, CI/CD tools, and integration pipelines.
  • Tighten third-party access controls: Require explicit approval, session recording, and least-privilege scoping for external support access. Review whether supplier accounts can reach production systems directly or only through monitored jump paths.
  • Use audit evidence to drive remediation: Track privileged access exceptions, secret age, and account ownership gaps in a way that supports audit readiness. Use the findings to prioritise the highest blast-radius identities first rather than trying to fix everything at once.
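One way to turn the register, rotation and audit-evidence steps above into an enforced check, as an added example that is not from Delinea or the original post: a constructed NHI register is triaged for ownership gaps, standing admin privilege, time-bounded grants left active past expiry, overdue rotation and secrets held in several locations, then ranked by an assumed blast-radius weighting (the field names, sample identities and weights are illustrative assumptions, not a product's data model).

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Identity:
    name: str
    kind: str                       # human-admin, service-account, api-key, supplier
    owner: str | None               # None marks an ownership gap
    privilege: int                  # 1 = read-only, 2 = operational, 3 = administrative
    reaches_patient_systems: bool
    last_rotated: datetime | None   # None = never rotated or unknown
    grant_expires: datetime | None  # None = standing privilege; a datetime = time-bounded grant
    locations: tuple[str, ...]      # every place the secret is known to exist

def blast_radius(i: Identity) -> int:
    """Assumed ranking weight: privilege level, reach into patient systems, and secret copies."""
    return i.privilege * 10 + (20 if i.reaches_patient_systems else 0) + 2 * len(i.locations)

def triage(register: list[Identity], now: datetime, max_secret_age_days: int = 90):
    """Return (blast_radius, name, issues) for identities needing remediation, highest first."""
    findings = []
    for i in register:
        issues = []
        if i.owner is None:
            issues.append("no owner")
        if i.grant_expires is None and i.privilege >= 3:
            issues.append("standing admin privilege")
        elif i.grant_expires is not None and i.grant_expires < now:
            issues.append("grant expired but still active")  # JIT/emergency access not revoked
        if i.last_rotated is None or now - i.last_rotated > timedelta(days=max_secret_age_days):
            issues.append("rotation overdue")
        if len(i.locations) > 1:
            issues.append("secret in multiple locations")
        if issues:
            findings.append((blast_radius(i), i.name, issues))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

# Constructed sample register; names and values are illustrative, not from any real Trust.
NOW = datetime(2026, 6, 4, tzinfo=timezone.utc)
REGISTER = [
    Identity("svc-pacs-integration", "service-account", None, 3, True,
             NOW - timedelta(days=400), None, ("vault", "ci-cd", "app.config")),
    Identity("supplier-remote-support", "supplier", "vendor-mgmt", 3, True,
             NOW - timedelta(days=10), NOW - timedelta(hours=6), ("vault",)),
    Identity("api-key-bed-mgmt", "api-key", "ops-team", 2, False,
             NOW - timedelta(days=30), None, ("vault",)),
    Identity("admin-jsmith", "human-admin", "it-ops", 3, True,
             NOW - timedelta(days=20), NOW + timedelta(hours=2), ("pam",)),
]
```

Running `triage(REGISTER, NOW)` surfaces the unowned, never-rotated integration account first and the supplier session whose grant lapsed six hours ago second, while the two well-scoped identities produce no findings.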

Key takeaways

  • NHS identity risk in 2026 is driven by privileged access paths and non-human credentials that can affect patient services as directly as human admin accounts.
  • Secrets sprawl and persistent machine identities make visibility, rotation, and offboarding the main operational controls, not optional hygiene.
  • The strongest defence is runtime least privilege, because static entitlement reviews do not move fast enough for clinical, supplier, and automation workflows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Identity sprawl and rotation gaps are central to NHS access risk.
NIST CSF 2.0 | PR.AC-4 | Least privilege and access restriction fit the NHS PAM use case.
NIST Zero Trust (SP 800-207) | | Zero trust supports continuous verification for supplier and machine access.

Apply zero-trust principles to supplier sessions and automation credentials with explicit policy checks.


Key terms

  • Non-Human Identity: A non-human identity is any account or credential used by software, systems, or automation instead of a person. It includes service accounts, API keys, tokens, certificates, bots, workloads, and AI agents. In most enterprises, these identities create more governance strain than human accounts because they are numerous, persistent, and poorly owned.
  • Privileged Access Management: Privileged access management is the discipline of controlling elevated access to sensitive systems and data. It limits who or what can use high-risk permissions, often through approval, session control, and credential vaulting. In NHI contexts, PAM must cover both human admins and machine credentials that can perform administrative actions.
  • Zero Standing Privilege: Zero standing privilege means no one holds persistent elevated access by default. Access is granted only when needed for a specific task and removed afterwards. For NHI governance, this reduces the long-lived exposure of service accounts, supplier access, and automation credentials that would otherwise remain active indefinitely.
  • Secrets Sprawl: Secrets sprawl is the uncontrolled spread of credentials across code, configuration files, CI/CD systems, shared vaults, and environment variables. It makes ownership, rotation, and revocation harder because the same secret can exist in multiple places. The result is hidden exposure and delayed remediation after a compromise or notification.

Deepen your knowledge

Privileged access management, machine identity governance, and zero standing privilege are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for NHS-style hybrid operations, it is worth exploring.

This post draws on content published by Delinea: NHS identity risk in 2026 and how to reduce privileged access exposure. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org