By NHI Mgmt Group Editorial Team | Published 2026-06-10 | Domain: Breaches & Incidents | Source: Delinea

TL;DR: According to Delinea’s summary of KuppingerCole’s 2026 PAM Leadership Compass, privilege is moving from accounts to actions, with AI agents, service accounts, workloads, and automation pipelines now shaping privileged risk. That shift makes point-in-time authorization and zero standing privilege more important than vault-centric controls alone.


At a glance

What this is: Delinea’s summary of the 2026 KuppingerCole PAM Leadership Compass argues that privilege is moving from account-centric control to action-centric governance across people, machines, and AI agents.

Why it matters: That matters because IAM, PAM, and NHI teams now have to govern what an identity can do at runtime, not just who owns the account or secret.



Context

Privilege is no longer confined to a small set of administrator accounts. In modern environments, the governance problem is what any identity can do at runtime, especially when service accounts, automation pipelines, workloads, and AI agents inherit legitimate access that traditional account-based controls were never designed to evaluate.

That shift affects NHI governance, PAM, and human identity programmes at the same time. Authentication still matters, but it is no longer enough to explain or contain privileged behaviour when actions happen inside cloud consoles, databases, Kubernetes clusters, and other execution paths that can change system state.


Key questions

Q: How should teams govern privilege when access is tied to actions instead of accounts?

A: Teams should catalogue the actions that can change systems, controls, or other identities, then bind approval and monitoring to those actions rather than to static account labels. That approach is essential when service accounts, workloads, and AI agents inherit authority across environments. It makes governance reflect runtime behaviour instead of credential ownership.

Q: Why do service accounts and workloads make traditional PAM less effective?

A: Because they often operate with inherited permissions, reusable credentials, or long-lived access that does not fit human login assumptions. Traditional PAM can still help, but it cannot fully govern privilege if the identity can act continuously or outside review windows. The control problem shifts from login protection to runtime authorization.

Q: What breaks when organisations rely on vaulting without point-of-action controls?

A: Vaulting can protect secrets at rest, but it does not stop an identity from using legitimate access once a session or credential is available. If control is not enforced at the moment of action, the organisation still has overbroad privilege, lateral movement potential, and weak containment. In practice, vaulting becomes a storage control, not a governance control.

Q: Who is accountable when AI agents or automation misuse privileged access?

A: Accountability sits with the identity owner, the platform owner, and the governance function that approved the privileged path. If the organisation cannot assign responsibility for runtime actions taken by non-human identities, then the control model is incomplete. Frameworks such as NIST CSF 2.0 and NIST’s zero trust guidance (SP 800-207) expect clear ownership to be assigned before privilege is granted.


Technical breakdown

Action-based privilege control in modern PAM

Traditional PAM was built around protecting high-value accounts, but modern privilege is expressed through actions. That means the real governance question is not simply which identity owns a credential, but which systems, controls, and identities the identity can affect at the moment an action is attempted. Context-based enforcement shifts the control point closer to execution, where inherited permissions, ephemeral access, and delegated authority actually create risk. In hybrid environments, this is the only place where policy can reliably distinguish routine access from privileged use.

Practical implication: map privileged entitlement to the action being performed and enforce decisions at execution time, not only at login.

Why just-in-time access needs zero standing privilege

Just-in-time access reduces exposure by making privilege temporary, but it only works when standing privilege is removed from the design. Otherwise, teams end up layering ephemeral approval on top of persistent access, which still leaves a large blast radius if a credential, token, or session is abused. The architectural value of ZSP is that privilege exists only for the task window and then disappears, which materially changes how much can be stolen, reused, or delegated. That makes JIT a governance pattern, not merely an access convenience.

Practical implication: pair JIT with standing-privilege elimination, otherwise you only shorten the abuse window without reducing the underlying entitlement risk.
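As an added example for the two points above (it is not code from the report, from Delinea, or from this post’s authors), the following Python sketch shows a point-of-action authorizer whose only entitlement type is a time-boxed JIT grant. Zero standing privilege is then a property of the data model rather than a review finding: a grant without a bounded window cannot be created, expired grants are discarded before every decision, and possession of a vaulted credential is deliberately not an input to the decision. The action and resource names, the ticket references, and the one-hour window ceiling are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class JitGrant:
    identity: str         # human, service account, workload, or AI agent
    action: str           # the privileged operation, e.g. "k8s:exec" (assumed naming)
    resource: str         # the target it may be performed on, e.g. "prod/payments"
    approval: str         # change ticket / approver reference, for accountability
    expires_at: datetime  # end of the task window; there is no open-ended form


class ActionAuthorizer:
    """Decides each privileged action at the moment it is attempted.

    Zero standing privilege is enforced structurally: the only way to hold an
    entitlement is a JitGrant with a bounded window, and expired grants are
    pruned before every decision, so nothing outlives the task.
    """

    MAX_WINDOW = timedelta(hours=1)  # policy ceiling for one task window (assumed value)

    def __init__(self) -> None:
        self._grants: list[JitGrant] = []

    def grant(self, identity: str, action: str, resource: str, approval: str,
              window: timedelta, now: datetime) -> JitGrant:
        """Issue a JIT grant. A standing grant (zero, negative or over-long window) is rejected."""
        if window <= timedelta(0) or window > self.MAX_WINDOW:
            raise ValueError(f"JIT window must be within (0, {self.MAX_WINDOW}]")
        g = JitGrant(identity, action, resource, approval, now + window)
        self._grants.append(g)
        return g

    def release(self, identity: str, action: str, resource: str) -> int:
        """Task finished early: drop the grant before its window ends. Returns grants removed."""
        before = len(self._grants)
        self._grants = [g for g in self._grants
                        if (g.identity, g.action, g.resource) != (identity, action, resource)]
        return before - len(self._grants)

    def _prune(self, now: datetime) -> None:
        self._grants = [g for g in self._grants if g.expires_at > now]

    def decide(self, identity: str, action: str, resource: str, now: datetime) -> tuple[bool, str]:
        """Point-of-action check. Note what is *not* an input: whether the caller has
        checked a credential out of a vault or has an open session. A secret proves
        who is asking; it does not authorize this action on this resource right now."""
        self._prune(now)
        for g in self._grants:
            if (g.identity, g.action, g.resource) == (identity, action, resource):
                remaining = int((g.expires_at - now).total_seconds())
                return True, f"allow: {g.approval}, {remaining}s left in window"
        return False, f"deny: {identity} has no active grant for {action} on {resource}"

    def standing_privilege(self, now: datetime) -> list[JitGrant]:
        """Everything still live at `now`. Outside task windows this should be empty."""
        self._prune(now)
        return list(self._grants)
```

The same `decide` call would sit in front of a cloud console action, a database DDL statement, or a kubectl exec; what changes between environments is how the action and resource are named, not the shape of the decision.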

AI agents and workload identity under privileged access governance

AI agents and workloads complicate PAM because they often act with inherited permissions rather than interactive sign-in. In that model, the credential itself becomes the exposure, and the more important control is whether the identity ever needs to hold reusable secrets at all. This is where workload identity, secretless access, and policy enforcement at the point of action become central. The report’s framing aligns with the broader shift in NHI governance: privilege is no longer just a human administrative problem, but a runtime authorization problem across every non-human executor.

Practical implication: treat AI agents and workloads as privileged actors that need runtime authorization paths, not just vault access and periodic reviews.
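To make the secretless pattern concrete, here is an added Python example (not from the report, Delinea, or this post’s authors) that contrasts a reusable static key with a short-lived token minted for an attested workload identity. The difference is not only lifetime: the token is bound to one audience and a named set of actions, so a stolen copy cannot be replayed against another system or used for a different operation, while the static key works anywhere it is accepted until someone rotates it. The in-process HMAC signing key, the five-minute TTL, and the workload, resource and action names are assumptions; a real deployment would use a platform identity provider (for example a SPIFFE/SVID or cloud workload identity) with KMS-held keys.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed demo key. A real issuer keeps this in a KMS/HSM; the point is that the
# workload itself never holds it, so there is no reusable secret on the workload to leak.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class WorkloadTokenIssuer:
    """Exchanges an attested workload identity for a short-lived, audience-bound,
    action-scoped token. Attestation itself (how the platform proved `workload`)
    is out of scope here and assumed to have happened before issue() is called."""

    def __init__(self, key: bytes, ttl: timedelta = timedelta(minutes=5)):
        self.key = key
        self.ttl = ttl

    def issue(self, workload: str, audience: str, actions: list[str], now: datetime) -> str:
        claims = {
            "sub": workload,          # attested workload identity
            "aud": audience,          # the single resource that may accept this token
            "act": sorted(actions),   # the actions it is good for, nothing else
            "iat": int(now.timestamp()),
            "exp": int((now + self.ttl).timestamp()),
        }
        body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ScopedResource:
    """Accepts only tokens minted for it, for the requested action, while unexpired."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key

    def authorize(self, token: str, action: str, now: datetime) -> tuple[bool, str]:
        parts = token.split(".")
        if len(parts) != 2:
            return False, "deny: malformed token"
        body, sig = parts
        expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return False, "deny: bad signature"
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.name:
            return False, "deny: token was not issued for this resource"
        if claims.get("exp", 0) <= int(now.timestamp()):
            return False, "deny: token expired"
        if action not in claims.get("act", []):
            return False, "deny: action outside token scope"
        return True, f"allow: {claims['sub']} may {action}"


class StaticKeyResource:
    """The pattern being replaced: a reusable API key with no audience, no expiry and
    no action scope. A leaked copy is full access everywhere the key is accepted
    until rotation, which is exactly the 'credential becomes the exposure' case."""

    def __init__(self, name: str, api_key: str):
        self.name = name
        self.api_key = api_key

    def authorize(self, presented: str, action: str, now: datetime) -> tuple[bool, str]:
        if hmac.compare_digest(presented, self.api_key):
            return True, f"allow: any holder may {action} on {self.name}"
        return False, "deny: bad key"
```

Pairing this with a point-of-action authorizer gives the two halves the text separates: the token answers who is acting and for which resource, and the runtime policy answers whether this particular action is permitted now.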


NHI Mgmt Group analysis

Privilege as an action, not an account, is the category shift PAM vendors now have to follow. The report’s central premise is structurally correct: an identity can be privileged without looking like an administrator account. That matters because service accounts, workloads, and AI agents often inherit authority that is only visible when they act. The implication is that PAM programmes need to be judged by whether they control sensitive actions, not by how many vaults or admin accounts they cover.

Zero standing privilege is becoming the baseline control for modern privileged access. The problem is no longer just credential storage or session monitoring, it is the persistence of access that outlives the task. When privilege remains available outside the moment of need, blast radius expands across cloud consoles, databases, and automation paths. Practitioners should treat standing access as the design flaw, not the exception.

Identity security is converging into a control plane because discovery without enforcement leaves privilege intact. Continuous discovery and posture analysis matter only when they feed a control decision at the point of action. That is why the market is moving away from siloed vaulting and toward integrated governance over secrets, entitlements, and privileged sessions. The practical conclusion is that teams should evaluate whether their control stack can close the gap between finding privilege and stopping its use.

AI agent privilege exposes a governance assumption that was built for human-paced access reviews. Access review processes were designed for identities whose privilege persists long enough to be observed and certified. That assumption fails when an AI agent or automated workload can acquire, use, and release access inside a compressed runtime window. The implication is not simply tighter review cadence, but a rethink of what governance can observe before the action is already complete.

Named concept: identity blast radius. This report is describing the growing distance between where privilege is granted and where it is actually exercised. The more identities can act across multiple systems, the harder it becomes to bound the damage of one exposed secret or one overbroad entitlement. Practitioners should measure how far a single privileged identity can move before controls intervene.

From our research:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure, according to Entro Security's 2025 research.
  • For a broader governance lens, read NHI Lifecycle Management Guide for provisioning, rotation, and offboarding controls that reduce privileged sprawl.

What this signals

Identity blast radius: as privilege spreads across workloads, AI agents, and automation pipelines, the practical question becomes how far one identity can move before enforcement intervenes. That is the metric programmes should start tracking alongside access counts and vault coverage.
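The blast-radius metric named in the analysis section above and restated here can be computed directly from an entitlement graph rather than estimated. The following Python example is added for this post (it is not the report’s method or any vendor’s product logic). The graph, node names and edge kinds are constructed for illustration; the `blocked` parameter stands in for a point-of-action control (a JIT approval or policy check) that stops traversal at that entitlement, which is what makes the function answer “how far can this identity move before enforcement intervenes”. It also ranks every identity in the graph so the same measure can be tracked alongside access counts.

```python
from collections import deque

Edge = tuple[str, str, str]  # (source, kind, target)

# Constructed sample graph. Edge kinds (illustrative, not a standard vocabulary):
#   "assume"  source may act as the target identity (role assumption, delegation)
#   "read"    source may read a secret store
#   "holds"   a secret store contains a credential for the target identity
#   "act"     source may change the target resource
SAMPLE_EDGES: list[Edge] = [
    ("agent:release-bot", "assume", "role:ci-deployer"),   # AI agent inherits a CI role
    ("role:ci-deployer", "act", "k8s:prod/payments"),       # the role can change a prod cluster
    ("role:ci-deployer", "read", "vault:kv/prod"),          # and read a production secrets path
    ("vault:kv/prod", "holds", "sa:db-admin"),              # which stores a DB admin credential
    ("sa:db-admin", "act", "db:prod/orders"),
    ("sa:db-admin", "act", "db:prod/customers"),
    ("human:alice", "act", "k8s:dev/sandbox"),
]

IDENTITY_PREFIXES = ("agent:", "role:", "sa:", "human:")


def blast_radius(edges: list[Edge], start: str, blocked: frozenset[Edge] = frozenset(),
                 max_hops: int = 10) -> dict:
    """BFS from `start` over every entitlement not in `blocked`.

    Returns the identities whose authority becomes reachable, the resources that can be
    changed, the longest chain length, and the path to each reached node so a reviewer
    can see *why* a far-away database is inside one agent's blast radius."""
    out: dict[str, list[Edge]] = {}
    for e in edges:
        out.setdefault(e[0], []).append(e)
    reached: dict[str, tuple[int, list[str]]] = {start: (0, [start])}
    via: dict[str, str] = {}  # node -> edge kind it was reached through
    queue = deque([start])
    while queue:
        node = queue.popleft()
        hops, path = reached[node]
        if hops >= max_hops:
            continue
        for e in out.get(node, []):
            if e in blocked:
                continue  # a point-of-action control sits on this entitlement
            _, kind, dst = e
            if dst in reached:
                continue
            reached[dst] = (hops + 1, path + [dst])
            via[dst] = kind
            queue.append(dst)
    return {
        "identities": sorted(n for n, k in via.items() if k in ("assume", "holds")),
        "resources": sorted(n for n, k in via.items() if k == "act"),
        "max_hops": max(h for h, _ in reached.values()),
        "paths": {n: p for n, (_, p) in reached.items()},
    }


def rank_identities(edges: list[Edge], blocked: frozenset[Edge] = frozenset()) -> list[tuple[str, int]]:
    """Every identity in the graph with the number of resources it can ultimately reach,
    most exposed first. Ties are broken by name so the output is stable."""
    identities = {e[0] for e in edges if e[0].startswith(IDENTITY_PREFIXES)}
    identities |= {e[2] for e in edges if e[2].startswith(IDENTITY_PREFIXES)}
    scored = [(i, len(blast_radius(edges, i, blocked)["resources"])) for i in identities]
    return sorted(scored, key=lambda item: (-item[1], item[0]))
```

Run against the sample graph, the agent reaches both production databases in four hops through the vault, which is the vault-as-storage-control point from the technical breakdown: reading the path is permitted, and nothing at the moment of use asks whether the agent should be acting as the database admin. Blocking the single `holds` edge with a point-of-action control cuts the agent’s reach to the one cluster its role was meant for.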

A PAM programme that still centres on vaulting is likely to miss the runtime layer where actions are actually authorised. Teams should place privileged access controls at the point where the action executes, consistent with NIST CSF 2.0’s expectation that access permissions and entitlements are not only defined and reviewed but enforced (PR.AA-05), because governance now depends on decisions made at execution time, not only at provisioning time.

The next maturity jump is not more secrets inventory, but tighter connection between discovery, posture, and action. When organisations can show that a privileged path is not only found but also blocked or narrowed at use time, they have crossed from visibility into control.


For practitioners

  • Reclassify privilege around actions: Inventory privileged operations by the systems and data they can affect, then map each identity to the actions it can trigger rather than the account it owns.
  • Remove standing access before adding JIT: Treat just-in-time access as incomplete until persistent administrative rights are removed, especially in cloud consoles, databases, and Kubernetes estates.
  • Separate secrets from runtime authorization: Use secretless or workload identity patterns where possible so AI agents and automation do not need reusable credentials to reach private resources.
  • Connect discovery to enforcement: Make sure continuous identity discovery feeds control decisions at the point of action, otherwise posture findings only describe risk without reducing it.
  • Review privileged paths across human and non-human identities: Run access reviews against the same privileged action set for administrators, service accounts, and automation so governance does not stop at the human layer.

Key takeaways

  • The report shows PAM is moving from protecting accounts to governing actions, which changes what counts as privileged risk.
  • The scale of NHI and secret exposure means standing access and duplicated secrets remain material governance failures, not edge cases.
  • Practitioners should evaluate whether their controls can intervene at runtime, because discovery alone does not constrain privilege.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identities Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST’s Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identities Top 10 (2025) | NHI5 Overprivileged NHI; NHI7 Long-Lived Secrets | Inherited, overbroad authority and credentials that outlive the task are the standing-privilege problem that action-based governance targets.
NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements and authorizations are to be defined in policy, managed, enforced and reviewed under least privilege; in hybrid estates that enforcement belongs at the point of action.
NIST SP 800-207 (Zero Trust Architecture) | Section 2.1 tenets: per-session access, access decided by dynamic policy (least privilege itself is SP 800-53 control AC-6, not an SP 800-207 section) | Zero trust requires continuous, per-request authorization, not just account-based authentication.

Reduce standing access and align privileged secrets with the NHI7 (Long-Lived Secrets) and NHI5 (Overprivileged NHI) rotation and lifecycle controls.


Key terms

  • Action-based privilege: A model where privilege is defined by what an identity can do to systems, data, or controls, not by the label on the account. It is especially important for service accounts, workloads, and AI agents, where inherited permissions matter more than human-style login flows.
  • Zero standing privilege: A governance pattern where elevated access does not persist beyond the task that needs it. Instead of leaving privileged rights available for later use, the system grants them only when needed and removes them immediately after the action is complete.
  • Identity blast radius: The maximum damage one identity can cause if its permissions are abused or misused. It reflects how far a compromised secret, token, or entitlement can move through systems before controls intervene, which makes it a useful measure of privileged exposure.
  • Point-of-action control: An authorization approach that evaluates privilege when the action is about to occur rather than only when the identity signs in. It is critical in modern PAM because many non-human identities operate continuously and can cause harm long after initial authentication.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Delinea: Beyond the vault, Delinea named a Leader in the 2026 KuppingerCole PAM Leadership Compass. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org