By NHI Mgmt Group Editorial Team
Published 2026-01-27
Domain: Governance & Risk
Source: SSH Communications Security

TL;DR: PAM has moved beyond administrator credentials into identity security, with modern deployments integrating ITDR, CIEM, and SOAR as agentic AI, NHI growth, zero trust, and post-quantum concerns reshape access control, according to SSH Communications Security. The real change is that access governance now has to account for machine identities and decision-making systems, not just human administrators.


At a glance

What this is: The article argues that PAM is evolving into broader identity security as organisations face NHI growth, agentic AI, zero trust, and stronger data sovereignty demands.

Why it matters: That matters because IAM teams now have to govern human, non-human, and emerging autonomous access patterns together, instead of treating PAM as a narrow admin-access control.



Context

PAM is no longer just an administrator-access control. As organisations layer in NHI, agentic AI, and zero trust, privileged access becomes a broader governance problem: who or what is allowed to act, when, and under which controls.

The article frames that shift around three pressure points. Security teams want more control and resilience, collaboration platforms are becoming governance surfaces, and OT environments now require auditability, least privilege, and vendor oversight without losing operational continuity.


Key questions

Q: How should security teams govern privileged access as NHI use expands?

A: Treat privileged access as a lifecycle issue, not a credential vault problem. Every service account, token, certificate, and API key needs an owner, a scope, a rotation rule, and a revocation path. If PAM cannot see machine identities end to end, the programme is controlling storage while leaving actual privilege exposure untouched.
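The four properties named above (owner, scope, rotation rule, revocation path) can be checked mechanically against an inventory. The script below is an added example from the NHIMG editors, not code from SSH Communications Security or from any PAM product: the inventory layout, the per-kind rotation windows and the sample identities are all assumptions constructed for the illustration.

```python
"""Lifecycle audit over a constructed NHI inventory.

Each identity is checked for the four things the text says a machine credential
needs: an owner, a bounded scope, a rotation rule that is actually met, and a
revocation path. Policy numbers and record layout are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed rotation windows (days) per credential kind; not a published standard.
ROTATION_POLICY_DAYS = {
    "service_account": 90,
    "api_key": 90,
    "token": 30,
    "certificate": 365,
}


@dataclass
class NHI:
    id: str
    kind: str
    owner: Optional[str]
    scope: List[str]
    last_rotated: date
    revocation_path: Optional[str]   # where/how it can be revoked; None = nobody knows
    expires: Optional[date] = None


def audit_nhi(nhi: NHI, today: date) -> List[str]:
    """Return the governance gaps for one identity (empty list means clean)."""
    gaps = []
    if not nhi.owner:
        gaps.append("no-owner")
    if not nhi.scope or "*" in nhi.scope:
        gaps.append("unbounded-scope")
    window = ROTATION_POLICY_DAYS.get(nhi.kind)
    if window is None:
        gaps.append("unknown-kind")
    elif today - nhi.last_rotated > timedelta(days=window):
        gaps.append("rotation-overdue")
    if not nhi.revocation_path:
        gaps.append("no-revocation-path")
    if nhi.expires is not None and nhi.expires < today:
        gaps.append("expired-still-present")
    return gaps


def audit_inventory(inventory: List[NHI], today: date) -> Dict[str, List[str]]:
    """Map identity id -> gaps, keeping only identities that have at least one."""
    report = {}
    for nhi in inventory:
        gaps = audit_nhi(nhi, today)
        if gaps:
            report[nhi.id] = gaps
    return report


# Constructed sample inventory; identifiers and paths are invented for the example.
TODAY = date(2026, 1, 27)
SAMPLE_INVENTORY = [
    NHI("svc-billing", "service_account", "team-payments", ["db:billing:read"],
        date(2025, 12, 1), "vault/leases/svc-billing"),
    NHI("key-ci-deploy", "api_key", None, ["*"],
        date(2025, 6, 1), None),
    NHI("tok-agent-ops", "token", "team-platform", ["k8s:prod:exec"],
        date(2025, 12, 1), "idp/sessions/tok-agent-ops"),
    NHI("cert-ot-vendor", "certificate", "ot-maintenance", ["ot:plc-gateway:maintain"],
        date(2024, 11, 15), "pki/crl", expires=date(2025, 11, 15)),
]

if __name__ == "__main__":
    for ident, gaps in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{ident}: {', '.join(gaps)}")
```

Run as a script it lists only the identities with gaps; the clean service account is silent, while the ownerless wildcard API key with no revocation path shows how a credential can be "stored" in a vault and still be ungoverned.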

Q: Why do NHI and zero trust change the way PAM should be designed?

A: Zero trust assumes continuous verification, but NHI access often persists across systems, sessions, and automation flows. That means PAM must govern context, duration, and scope, not just authenticate a caller. Without that shift, privileged machine access becomes a standing exception that undermines zero trust.

Q: What do teams get wrong about PAM in collaboration and OT environments?

A: They often treat PAM as a login-control layer instead of a governance layer. In collaboration and OT settings, the bigger risks are uncontrolled data access, weak delegation, and poor revocation discipline. The right question is not only who logged in, but who can still act, where data sits, and how quickly access can be withdrawn.

Q: What frameworks should guide PAM programmes that now cover NHI and operational access?

A: Use NIST CSF for programme structure, NIST SP 800-207 (Zero Trust Architecture) for continuous verification, and OWASP NHI guidance for machine credential governance. If OT or collaboration is in scope, add sector and data-residency requirements so privileged access, sovereignty, and auditability are managed together rather than as separate workstreams.


Technical breakdown

How PAM becomes an identity control plane

Modern PAM increasingly sits between authentication, entitlement governance, and response tooling. When it integrates with ITDR, CIEM, and SOAR, PAM is no longer only brokering privileged sessions. It is also detecting suspicious privilege use, correlating excess entitlements, and triggering automated response. That changes the control surface from static credential protection to runtime governance of privileged actions. For NHI-heavy environments, this matters because service accounts, API keys, certificates, and automation identities often bypass human-centric approval patterns and need policy enforcement at the point of use.

Practical implication: map PAM coverage to runtime privilege decisions, not just administrator logins.

Why zero trust and NHI push PAM beyond static credentials

Zero trust assumes continuous verification, but privileged access often lives in long-running machine and administrative workflows. NHI growth expands the number of identities that can reach critical systems, while AI-assisted workflows introduce more dynamic access paths. PAM therefore has to govern both standing human privilege and machine-issued credentials that can be reused, copied, or embedded in tools. The technical shift is from protecting a login event to controlling the lifecycle and context of access across systems and sessions.

Practical implication: enforce short-lived privileged access and tie it to explicit identity context.
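What "short-lived and tied to explicit identity context" looks like at the point of use is easiest to see in code. The following is an added example by the NHIMG editors, not code from the article or from any PAM vendor: the 30-minute ceiling, the field names and the in-memory revocation list are assumptions chosen for the illustration.

```python
"""Just-in-time privileged grant: capped TTL, bound to a caller context, and
re-checked (including revocation) on every action rather than only at login.
Policy values and data shapes are assumptions for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Set, Tuple

MAX_TTL = timedelta(minutes=30)   # assumed policy ceiling for any privileged grant


@dataclass(frozen=True)
class Grant:
    grant_id: str
    identity: str            # the human or machine identity that requested it
    scope: FrozenSet[str]    # explicit actions permitted, e.g. "db:prod:read"
    source: str              # execution context the grant is bound to (host, runner, session)
    issued_at: datetime
    expires_at: datetime


class Revocations:
    """Revocation list consulted at use time, so withdrawal takes effect immediately."""
    def __init__(self) -> None:
        self._ids: Set[str] = set()

    def revoke(self, grant_id: str) -> None:
        self._ids.add(grant_id)

    def is_revoked(self, grant_id: str) -> bool:
        return grant_id in self._ids


def issue_grant(grant_id: str, identity: str, scope: Set[str], source: str,
                requested_ttl: timedelta, now: datetime) -> Grant:
    """Issue a grant whose lifetime never exceeds MAX_TTL and whose scope is explicit."""
    if not scope or "*" in scope:
        raise ValueError("privileged grants must name explicit actions")
    ttl = min(requested_ttl, MAX_TTL)
    return Grant(grant_id, identity, frozenset(scope), source, now, now + ttl)


def authorize(grant: Grant, action: str, source: str, now: datetime,
              revocations: Revocations) -> Tuple[bool, str]:
    """Decide one privileged action; returns (allowed, reason). Checks run in
    the order a defender cares about: withdrawn, stale, wrong context, wrong scope."""
    if revocations.is_revoked(grant.grant_id):
        return False, "revoked"
    if now >= grant.expires_at:
        return False, "expired"
    if source != grant.source:
        return False, "context-mismatch"
    if action not in grant.scope:
        return False, "out-of-scope"
    return True, "ok"


# Constructed walk-through: a CI runner asks for two hours, gets thirty minutes.
T0 = datetime(2026, 1, 27, 9, 0, tzinfo=timezone.utc)
REVOCATIONS = Revocations()
CI_GRANT = issue_grant("g-0001", "svc-ci", {"k8s:prod:rollout"}, "ci-runner-7",
                       timedelta(hours=2), T0)

if __name__ == "__main__":
    print(CI_GRANT.expires_at - CI_GRANT.issued_at)                       # 0:30:00
    print(authorize(CI_GRANT, "k8s:prod:rollout", "ci-runner-7", T0 + timedelta(minutes=10), REVOCATIONS))
    print(authorize(CI_GRANT, "k8s:prod:rollout", "laptop-42", T0 + timedelta(minutes=10), REVOCATIONS))
```

The design choice worth noting is that expiry, context and revocation are evaluated per action, not once at session start; a token copied to another host or kept past its window is denied even though the credential itself is still valid bytes.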

Data sovereignty and OT change the access boundary

Secure collaboration and OT both expose a familiar problem in new places: access control is only part of the issue if data location, auditability, and vendor oversight are unclear. In collaboration systems, sovereignty depends on knowing where data resides and who can access it. In OT, remote maintenance and telemetry create high-value privileged channels that must be tightly bounded. The architecture challenge is to preserve operational access while preventing uncontrolled external dependency, which requires segmentation, auditable delegation, and policy-aware remote entry.

Practical implication: treat sovereignty, remote access, and auditability as one control design problem.




NHI Mgmt Group analysis

PAM is becoming the enforcement layer for identity security, not a separate admin tool. Once PAM integrates with ITDR, CIEM, and SOAR, it starts governing privilege as a live security state rather than a static entitlement. That aligns PAM with how modern attacks actually unfold across human admins, service accounts, and automation. Practitioners should treat privileged access as a runtime control plane, not a vault with better branding.

Non-human identity growth turns PAM from a narrow control into a lifecycle problem. The article's framing fits what we see in the field: organisations are no longer just protecting elevated human accounts; they are managing service credentials, tokens, and machine permissions that outnumber people by a wide margin. NHI governance fails when it is reduced to credential storage instead of lifecycle, scope, and revocation discipline. Practitioners should re-evaluate whether their PAM programme can actually see and govern machine identities end to end.

Secure collaboration is now an identity governance issue because communication channels carry operational trust. When business-critical decisions move through digital collaboration tools, access control, data location, and delegation policy all become part of the same risk surface. Centralised platforms can create concentration risk, while federation shifts control back to the organisation but increases governance complexity. Practitioners should align collaboration security with identity policy, data residency, and audit requirements rather than treating it as a separate productivity stack.

OT remote access exposes the gap between operational availability and identity rigor. The article points to a familiar tension: industrial environments need vendor and integrator access, but that access must not become a standing pathway into control systems. This is where least privilege, auditability, and oversight stop being abstract governance terms and become safety controls. Practitioners should judge OT access by how tightly it can be bounded, monitored, and revoked under operational pressure.

Identity blast radius: the new PAM question is not whether access is privileged, but how far one identity can reach once it is compromised or misused. That concept cuts across human admin access, service accounts, and collaboration platforms alike. The broader the blast radius, the more PAM has to behave like a containment model rather than a convenience layer. Practitioners should measure how much damage any single credential can do across systems, data, and decision flows.
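Measuring blast radius is a graph question: what can this identity reach, directly and through the roles and secret stores it can get to? The script below is an added example written by the NHIMG editors, not code from the article; the entitlement graph, the node naming convention and the identities in it are constructed for the illustration.

```python
"""Blast radius of an identity over a constructed entitlement graph.

Edges mean "can reach": an identity assumes a role, a role grants a resource,
and a resource that stores credentials (a secrets store, a CI vault) gives
reach to the identities whose credentials it holds. Node names are invented.
"""
from collections import deque
from typing import Dict, List, Tuple

# Constructed graph: node -> nodes it can reach directly.
ENTITLEMENTS: Dict[str, List[str]] = {
    "id:alice-admin": ["role:prod-admin"],
    "id:svc-ci": ["role:deployer", "res:secrets-store"],
    "id:svc-backup": ["role:backup-reader"],
    "id:vendor-ot": ["role:ot-maintainer"],
    "role:prod-admin": ["res:k8s-prod", "res:db-customers", "res:secrets-store"],
    "role:deployer": ["res:k8s-prod"],
    "role:backup-reader": ["res:db-customers"],
    "role:ot-maintainer": ["res:plc-gateway"],
    # The secrets store holds credentials for these identities, so reaching it
    # means reaching everything they can reach.
    "res:secrets-store": ["id:svc-backup", "id:vendor-ot"],
    "res:k8s-prod": [],
    "res:db-customers": [],
    "res:plc-gateway": [],
}


def blast_radius(graph: Dict[str, List[str]], start: str) -> Tuple[List[str], List[str]]:
    """Breadth-first walk from `start`; returns (resources, identities) it can
    transitively reach, excluding itself."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    resources = sorted(n for n in seen if n.startswith("res:"))
    identities = sorted(n for n in seen if n.startswith("id:"))
    return resources, identities


def rank_by_blast_radius(graph: Dict[str, List[str]]) -> List[Tuple[str, int, int]]:
    """Rank identities by reachable resources, then reachable identities, largest first."""
    rows = []
    for node in graph:
        if node.startswith("id:"):
            resources, identities = blast_radius(graph, node)
            rows.append((node, len(resources), len(identities)))
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


if __name__ == "__main__":
    for ident, n_res, n_ids in rank_by_blast_radius(ENTITLEMENTS):
        print(f"{ident:16} resources={n_res} identities={n_ids}")
```

In this constructed graph the CI service account ends up with the same reach as the production administrator, not because it holds admin roles but because it can read a secrets store that holds other identities' credentials. That is the containment point the text makes: the privilege label on a credential says little about how far it reaches.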

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • For a broader baseline on machine-identity exposure, see Top 10 NHI Issues for the governance issues teams most often miss.

What this signals

Identity blast radius: PAM programmes are moving toward containment thinking, where the real measure is how far a credential can reach before it is stopped or observed. That shift matters because static privilege models cannot explain modern compromise paths across administrators, machine identities, and delegated collaboration access.

When 97% of NHIs already carry excessive privileges, the design problem is not only privilege reduction but privilege visibility. Teams should expect PAM, CIEM, and OT access controls to converge around runtime context, revocation speed, and audit evidence.

Organisations that still separate human IAM, NHI governance, and collaboration security will struggle to prove control effectiveness. The operational signal to watch is whether access policy is enforced at the point of use and whether revocation works as quickly in machine and OT paths as it does for human admin sessions.


For practitioners

  • Re-map privileged access to runtime enforcement points: Inventory where privileged actions actually occur across admins, service accounts, collaboration tools, and OT remote sessions. Then verify that PAM, ITDR, CIEM, and SOAR share enough context to detect misuse, not just issue credentials.
  • Separate human admin access from machine privilege governance: Track service accounts, API keys, and certificates as distinct governance objects with their own approval, rotation, and revocation paths. Human PAM controls do not translate cleanly to non-human identities unless lifecycle ownership is explicit.
  • Define sovereignty requirements before choosing collaboration deployment models: Document where communication data must reside, who can administer it, and what audit evidence regulators or auditors will expect. Use those requirements to decide between local cloud, on-premise, private network, or federated patterns.
  • Harden OT remote access as a safety control: Put vendor and integrator access behind bounded sessions, strong audit trails, and explicit approval paths. Remote maintenance should be time-limited and observable, with revocation tested as part of operational readiness.

Key takeaways

  • PAM is shifting from administrator credential protection to broader identity governance across people, machines, and operational systems.
  • The evidence points to a structural NHI problem: most organisations still lack reliable offboarding and rotation for machine credentials.
  • Teams should redesign privileged access around runtime enforcement, sovereignty requirements, and revocation speed, not just login control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on credential lifecycle and privileged machine access.
NIST Zero Trust (SP 800-207) | PR.AC-4 | The post stresses continuous verification and bounded privileged access.
NIST CSF 2.0 | PR.AC-1 | Identity and access governance underpins the article's control and resilience theme.

Tie PAM to continuous verification and limit privileged sessions to explicit context and scope.


Key terms

  • Privileged Access Management: Privileged Access Management is the set of controls used to govern high-risk access to systems, data, and operational tools. In modern identity programmes it is no longer only about administrator passwords, but about controlling who or what can perform sensitive actions, for how long, and under what audit conditions.
  • Non-Human Identity: A Non-Human Identity is any machine or software identity used to access systems, including service accounts, API keys, tokens, and certificates. These identities often outnumber human users and require explicit ownership, lifecycle control, and revocation processes because they can be copied, reused, or left active after their original purpose has ended.
  • Identity blast radius: Identity blast radius describes how much damage one compromised or misused identity can cause before it is detected or contained. It is a practical way to think about privilege scope, lateral reach, and delegated access across human, machine, and operational environments.
  • Data sovereignty: Data sovereignty is the requirement that data be stored, processed, and governed according to the applicable jurisdiction and organisational policy. In identity terms, it affects who can administer communication systems, where audit records live, and how access decisions are aligned to legal and operational boundaries.

Deepen your knowledge

PAM, NHI lifecycle governance, and runtime privilege controls are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme still treats privileged access as an admin-only problem, this is the right starting point.

This post draws on content published by SSH Communications Security: "Cybersecurity in 2026 looks very different from just a few years ago."

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org