By NHI Mgmt Group Editorial TeamPublished 2025-07-25Domain: Best PracticesSource: Infisical

TL;DR: Traditional PAM strategies still rely on standing privileges, manual rotation, and visibility gaps that attackers can turn into ransomware footholds, according to Infisical’s analysis. The real shift is from managing permanent access to removing persistent privilege and making credentials invisible to users.


At a glance

What this is: This is a PAM best-practices analysis arguing that standing privilege, exposed credentials, and manual workflows no longer match modern attack patterns.

Why it matters: It matters because IAM teams must govern human, NHI, and technical access with the same expectation of short-lived privilege, stronger monitoring, and tighter lifecycle control.

By the numbers:

👉 Read Infisical's analysis of modern privileged access management best practices


Context

Privileged access management works only when elevated access is short-lived, visible, and tightly scoped. When standing privileges, shared credentials, and unmanaged technical accounts become normal, the control model stops matching how attackers actually move through environments, especially where non-human identities and administrative access overlap.

This article is about the gap between legacy PAM habits and current operational reality. The central issue is not whether access exists, but whether organisations can prove why it exists, who or what holds it, and how quickly it disappears after the task is complete.


Key questions

Q: How should security teams reduce standing privilege in production environments?

A: Start with the accounts that can reach production systems, cloud administration, or sensitive data. Replace permanent elevation with just-in-time access, set short expiry windows, and require explicit justification for each request. The goal is to make privilege temporary, task-specific, and automatically removed when the work ends.

Q: Why do service accounts and API keys need PAM controls?

A: Because attackers use non-human identities to move silently once they are compromised. Service accounts and API keys often have broad permissions, weak visibility, and poor lifecycle discipline, which makes them ideal footholds for lateral movement. Treat them as privileged assets, not background plumbing.

Q: What do organisations get wrong about credential rotation?

A: They often assume rotation alone solves exposure, when the real issue is whether secrets are still usable during the window before revocation. Rotation helps, but it must be paired with visibility, access scoping, and automatic removal of unused credentials. Otherwise, the secret remains exploitable long after discovery.

Q: Who should own break-glass account governance?

A: Break-glass accounts should be owned jointly by IAM, security operations, and the system owners who depend on them. That ownership model matters because emergency access must be tested, tightly approved, and auditable without becoming a standing backdoor. Exceptional access needs stronger governance than routine admin access.


Technical breakdown

Zero standing privilege versus standing admin access

Standing privilege is persistent elevated access that remains active until someone remembers to remove it. Zero standing privilege replaces that model with just-in-time access, so elevation is granted only for a specific task and then expires automatically. The technical value is not only smaller attack surface. It is also reduced credential reuse, cleaner audit scope, and less opportunity for lateral movement when an administrative account is compromised. In mature environments, approval logic, time limits, and policy checks become part of the access path rather than an afterthought.

Practical implication: move the highest-risk administrative roles to just-in-time elevation first and remove permanent access wherever the business case is weak.

Why privileged access must include service accounts and API keys

Modern privileged access is not limited to human administrators. Service accounts, API keys, machine identities, and SaaS super-user accounts often have broader reach than human users and are harder to monitor because they operate non-interactively. Treating only domain admins as privileged leaves the most automation-heavy parts of the environment outside the control plane. That blind spot matters because attackers prefer credentials that can be reused silently and at scale. PAM therefore needs to cover non-human identities with the same discipline used for human admin access, including visibility, rotation, and least privilege.

Practical implication: extend PAM controls to service accounts, machine identities, and API credentials before assuming human admin governance is enough.

Credential invisibility, session brokering, and auditability

Credential invisibility means users never see the underlying secret, even when they are allowed to perform privileged work. Session brokering and injection let a platform supply access without exposing passwords or tokens to the operator, while session recording preserves accountability. This is technically stronger than vault checkout because it removes a common leakage path through clipboard use, shared notes, browser storage, and accidental disclosure. The real control outcome is not just safer authentication. It is that privileged work can be reviewed at the session level instead of inferred later from log fragments.

Practical implication: replace credential checkout with brokered sessions and recorded activity wherever privileged operations can be mediated.


Threat narrative

Attacker objective: The attacker wants durable privileged access that can be reused to spread through the environment, disrupt operations, and maximise ransomware impact.

  1. Entry occurs when attackers obtain privileged credentials through exposed API keys, forgotten service accounts, or over-permissioned technical users that were never brought under effective PAM control.
  2. Escalation follows when those credentials provide standing access into production systems, CI/CD pipelines, or cloud administration paths that were designed for convenience rather than containment.
  3. Impact comes from the attacker using that persistent privilege to move laterally, disable controls, or deploy ransomware across critical systems before the organisation can contain the session.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Standing privilege is the failure mode, not merely the control gap. Traditional PAM assumes elevated access can safely remain available between use cases, but that assumption belongs to a slower operational model. Once credentials, service accounts, and admin paths stay live indefinitely, the organisation has already accepted persistent blast radius. Practitioners should treat every always-on privilege as an exposure window that outlives its original business need.

Privileged access governance now has to include non-human identities by default. The article is right to collapse the distinction between human admins and technical accounts because attackers do not care whether access was intended for a person or a workload. Service accounts and API keys often carry the most consequential permissions, yet they are still governed with weaker review habits than human users. The implication is that PAM, IGA, and secrets governance need a shared view of privilege, not separate blind spots.

Credential invisibility is becoming a core security property. When a user can never see the secret, the organisation reduces the chance of leakage through sharing, storage, or transcription. That is more than a usability improvement. It changes the attacker's opportunity structure by removing a class of reusable secret exposure that traditional checkout models still permit. Practitioners should regard exposed credential handling as an avoidable design choice, not an unavoidable trade-off.

Automated access workflows only work when they are bound to lifecycle discipline. Auto-provisioning and automatic revocation are effective only if the privilege source of truth is accurate and the offboarding path is enforced. The article’s best-practice set correctly points toward access expiry, recertification, and emergency-account controls as connected parts of one governance model. Teams that treat them as separate projects will keep rediscovering the same privileged access failure in different forms.

Identity blast radius is the right concept for modern PAM. The practical question is no longer whether access is privileged, but how far it can travel if abused. That includes human admin accounts, service accounts, machine credentials, and break-glass paths. The organisations that reduce blast radius fastest will be the ones that stop thinking in terms of static admin entitlements and start measuring how much damage any single credential can do.

From our research:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
  • That pattern points forward to Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs as the next resource for lifecycle controls that limit privilege persistence.

What this signals

With 64% of valid secrets leaked in 2022 still exploitable today, the practical signal is clear: rotation without automated revocation will not close the exposure window. IAM and PAM teams should expect more pressure to prove that privileged access can be removed as quickly as it is granted.

Identity blast radius: this is the control problem that now cuts across human admin accounts, service accounts, and machine identities. The organisation that cannot measure how far one credential can travel will keep discovering privilege only after it has been abused.

Readers building lifecycle controls should pair PAM with 52 NHI Breaches Analysis and the OWASP Non-Human Identity Top 10 so the governance model reflects both breach patterns and current NHI guidance.


For practitioners

  • Remove standing privileges from high-risk admin roles first Inventory permanent administrative grants, rank them by production reach, and replace the top exposures with just-in-time access that expires automatically after the task completes.
  • Bring non-human identities into the PAM control set Apply the same review, scoping, and revocation standards to service accounts, API keys, and machine identities that you already expect for human privileged users.
  • Replace credential checkout with brokered sessions Use session injection and proxied access so operators can perform privileged work without ever handling the underlying secret.
  • Automate revocation and recertification workflows Connect termination, role change, and access review events to automatic entitlement removal so privilege does not outlive its purpose.
  • Secure break-glass accounts as exceptional controls Store emergency credentials in tamper-evident vaults, require multi-person approval, and record every use with immediate alerting.

Key takeaways

  • Legacy PAM fails when it treats permanent privilege as normal and secret handling as a user convenience.
  • The operational risk is not only exposed credentials, but the length of time those credentials remain useful after exposure.
  • The control shift is toward short-lived privilege, non-human identity coverage, and brokered access that removes secrets from the operator path.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Covers credential rotation and standing-secret exposure in privileged access.
NIST CSF 2.0PR.AC-4Least-privilege access management matches the article's PAM and JIT guidance.
NIST Zero Trust (SP 800-207)AC-4Zero trust access aligns with task-scoped elevation and continuous verification.

Map privileged accounts and secrets to NHI-03 and remove persistent credentials where possible.


Key terms

  • Standing Privilege: Standing privilege is elevated access that remains active all the time instead of being granted for a specific task. It increases attack surface because the account is always available for misuse, theft, or lateral movement. In mature governance, standing privilege is treated as an exposure window, not a convenience.
  • Just-In-Time Access: Just-in-time access is a control pattern that grants elevated permissions only when they are needed and removes them automatically after the task ends. It reduces the time attackers can abuse privileged access and makes approval, expiry, and audit trails part of the access event itself.
  • Break-Glass Account: A break-glass account is an emergency credential reserved for critical situations when normal access paths fail. It should be tightly controlled, rarely used, and heavily monitored because its value in a crisis makes it a high-risk target if governance is weak.
  • Session Brokering: Session brokering is the practice of mediating privileged access through a control layer so the operator never sees the underlying secret. It improves auditability and reduces leakage because the security system records and enforces the session instead of handing out reusable credentials.

What's in the full article

Infisical's full blog post covers the operational detail this post intentionally leaves for the source:

  • A step-by-step PAM best-practice sequence for replacing standing privilege with time-bound access.
  • Specific operational patterns for handling service accounts, API keys, and machine identities as privileged assets.
  • Concrete monitoring and session-recording approaches for privileged access auditability.
  • Break-glass governance details, including approval, storage, and post-use review practices.

👉 Infisical's full post covers the PAM patterns, monitoring controls, and emergency access handling in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org