TL;DR: Privileged access now includes service accounts, API keys, SSH keys, and cloud identities, while identity-based attacks account for 30% of cybersecurity incidents and stolen-credential logins continue to dominate the threat landscape, according to IBM's 2025 X-Force Threat Intelligence Index. Standing privilege and incomplete coverage are the real problem, not password vaulting.
At a glance
What this is: This is an Infisical analysis of modern privileged access management and its shift toward cloud-native, non-human identity coverage.
Why it matters: It matters because IAM teams must treat human and non-human privileged access as one governance problem, or they will leave service accounts, API keys, and cloud entitlements outside control.
By the numbers:
- Identity-based attacks now comprise 30% of all cybersecurity incidents, marking the second consecutive year that credential compromise has dominated the threat landscape.
- In 2024, there was an average 84% increase in infostealers delivered via phishing emails per week compared to 2023.
- Only 5.7% of organisations have full visibility into their service accounts.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
👉 Read Infisical's analysis of modern privileged access management choices
Context
Privileged access management has moved beyond vaulting passwords for human admins. In cloud-native estates, the privileged subject is often a service account, API key, SSH key, certificate, or cloud entitlement, and the governance question is whether that access is visible, bounded, and removable when its job is done.
The article argues that older PAM assumptions break when privileged access is distributed across hybrid infrastructure and developer workflows. That puts NHI governance, lifecycle control, and auditability at the centre of the discussion, not just session monitoring for human operators.
Key questions
Q: How should security teams implement PAM for both human and non-human privileged access?
A: They should build one privileged access model that includes administrators, service accounts, API keys, SSH keys, and cloud entitlements. The test is not whether passwords are vaulted, but whether every privileged subject can be discovered, time-bound, monitored, and revoked across the environments where it operates.
Q: Why do service accounts and API keys increase the risk of lateral movement?
A: Because they often have standing permissions that remain valid after initial exposure, giving attackers reusable access without needing to break in again. Once an account or key is over-privileged, compromise can spread through cloud, infrastructure, and automation systems with very little friction.
Q: What do organisations get wrong about zero standing privilege?
A: They treat it as a human admin control instead of an access model that should apply to non-human identities too. If service accounts, tokens, and certificates still hold permanent access, the organisation has not removed standing privilege, it has only renamed it.
Q: How do teams know whether PAM is actually covering their real attack surface?
A: They should measure privileged identity inventory completeness, approval coverage, session visibility, and revocation effectiveness across human and non-human accounts. If any privileged subject cannot be seen, reviewed, and removed, PAM is partial and the attack surface remains open.
Technical breakdown
Zero standing privilege in privileged access management
Zero standing privilege means no identity keeps permanent elevated access simply because it might be useful later. In PAM, that shifts the control model from always-on admin rights to task-scoped, time-bound elevation with audit trails and revocation. The technical issue is not only whether access is approved, but whether the approval creates a transient privilege surface that can be observed and terminated cleanly across cloud, on-prem, and DevOps systems. Persistent access is where compromise scales, because stolen credentials remain useful long after initial exposure.
Practical implication: replace persistent admin grants with time-bound elevation paths and verify that revocation actually removes effective access.
Why NHI visibility is now a PAM requirement
PAM cannot govern what it cannot inventory. Modern privileged estates include human admins, service accounts, machine tokens, API keys, and cloud identities that often sit outside the visibility of traditional vault-centric tools. The article’s emphasis on comprehensive coverage reflects a broader NHI problem: privileged relationships are dispersed across code, pipelines, cloud consoles, and SaaS integrations, so the control plane must discover, classify, and monitor them continuously. Without that view, access reviews are partial by design and remediation is incomplete.
Practical implication: build a privileged identity inventory that includes non-human accounts, not just named administrators.
Cloud-native PAM versus legacy perimeter controls
Cloud-native PAM is built around ephemeral infrastructure, API-driven automation, and distributed access paths. Legacy perimeter-era PAM assumed relatively stable servers, predictable admin workflows, and long-lived credentials, which is why it struggles with modern CI/CD, Kubernetes, and multi-cloud environments. The real architectural shift is that access now needs to be brokered where work happens, not only where people log in. That is why session controls, policy enforcement, and secret injection increasingly matter as much as vaulting and rotation.
Practical implication: evaluate whether your PAM stack can broker access inside cloud-native workflows without forcing manual workarounds.
Threat narrative
Attacker objective: The attacker wants durable privileged access that can be reused to reach sensitive systems, steal data, and move laterally without needing further exploitation.
- Entry occurs when attackers obtain stolen credentials, with infostealer-driven phishing and exposed secrets providing a fast path into privileged environments.
- Escalation follows when permanent or over-broad privileged access lets attackers reuse valid accounts instead of forcing noisy exploitation.
- Impact lands as lateral movement, data theft, and control-plane abuse across cloud and infrastructure systems that were assumed to be protected by privileged controls.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Privileged access management is now an identity governance problem, not a vaulting problem. The article correctly treats privileged access as a control plane issue across humans and non-human identities. Once service accounts, API keys, and cloud entitlements are in scope, PAM has to align with lifecycle, inventory, and auditability rather than only credential storage. Practitioners should judge PAM by how completely it governs all privileged subjects, not by how many passwords it hides.
Standing privilege is the failure mode that matters most here. Permanent elevation creates reusable access that attackers can turn into lateral movement, especially when credentials are stolen through phishing or infostealers. The control gap is not abstract, because the article itself ties privileged access exposure to modern identity-based attacks. Practitioners should treat any always-on admin path as an exposure window, not a convenience.
Identity blast radius: the article reveals how privileged access becomes dangerous when human and non-human accounts are governed unevenly. If service accounts, API keys, and SSH keys are only partially covered, the blast radius expands beyond what most PAM teams think they have contained. That is a governance gap in scope, not just tooling. Practitioners should re-evaluate whether their privileged access model actually defines the full attack surface.
Cloud-native PAM is becoming the baseline expectation for modern infrastructure. The article’s contrast between legacy and cloud-native approaches reflects a broader market shift: static, perimeter-oriented PAM no longer fits ephemeral workloads and API-driven operations. The implication is that organisations will increasingly buy for workflow integration, policy enforcement, and audit depth rather than for vault-first feature lists. Practitioners should align architecture decisions with cloud operating reality, not legacy admin habits.
The most important governance assumption is that privileged access can be reviewed after the fact. That assumption holds only when elevation persists long enough to be observed and certified. In highly automated environments, access may be created, used, and withdrawn within a task cycle, which changes how governance, evidence, and accountability need to work. Practitioners should rethink review cadence before they assume the old model still applies.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- A separate finding shows that 97% of NHIs carry excessive privileges, which broadens the attack surface even when teams think access is controlled.
- For a deeper governance view, read 52 NHI Breaches Analysis for the patterns that turn hidden access into real compromise.
What this signals
Privileged identity programmes will be judged less by vault coverage and more by how completely they account for non-human access. The gap between what teams think they govern and what actually exists is still wide, especially once service accounts and API keys are embedded in automation. The practical shift is toward unified entitlement visibility, continuous review, and evidence that revocation truly works.
Identity inventory is becoming the control surface for PAM modernisation. When privileged access spans cloud, DevOps, and hybrid infrastructure, teams need a shared source of truth that can support access reviews and exception handling. That is why the most useful programme conversations now focus on discovery quality, not just policy design.
With 90% of IT leaders saying properly managing NHIs is essential for successful zero-trust implementation, according to the Ultimate Guide to NHIs, PAM and zero trust are converging into the same governance conversation. Teams that separate them will keep missing the privileges that attackers actually abuse.
For practitioners
- Inventory all privileged identities Map human admins, service accounts, API keys, SSH keys, certificates, and cloud entitlements into one privileged inventory so access reviews cover the actual attack surface.
- Eliminate permanent elevation paths Replace always-on admin grants with time-bound elevation and make revocation proveably effective across cloud, on-prem, and DevOps environments.
- Validate coverage across pipelines and code Check whether privileged secrets still exist in CI/CD, configuration files, and automation scripts, then move them behind controlled injection and rotation.
- Measure auditability by account type Test whether session logging, approval history, and entitlement reports include non-human identities with the same fidelity as human admins.
Key takeaways
- Privileged access management now has to govern non-human identities, not just human administrators.
- Standing privilege and incomplete visibility are the two conditions that make modern privilege abuse scale.
- The practical test is whether every privileged subject can be discovered, time-bound, monitored, and revoked across the full stack.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and standing privilege are central to this PAM analysis. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access control map directly to privileged access governance. |
| NIST Zero Trust (SP 800-207) | The article frames privileged access through continuous verification and zero standing privilege. |
Map privileged identities to PR.AC-4 and verify access is constrained, reviewed, and revoked.
Key terms
- Zero Standing Privilege: A governance model where no identity keeps permanent elevated access. Privileges are issued only when needed, for a bounded purpose, and removed after use. In practice, it reduces the time attackers can abuse stolen access and forces PAM to operate as a dynamic control, not a static permission store.
- Non-Human Identity: A non-human identity is a machine or software credential used by services, scripts, workloads, or automation. Examples include API keys, tokens, certificates, service accounts, and workload identities. These identities often outnumber human users and require lifecycle controls, visibility, and revocation discipline.
- Privileged Access Management: Privileged Access Management is the discipline of controlling, monitoring, and securing high-risk access to systems and data. It covers approval, elevation, session oversight, credential handling, and audit evidence. Effective PAM now needs to govern both human administrators and non-human privileged identities.
What's in the full article
Infisical's full blog post covers the operational detail this post intentionally leaves for the source:
- A vendor-by-vendor evaluation of PAM capabilities across cloud-native and legacy environments
- Specific feature comparisons for session recording, JIT access, rotation, and audit logging
- Implementation-oriented discussion of developer-first secrets workflows and Kubernetes support
- Product positioning details for teams choosing between infrastructure access and secrets-management approaches
👉 The full Infisical post covers the feature-by-feature PAM comparisons and deployment trade-offs.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org