TL;DR: Identity, access, and defence security are converging into a more platform-like market structure, with SSH Communications Security saying its proposed partnership with Leonardo includes a EUR 20 million share issue, a 24.55% ownership stake, and market rights tied to zero trust privileged access management and quantum-safe encryption.
At a glance
What this is: SSH Communications Security's proposed partnership with Leonardo combines capital, ownership change, and commercial reach around privileged access and quantum-safe security.
Why it matters: For IAM teams, the deal matters because it signals tighter coupling between privileged access governance, market consolidation, and how identity controls are packaged for regulated environments.
By the numbers:
- Leonardo would hold 24.55% of SSH after completion of the share issue.
Context
SSH Communications Security is framing the proposed partnership as a capital and commercial alignment, not just a financing event. The transaction would bring Leonardo into a large minority ownership position while linking SSH's privileged access and quantum-safe portfolio to defence and government market reach.
For identity teams, the significance sits in the market signal. Privileged access management is increasingly being evaluated as part of broader security architecture, where trust boundaries, supplier relationships, and regulated-sector requirements intersect rather than sit in separate programme silos.
Key questions
Q: What does the SSH and Leonardo partnership mean for privileged access governance?
A: It shows that privileged access management is increasingly being shaped by capital, channel strategy, and regulated-sector distribution, not just by technical features. For practitioners, the key question is whether the vendor's operating model still supports auditability, portability, and long-term control ownership when ownership and market rights change.
A: Yes, because the governance risk is no longer limited to product capability. Strategic ownership can influence roadmap priorities, market exclusivity, and the durability of support commitments. Security teams should review vendor dependence, contractual exit options, and whether control evidence remains available if the commercial relationship shifts.
Q: Why does quantum-safe encryption not replace privileged access management?
A: Quantum-safe encryption protects data against future cryptographic risk, but it does not control who can obtain elevated access or how administrative sessions are governed. Privileged access management remains necessary for authentication, session oversight, credential lifecycle control, and revocation. The two controls are complementary, not interchangeable.
Q: How should procurement teams evaluate access security tools in defence and government environments?
A: They should evaluate jurisdictional assurance, audit evidence, support continuity, and exit flexibility alongside core access controls. In these environments, the commercial model can affect operational trust as much as the technology. That is why governance criteria need to include ownership structure and ecosystem dependence.
Technical breakdown
Strategic minority ownership and channel control
A directed share issue does more than raise funds. It changes governance leverage, commercial positioning, and market access at the same time. In this case, the planned ownership stake gives Leonardo influence without full acquisition, which can reshape how product direction, market focus, and partner exclusivity are handled. For identity security buyers, that matters because access governance products are often evaluated not only on capability but on ecosystem fit, long-term control, and support for regulated deployment patterns.
Practical implication: reassess supplier concentration risk when access governance tooling becomes tied to strategic equity and channel rights.
Privileged access management in defence and government environments
Privileged access management in defence and government settings is shaped by high assurance, auditability, and constrained administrative pathways. These environments need tighter control over who can elevate, when elevation occurs, and how sessions are recorded and revoked. When a vendor positions PAM as part of a strategic alliance with a defence company, the technical question becomes less about feature checklists and more about whether the delivery model can support sovereign requirements, procurement scrutiny, and long-lived operational oversight.
Practical implication: validate whether your PAM governance model still holds when procurement, sovereignty, and channel control become part of the product risk surface.
Quantum-safe encryption and access governance
Quantum-safe encryption addresses cryptographic longevity, but it does not replace identity controls. Access pathways still need strong authentication, privileged session control, and lifecycle governance around accounts, keys, and administrative roles. The important technical point is that encryption hardening and identity hardening are complementary, not interchangeable. Organisations that treat quantum-safe roadmaps as a substitute for privileged access review or credential governance will leave the administrative layer exposed even if data protection improves.
Practical implication: keep cryptographic migration plans and privileged access lifecycle controls in separate governance tracks.
Breaches seen in the wild
- BeyondTrust API key breach — compromised BeyondTrust API key led to unauthorized SaaS access.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
NHI Mgmt Group analysis
Strategic security partnerships are becoming a distribution model for identity tooling. This transaction is not just about capital injection. It shows how access governance vendors are increasingly being positioned inside broader defence and security ecosystems, where market reach, channel access, and procurement alignment matter as much as product capability. For practitioners, that means supplier evaluation now has to include ownership structure and downstream market dependence, not only control coverage.
Privileged access management is being pulled closer to sovereign and regulated procurement logic. When PAM is packaged for defence and government markets, the buying criteria shift toward traceability, jurisdictional assurance, and operational control. That changes how teams should read product roadmaps and partner strategies. The practical conclusion is that PAM governance now sits inside a broader resilience and supply-chain assurance conversation.
Quantum-safe encryption does not reduce the need for identity governance. The security industry often bundles cryptographic assurance and access assurance together, but they solve different problems. Encryption protects the payload, while identity controls govern who can act, elevate, and persist. Organisations should treat this partnership as evidence that the market is moving toward layered trust architectures, not as a reason to merge governance responsibilities.
Market consolidation is reshaping who owns identity control distribution. As security vendors align with larger industrial and defence players, practitioners should expect more emphasis on ecosystem integration, exclusive routes to market, and packaged trust assurances. That can accelerate procurement in some sectors, but it also complicates vendor independence and roadmap transparency. Teams should scrutinise whether the governance model still supports portability, auditability, and operational exit options.
Identity security is no longer bought only as a technical control set. The decision is increasingly strategic, tied to funding, alliances, and market access. That matters because privileged access and Zero Trust controls are often adopted in long-duration programmes where switching cost is high. Practitioners should therefore evaluate not just the control, but the durability of the control owner's operating model.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- Another finding from our research shows that 97% of NHIs carry excessive privileges, which broadens the attack surface and makes governance drift harder to detect.
- For deeper context on how hidden privileges and poor lifecycle controls interact, see The 52 NHI breaches Report for real-world root cause patterns.
What this signals
Strategic partnerships are now part of the identity governance problem space. When access security vendors align with larger industrial buyers, practitioners need to inspect commercial dependency alongside technical control strength. The programme risk is not only whether the tool works, but whether the delivery model remains stable enough to support audit, portability, and long-term operating continuity.
Identity control ownership is becoming as important as control capability. Procurement, sovereignty, and ecosystem alignment are starting to shape how access governance tools are selected and retained. Teams that separate product evaluation from vendor-operating-model review will miss the part of the risk that changes most quickly.
With 92% of organisations exposing NHIs to third parties, according to our Ultimate Guide to NHIs, supplier relationships are already part of the identity attack surface. That means commercial restructuring should trigger control reassessment, not just market watching.
For practitioners
- Reassess vendor concentration risk: Review whether your PAM or access governance roadmap depends on a supplier whose market strategy is now tied to strategic ownership and sector-specific exclusivity. Map exit paths, data portability, and support dependencies before the relationship becomes harder to unwind.
- Separate cryptographic and identity governance workstreams: Keep quantum-safe migration planning distinct from privileged access review, credential lifecycle management, and session control. Those controls solve different problems and should be measured independently.
- Validate sovereignty and procurement constraints early: For regulated or public-sector deployments, confirm where hosting, support, and administrative control will sit after any partnership changes. Document the approval chain for privileged access operations and the audit evidence required to prove it.
- Test ecosystem dependency in your control design: Ask whether the product still functions cleanly if channel rights, partner priorities, or ownership structures change. Build governance requirements around portability, logging retention, and administrative continuity, not around a single commercial relationship.
Key takeaways
- This partnership signals that privileged access governance is moving deeper into strategic and regulated-sector procurement decisions.
- The deal illustrates a broader pattern of market consolidation around identity security, where ownership and distribution matter as much as feature depth.
- Practitioners should treat supplier dependency, audit continuity, and exit flexibility as first-class governance requirements.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Access governance and lifecycle control are central to the partnership's PAM implications. |
| NIST CSF 2.0 | PR.AC-4 | The deal highlights least-privilege and access-management governance in regulated environments. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero Trust access assumptions underpin the partnership's identity-security positioning. |
Revalidate trust boundaries, authentication paths, and privileged session controls before expanding deployment.
Key terms
- Privileged Access Management: Privileged Access Management is the discipline of governing high-risk administrative access so it is issued, used, monitored, and revoked under tight control. In practice, it covers elevated human and machine access, session oversight, credential lifecycle management, and audit evidence for sensitive operations.
- Strategic partnership risk: Strategic partnership risk is the governance exposure that appears when a security capability becomes tied to ownership changes, channel rights, or ecosystem dependencies. The concern is not only product continuity, but also support stability, roadmap influence, and whether the control can still be operated and audited on your terms.
- Quantum-safe encryption: Quantum-safe encryption refers to cryptographic methods designed to remain resistant to future quantum attacks. It protects data confidentiality, but it does not manage who can access systems, elevate privilege, or operate administrative functions, so it must be governed alongside identity and access controls.
Deepen your knowledge
Privileged access governance in regulated environments is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are reassessing vendor dependency and control ownership, it is worth exploring.
This post draws on content published by SSH Communications Security: its proposed strategic partnership with Leonardo and related share issue announcement. Read the original.
Published by the NHIMG editorial team on 2025-06-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org