TL;DR: Legacy PAM, VPN-heavy access, and manual provisioning slow infrastructure teams while weakening auditability and least privilege, according to StrongDM’s customer examples. The pattern is clear: access governance breaks when controls cannot keep up with multi-cloud scale, offboarding, and session-level accountability.
At a glance
What this is: This is a case-study roundup on infrastructure access management, with the key finding that legacy PAM, VPNs, and manual provisioning struggle to support multi-cloud, least-privilege access at scale.
Why it matters: It matters because IAM, PAM, and NHI programmes all fail in the same place when access is hard to govern, hard to revoke, and hard to audit across databases, clusters, and cloud environments.
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
Context
Managing infrastructure access has become a governance problem as much as an operational one. When teams rely on legacy PAM, shared VPNs, and manual permission requests, they create delay, over-privilege, and weak audit trails across databases, servers, and cloud control planes.
For IAM and PAM teams, the real issue is not access speed alone. It is whether access can be granted, observed, and removed with enough precision to support least privilege, zero standing privilege, and evidence-grade auditing across both human and non-human identities.
Key questions
Q: How should security teams replace standing privileged access in multi-cloud environments?
A: They should shift privileged workflows to just-in-time access with automatic expiry, so elevated permissions exist only for the task at hand. That model reduces standing exposure, limits lateral movement, and makes revocation measurable. The control is strongest when it is enforced consistently across databases, servers, Kubernetes, and cloud consoles, not just one environment.
Q: Why does multi-cloud access make least privilege harder to maintain?
A: Because each cloud exposes different permission models, toolchains, and audit surfaces, so privilege becomes fragmented and harder to reason about. Teams can think they are enforcing least privilege while leaving gaps between systems. The practical risk is not only over-access but also inconsistent revocation and incomplete evidence when access changes.
Q: What do organisations get wrong about infrastructure access audits?
A: They often treat audit evidence as a reporting exercise instead of a control outcome. If the organisation cannot reconstruct who accessed what, when, and through which session, then access governance is incomplete. Strong auditability depends on session logs, query capture, and consistent permission-change records across the infrastructure stack.
Q: Who is accountable when privileged access is not revoked cleanly?
A: Accountability sits with the control owner for the access path, the team operating the lifecycle process, and the organisation that approved standing access in the first place. If revocation fails, the issue is usually governance, not just tooling. Clean offboarding should be validated the same way as provisioning: by testing that access disappears everywhere it was granted.
Technical breakdown
Why legacy PAM struggles in multi-cloud infrastructure
Legacy privileged access management was built around narrower infrastructure patterns, fewer cloud providers, and more static administrative workflows. In multi-cloud environments, the access problem expands into many permission models, many endpoints, and many audit domains. That creates friction when teams need consistent RBAC, session capture, and policy enforcement across AWS, Azure, GCP, and on-prem systems. The governance issue is not only usability. It is that privilege becomes fragmented across tools, which makes review, revocation, and evidence collection inconsistent.
Practical implication: consolidate access policy and audit controls around the actual infrastructure estate instead of managing each platform separately.
How zero standing privilege changes infrastructure access
Zero standing privilege means access should not persist beyond the moment a task requires it. In practice, that changes infrastructure access from a perpetual entitlement model to a just-in-time model with automatic revocation. This matters for databases, SSH sessions, Kubernetes access, and other high-risk administrative paths where standing access creates unnecessary exposure. The technical shift is not simply shorter duration. It is removing the assumption that administrative access must remain continuously available to be useful.
Practical implication: move privileged workflows toward task-scoped access with revocation tied to completion, not human memory.
Why session logging matters for compliance and control
Session logging and query capture turn access from an opaque entitlement into an inspectable control surface. For infrastructure teams, that means every action can be tied back to a subject, a resource, and a time window, which supports audit evidence and incident reconstruction. In environments with databases and shell access, this is often the difference between proving control and merely claiming control. The key architectural point is that access governance is incomplete if the organisation cannot reconstruct what happened after the session ends.
Practical implication: require session-level telemetry for administrative access paths that feed compliance, investigations, and recertification.
Threat narrative
Attacker objective: The objective is to reach critical infrastructure with broad, persistent access that is difficult to detect, revoke, or reconstruct.
- Entry began with persistent access paths such as VPNs, shared credentials, or standing administrative entitlements that made infrastructure reachable beyond immediate task need.
- Escalation followed when those broad permissions let users work across databases, servers, and cloud environments without tightly bounded, session-scoped oversight.
- Impact was reduced auditability, slower offboarding, and a larger blast radius whenever credentials, permissions, or access paths were mismanaged.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Legacy PAM is no longer a complete governance model for cloud-era infrastructure access. These case studies show that the access problem is now multi-cloud, session-based, and audit-driven, not just about privileged logins. When permissions span databases, clusters, and cloud consoles, the old control boundary is too narrow to hold. Practitioners should treat access architecture as a governance layer, not a point solution.
Zero standing privilege is the governance pattern that best matches modern infrastructure risk. The strongest examples in the source all move away from persistent access and toward task-scoped entitlement. That is not just a convenience improvement. It reduces the period during which privilege can be misused, inherited, or forgotten. The implication is that standing access should be treated as an exception requiring justification, not the default operating model.
Session capture turns access management into evidence management. The article repeatedly ties operational access to query logs, keystroke capture, and session replay because auditability is now part of control effectiveness. Without that evidence, teams cannot confidently answer who did what, when, and through which path. Practitioners should judge access tooling by whether it can reconstruct administrative activity at audit depth.
Multi-cloud access sprawl creates an identity blast radius that traditional tooling underestimates. Once one user can touch several clouds, databases, and operational layers, a single governance weakness affects more assets than the originating entitlement suggests. That is the real risk in acquisition-heavy or fast-growing environments. Security teams should reframe permission sprawl as blast-radius expansion, not just administrative complexity.
Lifecycle governance is the hidden control test in every use case here. Onboarding, offboarding, and rapid deprovisioning are where access controls either prove they work or fail visibly. If a tool cannot remove access cleanly when a user changes role or leaves, it does not satisfy lifecycle governance at infrastructure scale. Practitioners should treat revocation speed and completeness as primary evaluation criteria.
From our research:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to the 2026 Infrastructure Identity Survey.
- A separate finding from the same survey shows that 70% of organisations grant AI systems more access than they would give a human employee doing the exact same job.
- For a broader view of access governance failure modes, see 52 NHI Breaches Analysis for recurring patterns in over-privilege, visibility gaps, and revocation failures.
What this signals
Zero standing privilege is becoming the most practical bridge between human IAM, PAM, and NHI governance. The organisations in this article are solving the same problem from different angles: persistent access is too hard to audit, too easy to forget, and too broad for modern infrastructure. Teams should expect access review, offboarding, and session evidence to converge into one governance workflow rather than three disconnected ones.
With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, the access patterns described here are moving from a narrow infrastructure issue into a broader identity risk model. That is why lifecycle controls, revocation speed, and evidence capture will matter just as much for machines as they do for humans.
Identity blast radius: when one access path spans databases, clouds, and operational consoles, a single control failure affects more of the estate than older PAM models assume. That is the programme-level signal for IAM and PAM leaders: evaluate access architecture by how much damage one entitlement can touch, not by how many logins it replaces.
For practitioners
- Map every privileged path to a named owner: Inventory database, server, Kubernetes, and cloud-console access paths, then assign an accountable owner for each one so revocation and review do not stall in shared queues.
- Replace standing admin access with task-scoped access: Use just-in-time approval and automatic expiry for elevated sessions so access exists only for the duration of the work and does not persist between tasks.
- Standardise audit capture across infrastructure tiers: Require session replay, query logging, and permission-change logs for every administrative path that can affect production systems or regulated data.
- Test offboarding against real identity chains: Remove a user, service account, or delegated admin path end-to-end and verify that cloud, database, and SSH permissions all disappear without manual cleanup.
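As an added example (not StrongDM's or this post's own code), a small Python audit model that applies the checks the practitioner list and the zero-standing-privilege and session-logging sections call for: flag grants with no expiry, find sessions that no live grant explains, and verify that a subject's access across database, SSH, Kubernetes and console paths is gone after offboarding. The `Grant` and `Session` records, the resource naming, and the subjects are constructed sample data, not a real access broker's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

T0 = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time

@dataclass(frozen=True)
class Grant:
    subject: str
    resource: str                   # path kinds from the post: db, ssh, k8s, cloud console
    granted_at: datetime
    expires_at: Optional[datetime]  # None means standing access with no expiry

@dataclass(frozen=True)
class Session:
    subject: str
    resource: str
    started_at: datetime
    ended_at: datetime

# Constructed sample: one task-scoped grant, one standing grant, one session with no grant.
GRANTS = [
    Grant("alice", "db:orders", T0, T0 + timedelta(hours=2)),         # JIT, expires after 2h
    Grant("alice", "ssh:bastion", T0, None),                          # standing: never expires
    Grant("svc-deploy", "k8s:prod", T0, T0 + timedelta(minutes=30)),  # JIT for one deploy
]
SESSIONS = [
    Session("alice", "db:orders", T0 + timedelta(minutes=5), T0 + timedelta(minutes=40)),
    Session("bob", "aws:console", T0 + timedelta(hours=1), T0 + timedelta(hours=1, minutes=20)),
]

def standing_grants(grants):
    """Entitlements with no expiry: each one is a zero-standing-privilege exception."""
    return [g for g in grants if g.expires_at is None]

def covers(g, s):
    """True if grant g was live for the whole of session s on the same subject and resource."""
    return (g.subject == s.subject and g.resource == s.resource and g.granted_at <= s.started_at
            and (g.expires_at is None or g.expires_at >= s.ended_at))

def ungoverned_sessions(grants, sessions):
    """Sessions no grant explains: activity that who-did-what reconstruction cannot account for."""
    return [s for s in sessions if not any(covers(g, s) for g in grants)]

def offboarding_residue(grants, subject, offboarded_at):
    """Resources where the subject's access is still live after offboarding (revocation failure)."""
    return sorted({g.resource for g in grants if g.subject == subject
                   and g.granted_at <= offboarded_at
                   and (g.expires_at is None or g.expires_at > offboarded_at)})
```

Run the three checks over the broker's real grant and session exports to get the findings the post asks for: standing-access exceptions, unexplained sessions, and paths that survive offboarding.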
Key takeaways
- The post shows that legacy PAM, VPNs, and manual provisioning create operational friction and weaken access governance at cloud scale.
- The strongest evidence is the recurring need for just-in-time access, centralised auditing, and cleaner offboarding across multi-cloud estates.
- Practitioners should treat session capture, revocation speed, and standing-access reduction as the controls that define whether infrastructure access is actually governed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on standing access, rotation, and revocation across infrastructure identities. |
| NIST CSF 2.0 | PR.AC-4 | Access rights management is the core control theme across the case studies. |
| NIST Zero Trust (SP 800-207) | AC-1 | Zero trust access is the article's main architectural direction. |
Apply zero trust principles to ensure access is explicitly granted, continuously evaluated, and tightly bounded.
Key terms
- Zero standing privilege: Zero standing privilege is an access model in which elevated permissions are not left permanently available. Access is provisioned only when needed and removed as soon as the task ends. In infrastructure environments, this reduces the time privileged credentials exist and narrows the window for misuse or accidental overreach.
- Session capture: Session capture records what happened during a privileged access session, such as commands, queries, or screen activity. It creates evidence that supports investigations, audits, and control validation. For infrastructure teams, it is the difference between knowing a session occurred and being able to reconstruct what the identity actually did.
- Privileged access management: Privileged access management is the set of controls used to govern high-risk access to systems, data, and administrative functions. It covers approval, session control, auditability, and revocation. In modern infrastructure, PAM must work across cloud services, databases, and non-human identities, not just human administrator logins.
- Identity blast radius: Identity blast radius is the number of systems, data stores, and operations that a single identity can affect if its access is misused or compromised. It is a practical way to measure governance quality. The broader the entitlement footprint, the larger the security and compliance impact of one failure.
Deepen your knowledge
Infrastructure access governance, zero standing privilege, and session-level auditability are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a programme that spans databases, cloud consoles, and privileged sessions, it is worth exploring.
This post draws on content published by StrongDM: 13 StrongDM use cases with real customer case studies. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org