By NHI Mgmt Group Editorial Team
Published 2026-01-16
Domain: Governance & Risk
Source: Hydden

TL;DR: Mature PAM deployments still miss orphaned accounts, cross-domain privilege paths, and short-lived machine identities, leaving blind spots that attackers can exploit across hybrid and cloud estates, according to Hydden. The real issue is not vaulting credentials but governing identity relationships, lifecycle, and observability before privilege becomes invisible.


At a glance

What this is: This is an analysis of why mature PAM programmes still fail when identity visibility breaks down across hybrid, cloud, and machine identities.

Why it matters: It matters because IAM, PAM, and NHI teams need a shared view of privilege paths, lifecycle gaps, and ephemeral access before attackers exploit the blind spots.

By the numbers:

👉 Read Hydden's analysis of mature PAM visibility gaps in hybrid environments


Context

Mature PAM environments do not fail because vaulting or session controls are absent. They fail when the programme cannot see the full identity attack surface, especially where service accounts, API keys, certificates, and cloud roles create privilege paths outside the PAM console.

That visibility gap becomes more serious in hybrid estates because access relationships now span on-premises systems, cloud IAM, Kubernetes, CI/CD pipelines, and ephemeral workloads. For identity teams, the problem is not one control failure but the inability to model and govern privilege end to end.

This is a mature PAM problem, but it is also an NHI governance problem because the most persistent blind spots increasingly sit in machine identities and delegated access rather than human logins.


Key questions

Q: How should teams govern privileged access across hybrid environments?

A: They should govern privileged access as a connected identity graph rather than as separate cloud, on-premises, and workload problems. That means normalising entitlements, mapping inheritance, and tracking who or what owns each identity. Without that joined-up view, PAM will miss escalation paths that cross domains and persist outside the vault.

Q: Why do service accounts create more PAM risk than many teams expect?

A: Service accounts create more risk because they often persist without clear ownership, rotate poorly, and accumulate excessive privileges over time. They are also easy to overlook in traditional review processes. When that happens, attackers can use them as stable footholds for lateral movement and privilege escalation.

Q: What breaks when discovery does not cover machine identities?

A: When discovery misses machine identities, access reviews, offboarding, and exception management all become incomplete. Teams end up governing only the identities they can see while leaving tokens, certificates, and automated workload credentials outside the control model. That blind spot turns routine operational access into persistent attack surface.

Q: Who should be accountable for privileged access hidden in CI/CD and cloud tooling?

A: Accountability should sit with the team that owns the identity lifecycle, not only the platform team that stores the credential. CI/CD and cloud tooling often distribute privileges across several systems, so governance must assign ownership, review cadence, and remediation responsibility at the identity level.


Technical breakdown

Why mature PAM misses attack paths across domains

Traditional PAM was built to govern discrete privileged sessions, not to map how access relationships chain across AD, cloud IAM, containers, and application roles. Attackers rarely need a single direct admin account when they can move laterally through inherited permissions, nested groups, and pipeline credentials that were never modelled together. In practice, the technical failure is not just privilege escalation. It is incomplete relationship discovery, which leaves cross-domain attack paths invisible to review, policy, and remediation workflows.

Practical implication: teams need cross-domain relationship mapping, not only vaulting and session recording.
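The cross-domain relationship discovery described above, as an added illustration that is not part of the original article or of Hydden's product: a small identity graph is built from constructed edges (AD group membership, CI/CD pipeline secrets, an AWS role assumption) and searched for every identity that can reach a sensitive role by crossing at least one domain boundary. Node names, relationship labels and the target role are all constructed for the example.

```python
from collections import deque

# Constructed sample edges: (source, relationship, target). Node names carry a
# domain prefix (ad:, ci:, k8s:, aws:) so a path whose prefixes change crosses a
# domain, which is exactly the kind of path a per-domain review never sees.
EDGES = [
    ("ad:user/alice",             "memberOf",        "ad:group/DevOps"),
    ("ad:group/DevOps",           "memberOf",        "ad:group/BuildAdmins"),
    ("ad:group/BuildAdmins",      "canTrigger",      "ci:pipeline/deploy-prod"),
    ("ci:pipeline/deploy-prod",   "usesSecret",      "ci:secret/AWS_DEPLOY_KEY"),
    ("ci:secret/AWS_DEPLOY_KEY",  "authenticatesAs", "aws:user/ci-deployer"),
    ("aws:user/ci-deployer",      "canAssume",       "aws:role/ProdAdmin"),
    ("k8s:sa/default",            "bound",           "k8s:clusterrole/cluster-admin"),
    ("ad:user/bob",               "memberOf",        "ad:group/Helpdesk"),
]

def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def domain(node):
    return node.split(":", 1)[0]

def find_paths(graph, start, target):
    """Breadth-first enumeration of every simple path from start to target."""
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for _rel, nxt in graph.get(path[-1], []):
            if nxt not in path:          # keep paths simple (no cycles)
                queue.append(path + [nxt])
    return paths

def cross_domain_paths(graph, target):
    """Map each identity to the paths by which it reaches target through more
    than one domain; single-domain reachability is left to the domain's own review."""
    result = {}
    for node in graph:
        for path in find_paths(graph, node, target):
            if len({domain(n) for n in path}) > 1:
                result.setdefault(node, []).append(path)
    return result
```

Running `cross_domain_paths(build_graph(EDGES), "aws:role/ProdAdmin")` surfaces `ad:user/alice` as able to reach the production admin role via two nested groups and a pipeline secret, while `ad:user/bob` and the single-domain `aws:user/ci-deployer` do not appear.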

Machine identities and ephemeral access change the control model

Service accounts, API tokens, certificates, and short-lived workload identities behave differently from human accounts because they can be created, used, and forgotten at machine speed. Traditional PAM assumes there is time to discover, classify, and govern an identity before it becomes dangerous. That assumption breaks when identities are generated by CI/CD, containers, or orchestration systems and then persist without lifecycle management. The result is a growing population of privileged non-human identities that are often invisible to legacy PAM controls.

Practical implication: discover non-human identities continuously and tie them to lifecycle and privilege review processes.

Why multi-cloud privilege models need normalisation

Cloud providers expose privilege differently, so an entitlement in AWS, Azure, or GCP is not directly comparable without a normalised permission model. Mature PAM struggles here because a single policy layer cannot reliably interpret all provider-specific roles, managed identities, and service accounts. When permissions are fragmented across platforms, risk scoring becomes inconsistent and review outcomes become unreliable. Visibility must therefore include contextual identity data, not just a raw inventory of credentials.

Practical implication: normalise entitlements across platforms before attempting enterprise-wide privileged access governance.


Threat narrative

Attacker objective: The attacker aims to turn hidden identity relationships into sustained privileged access across hybrid infrastructure.

  1. Entry: Attackers exploit overlooked identity paths such as orphaned accounts, exposed machine credentials, or privileged CI/CD access that bypasses the PAM workflow.
  2. Escalation: They traverse inherited permissions and cross-domain relationships, moving from low-privilege identities into cloud, pipeline, or administrative control planes.
  3. Impact: The attacker reaches sensitive systems or deployment paths with elevated access, turning a visibility gap into broad privileged compromise.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Visibility is the governing control that mature PAM programmes still underinvest in. Credential vaulting and session recording are useful, but they do not answer the core question of what identities exist, how they relate, and where privilege can move next. In hybrid estates, the attack surface is defined by relationships, not by stored secrets alone. Teams that cannot see the full graph of access cannot govern privilege with confidence. The practical conclusion is that mature PAM needs an observability layer, not just stronger vault hygiene.

Machine identity sprawl has become a PAM failure mode, not an adjacent concern. Service accounts, tokens, certificates, and workload identities now outnumber human accounts in many environments and often persist without clear ownership. That makes lifecycle management inseparable from privilege governance. When the control plane cannot reliably discover or classify those identities, access reviews become partial and remediation becomes reactive. Practitioners should treat NHI visibility as a prerequisite for PAM assurance.

Cross-domain privilege normalisation is the named concept this problem now demands. Different platforms express privilege in different ways, but risk is only actionable when those entitlements are compared in a common model. Without that normalisation, the same access can look low risk in one system and high risk in another, depending on the schema. That inconsistency weakens certification, exception handling, and attack-path analysis. The implication is that PAM governance must be built on normalised identity context, not isolated tool outputs.

Ephemeral infrastructure exposes a timing mismatch between modern access and legacy review cycles. Short-lived resources can create and destroy privilege before traditional governance processes even register the identity. That means the issue is not simply scale, but the speed at which access comes into existence and disappears again. Mature programmes that still depend on periodic discovery will continue to miss the identities that matter most. Security teams need governance that operates at the same tempo as the infrastructure it is meant to control.

Hybrid governance now requires PAM, IGA, and NHI controls to work from the same identity inventory. The article’s central point is not that PAM is obsolete, but that PAM alone is no longer enough to establish trustworthy privilege boundaries. When discovery, ownership, and entitlement data are fragmented, recertification and least-privilege controls lose precision. The practical outcome is a governance model that treats machine identities, cloud entitlements, and privileged human access as one connected problem space.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that remediation lag keeps exposure open well beyond first detection.
  • 52 NHI Breaches Analysis shows how persistent identity failures repeatedly turn small access gaps into breach-scale incidents.

What this signals

Cross-domain privilege normalisation: mature PAM programmes will need a common entitlement model if they want recertification and attack-path analysis to remain credible. The practical shift is toward identity context that spans cloud roles, service accounts, and privileged human access in one control plane. That is where PAM, IGA, and NHI governance start to converge rather than operate as adjacent tools.

With only 5.7% of organisations having full visibility into their service accounts, according to the Ultimate Guide to NHIs, the visibility gap is already structural. Teams should expect audit pressure to move from credential inventory toward evidence of ownership, lifecycle status, and cross-domain privilege mapping.

The next maturity step is not more periodic review. It is continuous discovery tied to remediation workflows, so dormant and orphaned identities can be acted on before they become persistent escalation paths. For identity programmes, that means aligning PAM operating models with workload identity, secrets hygiene, and cloud entitlement governance.


For practitioners

  • Build a cross-domain identity graph: Map relationships across AD, cloud IAM, Kubernetes, CI/CD, and secrets stores so privileged paths are visible before they are exploited.
  • Continuously discover machine identities: Inventory service accounts, API keys, certificates, and ephemeral workload identities on an ongoing basis, then bind each identity to an owner and lifecycle state.
  • Normalise entitlements before review: Translate provider-specific roles and permissions into a shared model so access reviews and exception handling can compare like with like.
  • Prioritise orphaned and dormant accounts first: Focus remediation on identities that have no clear owner, no recent use, or unclear business justification because those are the most likely persistent escalation paths.

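The entitlement normalisation argued for in the technical breakdown and the last two practitioner items (normalise before review, prioritise orphaned and dormant identities) as one added worked example, not code from the original article: provider-specific role names are translated into a shared privilege tier, and each identity is then scored for review priority by tier, missing ownership, dormancy and machine type. The role-to-tier mapping, the weights and the inventory are constructed assumptions; a real mapping has to be built per estate.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed mapping from provider-specific roles to a shared tier (assumption).
TIER_BY_ROLE = {
    "aws":   {"AdministratorAccess": "admin", "PowerUserAccess": "write", "ReadOnlyAccess": "read"},
    "azure": {"Owner": "admin", "Contributor": "write", "Reader": "read"},
    "gcp":   {"roles/owner": "admin", "roles/editor": "write", "roles/viewer": "read"},
    "ad":    {"Domain Admins": "admin", "Helpdesk": "write", "Domain Users": "read"},
}
TIER_WEIGHT = {"admin": 3, "write": 2, "read": 1}

@dataclass
class Identity:
    name: str
    kind: str                  # "human" or "machine"
    platform: str
    role: str
    owner: Optional[str]       # None means orphaned
    last_used: Optional[date]  # None means never observed in use

def normalise(identity):
    """Shared tier for a provider-specific role. An unmapped role is treated as
    'admin' so an unknown entitlement is reviewed rather than silently skipped."""
    return TIER_BY_ROLE.get(identity.platform, {}).get(identity.role, "admin")

def review_priority(identity, today, dormant_after=90):
    """Return (score, findings); higher score means review first."""
    score, findings = TIER_WEIGHT[normalise(identity)], []
    if identity.owner is None:
        score, findings = score + 3, findings + ["orphaned"]
    if identity.last_used is None:
        score, findings = score + 2, findings + ["never-used"]
    elif (today - identity.last_used).days > dormant_after:
        score, findings = score + 2, findings + ["dormant"]
    if identity.kind == "machine":
        score, findings = score + 1, findings + ["machine"]
    return score, findings

def prioritised(identities, today):
    """Inventory ranked for review: [(identity, score, findings), ...]."""
    ranked = [(i, *review_priority(i, today)) for i in identities]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed inventory spanning four platforms; dates are sample values.
INVENTORY = [
    Identity("svc-backup",  "machine", "aws",   "AdministratorAccess", None,            date(2025, 3, 1)),
    Identity("alice",       "human",   "azure", "Contributor",         "platform-team", date(2026, 1, 10)),
    Identity("ci-deployer", "machine", "gcp",   "roles/editor",        "build-team",    None),
    Identity("bob",         "human",   "ad",    "Domain Users",        "hr",            date(2026, 1, 12)),
]
TODAY = date(2026, 1, 16)
```

`prioritised(INVENTORY, TODAY)` puts the orphaned, dormant AWS administrator service account first, followed by the never-used GCP editor identity, with the actively used human accounts last.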
Key takeaways

  • Mature PAM fails when it cannot see the full identity graph across hybrid, cloud, and machine environments.
  • The scale of the problem is amplified by non-human identities, which frequently outnumber humans and often remain overprivileged.
  • Teams need cross-domain discovery, normalised entitlements, and lifecycle ownership if they want privileged access governance to hold up in practice.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle gaps in API keys and machine credentials are central to this article.
NIST CSF 2.0 | PR.AC-4 | The article focuses on governing access rights and privilege context across systems.
NIST Zero Trust (SP 800-207) | PR.AC | Cross-domain visibility and continuous verification align with zero-trust access governance.

Track non-human identities continuously and remove stale credentials before they become persistent access paths.


Key terms

  • Identity attack surface: The full set of identities, entitlements, relationships, and credentials that can be used to gain access inside an environment. For mature PAM, this includes human, non-human, and workload identities, plus the pathways that connect them across cloud, on-premises, and automation systems.
  • Cross-domain privilege path: A chain of permissions that moves access from one identity domain to another, such as from a developer account into cloud administration or a CI/CD pipeline. These paths matter because attackers often use inherited or linked permissions rather than direct admin compromise.
  • Machine identity: A non-human identity used by software, services, workloads, or infrastructure components to authenticate and access resources. In modern environments, machine identities often outnumber human accounts and can become high-risk when they persist without ownership, rotation, or visibility.
  • Identity observability: The practice of continuously collecting and enriching identity data so governance teams can see how access is created, inherited, used, and retired. It goes beyond inventory by showing relationships, privilege movement, and lifecycle state in a form that supports action.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Hydden: advanced technical challenges in mature PAM implementations. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org