TL;DR: Traditional VPNs still dominate privileged access in many environments, but they rely on implicit trust, broad network reach, and limited visibility once a session begins, according to JumpCloud. The security shift is toward identity-scoped, auditable access that better fits cloud-native, hybrid, and distributed operations.
At a glance
What this is: An analysis of why VPN-based privileged access no longer fits modern PAM. The key finding is that implicit network trust creates excess access and weak visibility.
Why it matters: IAM, PAM, and NHI programmes all need access models that scope privilege to identity, context, and task instead of exposing broad network reach.
By the numbers:
- In one study, 80% of users said they use a VPN for increased security.
- Just 6% cited protecting their employer’s data.
- 16% use a VPN because it’s required by their employer.
Context
VPN-less privileged access replaces network perimeter trust with identity-scoped access that is granted only for a specific task. The problem with VPNs is not simply usability, but the access model itself: once a session lands on the network, the environment is often treated as trusted even when the user only needs one system.
That creates a governance gap for PAM and wider identity programmes because access becomes broader than the task, harder to observe, and harder to certify after the fact. For teams managing human admins, third-party vendors, and machine-led operations, the central question is no longer how to extend the network safely, but how to remove the network from the trust decision altogether.
Key questions
Q: How should security teams replace VPN access for privileged users?
A: Security teams should replace VPN access with identity-scoped, protocol-level access to specific systems, then layer just-in-time approval, session monitoring, and device checks on top. The goal is to eliminate broad network reach while preserving auditable access for administrators, engineers, and third parties who only need narrow task-based privilege.
Q: Why do VPNs create risk in modern privileged access environments?
A: VPNs create risk because they treat network presence as trust, which can expose more infrastructure than the task requires. In cloud and hybrid environments, that broad reach increases lateral movement opportunities, weakens least privilege, and makes post-connection activity harder to observe or certify.
Q: What breaks when privileged access is granted through a flat network tunnel?
A: A flat network tunnel breaks the link between identity, intent, and resource scope. Once the session is inside, users may see systems they do not need, and defenders lose precision around what was accessed, by whom, and for how long.
Q: Who is accountable when privileged access is too broad to audit properly?
A: Accountability sits with the teams that define access boundaries and the owners who approve them. For IAM and PAM programmes, that means proving that access is scoped, monitored, and reviewable, not merely that a user authenticated successfully.
Technical breakdown
Implicit trust in VPN-based privileged access
Traditional VPNs extend a network boundary to the user, then assume that access inside the boundary is acceptable. That model worked when systems were centralized and relatively static, but it breaks in cloud and hybrid environments where the meaningful security unit is not the network, but the identity and the resource being accessed. The result is an overly permissive session that may expose far more systems than the user needs for the task. In PAM terms, the VPN acts as a coarse transport layer, not a privilege boundary.
Practical implication: replace network-wide entry points with access paths that scope privilege to the target system and the specific task.
Just-in-time access and time-bounded privilege
VPN-less PAM often uses just-in-time access to grant temporary privilege only when it is needed. This matters because standing privilege is the default failure mode in many remote access models, especially where engineers, contractors, or vendors are given persistent pathways for convenience. JIT access does not solve every risk, but it changes the control objective from continuous availability to narrowly bounded exposure. That is a better fit for modern privileged workflows, where task duration, approval, and context should shape the entitlement.
Practical implication: make privilege expire automatically after the task or session ends, and tie approvals to specific resources.
Session monitoring, protocol-level control, and auditability
A VPN connection tells you that a user entered the network, but not what they did next. VPN-less architectures move enforcement closer to the protocol layer, such as SSH, RDP, or HTTPS, where access can be logged, monitored, and in some cases recorded at the command or session level. That gives PAM teams a usable audit trail for investigations and compliance. It also reduces lateral movement because the user can be granted access to one service without inheriting visibility into the rest of the environment.
Practical implication: enforce recording and command-level logging for privileged sessions, not just connection logging at the network edge.
Threat narrative
Attacker objective: The attacker seeks broad internal reach, hidden movement opportunities, and privileged actions that are harder to detect or contain.
- Entry begins when a user connects through a VPN and receives broad network reach instead of a tightly scoped application or system entitlement.
- Escalation occurs when that network-level trust exposes more infrastructure than the user needs, making lateral movement and over-privilege easier if credentials or sessions are abused.
- Impact follows when privileged activity cannot be fully observed or constrained, slowing incident response and making compliance validation harder.
Breaches seen in the wild
- BeyondTrust API key breach — compromised BeyondTrust API key led to unauthorized SaaS access.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Implicit network trust is the wrong governance model for privileged access. VPNs treat reachability as a proxy for legitimacy, but modern infrastructure no longer behaves like a fixed perimeter. In cloud-native and hybrid environments, the thing that matters is which identity can do what to which resource, not whether the user landed inside a tunnel. The implication is that PAM programmes must stop using network entry as the control boundary and treat it as an implementation detail.
Standing access is the real control failure that VPNs conceal. A VPN session can remain active long after the original need has changed, which turns convenience into persistent exposure. This is a governance problem for both human admins and non-human access paths because the entitlement outlives the task. The relevant conclusion is not simply that VPNs are outdated, but that they make persistent privilege look normal.
VPN-less PAM makes the identity blast radius visible. The identity blast radius is the amount of infrastructure a single authenticated session can meaningfully reach if the control model is too coarse. When access is scoped to one system, one protocol, or one session, the blast radius shrinks. That is why the modern PAM question is not connectivity, but containment.
Zero Trust and PAM converge once access is no longer network-shaped. Zero Trust demands continuous verification, while PAM demands narrow privilege and observable sessions. VPN-based models blur those goals by moving trust to the tunnel rather than the transaction. The practitioner takeaway is to align access design with identity, context, and task, not with legacy perimeter assumptions.
From our research:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- Another finding shows that organisations with least-privileged AI access had a 17% incident rate versus 76% for over-privileged systems, a 4.5x difference that reinforces the value of narrow access scope.
- For a deeper governance lens, read Ultimate Guide to NHIs for the lifecycle controls that keep privileged access reviewable and bounded.
What this signals
Identity blast radius will become a more useful planning concept for PAM teams than network reach. As VPNs fade from privileged workflows, the practical question shifts to how much infrastructure a single authenticated session can touch before controls intervene.
With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, per the 2026 Infrastructure Identity Survey, the broader pattern is clear: access models are still too persistent for modern identity risk.
Teams should expect privileged access tooling to converge with policy enforcement, session telemetry, and lifecycle governance. That means reworking reviews, approvals, and audit evidence around the actual access path rather than the old perimeter model.
For practitioners
- Scope access to the target system, not the network: Remove broad VPN entry for privileged workflows and replace it with protocol-level access to the exact server, database, or application required for the task.
- Make privileged access expire by default: Use just-in-time approvals or policy triggers so elevated access ends automatically after the session or time window closes, even if the user remains authenticated.
- Turn on session evidence for every privileged connection: Record commands, monitor sensitive actions, and retain session logs so investigators can reconstruct what happened without relying on network-only telemetry.
- Apply context checks before access is granted: Use device posture, location, and risk signals to deny high-risk endpoints and tighten controls for vendor and admin access paths.
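As an added illustration of the four practitioner controls above and of the blast-radius argument in the technical breakdown (this is example code, not JumpCloud's product logic or NHIMG's own tooling): a toy access broker that compares a network-shaped VPN grant with an identity-scoped just-in-time grant, enforces expiry and device posture on each request, and records every decision as session evidence. The inventory, hostnames, addresses, and times are constructed for the example.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional
import ipaddress

# Constructed inventory for this example: hostname -> (IP address, protocols the host serves).
INVENTORY = {
    "db-prod-01":  ("10.20.1.10", {"postgres"}),
    "app-prod-01": ("10.20.1.20", {"https", "ssh"}),
    "bastion-01":  ("10.20.1.5",  {"ssh"}),
    "ad-dc-01":    ("10.20.2.10", {"rdp", "ldap"}),
}
AUDIT_LOG = []  # every decision lands here as session evidence (a real broker would ship it to a SIEM)
class Grant(NamedTuple):
    subject: str
    reach: frozenset                # CIDRs (network-shaped reach) or hostnames (identity-scoped reach)
    protocols: frozenset            # protocols the session may use on the hosts it reaches
    expires_at: Optional[datetime]  # None models standing access that never expires

def reachable_hosts(grant):
    """Hosts a session under this grant can reach; a CIDR exposes every host inside it."""
    hosts = set()
    for item in grant.reach:
        if "/" in item:
            net = ipaddress.ip_network(item)
            hosts |= {h for h, (ip, _) in INVENTORY.items() if ipaddress.ip_address(ip) in net}
        elif item in INVENTORY:
            hosts.add(item)
    return hosts

def blast_radius(grant):
    """Number of (host, protocol) pairs one authenticated session could touch under the grant."""
    return sum(len(INVENTORY[h][1] & grant.protocols) for h in reachable_hosts(grant))
def evaluate(grant, host, protocol, now, device_compliant):
    """Decide one access request and record the decision; returns (allowed, reason)."""
    if grant.expires_at is not None and now >= grant.expires_at:
        reason = "grant expired"                      # JIT window closed, even if still authenticated
    elif not device_compliant:
        reason = "device posture check failed"        # context check before any reach is granted
    elif host not in reachable_hosts(grant):
        reason = "host outside grant scope"           # identity-scoped, not network-scoped
    elif protocol not in grant.protocols or protocol not in INVENTORY[host][1]:
        reason = "protocol not permitted on host"     # protocol-level enforcement
    else:
        reason = "allowed"
    AUDIT_LOG.append((grant.subject, host, protocol, now.isoformat(), reason))
    return reason == "allowed", reason
ALL = frozenset({"ssh", "rdp", "postgres", "https", "ldap"})
VPN_GRANT = Grant("alice", frozenset({"10.20.0.0/16"}), ALL, None)  # whole /16, every protocol, standing
JIT_GRANT = Grant("alice", frozenset({"db-prod-01"}), frozenset({"postgres"}),
                  datetime(2025, 8, 28, 11, 0, tzinfo=timezone.utc))  # one host, one protocol, one-hour window
```

`blast_radius(VPN_GRANT)` counts six host/protocol pairs against one for `JIT_GRANT`, which is the containment difference the analysis describes.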
Key takeaways
- VPN-based privileged access persists because it is familiar, not because it matches how modern infrastructure works.
- The core security problem is excess reach, weak session evidence, and trust that survives longer than the task.
- PAM programmes should shift from network entry to identity-scoped access, bounded sessions, and auditable privilege.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Scoped access and least privilege are central to replacing VPN-based trust. |
| NIST Zero Trust (SP 800-207) | | The article directly contrasts perimeter trust with Zero Trust access control. |
| OWASP Non-Human Identity Top 10 | NHI-05 | Session exposure and over-privilege mirror common non-human identity control failures. |
Treat privileged session scope as an NHI governance problem and limit standing access where the workflow permits.
Key terms
- VPN-less Access: VPN-less access is a model for granting users access to specific systems without placing them on the broader network. It reduces exposed surface area by tying connectivity to identity, context, and the exact resource being used, rather than to a shared tunnel.
- Just-in-time Access: Just-in-time access is temporary privilege that is created only when needed and removed when the task ends. In privileged access programmes it helps reduce standing exposure, but it still depends on good approval logic, session evidence, and clear ownership of the entitlement.
- Identity Blast Radius: Identity blast radius is the amount of infrastructure, data, or administrative capability that a single authenticated session can reach if the control model is too broad. The smaller the blast radius, the easier it is to contain mistakes, credential abuse, and lateral movement.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by JumpCloud: VPN-less Privileged Access Management for Modern Infrastructure. Read the original.
Published by the NHIMG editorial team on 2025-08-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org