Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agent-based PEDM versus agentless ZSP: where do controls still fail?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Agent-based PEDM shifts privilege enforcement to the host, eliminating routine standing access and narrowing elevation to specific actions, while agentless IdP-centric models still leave persistent roles and session-wide exposure, according to Delinea. The unresolved issue is that ZSP assumptions built around directory-held privilege and upstream MFA do not fully hold when enforcement stops at the identity provider.

NHIMG editorial — based on content published by Delinea: Why agent-based PEDM is the only path to Zero Standing Privilege

By the numbers:

Questions worth separating out

Q: What breaks when privilege elevation is handled only in the identity provider?

A: The model breaks when the IdP is treated as the only enforcement point, because the host still receives a broad elevated session that it cannot independently challenge.

Q: Why do service accounts and shared admin identities complicate Zero Standing Privilege?

A: They complicate Zero Standing Privilege because shared or long-lived privileged identities can remain valid outside the moment of use, making accountability and containment harder.

Q: What do security teams get wrong about just-in-time privilege in PAM?

A: They often treat just-in-time privilege as a synonym for true privilege removal.

Practitioner guidance

  • Map where privilege is still session-scoped Identify every place where elevation creates a broad privileged session rather than a process, command, or task-scoped entitlement.
  • Disable routine use of built-in superuser accounts Keep root and Administrator reserved for break-glass scenarios only, and require unique low-privilege identities for day-to-day administration.
  • Move MFA enforcement to the host boundary Require local verification at login and again at elevation so the system can validate privilege at the point of use.

What's in the full article

Delinea's full blog post covers the operational detail this post intentionally leaves for the source:

  • A side-by-side comparison of agentless, IdP-centric, and agent-based PEDM enforcement models in server environments
  • Detailed discussion of how local MFA enforcement works at the host level for privileged actions
  • Examples of how centralized sudoers management reduces drift across Linux and Unix systems
  • Delinea's view of how break-glass access, auditing, and delegated administration are implemented in practice

👉 Read Delinea's analysis of why agent-based PEDM closes the gaps in Zero Standing Privilege →

Agent-based PEDM versus agentless ZSP: where do controls still fail?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Standing privilege is the wrong abstraction for host-level enforcement. Agentless models still reason about privilege as something the directory grants and later revokes, but that leaves a window in which the host itself must trust a broadly elevated session. The practical failure is not just weaker enforcement, it is that the control boundary sits too far away from the action. For IAM and PAM teams, that means ZSP cannot be claimed while privilege still exists outside the resource boundary.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly identity risk is actually removed in practice.

A question worth separating out:

Q: Who is accountable when elevated access is shared across operators?

A: Accountability becomes blurred when multiple operators use the same privileged account, even if the credential is vaulted and rotated. The cleaner model is one named operator, one named task, and one auditable elevation event. Shared access may still be necessary for emergencies, but it should not be the ordinary operating pattern.

👉 Read our full editorial: Agent-based PEDM and the limits of agentless zero standing privilege



   
ReplyQuote
Share: