TL;DR: Agent-based PEDM (Privilege Elevation and Delegation Management) shifts privilege enforcement to the host, eliminating routine standing access and narrowing elevation to specific commands or tasks, while agentless, IdP-centric models still leave persistent roles and session-wide exposure, according to Delinea. The unresolved issue is that Zero Standing Privilege (ZSP) assumptions built around directory-held privilege and upstream MFA do not fully hold when enforcement stops at the identity provider (IdP): once the elevated session reaches the host, nothing on the host re-verifies the user or narrows the grant.
NHIMG editorial — based on content published by Delinea: Why agent-based PEDM is the only path to Zero Standing Privilege
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: What breaks when privilege elevation is handled only in the identity provider?
A: The model breaks when the IdP is treated as the only enforcement point, because the host still receives a broad elevated session that it cannot independently challenge: it has no local check at elevation time and no way to narrow the grant to a single command or task.
Q: Why do service accounts and shared admin identities complicate Zero Standing Privilege?
A: They complicate Zero Standing Privilege because shared or long-lived privileged identities can remain valid outside the moment of use, making accountability and containment harder.
Q: What do security teams get wrong about just-in-time privilege in PAM?
A: They often treat just-in-time privilege as a synonym for true privilege removal. A just-in-time grant of a broad role still produces a session-wide elevated context that persists for the lifetime of that session; privilege is only removed when the entitlement is scoped to the specific action and verified at the point of use.
Practitioner guidance
- Map where privilege is still session-scoped: Identify every place where elevation creates a broad privileged session rather than a process-, command-, or task-scoped entitlement.
- Disable routine use of built-in superuser accounts: Keep root and Administrator reserved for break-glass scenarios only, and require unique low-privilege identities for day-to-day administration.
- Move MFA enforcement to the host boundary: Require local verification at login and again at elevation so the system can validate privilege at the point of use.
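On a Linux or Unix host the three steps above reduce to reading the sudoers policy: a grant of `ALL` is a session-wide elevation, `NOPASSWD` (or a `Defaults` that disables authentication) means nothing is verified at the point of elevation, and a command list is a scoped entitlement. The following audit script is an added example, not Delinea's or NHIMG's code. It runs against a constructed sample sudoers file embedded inline and handles a deliberate subset of sudoers syntax (user specs with one host and one runas field, `Cmnd_Alias` expansion, and the two `Defaults` that remove re-verification); `User_Alias`, `Host_Alias`, per-user `Defaults`, negated commands and wildcards are not modelled, and `visudo -c` remains the authority on validity.

```python
"""Audit a sudoers policy for standing, session-wide or unverified privilege.

Added example (not Delinea's or NHIMG's code). Only a subset of sudoers
syntax is parsed, see the lead-in; treat findings as a map, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample policy, not taken from any real host.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
Defaults    timestamp_timeout=-1
Cmnd_Alias  SERVICES = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) NOPASSWD: ALL
alice       ALL=(root) SERVICES
deploy      ALL=(app) NOPASSWD: /usr/local/bin/deploy.sh
bob         ALL=(ALL) ALL
"""


@dataclass
class Finding:
    who: str
    severity: str  # "high", "medium", "info" or "ok"
    reason: str


# who  host = (runas) [NOPASSWD:|PASSWD:] cmd, cmd, ...
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tag>(?:NOPASSWD|PASSWD)\s*:\s*)?"
    r"(?P<cmds>.+)$"
)


def _logical_lines(text):
    """Yield non-empty lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield line


def parse_sudoers(text):
    """Return (defaults, cmnd_aliases, user_specs) for the supported subset."""
    defaults, aliases, specs = set(), {}, []
    for line in _logical_lines(text):
        if line.startswith("Defaults"):
            for opt in line.split(None, 1)[1].split(","):
                defaults.add(opt.replace(" ", ""))  # normalise "timestamp_timeout = -1"
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, cmds = line.split(None, 1)[1].partition("=")
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append(m.groupdict())
    return defaults, aliases, specs


def _expand(cmds, aliases):
    """Replace Cmnd_Alias names with their command lists."""
    out = []
    for c in (c.strip() for c in cmds.split(",")):
        out.extend(aliases.get(c, [c]))
    return out


def audit_sudoers(text):
    """Classify each grant by how far it is from a scoped, verified entitlement."""
    defaults, aliases, specs = parse_sudoers(text)
    findings = []
    # Host-wide settings that remove verification at the point of elevation.
    if "!authenticate" in defaults:
        findings.append(Finding("Defaults", "high",
                                "!authenticate: sudo never prompts, so nothing is verified at elevation"))
    if "timestamp_timeout=-1" in defaults:
        findings.append(Finding("Defaults", "medium",
                                "timestamp_timeout=-1: one prompt unlocks every later elevation in the session"))
    for s in specs:
        cmds = _expand(s["cmds"], aliases)
        nopasswd = (s["tag"] or "").startswith("NOPASSWD")
        if "ALL" in cmds:
            if s["who"] == "root":
                findings.append(Finding("root", "info",
                                        "built-in superuser keeps unrestricted sudo; confirm it is break-glass only"))
            else:
                reason = "session-wide elevation: ALL commands"
                reason += " without re-verification (NOPASSWD)" if nopasswd else ""
                findings.append(Finding(s["who"], "high", reason))
        else:
            reason = f"scoped to {len(cmds)} command(s)"
            reason += ", but NOPASSWD skips verification at elevation" if nopasswd else ""
            findings.append(Finding(s["who"], "medium" if nopasswd else "ok", reason))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'ok': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.severity:<6} {f.who:<10} {f.reason}")
```

Run it against a copy of each host's `/etc/sudoers` and `/etc/sudoers.d/*` (the script parses text, so no root is needed once the files are collected): every `high` line is a place where elevation still produces a broad session rather than a scoped entitlement, and every `NOPASSWD` or `Defaults` finding is a place where the host does not verify the user at the moment of elevation. Comparing the output across a fleet is also a cheap way to spot sudoers drift before adopting centralized management.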
What's in the full article
Delinea's full blog post covers the operational detail this post intentionally leaves for the source:
- A side-by-side comparison of agentless, IdP-centric, and agent-based PEDM enforcement models in server environments
- Detailed discussion of how local MFA enforcement works at the host level for privileged actions
- Examples of how centralized sudoers management reduces drift across Linux and Unix systems
- Delinea's view of how break-glass access, auditing, and delegated administration are implemented in practice
👉 Read Delinea's analysis of why agent-based PEDM closes the gaps in Zero Standing Privilege →
Agent-based PEDM versus agentless ZSP: where do controls still fail?