TL;DR: VPNs, shared credentials, and manual policies cannot keep pace with database access across cloud, on-premises, and containerised environments, according to JumpCloud, which cites a $4.9M average breach cost and multiple access-sprawl indicators. The governance problem is no longer theoretical: privileged access must be brokered, auditable, and lifecycle-aware, or databases remain overexposed.
NHIMG editorial — based on content published by JumpCloud: securing database access with PAM in modern environments
By the numbers:
- Over 70% of companies report that employees have been granted inappropriate access to sensitive data, or that former employees have retained access after their departure.
- 51% of companies reported that non-employees still had access to business data even after their projects were finished.
Questions worth separating out
Q: How should security teams secure database access without relying on VPN trust?
A: Security teams should separate connectivity from authorisation.
Q: Why do shared database credentials create so much risk in hybrid environments?
A: Shared credentials create risk because they outlive the task, the person, and often the environment that originally justified them.
Q: How can organisations tell whether PAM is actually improving database governance?
A: Look for three signals: fewer standing privileges, stronger session evidence, and faster revocation after role or project changes.
Practitioner guidance
- Remove direct database exposure for privileged users: Route admin and contractor access through a brokered control path so users never need raw database credentials or open network reachability.
- Replace shared credentials with vaulted, time-bound access: Store database secrets in a controlled vault, inject them only when a task is approved, and rotate them immediately after use.
- Bind access reviews to actual database privilege state: Re-certify who can reach which database roles, not just who remains on the payroll or in the directory.
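The third point, reviewing from the database's own privilege state rather than from the directory, can be sketched as a reconciliation job. This is an added example, not code from JumpCloud or NHIMG; the database names, role names, principals, and record fields are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: live role membership as exported from each database
# (for example from its role catalog), not from the directory.
DB_GRANTS = [
    ("orders-prod", "db_owner", "alice"),
    ("orders-prod", "readonly", "bob"),
    ("orders-prod", "db_owner", "svc_legacy_admin"),
    ("billing-prod", "readwrite", "carol.vendor"),
    ("billing-prod", "readonly", "dave.vendor"),
]

# Constructed sample identity records: lifecycle state per principal.
DIRECTORY = {
    "alice": {"kind": "employee", "active": True, "ends": None},
    "bob": {"kind": "employee", "active": False, "ends": date(2024, 3, 1)},
    "carol.vendor": {"kind": "contractor", "active": True, "ends": date(2024, 5, 31)},
    "dave.vendor": {"kind": "contractor", "active": True, "ends": date(2025, 1, 31)},
}


def recertify(grants, directory, today):
    """Return (database, role, principal, reason) for every grant that
    should not survive review, judged from database state first."""
    findings = []
    for database, role, principal in grants:
        record = directory.get(principal)
        if record is None:
            reason = "no identity owner (shared or orphaned login)"
        elif not record["active"]:
            reason = "identity deactivated but grant still present"
        elif record["ends"] is not None and record["ends"] < today:
            reason = "engagement ended but grant still present"
        else:
            continue
        findings.append((database, role, principal, reason))
    # Privileged roles (hypothetical names) first, so revocation starts
    # with the widest exposure.
    privileged = {"db_owner", "readwrite"}
    return sorted(findings, key=lambda f: (f[1] not in privileged, f[0], f[2]))


if __name__ == "__main__":
    for finding in recertify(DB_GRANTS, DIRECTORY, date(2024, 6, 15)):
        print(" | ".join(finding))
```

Starting from the grants means a login with no directory record at all, such as a shared admin account, is surfaced instead of being silently skipped, which a directory-first review would miss.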
What's in the full article
JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:
- The vendor's comparison table for access with and without PAM, including the operational differences in credential handling and deprovisioning
- Step-by-step examples for database credential vaulting and automatic rotation in CI/CD and admin workflows
- Session recording and monitoring specifics, including how keystrokes, queries, and audit trails are captured for investigation
- Brokered access patterns for third-party vendors and direct database connections without exposed credentials
Explore further
PAM is now the control layer that makes database access governable in hybrid estates. VPNs were built for connectivity, not for proving that a person or workload should reach a specific database operation. Once databases span cloud, on-premises, containers, and third parties, the governance problem becomes access brokerage, session accountability, and revocation. The implication is that database privilege can no longer be managed as a network exception.
A few things that frame the scale:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Who should own database access accountability when contractors or service teams are involved?
A: Accountability should sit with the identity and security function that can enforce lifecycle control, session oversight, and revocation. Contractors and service teams should not be treated as exceptions to the governance model. If they can access databases, they must be included in the same approval, monitoring, and offboarding discipline as employees.