TL;DR: Continuous machine and AI-driven access is pushing security away from vault-and-session privilege models toward per-request authorization, according to Pomerium’s analysis. That shift matters because static PAM assumptions break when software acts continuously and identity decisions must happen at the moment of action.
NHIMG editorial — based on content published by Pomerium: Privilege Access Is the Past. Per Request Authorization Is the Future
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern machine access when requests are continuous?
A: Treat each request as the unit of control.
Q: Why do privileged access models struggle with NHI and agentic workloads?
A: They assume access is rare, elevation is exceptional, and sessions define trust.
Q: What breaks when organizations rely on vaulting instead of authorization?
A: Vaulting protects credentials, but it does not decide whether an action should be allowed.
Practitioner guidance
- Map every privileged workflow to its actual trust boundary: identify where your programme still assumes a session start, approval gate, or credential checkout is the point of control.
- Separate secret custody from access decisioning: keep vaulting, rotation, and storage controls, but do not treat them as substitutes for runtime authorization.
- Rework PAM assumptions for machine and agent identities: review which PAM workflows were built for human administrators and do not scale to continuous machine activity.
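To make the difference between the two decision points concrete, here is a small Python model added for this post (it is not code from Pomerium or from the NHIMG editorial). The identities, policy table and request sequence are constructed; the session model grants everything after one credential checkout, while the per-request model re-evaluates every action against policy and runtime context.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    identity: str   # workload or agent identity (constructed)
    action: str     # "read", "write", "delete"
    resource: str   # path-like resource name
    attrs: dict = field(default_factory=dict)  # runtime context

# Constructed policy: (action, resource prefix) pairs allowed per identity.
POLICY = {
    "agent:report-builder": [("read", "db/"), ("write", "reports/")],
    "svc:billing": [("read", "db/billing"), ("write", "db/billing")],
}

class SessionPAM:
    """Vault/session model: the decision is made once at checkout and
    every later action inside the elevated session inherits it."""
    def __init__(self):
        self.elevated = set()

    def checkout(self, identity):
        if identity in POLICY:          # credential exists in the vault
            self.elevated.add(identity)
            return True
        return False

    def allow(self, req):
        return req.identity in self.elevated

def per_request_allow(req):
    """Per-request model: each action is checked against policy and
    context, regardless of any earlier grant or checkout."""
    for action, prefix in POLICY.get(req.identity, []):
        if req.action == action and req.resource.startswith(prefix):
            # Context rule: agent writes must reference an approved task.
            if action == "write" and req.identity.startswith("agent:") \
                    and not req.attrs.get("task_id"):
                return False
            return True
    return False

def compare(requests):
    """Return (action, resource, session_decision, per_request_decision)."""
    pam = SessionPAM()
    out = []
    for r in requests:
        pam.checkout(r.identity)    # vault hands out the credential
        out.append((r.action, r.resource, pam.allow(r), per_request_allow(r)))
    return out

SAMPLE = [  # constructed sequence from one agent holding a checked-out secret
    Request("agent:report-builder", "read", "db/customers"),
    Request("agent:report-builder", "write", "reports/q3.pdf", {"task_id": "T-1"}),
    Request("agent:report-builder", "delete", "db/customers"),
    Request("agent:report-builder", "write", "reports/q3.pdf"),
]
```

Running `compare(SAMPLE)` shows the session model approving all four actions because the checkout succeeded, while per-request evaluation denies the delete (never in policy) and the write that lacks an approved task id.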
What's in the full article
Pomerium's full blog covers the operational detail this post intentionally leaves for the source:
- How the request authorization model is implemented across API-driven and distributed environments
- Where session brokering still fits for legacy administrative workflows and where it does not
- Why the control boundary shifts from credential checkout to runtime policy evaluation
- What the platform architecture looks like when secrets are removed from the primary access path