TL;DR: Continuous machine and AI-driven access is pushing security away from vault-and-session privilege models toward per-request authorization, according to Pomerium’s analysis. That shift matters because static PAM assumptions break when software acts continuously and identity decisions must happen at the moment of action.
NHIMG editorial — based on content published by Pomerium: Privilege Access Is the Past. Per Request Authorization Is the Future
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern machine access when requests are continuous?
A: Treat each request as the unit of control.
Q: Why do privileged access models struggle with NHI and agentic workloads?
A: They assume access is rare, elevation is exceptional, and sessions define trust.
Q: What breaks when organizations rely on vaulting instead of authorization?
A: Vaulting protects credentials, but it does not decide whether an action should be allowed.
Practitioner guidance
- Map every privileged workflow to its actual trust boundary: identify where your programme still assumes a session start, approval gate, or credential checkout is the point of control.
- Separate secret custody from access decisioning: keep vaulting, rotation, and storage controls, but do not treat them as substitutes for runtime authorization.
- Rework PAM assumptions for machine and agent identities: review which PAM workflows were built for human administrators and do not scale to continuous machine activity.
What's in the full article
Pomerium's full blog covers the operational detail this post intentionally leaves for the source:
- How the request authorization model is implemented across API-driven and distributed environments
- Where session brokering still fits for legacy administrative workflows and where it does not
- Why the control boundary shifts from credential checkout to runtime policy evaluation
- What the platform architecture looks like when secrets are removed from the primary access path
👉 Read Pomerium's analysis of per-request authorization for modern access control →
Per-request authorization for agents and workloads: what changes?
Explore further
Privilege management is no longer the primary security control for machine-driven identity. PAM was designed for rare elevation, bounded sessions, and human-paced review. That premise fails when software acts continuously, credentials spread between services, and the real decision is whether a request should be allowed now. The implication is that identity governance has to stop treating privilege as the control surface and start treating authorization as the governing layer for modern access patterns.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly remediation often follows discovery.
A question worth separating out:
Q: How do zero trust and least privilege change for autonomous systems?
A: They move closer to the request itself. Least privilege can no longer be treated as a provisioning-time state only, because software may select actions dynamically and act without a human approval gate. Zero trust then becomes a continuous authorization problem, with policy re-evaluated each time an identity tries to do something.
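As an added illustration of this answer (and of the vaulting-versus-authorization distinction drawn earlier on this page), here is a small per-request authorizer in Python. It is example code written for this editorial, not Pomerium's implementation; the identities, policy entries, request fields and the 300-second freshness window are all constructed.

```python
# Added example: per-request authorization for machine identities.
# Not Pomerium's code. Every identity, policy entry and threshold below is constructed.
from dataclasses import dataclass
from typing import Optional, Tuple
import time

@dataclass(frozen=True)
class Request:
    principal: str           # constructed machine identity, e.g. "svc:billing-agent"
    action: str              # "read", "write", "deploy"
    resource: str            # "db:customers", "cluster:prod"
    credential_valid: bool   # the only question a vault/rotation layer answers
    issued_at: float         # when the identity assertion was issued (epoch seconds)
    human_approved: bool = False  # explicit approval attached to THIS request

# Constructed policy: the set of (principal, action, resource) tuples that are permitted.
POLICY = {
    ("svc:billing-agent", "read", "db:customers"),
    ("svc:billing-agent", "write", "db:invoices"),
    ("svc:deployer", "deploy", "cluster:prod"),
}
HIGH_RISK_ACTIONS = {"deploy"}   # actions that need a fresh approval on every request
MAX_ASSERTION_AGE = 300          # seconds; assumed freshness window, not a standard value

def session_model_allows(session_elevated: bool, req: Request) -> bool:
    """PAM-style assumption: trust is decided once at checkout and holds for the session.
    After elevation, any action the credential can technically perform goes through."""
    return session_elevated and req.credential_valid

def authorize(req: Request, now: Optional[float] = None) -> Tuple[bool, str]:
    """Per-request model: evaluate policy for this action, now; nothing is cached."""
    now = time.time() if now is None else now
    if not req.credential_valid:
        return False, "credential invalid"           # custody check: necessary, not sufficient
    if now - req.issued_at > MAX_ASSERTION_AGE:
        return False, "identity assertion is stale"  # continuous actors must re-prove identity
    if (req.principal, req.action, req.resource) not in POLICY:
        return False, "no policy grants this action on this resource"
    if req.action in HIGH_RISK_ACTIONS and not req.human_approved:
        return False, "high-risk action needs per-request approval"
    return True, "allowed"

if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed clock
    # Same valid credential, same elevated session: the session model cannot tell these apart.
    for r in (Request("svc:billing-agent", "read", "db:customers", True, t0),
              Request("svc:billing-agent", "write", "db:customers", True, t0)):
        print(r.action, r.resource, "session:", session_model_allows(True, r),
              "per-request:", authorize(r, now=t0))
```

The write to `db:customers` is the instructive case: the vault says the credential is fine and the session model waves it through, while the per-request check denies it because no policy grants that action on that resource.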
👉 Read our full editorial: Request-based authorization is displacing privilege management