TL;DR: VPNs, jump hosts, scattered credentials, and patchwork logs are slowing remote work while widening exposure, and browser-based, app-scoped access with policy, vaulted credentials, and audit creates a tighter control layer for users and admins, according to Delinea. The governance question is not convenience versus security, but whether access is still being granted at the right boundary.
NHIMG editorial — based on content published by Delinea: Open the application, not the network
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams scope remote access without exposing the broader network?
A: Security teams should broker access to the application, server, or portal itself rather than the surrounding network.
Q: Why do VPN-based remote access models still create privilege risk?
A: VPNs often turn identity decisions into network decisions, which makes it easier for users to reach more than they need.
Q: What breaks when privileged remote sessions are not time-bound?
A: Without time bounds, privileged access becomes standing privilege with a nicer interface.
Practitioner guidance
- Map remote access to application scope, not network scope. Inventory every privileged remote path that still depends on VPN access or jump hosts, then redesign those paths so users open only the server, application, or portal they actually need.
- Enforce vaulted credential injection for privileged sessions. Require credentials to remain in the vault and be injected into the session, rather than exposed on the endpoint or reused across tools.
- Group remote targets into governed collections. Use role-based collections for remote applications and private web apps so access reviews can be performed at the collection level instead of per ad hoc target.
What's in the full article
Delinea's full blog covers the operational detail this post intentionally leaves for the source:
- Browser launch flow details for server, RDP, SSH, and private web application access
- Credential injection and session streaming mechanics for privileged remote access
- Collection-level permissioning and role grouping for remote application catalogs
- Support for vendor tools, OT consoles, and custom launchers through the platform
👉 Read Delinea's analysis of browser-based privileged remote access →
Remote access sprawl: what app-scoped access changes for IAM teams?
Explore further
App-scoped remote access is a privilege boundary, not a convenience layer. The article’s core shift is away from network-first access and toward access that is attached to a specific application or administrative task. That matters because the old model treats the network as the thing to open and then hopes downstream controls will contain the damage. For IAM and PAM programmes, that is the wrong control plane. The practitioner conclusion is that remote access should be governed at the session and target level, not at the network edge.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when a vendor or partner uses remote administrative access?
A: The organisation granting the access remains accountable for how it is scoped, approved, recorded, and revoked. Third-party access should not be treated as an exception to governance. It should be treated as a higher-risk use of the same controls, with strict expiration, searchable audit evidence, and explicit lifecycle offboarding when the relationship changes.
👉 Read our full editorial: Remote access governance shifts from network tunnels to app-scoped access