TL;DR: Privileged access is shifting from password vaulting and session brokering toward identity-driven, policy-based control as organisations reduce reliance on standing SSH keys and static credentials, according to SSH Communications Security. The core issue is not just stronger governance, but that legacy PAM assumptions were built for stable environments, not ephemeral, automation-heavy infrastructure.
NHIMG editorial — based on content published by SSH Communications Security: identity-driven just-in-time privileged access and the future of PAM
By the numbers:
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams reduce reliance on standing SSH keys?
A: Start by identifying where long-lived keys still create persistent administrative reach, then replace those paths with policy-driven, time-bound access wherever the business can tolerate it.
Q: Why do static credentials create more risk in ephemeral environments?
A: Because the environment changes faster than the credential lifecycle.
Q: What do teams get wrong about just-in-time privileged access?
A: They often treat JIT as a convenience layer rather than a control model.
Practitioner guidance
- Map remaining standing SSH access: Inventory where long-lived SSH keys still grant administrative connectivity, then classify each path by business criticality, rotation dependency, and whether access can be replaced with time-bound policy issuance.
- Separate vaulting from enforcement: Review whether your PAM platform only stores secrets or actually enforces access at session start, because retention alone does not solve pre-positioned access.
- Prioritise ephemeral environments first: Target immutable systems, short-lived workloads, and automation-heavy estates for JIT access before trying to modernise every privileged path at once.
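The inventory step above can be started with a small parser over authorized_keys entries that flags keys with no expiry and no from= or command= restriction on administrative accounts. This is an added example, not code from the original post or from SSH Communications Security; the hosts, users and key lines are constructed, and expiry-time values are treated as UTC.

```python
# Added example: inventory authorized_keys entries and flag standing (non-expiring)
# administrative access. Sample lines are constructed; option names follow sshd(8).
import re
from datetime import datetime, timezone

OPT_RE = re.compile(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?')          # name or name="value"
LINE_RE = re.compile(r'^(?:((?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+)?'     # optional option block
                     r'((?:ssh|ecdsa|sk)-\S+)\s+(\S+)(?:\s+(.*))?$')  # key type, blob, comment
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)                      # constructed "current time"

def parse_line(line):
    """Return (options, key_type, comment) for one authorized_keys line, else None."""
    line = line.strip()
    m = LINE_RE.match(line) if line and not line.startswith("#") else None
    if not m:
        return None
    return dict(OPT_RE.findall(m.group(1) or "")), m.group(2), m.group(4) or ""

def assess(host, user, line, now):
    """Classify one entry: standing (no expiry-time), unrestricted (no from=/command=), expired."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    opts, _key_type, comment = parsed
    expiry = opts.get("expiry-time", "").rstrip("Z")  # treated as UTC here (assumption)
    expired = False
    if expiry:  # sshd accepts YYYYMMDD, YYYYMMDDHHMM or YYYYMMDDHHMMSS
        fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(expiry)]
        expired = datetime.strptime(expiry, fmt).replace(tzinfo=timezone.utc) <= now
    return {"host": host, "user": user, "comment": comment, "standing": not expiry,
            "unrestricted": not ({"from", "command"} & set(opts)), "expired": expired}

def inventory(entries, now):  # skips comments and malformed lines
    return [f for f in (assess(h, u, l, now) for h, u, l in entries) if f]

def standing_admin_paths(findings, admin_users=("root",)):
    """The paths to map first: non-expiring keys that still grant administrative access."""
    return [f for f in findings if f["standing"] and f["user"] in admin_users]

SAMPLE = [  # constructed (host, user, authorized_keys line) tuples
    ("db01", "root", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyData alice@laptop"),
    ("db01", "root", 'from="10.0.0.0/24",expiry-time="20990101Z" ssh-rsa AAAAB3FakeKey jit-issuer'),
    ("web01", "deploy", 'command="/usr/local/bin/deploy.sh",no-pty ssh-ed25519 AAAAC3FakeKey2 ci-runner'),
    ("web01", "root", 'expiry-time="20200101" ssh-ed25519 AAAAC3FakeKey3 old-contractor'),
    ("web01", "root", "# keys below rotated 2024-06"),
]
if __name__ == "__main__":
    for f in standing_admin_paths(inventory(SAMPLE, NOW)):
        print(f"standing admin key on {f['host']} for {f['user']}: {f['comment']}")
```

Run against real authorized_keys files, the standing and unrestricted flags give the classification inputs the guidance asks for; a JIT-issued key shows up as time-bound and restricted, an old contractor key as expired but still present.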
What's in the full article
SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:
- The vendor's migration approach for moving from static SSH keys to JIT privileged access without breaking existing administration workflows.
- The operational steps behind inventorying, rotating, and governing SSH keys in environments that still depend on them.
- The way its control plane combines identity, access, and network enforcement for native and browser-based connectivity.
- The product-specific migration sequencing and rollout considerations that matter once policy design is complete.
👉 Read SSH Communications Security's analysis of identity-driven JIT privileged access →
Static credentials and JIT access in PAM: what changes now?
Explore further
Static credential control is being outgrown by the environment it was built for. Legacy PAM assumed access would be long-lived enough to vault, broker, and review. That model still has value, but it no longer matches immutable infrastructure, short-lived workloads, and access patterns that change faster than review cycles. Practitioners should stop treating static credential governance as the end state.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: Who should own the move from legacy PAM to identity-driven access?
A: Ownership usually sits across IAM, PAM, infrastructure, and platform teams because the change affects policy, session control, and operational workflows at the same time. The best indicator of readiness is whether the organisation can remove static access without losing continuity for critical systems.
👉 Read our full editorial: Identity-driven PAM is replacing static credential control