TL;DR: Traditional VPNs still dominate privileged access in many environments, but they rely on implicit trust, broad network reach, and limited visibility once a session begins, according to JumpCloud. The security shift is toward identity-scoped, auditable access that better fits cloud-native, hybrid, and distributed operations.
NHIMG editorial — based on content published by JumpCloud: VPN-less Privileged Access Management for Modern Infrastructure
By the numbers:
- In one study, 80% of users said they use a VPN for increased security.
- Just 6% cited protecting their employer’s data.
- 16% use a VPN because it’s required by their employer.
Questions worth separating out
Q: How should security teams replace VPN access for privileged users?
A: Security teams should replace VPN access with identity-scoped, protocol-level access to specific systems, then layer just-in-time approval, session monitoring, and device checks on top.
Q: Why do VPNs create risk in modern privileged access environments?
A: VPNs create risk because they treat network presence as trust, which can expose more infrastructure than the task requires.
Q: What breaks when privileged access is granted through a flat network tunnel?
A: A flat network tunnel breaks the link between identity, intent, and resource scope.
Practitioner guidance
- Scope access to the target system, not the network: remove broad VPN entry for privileged workflows and replace it with protocol-level access to the exact server, database, or application required for the task.
- Make privileged access expire by default: use just-in-time approvals or policy triggers so elevated access ends automatically after the session or time window closes, even if the user remains authenticated.
- Turn on session evidence for every privileged connection: record commands, monitor sensitive actions, and retain session logs so investigators can reconstruct what happened without relying on network-only telemetry.
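An added illustration, not JumpCloud's code or product, contrasting the two decision models the guidance above describes: a tunnel check that keys on source address alone, and an identity-scoped, time-bounded grant whose every decision is written to an audit record. The address pool, user, targets and grant window are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample data (hypothetical): one VPN address pool and one JIT grant.
VPN_POOL = ip_network("10.8.0.0/16")
GRANT_ISSUED = datetime(2026, 1, 10, 10, 0, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Grant:
    """Identity-scoped permission: exact target and protocol, with a JIT expiry."""
    user: str
    target: str            # a specific host or database, never a subnet
    protocol: str          # e.g. "ssh" or "postgres"
    expires_at: datetime   # access ends here even if the user stays logged in

GRANTS = [Grant("alice", "db-prod-01", "postgres", GRANT_ISSUED + timedelta(hours=2))]

def vpn_model_allows(source_ip: str) -> bool:
    """Implicit-trust model: being inside the tunnel is the whole decision.
    The target is not even an input, so every reachable host is exposed."""
    return ip_address(source_ip) in VPN_POOL

def identity_model_allows(user: str, target: str, protocol: str,
                          now: datetime, audit: list) -> bool:
    """Scoped model: a grant must name this user, target and protocol and be
    unexpired; every decision is appended to the audit trail as session evidence."""
    allowed = any(g.user == user and g.target == target and g.protocol == protocol
                  and now < g.expires_at for g in GRANTS)
    audit.append({"user": user, "target": target, "protocol": protocol,
                  "time": now.isoformat(), "allowed": allowed})
    return allowed

def run_scenarios() -> dict:
    """Runs the same requests through both models; returns decisions and audit size."""
    audit = []
    in_window = GRANT_ISSUED + timedelta(minutes=30)
    after_window = GRANT_ISSUED + timedelta(hours=3)
    return {
        "vpn_any_target": vpn_model_allows("10.8.3.7"),  # tunnel presence == trust
        "scoped_ok": identity_model_allows("alice", "db-prod-01", "postgres", in_window, audit),
        "wrong_target": identity_model_allows("alice", "db-prod-02", "postgres", in_window, audit),
        "expired": identity_model_allows("alice", "db-prod-01", "postgres", after_window, audit),
        "audit_records": len(audit),
    }
```

The VPN check never sees the target, so a session inside the pool reaches any host; the scoped check denies the wrong database and the expired window even though the user is still authenticated, and leaves one audit record per decision.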
What's in the full article
JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step VPN-less access patterns for privileged users across remote teams and third-party vendors.
- Concrete examples of session recording, logging, and real-time monitoring in privileged workflows.
- Access control patterns tied to SSO, MFA, RBAC, and context-aware authorization.
- Practical comparisons between network tunnels, proxies, and browser-based access models.
Read JumpCloud's analysis of VPN-less privileged access for modern PAM.
VPN-less PAM and the governance gap teams are missing?
Explore further
Implicit network trust is the wrong governance model for privileged access. VPNs treat reachability as a proxy for legitimacy, but modern infrastructure no longer behaves like a fixed perimeter. In cloud-native and hybrid environments, the thing that matters is which identity can do what to which resource, not whether the user landed inside a tunnel. The implication is that PAM programmes must stop using network entry as the control boundary and treat it as an implementation detail.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- Another finding shows that organisations with least-privileged AI access had a 17% incident rate versus 76% for over-privileged systems, a 4.5x difference that reinforces the value of narrow access scope.
A question worth separating out:
Q: Who is accountable when privileged access is too broad to audit properly?
A: Accountability sits with the teams that define access boundaries and the owners who approve them. For IAM and PAM programmes, that means proving that access is scoped, monitored, and reviewable, not merely that a user authenticated successfully.
Read our full editorial: VPN-less privileged access is replacing implicit trust in modern PAM.