TL;DR: Traditional PAM and credential rotation were built for segmented, mostly on-prem environments, but identity now spans remote workers, machine identities, and third-party access, according to Whiteswan Security. The governance gap is no longer just privileged accounts; it is whether endpoints, access paths, and servers are being controlled as one identity problem.
NHIMG editorial — based on content published by Whiteswan Security: The Modern Identity & Access Security stack for securing your applications and cloud infrastructure
Questions worth separating out
Q: How should security teams implement zero standing privilege across endpoints, access, and servers?
A: Start by treating privilege as a single access journey instead of three separate tools.
Q: Why do over-provisioned VPNs and persistent privileges keep defeating zero trust?
A: Because they preserve broad access after the initial trust decision has already been made.
Q: What breaks when device trust is not part of privileged access decisions?
A: Privilege becomes detached from real session risk.
Practitioner guidance
- Map the full privilege path: inventory where elevated access is created, approved, and consumed across endpoints, access gateways, servers, and third-party entry points.
- Collapse overlapping access consoles: reduce duplicated policy enforcement between endpoint privilege tools, trusted access, and server PAM so that one access decision produces one auditable outcome.
- Bind privilege to live device signals: use current device posture, location, and application context to decide whether a session can proceed and what it can do.
What's in the full article
Whiteswan Security's full analysis covers the operational detail this post intentionally leaves for the source:
- The vendor's deployment-oriented view of endpoint privilege manager, trusted access, and server PAM integration
- Specific examples of how passwordless trusted access and just-in-time grants are configured in practice
- Architecture detail on how the ZSP agent evaluates identity, device trust, and application context before access
- Integration points with SIEM, EPP, IAM, and server PAM tools for teams planning implementation
👉 Read Whiteswan Security's analysis of zero standing privilege for apps and infrastructure →
Zero standing privilege for apps and infrastructure: are controls keeping up?
Explore further
Traditional PAM is now only one control plane inside a broader identity attack surface. The article shows that privileged access can no longer be governed only at the server boundary because endpoints, access systems, machine identities, and third-party access all influence whether privilege is real or merely assumed. That makes the governance problem cross-domain rather than tool-specific. Practitioners should treat PAM as part of a wider identity control fabric, not the whole answer.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most teams cannot reliably see where privileged access is concentrated.
A question worth separating out:
Q: Which controls matter most when replacing standing privilege with JIT access?
A: The important controls are policy scope, approval timing, session expiry, and auditability. JIT only reduces risk when it grants the minimum privilege needed, for the minimum time needed, and then revokes that access reliably. If those controls are weak, JIT becomes a temporary version of the same standing access problem.
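To make the four controls above concrete (and the earlier point about binding privilege to live device signals), here is an added, self-contained illustration in Python. It is not Whiteswan's ZSP agent or any product's code; the `JitBroker`, its 60-minute ceiling, the posture keys and the `alice`/`db-prod` scenario are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    key: tuple            # (principal, target, role)
    expires_at: datetime
    revoked: bool = False

class JitBroker:
    """Hypothetical broker: one access decision -> one auditable, time-boxed outcome."""
    MAX_TTL = timedelta(minutes=60)  # assumed policy ceiling on any JIT grant
    def __init__(self, scope):
        self.scope = scope                 # allowed (principal, target, role) tuples
        self.grants, self.audit = [], []   # every decision, grant or deny, lands in audit
    def request(self, key, ttl, posture, now):
        if key not in self.scope:                             # 1. policy scope
            return self._deny(key, "outside policy scope", now)
        failed = [k for k, ok in posture.items() if not ok]   # 2. live device signals
        if failed:
            return self._deny(key, "posture failed: " + ",".join(failed), now)
        grant = Grant(key, now + min(ttl, self.MAX_TTL))      # 3. expiry, capped by policy
        self.grants.append(grant)
        self.audit.append((now, "grant", key, grant.expires_at))
        return grant
    def _deny(self, key, reason, now):
        self.audit.append((now, "deny", key, reason))
        return None
    def is_active(self, grant, now):
        return not grant.revoked and now < grant.expires_at
    def sweep(self, now):   # 4. reliable revocation: run on a timer, returns count revoked
        expired = [g for g in self.grants if not g.revoked and now >= g.expires_at]
        for g in expired:
            g.revoked = True
            self.audit.append((now, "revoke", g.key, "expired"))
        return len(expired)

def demo():   # constructed scenario: 'alice' asks for 8 hours of admin on 'db-prod'
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    key = ("alice", "db-prod", "admin")
    broker = JitBroker({key})
    good = {"managed": True, "disk_encrypted": True, "edr_healthy": True}
    denied = broker.request(key, timedelta(hours=8), dict(good, edr_healthy=False), t0)
    grant = broker.request(key, timedelta(hours=8), good, t0)
    return {"denied_on_posture": denied is None,
            "ttl_minutes": int((grant.expires_at - t0).total_seconds() // 60),  # 60, not 480
            "active_at_61": broker.is_active(grant, t0 + timedelta(minutes=61)),
            "revoked_by_sweep": broker.sweep(t0 + timedelta(minutes=61)),
            "audit_events": [e[1] for e in broker.audit]}
```

The requested eight hours is cut to the policy ceiling, the unhealthy device is refused before any privilege exists, and the sweep turns expiry into an actual revocation with its own audit record, which is the difference between JIT and a temporary copy of standing access.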
👉 Read our full editorial: Zero standing privilege for apps and infrastructure needs a new stack