PAM for NHIs and AI agents: what the challenger label means

TL;DR: Traditional PAM tools are being stretched by secret sprawl, excessive privileges, and the growth of non-human identities and AI agents, according to Saviynt, while Gartner named it a Challenger in the 2025 Magic Quadrant for Privileged Access Management. The deeper issue is that PAM programmes now have to govern both human privilege and machine-issued access paths at once.

NHIMG editorial — based on content published by Saviynt: Saviynt Named a Challenger in the 2025 Gartner Magic Quadrant for Privileged Access Management

By the numbers:

• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.

Questions worth separating out

Q: How should security teams govern privileged access for service accounts and AI agents?

A: They should govern privileged access as an identity lifecycle problem, not only a session control problem.

Q: Why do secrets outside vaults create such a large PAM gap?

A: Because PAM can only enforce control over credentials it can discover and manage.

Q: What do organisations get wrong about PAM for non-human identities?

A: They often treat non-human identities as technical plumbing rather than governed identities.

Practitioner guidance

• Inventory privileged secrets outside vaults Identify every location where passwords, API keys, and tokens are stored in code repositories, configuration files, build systems, and runtime variables.
• Classify machine identities by privilege persistence Separate short-lived automation from long-lived service accounts, because persistent credentials need lifecycle controls, not only session controls.
• Tie PAM reviews to identity lifecycle events Trigger entitlement review when an application, integration, or workflow changes, not only on a calendar cycle.

What's in the full analysis

Saviynt's full post covers the market context and report references this post intentionally leaves for the source:

• The exact Gartner Magic Quadrant placement language and category context around privileged access management.
• Saviynt’s own positioning on how its PAM capabilities are being unified with governance for internal users, external users, and NHIs.
• The source article’s broader framing of AI agents and NHI growth as drivers of next-generation PAM demand.
• The report link and surrounding announcement context for teams tracking market signals rather than implementation detail.

👉 Read Saviynt’s analysis of the 2025 Gartner PAM Challenger placement →

PAM for NHIs and AI agents: what the challenger label means?

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →