
PAM is shifting to action-based control, are your controls ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: KuppingerCole’s 2026 PAM Leadership Compass says privilege is moving from accounts to actions, with AI agents, service accounts, workloads, and automation pipelines now shaping privileged risk according to Delinea’s summary of the report. That shift makes point-in-time authorization and zero standing privilege more important than vault-centric controls alone.

NHIMG editorial — based on content published by Delinea: Beyond the vault, Delinea named a Leader in the 2026 KuppingerCole PAM Leadership Compass

By the numbers:

Questions worth separating out

Q: How should teams govern privilege when access is tied to actions instead of accounts?

A: Teams should catalogue the actions that can change systems, controls, or other identities, then bind approval and monitoring to those actions rather than to static account labels.

Q: Why do service accounts and workloads make traditional PAM less effective?

A: Because they often operate with inherited permissions, reusable credentials, or long-lived access that does not fit human login assumptions.

Q: What breaks when organisations rely on vaulting without point-of-action controls?

A: Vaulting can protect secrets at rest, but it does not stop an identity from using legitimate access once a session or credential is available.

Practitioner guidance

  • Reclassify privilege around actions: inventory privileged operations by the systems and data they can affect, then map each identity to the actions it can trigger rather than the account it owns.
  • Remove standing access before adding JIT: treat just-in-time access as incomplete until persistent administrative rights are removed, especially in cloud consoles, databases, and Kubernetes estates.
  • Separate secrets from runtime authorization: use secretless or workload identity patterns where possible so AI agents and automation do not need reusable credentials to reach private resources.

What's in the full analysis

Delinea's full blog post covers the operational detail this post intentionally leaves for the source:

  • The report’s category-by-category scoring and why KuppingerCole placed Delinea in the Leader position.
  • Specific examples of how the platform applies just-in-time access across databases, Kubernetes environments, cloud consoles, and server infrastructure.
  • The vendor’s description of discovery, posture analysis, and control as one connected motion for privileged access governance.
  • Additional detail on how the platform handles AI agent access without handing over reusable credentials.

👉 Read Delinea’s analysis of the 2026 KuppingerCole PAM Leadership Compass →
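As an added illustration of the practitioner guidance above (not code from this post, from KuppingerCole, or from Delinea's platform), a small Python policy check that binds authorization to catalogued actions with time-bound grants and flags standing access that should be removed before JIT counts as complete; the action names, identities, approval ids and timestamps are constructed for the example:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Catalogue of privileged actions keyed by what they can change. The names are
# constructed for this example; a real catalogue comes from your own inventory.
PRIVILEGED_ACTIONS = {
    "db.alter_schema": "data",
    "k8s.bind_cluster_admin": "control plane",
    "iam.issue_credential": "other identities",
}

@dataclass(frozen=True)
class Grant:
    identity: str                   # human, service account, workload or AI agent
    action: str                     # catalogued action, not an account label
    approval_id: str                # change/approval record behind the grant
    expires_at: Optional[datetime]  # None means standing access

def standing_grants(grants):
    """Grants with no expiry: persistent rights to remove before JIT counts as complete."""
    return [g for g in grants if g.expires_at is None]

def authorize(identity, action, grants, now):
    """Point-in-time decision bound to the action; no account role label is consulted."""
    if action not in PRIVILEGED_ACTIONS:
        return False, f"unknown action {action!r}: not in the privileged catalogue"
    matching = [g for g in grants if g.identity == identity and g.action == action]
    if not matching:
        return False, "no grant binds this identity to this action"
    live = [g for g in matching if g.expires_at is not None and now < g.expires_at]
    if live:
        return True, f"JIT grant {live[0].approval_id} valid until {live[0].expires_at.isoformat()}"
    if any(g.expires_at is None for g in matching):
        return False, "standing grant refused: convert it to a time-bound JIT grant"
    return False, "all JIT grants for this action have expired"

# Constructed sample: one live JIT grant, one expired, one standing (never expires).
NOW = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("svc-deploy-bot", "k8s.bind_cluster_admin", "CHG-1001", NOW + timedelta(minutes=30)),
    Grant("agent-copilot", "db.alter_schema", "CHG-1002", NOW - timedelta(minutes=5)),
    Grant("legacy-admin-sa", "iam.issue_credential", "GRANDFATHERED", None),
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        print(g.identity, g.action, authorize(g.identity, g.action, SAMPLE_GRANTS, NOW))
    print("standing access to remove:", [g.approval_id for g in standing_grants(SAMPLE_GRANTS)])
```

The standing grant is refused even though it exists, which is the point-of-action control a vault alone does not give you; the `standing_grants` list is the backlog to clear before JIT is considered in place.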

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Privilege as an action, not an account, is the category shift PAM vendors now have to follow. The report’s central premise is structurally correct: an identity can be privileged without looking like an administrator account. That matters because service accounts, workloads, and AI agents often inherit authority that is only visible when they act. The implication is that PAM programmes need to be judged by whether they control sensitive actions, not by how many vaults or admin accounts they cover.

A few things that frame the scale:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure, according to Entro Security's 2025 research.

A question worth separating out:

Q: Who is accountable when AI agents or automation misuse privileged access?

A: Accountability sits with the identity owner, the platform owner, and the governance function that approved the privileged path. If the organisation cannot assign responsibility for runtime actions taken by non-human identities, then the control model is incomplete. Frameworks like NIST CSF and zero trust governance require clear ownership before privilege is granted.

👉 Read our full editorial: PAM is shifting from accounts to actions across every identity
