TL;DR: According to Akeyless, fragmented secrets, PAM, certificate, and key management leave blind spots as enterprises add humans, machines, workloads, containers, and AI agents; it positions runtime identity enforcement, ephemeral access, and unified governance as the answer. The real shift is that access control now has to follow execution, not just provisioning.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- Only 44% of organisations are currently using a dedicated secrets management system.
Questions worth separating out
Q: How should security teams govern AI agents that need access to secrets and internal systems?
A: Treat AI agents as runtime identities, not as enhanced service accounts.
Q: Why do fragmented secrets tools create more risk than a single platform view?
A: Fragmentation hides privilege paths, slows revocation, and makes it harder to prove who had access to what and when.
Q: What do teams get wrong about just-in-time access for machines and workloads?
A: They often treat just-in-time access as a point feature instead of a lifecycle control.
Practitioner guidance
- Inventory identity control-plane fragmentation: Map where secrets, PAM, certificate, and key management are operating as separate governance islands.
- Prioritise runtime access for high-risk workflows: Move the most sensitive workload, pipeline, and AI agent integrations to ephemeral, policy-controlled access first.
- Separate human, workload, and agent policy logic: Do not reuse the same entitlement rules for people and non-human identities.
What's in the full announcement
Akeyless's full analysis covers the operational detail this post intentionally leaves for the source:
- Side-by-side product scope across secrets, PAM, certificate management, key management, and AI agent security.
- Platform and deployment details for SaaS-native control, hybrid gateways, and runtime identity enforcement.
- Specific integration claims across cloud, SaaS, DevOps, and legacy environments that shape implementation decisions.
- Comparison tables that break down feature coverage across secrets rotation, JIT access, and certificate lifecycle management.
Read Akeyless's analysis of unified runtime identity security for AI agents.
AI agent identity security and runtime access control: what changes?
Fragmented identity security is now a governance failure, not just an architecture issue. When secrets, PAM, certificates, and keys are split across products, the organisation loses a coherent control surface for access approval, audit, and revocation. The problem is not tool count alone. The problem is that identity evidence becomes distributed across systems that do not share one operational truth. Practitioners should treat fragmentation as a measurable governance risk, not a nuisance.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: How can organisations tell whether their identity governance is keeping pace with runtime access?
A: Look for evidence that policy, audit, and revocation operate at the same speed as execution. If access decisions are still made after the task is complete, or if reviewers cannot reconstruct who or what used a credential, the governance model is behind the environment. Runtime access must be observable while it is still actionable.
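The lifecycle view of just-in-time access described under the practitioner guidance (separate policy logic per identity kind, ephemeral leases instead of standing entitlements) and the governance test above (policy, audit, and revocation at the speed of execution, with the ability to reconstruct who or what used a credential) can be made concrete in a small broker model. The following is an added example written for this editorial; it is not Akeyless code and does not describe the Akeyless product. The policy table, identity kinds, scopes, and all function names are constructed for illustration.

```python
# Added illustration (not Akeyless code): just-in-time access modelled as a
# lifecycle: issue -> use -> expire or revoke, with every step written to an
# audit trail that can be queried while the lease is still live.
from dataclasses import dataclass
from typing import Optional
import secrets

# Constructed policy table. Each identity kind gets its own ceiling on lease
# lifetime (seconds) and its own allowed scopes, so human and non-human
# entitlement rules are never shared.
POLICY = {
    "human":    {"max_ttl": 3600, "scopes": {"db:read", "db:write"}},
    "workload": {"max_ttl": 900,  "scopes": {"db:read"}},
    "agent":    {"max_ttl": 300,  "scopes": {"db:read"}},
}


@dataclass
class Lease:
    lease_id: str
    principal: str
    kind: str
    scope: str
    issued_at: float
    expires_at: float
    token: str
    revoked_at: Optional[float] = None


class JitBroker:
    """Hypothetical broker: mints short-lived, scope-bound leases and records
    every decision. Callers pass the clock explicitly so behaviour is testable."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.leases = {}   # bearer token -> Lease
        self.audit = []    # ordered list of decision records

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def issue(self, principal, kind, scope, ttl, now):
        """Return a bearer token, or None if policy for this kind refuses."""
        rule = self.policy.get(kind)
        if rule is None or scope not in rule["scopes"] or ttl > rule["max_ttl"]:
            self._log("deny_issue", principal=principal, kind=kind,
                      scope=scope, ttl=ttl, at=now)
            return None
        token = secrets.token_urlsafe(24)
        lease = Lease(secrets.token_hex(4), principal, kind, scope,
                      now, now + ttl, token)
        self.leases[token] = lease
        self._log("issue", lease=lease.lease_id, principal=principal,
                  kind=kind, scope=scope, expires_at=lease.expires_at, at=now)
        return token

    def authorize(self, token, scope, now):
        """Decide at execution time; a lease is only good while live and in scope."""
        lease = self.leases.get(token)
        if lease is None:
            reason = "unknown_token"
        elif lease.revoked_at is not None:
            reason = "revoked"
        elif now >= lease.expires_at:
            reason = "expired"
        elif lease.scope != scope:
            reason = "scope_mismatch"
        else:
            reason = None
        if reason is None:
            self._log("use", lease=lease.lease_id, principal=lease.principal,
                      kind=lease.kind, scope=scope, at=now)
            return True
        self._log("deny_use", reason=reason, scope=scope, at=now,
                  principal=lease.principal if lease else None)
        return False

    def revoke(self, lease_id, now):
        """Revocation takes effect immediately on the next authorize() call."""
        for lease in self.leases.values():
            if lease.lease_id == lease_id and lease.revoked_at is None:
                lease.revoked_at = now
                self._log("revoke", lease=lease_id, at=now)
                return True
        return False

    def who_used(self, scope):
        """Reconstruct which principals actually exercised a scope, and when."""
        return [(e["principal"], e["at"])
                for e in self.audit if e["event"] == "use" and e["scope"] == scope]


if __name__ == "__main__":
    broker = JitBroker()
    tok = broker.issue("agent-42", "agent", "db:read", ttl=300, now=1000)
    print("use at t=1100:", broker.authorize(tok, "db:read", now=1100))
    print("use at t=1300:", broker.authorize(tok, "db:read", now=1300))
    print("who used db:read:", broker.who_used("db:read"))
```

The design choice worth noting is that `authorize()` is evaluated at the moment of use rather than at provisioning, so expiry, revocation and scope are all enforced against the running task; `who_used()` is the reviewer's question ("who or what used this credential, and when") answered from the same record the enforcement path writes.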
Read our full editorial: Akeyless frames unified runtime identity security for AI agents.