TL;DR: Manual service account management is creating unnecessary sprawl, governance gaps, and operational risk as CI/CD, Kubernetes, and automation workloads scale, according to SSH Communications Security. The meaningful change is not just faster provisioning, but a move away from standing machine identities toward ephemeral, scoped access that better fits modern infrastructure.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should teams reduce service account sprawl in automation-heavy environments?
A: Start by identifying workloads that do not need permanent identities.
Q: Why do federated identities complicate privileged access governance?
A: Federated identities shift trust to the external identity provider and the downstream approval workflow, which means governance depends on both.
Q: What breaks when delegated role management is not tightly scoped?
A: Delegated administration can turn into privilege creep if teams are allowed to create roles outside a clearly bounded environment.
Practitioner guidance
- Replace long-lived service accounts where tasks are short-lived Map GitLab runners, API clients, and automation scripts to workflows that can use ephemeral user creation, external identity assertions, or other short-duration access patterns instead of standing accounts.
- Review federated approval paths before expanding privileged use Check whether OIDC-authenticated identities, API proxy credentials, and authorized SSH keys all land in the same approval, logging, and retention model so auditors can follow the full access path.
- Constrain delegated role administration to explicit scopes Limit local role creation to defined groups or environments, and test that delegated administrators cannot expand privileges beyond the scope assigned to them.
What's in the full announcement
SSH Communications Security's full release covers the operational detail this post intentionally leaves for the source:
- Specific PrivX PAM workflow changes for ephemeral user directories and temporary role assignment
- Implementation details for OIDC-backed approvals, API proxy credentials, and authorized SSH keys
- Configuration guidance for TLS on ICAP scanning connections in cloud and hybrid environments
- Deployment considerations for delegated role management and optional Nginx bypass tuning
👉 Read SSH Communications Security's release on PrivX PAM updates for machine identity management →
Ephemeral access for machine identities: what IAM teams need to know?
Explore further
Ephemeral machine identity is becoming the default control model for automation-heavy environments. Manual account creation no longer scales once CI/CD, Kubernetes, and scripted workflows begin operating continuously. The important shift is not simply reducing overhead, but replacing standing identity with time-bound access that matches machine execution patterns. Practitioners should treat this as a governance redesign, not a tooling convenience.
A few things that frame the scale:
- 57% of organisations lack a complete inventory of their machine identities, according to The Critical Gaps in Machine Identity Management report.
- 61% rely on spreadsheets or manual tracking for machine identity management, which leaves governance teams without a reliable operational view of access.
A question worth separating out:
Q: How do security teams know if machine identity governance is working?
A: Look for fewer standing accounts, faster onboarding of automation workflows, auditable role approvals, and visible retention of access records after logout. If teams still depend on manual tracking to explain machine access, governance is only partially effective. Working machine identity governance should reduce both operational overhead and review friction.
👉 Read our full editorial: Machine identity management is shifting toward ephemeral access models