TL;DR: Traditional PAM is straining under the expansion of service accounts, bots, and AI agents, while manual reviews and static roles are turning into bottlenecks, according to Saviynt’s analysis of KuppingerCole’s Leadership Compass for Privileged Access Management. The deeper issue is that standing-access assumptions no longer hold when non-human identities outnumber humans and privileged activity shifts faster than review cycles can track.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should security teams govern privileged access for non-human identities?
A: Treat service accounts, bots, and automation credentials as governed identities, not technical exceptions.
Q: Why do non-human identities complicate privileged access management?
A: Because they scale faster than human review processes and often operate without interactive sessions.
Q: What breaks when privileged access reviews are still built for humans?
A: Human-centric reviews assume a stable person, a named manager, and a cadence slow enough for manual certification.
Practitioner guidance
- Inventory privileged non-human identities: Build a complete map of service accounts, bots, pipeline identities, and AI-linked accounts, then assign a human owner to each one.
- Replace persistent privilege with task-scoped access: Use just-in-time access for privileged operations wherever the business process allows, and make revocation part of the same workflow.
- Unify governance and PAM review cycles: Align entitlement review, privilege enforcement, and lifecycle management so that the same identity record drives all three.
What's in the full announcement
Saviynt's full analysis covers the operational detail this post intentionally leaves for the source:
- The way the platform unifies IGA, PAM, AAG, ISPM, and ITDR in one operating model
- How the article frames just-in-time access for business users as well as privileged administrators
- The continuous discovery angle for secrets and privileged paths across cloud and CI/CD environments
- The report context behind Saviynt's positioning in KuppingerCole's PAM Leadership Compass
👉 Read Saviynt's analysis of identity-centric PAM and NHI governance →
Identity-centric PAM for NHIs and AI agents: what changes now?
Identity-centric PAM is now a governance model, not just a control set. The article points to a market reality where PAM can no longer be evaluated only by session brokering or vaulting. Identity now spans humans, service accounts, bots, and AI-linked workloads, so the control plane has to unify governance, discovery, and privilege enforcement. Practitioners should treat PAM as one layer inside a broader identity operating model.
A few things that frame the scale:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them. That gap is one reason privilege sprawl persists even when teams believe controls are in place.
A question worth separating out:
Q: Should organisations move from PAM to an identity-centric control plane?
A: They should move toward a converged operating model if they need to govern privilege across multiple identity types consistently. The question is not whether PAM still matters, but whether PAM, IGA, and discovery can share one trusted identity picture. Without that, teams keep discovering privilege after exposure instead of controlling it at creation time.
👉 Read our full editorial: Identity-centric PAM for NHIs and AI agents is reaching its limit