TL;DR: Hybrid and multi-cloud environments are pushing privileged access away from VPNs and bastions toward identity-based control, with session brokering, credential injection, and revocation now central to modern PAM, according to Akeyless. The deeper shift is that access review and perimeter trust both break down when infrastructure changes faster than governance cycles.
NHIMG editorial — based on content published by Akeyless: the comparison of HashiCorp Boundary and Akeyless Secure Remote Access for modern privileged access
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
Questions worth separating out
Q: How should security teams replace VPN-style privileged access in hybrid cloud environments?
A: They should replace broad network trust with identity-based, task-scoped access that brokers a session to a specific target, records the activity, and removes or rotates credentials when the session ends.
Q: Why do static credentials create so much risk in modern privileged access workflows?
A: Static credentials create risk because they persist beyond the task and can be copied, reused, or exposed long after the access request is complete.
Q: What do organisations get wrong when they treat host discovery as access control?
A: They assume that automatically discovering a server or VM means the access model is already governed.
Practitioner guidance
- Map every privileged target to an identity-first access path: document whether each SSH, RDP, database, Kubernetes, and cloud console workflow uses brokering, injected credentials, or direct login.
- Separate discovery from authorization policy: keep cloud host discovery and access authorization as distinct control steps so tagged instances do not become implicitly reachable.
- Standardise session recording and post-session rotation: make sure privileged sessions across all target types produce a usable audit trail and that the credential used in the session is rotated or invalidated immediately after disconnect.
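A minimal model of the three controls above, added here as an illustration for this editorial and not code from Akeyless or HashiCorp Boundary: discovery and authorization are separate tables, the broker mints a per-session credential the user never sees, every command is recorded, and disconnect revokes the credential. The host inventory, policy table and command strings are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample inventory from a tag-based cloud discovery scan; inventory alone grants nothing.
DISCOVERED = {"web-01": {"env": "prod"}, "db-01": {"env": "prod"}, "lab-09": {"env": "dev"}}

# Authorization is a separate control: identity -> explicitly permitted targets.
POLICY = {"alice": {"db-01"}, "bob": {"web-01"}}

@dataclass
class Session:
    user: str
    target: str
    credential: str                 # ephemeral, injected by the broker, never handed to the user
    events: list = field(default_factory=list)   # recorded activity for this session
    active: bool = True

class Broker:
    def __init__(self):
        self.valid_credentials = set()   # what the target would currently accept
        self.audit = []                  # cross-session audit trail

    def is_authorized(self, user, target):
        # A discovered host with no matching policy entry stays unreachable.
        return target in DISCOVERED and target in POLICY.get(user, set())

    def open(self, user, target):
        if not self.is_authorized(user, target):
            self.audit.append(("denied", user, target))
            return None
        cred = secrets.token_urlsafe(16)          # minted per session, not stored long-term
        self.valid_credentials.add(cred)
        self.audit.append(("opened", user, target))
        return Session(user, target, cred)

    def run(self, session, command):
        # Every command is checked against live credential validity and recorded.
        if not session.active or session.credential not in self.valid_credentials:
            return False
        session.events.append(command)
        self.audit.append(("cmd", session.user, session.target, command))
        return True

    def close(self, session):
        # Disconnect invalidates the injected credential, so a copied value is useless afterwards.
        session.active = False
        self.valid_credentials.discard(session.credential)
        self.audit.append(("closed", session.user, session.target))
```

Swapping the in-memory sets for a real secrets store and a real target-side credential check is where a production broker differs; the control boundaries stay the same.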
What's in the full article
Akeyless' full article covers the operational detail this post intentionally leaves for the source:
- Exact platform workflow for browser-based access to SSH, RDP, databases, Kubernetes, and cloud consoles
- Feature-by-feature comparison of Boundary editions versus a unified PAM approach
- Demo-specific notes on session recording, credential injection, and live revocation
- Practical examples of how lightweight Gateways are deployed for private targets
👉 Read Akeyless' comparison of Boundary and modern PAM for hybrid cloud access →
Modern PAM for hybrid cloud access: are your controls keeping up?
Identity trust is now the correct operating model for privileged access in dynamic infrastructure. VPN-era trust assumed a stable network boundary and a limited set of admin workflows. Hybrid cloud breaks that assumption because the target set changes continuously and access has to be granted to specific resources, not the environment as a whole. The implication is that PAM, IGA, and NHI governance must be designed around identity, scope, and session boundaries rather than perimeter membership.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, which is why privilege scope and credential lifetime remain governance weak points.
A question worth separating out:
Q: Who is accountable when privileged access spans VPNs, bastions, and identity-based tooling?
A: Accountability sits with the team that owns the access policy and lifecycle, not just the tool administrator. If access still relies on multiple manual steps, shared accounts, or delayed offboarding, the governance failure is organisational, because no single control owns the full session lifecycle.
👉 Read our full editorial: Modern PAM for hybrid cloud: why identity trust beats VPN access