Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

PAM and NHI coverage: where are your privileged controls failing?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Privileged access now includes service accounts, API keys, SSH keys, and cloud identities, while identity-based attacks account for 30% of cybersecurity incidents and stolen-credential logins continue to dominate the threat landscape, according to IBM's 2025 X-Force Threat Intelligence Index. Standing privilege and incomplete coverage are the real problem, not password vaulting.

NHIMG editorial — based on content published by Infisical: The Best Privileged Access Management Solutions

By the numbers:

Questions worth separating out

Q: How should security teams implement PAM for both human and non-human privileged access?

A: They should build one privileged access model that includes administrators, service accounts, API keys, SSH keys, and cloud entitlements.

Q: Why do service accounts and API keys increase the risk of lateral movement?

A: Because they often have standing permissions that remain valid after initial exposure, giving attackers reusable access without needing to break in again.

Q: What do organisations get wrong about zero standing privilege?

A: They treat it as a human admin control instead of an access model that should apply to non-human identities too.

Practitioner guidance

  • Inventory all privileged identities Map human admins, service accounts, API keys, SSH keys, certificates, and cloud entitlements into one privileged inventory so access reviews cover the actual attack surface.
  • Eliminate permanent elevation paths Replace always-on admin grants with time-bound elevation and make revocation proveably effective across cloud, on-prem, and DevOps environments.
  • Validate coverage across pipelines and code Check whether privileged secrets still exist in CI/CD, configuration files, and automation scripts, then move them behind controlled injection and rotation.

What's in the full article

Infisical's full blog post covers the operational detail this post intentionally leaves for the source:

  • A vendor-by-vendor evaluation of PAM capabilities across cloud-native and legacy environments
  • Specific feature comparisons for session recording, JIT access, rotation, and audit logging
  • Implementation-oriented discussion of developer-first secrets workflows and Kubernetes support
  • Product positioning details for teams choosing between infrastructure access and secrets-management approaches

👉 Read Infisical's analysis of modern privileged access management choices →

PAM and NHI coverage: where are your privileged controls failing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Privileged access management is now an identity governance problem, not a vaulting problem. The article correctly treats privileged access as a control plane issue across humans and non-human identities. Once service accounts, API keys, and cloud entitlements are in scope, PAM has to align with lifecycle, inventory, and auditability rather than only credential storage. Practitioners should judge PAM by how completely it governs all privileged subjects, not by how many passwords it hides.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • A separate finding shows that 97% of NHIs carry excessive privileges, which broadens the attack surface even when teams think access is controlled.

A question worth separating out:

Q: How do teams know whether PAM is actually covering their real attack surface?

A: They should measure privileged identity inventory completeness, approval coverage, session visibility, and revocation effectiveness across human and non-human accounts. If any privileged subject cannot be seen, reviewed, and removed, PAM is partial and the attack surface remains open.

👉 Read our full editorial: Privileged access management now has to cover non-human identities



   
ReplyQuote
Share: