TL;DR: PAM has moved beyond administrator credentials into identity security, with modern deployments integrating ITDR, CIEM, and SOAR as agentic AI, NHI growth, zero trust, and post-quantum concerns reshape access control, according to SSH Communications Security. The real change is that access governance now has to account for machine identities and decision-making systems, not just human administrators.
NHIMG editorial — based on content published by SSH Communications Security: Cybersecurity in 2026 looks very different from just a few years ago
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams govern privileged access as NHI use expands?
A: Treat privileged access as a lifecycle issue, not a credential vault problem.
Q: Why do NHI and zero trust change the way PAM should be designed?
A: Zero trust assumes continuous verification, but NHI access often persists across systems, sessions, and automation flows.
Q: What do teams get wrong about PAM in collaboration and OT environments?
A: They often treat PAM as a login-control layer instead of a governance layer.
Practitioner guidance
- Re-map privileged access to runtime enforcement points. Inventory where privileged actions actually occur across admins, service accounts, collaboration tools, and OT remote sessions.
- Separate human admin access from machine privilege governance. Track service accounts, API keys, and certificates as distinct governance objects with their own approval, rotation, and revocation paths.
- Define sovereignty requirements before choosing collaboration deployment models. Document where communication data must reside, who can administer it, and what audit evidence regulators or auditors will expect.
What's in the full article
SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:
- The article's vendor-specific view of how PAM is being positioned alongside ITDR, CIEM, and SOAR in current deployments.
- The collaboration-security discussion around secure communication, sovereignty, and federation choices in more operational detail.
- The OT access angle, including how the vendor frames secure remote access for industrial environments and control systems.
- The post's broader cybersecurity narrative for 2026, which links identity, resilience, and post-quantum concerns to product direction.
PAM and NHI governance in 2026: are your controls keeping up?
Explore further
PAM is becoming the enforcement layer for identity security, not a separate admin tool. Once PAM integrates with ITDR, CIEM, and SOAR, it starts governing privilege as a live security state rather than a static entitlement. That aligns PAM with how modern attacks actually unfold across human admins, service accounts, and automation. Practitioners should treat privileged access as a runtime control plane, not a vault with better branding.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: What frameworks should guide PAM programmes that now cover NHI and operational access?
A: Use NIST CSF for programme structure, ZT-NIST-207 for continuous verification, and OWASP NHI guidance for machine credential governance. If OT or collaboration is in scope, add sector and data-residency requirements so privileged access, sovereignty, and auditability are managed together rather than as separate workstreams.