TL;DR: Privileged access management is shifting from isolated credential vaulting to an embedded identity fabric as cloud, DevOps, NHIs, and AI agents expand the access surface, according to SSH Communications Security's Customer Advisory Board presentation with KuppingerCole analyst Alejandro Leal. Access review and static privilege models assume stable, human-paced administration, but that assumption breaks when ephemeral workloads and autonomous systems move faster than review cycles.
NHIMG editorial — based on content published by SSH Communications Security: a Customer Advisory Board analysis of PAM, NHIs, and AI agents
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams govern non-human identities in PAM programmes?
A: Treat non-human identities as governed principals with owners, purpose, and expiry conditions.
Q: Why do ephemeral workloads create problems for traditional privilege management?
A: Because traditional PAM assumes access persists long enough to be reviewed, but ephemeral workloads can create and consume privilege inside a short runtime window.
Q: What do organisations get wrong about crypto agility in identity systems?
A: They treat it as a cryptography project instead of an access architecture issue.
Practitioner guidance
- Unify privilege telemetry across identity tools: join PAM, IGA, CIEM, and authentication signals into one view of who or what can act, where privilege is used, and which paths remain exposed.
- Inventory non-human identities as governed principals: create a separate register for service accounts, workloads, bots, and APIs with named owners, purpose, and expiry conditions.
- Redesign access reviews for machine privilege: replace human-centric recertification assumptions with checks that verify runtime use, dependency ownership, and credential persistence for NHIs.
What's in the full article
SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:
- The full presentation context around Alejandro Leal's identity-fabric framing and how the audience discussion unfolded.
- The specific PAM architecture patterns the speaker associates with context-aware and risk-adaptive access.
- The quantum-readiness and crypto-agility reasoning behind the future-state PAM model.
- The broader advisory board discussion that ties machine identities, ephemeral workloads, and privileged access together.
Read SSH Communications Security's presentation on PAM, NHIs, and AI agents: "PAM, NHIs, and AI agents: what changes for IAM teams?"
Explore further
Identity fabric is becoming the only workable model for privileged access at scale. PAM can no longer function as a standalone vault because the access problem now spans authentication, entitlement, telemetry, and response across humans and machines. The old operating model assumed these controls could be separated and still produce coherent governance. That assumption no longer holds when privilege is distributed across cloud services, ephemeral workloads, and identity-native infrastructure. Practitioners should treat the identity fabric as the new governance boundary.
A few things that frame the scale:
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts.
A question worth separating out:
Q: How do PAM, IGA, and CIEM work together for machine identities?
A: PAM enforces and observes privilege, IGA governs ownership and review, and CIEM exposes cloud entitlement paths. For machine identities, those functions need shared telemetry because separate tools miss the full access graph. Without that connective layer, entitlement drift and hidden privilege accumulate outside review.
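The practitioner guidance above (a governed NHI register reviewed for runtime use, ownership and credential persistence) and this answer (shared telemetry across PAM, IGA and CIEM) can be shown as one join. The following is an added example, not code from NHIMG or SSH Communications Security; the three dictionaries are constructed sample data standing in for an IGA register, PAM usage telemetry and a CIEM entitlement inventory, and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical principals, not from the page or any real system).
# REGISTER plays the IGA role: each NHI has a named owner, a purpose and an expiry.
REGISTER = {
    "svc-billing":  {"owner": "payments-team", "purpose": "invoice batch",   "expires": "2025-12-31"},
    "ci-deployer":  {"owner": "",              "purpose": "pipeline deploy", "expires": "2025-06-30"},
    "bot-reporter": {"owner": "data-team",     "purpose": "nightly report",  "expires": "2024-01-01"},
}
# PRIV_USE plays the PAM role: last observed privileged action per principal (ISO timestamps).
PRIV_USE = {"svc-billing": "2025-03-01T02:00:00", "ci-deployer": "2025-03-09T11:30:00"}
# ENTITLEMENTS plays the CIEM role: principals that currently hold an entitlement path.
ENTITLEMENTS = {
    "svc-billing":   ["s3:billing-bucket"],
    "ci-deployer":   ["iam:PassRole"],
    "bot-reporter":  ["db:reports-ro"],
    "orphan-lambda": ["kms:Decrypt"],   # present in the cloud, absent from the register
}

def review_nhis(register, priv_use, entitlements, now, unused_after=timedelta(days=30)):
    """Join the three views and return {principal: [findings]} for anything a human-paced
    recertification would miss: missing owner, stale expiry, no runtime evidence, drift."""
    findings = {}
    def flag(principal, msg):
        findings.setdefault(principal, []).append(msg)
    for principal, rec in register.items():
        if not rec["owner"]:
            flag(principal, "no named owner")
        if datetime.fromisoformat(rec["expires"]) < now:
            flag(principal, "past expiry but still registered")
        last = priv_use.get(principal)
        if last is None:
            # Credential persists but PAM has never seen it used: no runtime justification.
            flag(principal, "no privileged use observed")
        elif now - datetime.fromisoformat(last) > unused_after:
            flag(principal, f"unused for more than {unused_after.days} days")
    for principal in entitlements:
        if principal not in register:
            # Entitlement drift: privilege that accumulated outside the governed register.
            flag(principal, "holds entitlements but is absent from the register")
    return findings

if __name__ == "__main__":
    for p, msgs in review_nhis(REGISTER, PRIV_USE, ENTITLEMENTS, datetime(2025, 3, 10)).items():
        print(p, "->", "; ".join(msgs))
```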
Read our full editorial: PAM is becoming identity infrastructure for NHIs and AI agents