
PAM on dirty identity data: what IAM teams need to fix first


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6081
Topic starter  

TL;DR: PAM rollouts fail less because of vaulting technology than because enterprises cannot reliably identify, own, or map the privileged accounts they are trying to control, according to SPHERE Technology Solutions. Identity hygiene is the gating control: without clean attribution and dependency context, onboarding stalls, automation breaks, and audit trust erodes.

NHIMG editorial — based on content published by SPHERE Technology Solutions: identity hygiene as the prerequisite for PAM success

By the numbers:

Questions worth separating out

Q: What breaks when PAM is deployed on dirty identity data?

A: PAM breaks first at onboarding and then at enforcement.

Q: Why do privileged service accounts need ownership before vaulting?

A: Because vaulting changes how the account is handled, and that change must be validated against business purpose and operational dependency.

Q: How do organisations know if PAM coverage is actually working?

A: They should look for fewer orphaned accounts, fewer ambiguous mappings, and fewer exceptions during onboarding.

Practitioner guidance

  • Establish a privileged identity inventory first: create a single inventory for privileged accounts across AD, cloud roles, local admin accounts, sudoers, databases, and embedded credentials before expanding PAM scope.
  • Require explicit ownership before onboarding: block vaulting until each account has a named owner, support team, or business unit and the ownership is documented in a system of record.
  • Map dependencies before rotation or vaulting: document which applications, jobs, and integrations depend on each privileged identity so that vaulting or rotation does not break critical automation.

What's in the full article

SPHERE Technology Solutions' full article covers the operational detail this post intentionally leaves for the source:

  • The discovery logic used to identify privileged accounts across Windows, UNIX, cloud roles, and embedded credentials.
  • The attribution workflow that links each privileged account to a responsible owner before onboarding.
  • The dependency-mapping approach used to avoid outages during vaulting and rotation.
  • The post-onboarding hygiene loop that keeps PAM aligned to changing identity conditions.

👉 Read SPHERE Technology Solutions' analysis of identity hygiene for PAM success →




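An added illustration of the onboarding gate in the practitioner guidance above (ownership required, dependencies mapped before vaulting) together with the hygiene signals named in the Q&A (orphaned accounts, ambiguous mappings, onboarding exceptions). This is not SPHERE Technology Solutions' or NHIMG's code: the inventory records, the system-of-record owner table, the dependency map and every field name (`owners`, `rotation_ack`, the source labels) are constructed assumptions about what a real inventory would carry. It distinguishes an account whose dependency review found no consumers (explicit empty list) from one that was never reviewed at all (no entry), because only the former is safe to rotate.

```python
"""Onboarding-readiness gate over a privileged-identity inventory.

Added illustration, not SPHERE Technology Solutions' or NHIMG's code.
Every record below is constructed sample data and every field name
("owners", "rotation_ack", ...) is an assumption about what a real
inventory and system of record would carry.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Verdict:
    account: str
    ready: bool
    reasons: list  # (code, detail) pairs; empty when the account may be vaulted


# Constructed inventory: one record per discovered privileged account,
# whatever its source (AD, cloud role, sudoers entry, database login).
INVENTORY = [
    {"id": "CORP\\svc-backup", "source": "ad", "owners": ["infra-ops"]},
    {"id": "CORP\\svc-legacy", "source": "ad", "owners": []},
    {"id": "CORP\\svc-etl", "source": "ad", "owners": ["data-eng"]},
    {"id": "arn:aws:iam::123456789012:role/DeployRole", "source": "cloud",
     "owners": ["platform", "app-team-a"]},
    {"id": "root@db-prod-01", "source": "sudoers", "owners": ["dba"]},
    {"id": "app_admin@pg-prod", "source": "database", "owners": ["dba"]},
]

# Constructed: owner identifiers the system of record actually knows.
SYSTEM_OF_RECORD_OWNERS = {"infra-ops", "dba", "platform"}

# Constructed dependency map: account id -> consumers that break if the
# credential is rotated. An explicit empty list means "reviewed, no consumers";
# a missing key means the review never happened.
DEPENDENCIES = {
    "CORP\\svc-backup": [{"consumer": "nightly-backup-job", "rotation_ack": True}],
    "CORP\\svc-etl": [],
    "root@db-prod-01": [],
    "app_admin@pg-prod": [{"consumer": "billing-api", "rotation_ack": False}],
}


def assess(record, sor_owners, dependencies):
    """Decide whether one account may be onboarded, recording every blocker."""
    reasons = []
    owners = record.get("owners", [])
    if not owners:
        reasons.append(("orphaned", "no owner recorded"))
    elif len(owners) > 1:
        reasons.append(("ambiguous_owner", "%d parties claim the account" % len(owners)))
    elif owners[0] not in sor_owners:
        reasons.append(("owner_not_in_sor",
                        "owner %r is not in the system of record" % owners[0]))

    if record["id"] not in dependencies:
        reasons.append(("unmapped", "no dependency review recorded"))
    else:
        for dep in dependencies[record["id"]]:
            if not dep.get("rotation_ack", False):
                reasons.append(("unacked_dependency",
                                "%s has not signed off on rotation" % dep["consumer"]))
    return Verdict(record["id"], not reasons, reasons)


def gate(inventory, sor_owners, dependencies):
    """Run the gate over the whole inventory; nothing is vaulted on a blocked verdict."""
    return [assess(r, sor_owners, dependencies) for r in inventory]


def ready_to_vault(verdicts):
    """Account ids cleared for vaulting, in inventory order."""
    return [v.account for v in verdicts if v.ready]


def hygiene_metrics(verdicts):
    """Counts worth trending: orphans, ambiguous mappings, blocked onboardings."""
    m = Counter(total=len(verdicts))
    for v in verdicts:
        m["ready" if v.ready else "blocked"] += 1
        for code, _ in v.reasons:
            m[code] += 1
    return m


if __name__ == "__main__":
    results = gate(INVENTORY, SYSTEM_OF_RECORD_OWNERS, DEPENDENCIES)
    for v in results:
        status = "READY  " if v.ready else "BLOCKED"
        print(status, v.account, "; ".join(d for _, d in v.reasons))
    print(dict(hygiene_metrics(results)))
```

Run as-is it clears two of the six constructed accounts and blocks the rest, each with the specific blocker attached, which is what an onboarding queue needs to route the exception back to the right team. The `blocked` count over time is the "fewer exceptions" signal; `orphaned` and `ambiguous_owner` are the other two the Q&A names.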

   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5574
 

Dirty identity data is the real blocker in PAM programmes. PAM is often treated as a vaulting problem, but this article shows that onboarding fails earlier, at identity understanding. If the account cannot be owned, classified, and mapped to a dependency graph, the control stack has no reliable input to govern. The implication is that PAM maturity starts with identity hygiene, not with broader policy enforcement.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • Another finding from the same research shows that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: Who is accountable when a PAM rollout breaks a critical system?

A: Accountability sits with the programme owner only if the identity data was complete enough to support the change. If ownership, dependency mapping, or business sign-off was missing, the failure is a governance failure, not just an operations issue. That is why PAM and identity hygiene must be managed together.

👉 Read our full editorial: Dirty identity data is the hidden blocker in PAM rollouts



   