Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Privilege at runtime: what PAM teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9924
Topic starter  

TL;DR: Privilege is shifting from vaulting admin accounts to governing actions taken by service accounts, automation pipelines and AI agents, according to Delinea’s summary of two 2026 analyst reports. Runtime authorisation, not credential storage alone, is now the control point that determines whether privilege is actually constrained.

NHIMG editorial — based on content published by Delinea: Privilege is moving from accounts to actions: Why KuppingerCole and Frost recognized Delinea

By the numbers:

Questions worth separating out

Q: How should security teams govern privileged actions for machine identities?

A: Security teams should govern privileged actions at runtime, not just the accounts that carry them.

Q: Why do service accounts and AI agents break traditional PAM models?

A: Traditional PAM assumes privilege is attached to a human account and can be protected by vaulting and session recording.

Q: What do security teams get wrong about zero standing privilege?

A: They sometimes treat zero standing privilege as a secrets problem only.

Practitioner guidance

  • Move PAM policy from account ownership to action approval Define the privileged actions that matter for each machine identity, then bind policy to those actions rather than to the underlying account alone.
  • Inventory service accounts, automation pipelines and AI agents in one control plane Build a single inventory that maps identity type, privilege scope, owner and runtime dependency.
  • Replace standing privileged credentials with ephemeral access paths Use just-in-time access for database, server and API access wherever the task can be time-bound.

What's in the full article

Delinea's full article covers the analyst-report details this post intentionally leaves for the source:

  • The specific KuppingerCole and Frost criteria used to evaluate PAM platforms in 2026.
  • The platform capabilities Delinea maps to discovery, just-in-time access and zero standing privilege.
  • The analyst language used to describe machine and AI-speed privilege governance.
  • The operational framing behind Delinea Iris AI and how the vendor positions runtime judgment.

👉 Read Delinea’s analysis of PAM shifting from accounts to actions →

Privilege at runtime: what PAM teams need to do now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9408
 

Action-level governance is the new boundary for privileged access. Account-centric PAM was designed for a world where privilege could be inferred from who logged in. That assumption fails when service accounts and AI agents execute independently, because the risky unit is no longer the account but the action. The implication is that privileged access governance must be evaluated as runtime decision control, not just credential containment.

A few things that frame the scale:

  • NHIs outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why runtime governance fails when inventory is incomplete.

A question worth separating out:

Q: How can organisations tell whether privilege governance is keeping up with non-human identities?

A: Look for three signals: whether privileged actions are defined clearly, whether the same policy layer governs service accounts and AI agents, and whether ephemeral access replaces persistent credentials where possible. If privileged decisions are still made only at onboarding or provisioning time, the programme is behind the operational reality.

👉 Read our full editorial: Privilege is moving from accounts to actions in PAM



   
ReplyQuote
Share: