Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Privilege is moving to actions, not accounts. Is PAM ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12120
Topic starter  

TL;DR: KuppingerCole’s Leadership Compass for Privileged Access Management 2026 says privileged activity is shifting toward AI agents, service accounts, workloads, and automation, while static credentials and vault-centric models are reaching their limits, according to SSH Communications Security. The real governance problem is that privilege is now contextual and action-based, so access review, vaulting, and authentication alone no longer describe the risk boundary.

NHIMG editorial — based on content published by SSH Communications Security: KuppingerCole Leadership Compass for Privileged Access Management 2026

By the numbers:

Questions worth separating out

Q: How should security teams govern non-human identities that have persistent access?

A: Security teams should treat every non-human identity as a managed asset with an owner, an explicit purpose, a scoped privilege set, and a defined offboarding path.

Q: Why do non-human identities change the PAM risk model?

A: Non-human identities change the PAM risk model because they authenticate continuously, operate at machine speed, and often lack stable human ownership.

Q: What breaks when organisations rely on password vaults for every privileged identity?

A: Password vaults still help, but they break down when the real risk is persistent authorisation rather than secret storage.

Practitioner guidance

  • Map privilege by action, not by account Inventory the systems and workflows where identities can make security-relevant changes, then classify those actions as privileged even when the actor is a service account or AI agent.
  • Replace standing access with task-scoped access paths Prioritise the most sensitive non-human and administrator flows for just-in-time access, ephemeral credentials, and expiry by default.
  • Unify PAM, IGA, and secrets governance Create one policy model for credential issuance, entitlement approval, and audit evidence so that human and non-human identities are governed consistently.

What's in the full article

SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:

  • KuppingerCole’s vendor-by-vendor discussion of PAM capability changes across the 2026 Leadership Compass
  • The report’s commentary on SSH key governance, certificate-based authentication, and migration from vaulted credentials
  • Deployment and sovereignty considerations for regulated environments, including self-hosted, cloud, SaaS, and appliance options
  • The report’s treatment of quantum-safe cryptography as a current PAM requirement rather than a future add-on

👉 Read SSH Communications Security’s analysis of PAM’s shift toward short-lived privileged access →

Privilege is moving to actions, not accounts. Is PAM ready?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11695
 

Privilege is being redefined around action, and that changes the control boundary. When privilege is attached to the action instead of the account, vault-first PAM becomes only one layer of control, not the core model. The article accurately reflects a market shift toward runtime entitlement decisions, which is where modern IAM and PAM governance now has to live. The practical conclusion is that policy evaluation must sit closer to execution than credential storage does.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when AI or machine identities are over-privileged?

A: Accountability sits with the teams that provisioned, approved, and operated the identity, but governance ownership must be explicit. If a machine identity or AI system can act beyond its intended scope, the organisation needs a named control owner, a revocation path, and evidence that access was reviewed against actual use.

👉 Read our full editorial: PAM is shifting from accounts to actions in privileged access



   
ReplyQuote
Share: