TL;DR: Traditional PAM tools built around static credentials and vault-centric control struggle in hybrid IT, OT and cloud environments, where modern access governance now demands Zero Trust, just-in-time privilege, and short-lived certificate-based authentication according to SSH Communications Security and Info-Tech Research Group. Standing access and long-lived credentials are no longer a defensible baseline; the control model has to shift to ephemeral, auditable privilege.
NHIMG editorial — based on content published by SSH Communications Security: Meeting the New Realities of Privileged Access Management
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: What breaks when privileged access still depends on standing credentials?
A: Standing credentials create a reusable trust path that outlives the task, the operator and sometimes the environment that justified it.
Q: Why do hybrid IT and OT environments make PAM harder to govern?
A: Hybrid environments combine different trust boundaries, protocol requirements and operational tolerances, so a single access model rarely fits cleanly.
Q: How do security teams know whether zero standing privilege is actually working?
A: Look for evidence that elevated access is issued only when needed, expires automatically and leaves a complete audit trail.
Practitioner guidance
- Inventory standing privileged paths Map every admin workflow that still depends on reusable passwords, long-lived keys or manual vault retrieval.
- Replace durable elevation with task-scoped access Move privileged workflows to just-in-time issuance with automatic expiry, then verify that revocation happens when the task completes rather than when a person remembers to close a session.
- Bind privileged sessions to stronger credentials Use short-lived certificate-based authentication for administration wherever possible, and pair it with session recording and command-level restrictions.
What's in the full article
SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:
- The specific PrivX capability set discussed for zero standing privilege, certificate-based access and session control.
- Info-Tech’s evaluation lens for modern PAM across IT, OT and cloud environments.
- The article’s own comparison points between vault-centric PAM and cloud-native, Zero Trust-oriented access governance.
- The deployment and integration themes around hybrid infrastructure, Kubernetes and CI/CD access workflows.
👉 Read SSH Communications Security's analysis of modern PAM for IT, OT and cloud →
Privileged access across IT, OT and cloud: what changes now?
Explore further
Standing privilege is the failure mode modern PAM is being forced to retire. The article shows that vaulting alone does not solve the core governance problem, because the risk sits in access that remains valid after the task changes or ends. That is especially visible in hybrid estates where human administrators, workloads and OT jump paths all depend on different timing and accountability assumptions. The practitioner conclusion is that standing privilege is no longer an acceptable default in modern identity architecture.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, which helps explain why privilege controls are moving from static administration to runtime governance.
A question worth separating out:
Q: Who is accountable when privileged access crosses IT, cloud and OT boundaries?
A: Accountability should sit with the team that owns the access lifecycle, not just the system being accessed. That means identity, security and operational owners need a shared control model for provisioning, elevation, logging and revocation. If no one can explain who approved the access and who removes it, the governance model is incomplete.
👉 Read our full editorial: Modern PAM for hybrid IT, OT and cloud access governance