Privileged access across IT, OT and cloud: what changes now?


(@nhi-mgmt-group)

TL;DR: Traditional PAM tools built around static credentials and vault-centric control struggle in hybrid IT, OT and cloud environments, where modern access governance now demands Zero Trust, just-in-time privilege, and short-lived certificate-based authentication, according to SSH Communications Security and Info-Tech Research Group. Standing access and long-lived credentials are no longer a defensible baseline; the control model has to shift to ephemeral, auditable privilege.

NHIMG editorial — based on content published by SSH Communications Security: Meeting the New Realities of Privileged Access Management

Questions worth separating out

Q: What breaks when privileged access still depends on standing credentials?

A: Standing credentials create a reusable trust path that outlives the task, the operator and sometimes the environment that justified it.

Q: Why do hybrid IT and OT environments make PAM harder to govern?

A: Hybrid environments combine different trust boundaries, protocol requirements and operational tolerances, so a single access model rarely fits cleanly.

Q: How do security teams know whether zero standing privilege is actually working?

A: Look for evidence that elevated access is issued only when needed, expires automatically and leaves a complete audit trail.

Practitioner guidance

  • Inventory standing privileged paths: Map every admin workflow that still depends on reusable passwords, long-lived keys or manual vault retrieval.
  • Replace durable elevation with task-scoped access: Move privileged workflows to just-in-time issuance with automatic expiry, then verify that revocation happens when the task completes rather than when a person remembers to close a session.
  • Bind privileged sessions to stronger credentials: Use short-lived certificate-based authentication for administration wherever possible, and pair it with session recording and command-level restrictions.

What's in the full article

SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:

  • The specific PrivX capability set discussed for zero standing privilege, certificate-based access and session control.
  • Info-Tech’s evaluation lens for modern PAM across IT, OT and cloud environments.
  • The article’s own comparison points between vault-centric PAM and cloud-native, Zero Trust-oriented access governance.
  • The deployment and integration themes around hybrid infrastructure, Kubernetes and CI/CD access workflows.
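
One way to check the evidence named in the zero standing privilege question and the practitioner guidance above, as an added example that is not part of the original post or of any vendor's product. The grant records, their field names and the two policy thresholds are assumptions made for illustration.

```python
from datetime import datetime, timedelta

MAX_TTL = timedelta(minutes=60)      # assumed policy ceiling for one elevation
REVOKE_SLACK = timedelta(minutes=5)  # assumed tolerance after the task completes

# Constructed sample records; the field names are hypothetical, not a product schema.
GRANTS = [
    {"id": "g1", "principal": "alice", "target": "db-prod", "request_id": "REQ-1",
     "issued": "2024-05-01T10:00:00", "expires": "2024-05-01T10:30:00",
     "task_done": "2024-05-01T10:20:00", "revoked": "2024-05-01T10:21:00",
     "session_log": "rec-001"},
    {"id": "g2", "principal": "svc-backup", "target": "plc-gw", "request_id": None,
     "issued": "2023-01-01T00:00:00", "expires": None,
     "task_done": None, "revoked": None, "session_log": None},
    {"id": "g3", "principal": "bob", "target": "k8s-admin", "request_id": "REQ-2",
     "issued": "2024-05-01T09:00:00", "expires": "2024-05-01T17:00:00",
     "task_done": "2024-05-01T09:10:00", "revoked": None,
     "session_log": "rec-002"},
]

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def audit_grant(g):
    """Return the zero-standing-privilege findings for one grant record."""
    findings = []
    issued, expires = _ts(g["issued"]), _ts(g["expires"])
    done, revoked = _ts(g["task_done"]), _ts(g["revoked"])
    if not g["request_id"]:
        findings.append("no-request")        # not issued against a stated need
    if expires is None:
        findings.append("no-expiry")         # standing credential
    elif expires - issued > MAX_TTL:
        findings.append("ttl-too-long")
    if done is not None:
        # Access really ends at revocation, or at expiry if nobody revoked it.
        end = revoked or expires
        if end is None or end - done > REVOKE_SLACK:
            findings.append("outlives-task")
    if not g["session_log"]:
        findings.append("no-audit-trail")
    return findings

def audit(grants):
    return {g["id"]: f for g in grants if (f := audit_grant(g))}

if __name__ == "__main__":
    for grant_id, found in audit(GRANTS).items():
        print(grant_id, ", ".join(found))
```
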
