TL;DR: Privileged access management is moving beyond administrator accounts toward action-based governance across humans, service accounts, APIs, workloads, and AI-driven systems, according to SSH Communications Security’s coverage of Alejandro Leal’s EMEA Partner Summit remarks. The shift makes visibility, short-lived access, and context-aware authorization the control points that matter most.
NHIMG editorial — based on content published by SSH Communications Security: analysis of PAM beyond administrator accounts
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should security teams govern privileged access across service accounts and AI-driven systems?
A: Security teams should govern privileged access by focusing on the actions an identity can perform, not only on the account it uses.
Q: Why do non-human identities change the PAM risk model?
A: Non-human identities change the PAM risk model because they authenticate continuously, operate at machine speed, and often lack stable human ownership.
Q: What breaks when privilege is still managed as an account problem?
A: When privilege is still managed as an account problem, security teams miss the action-level permissions that actually create risk.
Practitioner guidance
- Map privileged actions before privileged accounts: create an action inventory for the top sensitive operations in your environment, then map humans, service accounts, APIs, workloads, and AI-driven systems to each one.
- Assign clear owners to every non-human identity: require a business or technical owner for each service account, token, workload identity, and automation path.
- Replace standing access with task-scoped controls: use short-lived credentials and real-time policy enforcement for privileged operations that do not need persistent access.
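The three steps above can be turned into a single deny-by-default check. The following is an added example written for this editorial, not code from SSH Communications Security or from the summarised article; the action inventory, identity kinds, owners and credential lifetimes are all constructed sample data, and the ticket requirement is an assumed policy attribute. It evaluates the same request under the legacy account-level model (an admin flag) and under an action-level model (action in inventory, owner present, identity kind permitted, credential unexpired and scoped to the action), so the difference between the two is visible on the same input:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

# Step 1: action inventory, built before any account is looked at.
# Constructed sample data for this example, not taken from the source article.
ACTION_INVENTORY = {
    "db.prod.export": {"allowed_kinds": {"human", "service"}, "needs_ticket": True},
    "kms.key.rotate": {"allowed_kinds": {"human", "workload"}, "needs_ticket": True},
    "ci.deploy.prod": {"allowed_kinds": {"workload", "ai_agent"}, "needs_ticket": False},
}


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                 # human | service | api | workload | ai_agent (assumed taxonomy)
    owner: Optional[str]      # step 2: every non-human identity needs one
    is_admin: bool = False    # the legacy, account-level privilege flag


@dataclass(frozen=True)
class Credential:
    subject: str
    issued_at: datetime
    ttl: timedelta            # step 3: short-lived ...
    actions: FrozenSet[str]   # ... and scoped to named actions at issue time

    def expired(self, now: datetime) -> bool:
        return now > self.issued_at + self.ttl


def account_based_decision(identity: Identity) -> bool:
    """The model the page argues against: an admin flag grants everything,
    regardless of the action, the owner or the age of the credential."""
    return identity.is_admin


def action_based_decision(identity: Identity, cred: Credential, action: str,
                          now: datetime, ticket: Optional[str] = None) -> Tuple[bool, str]:
    """Deny-by-default evaluation over action, owner, identity kind, scope and lifetime."""
    policy = ACTION_INVENTORY.get(action)
    if policy is None:
        return False, "action not in inventory"
    if identity.kind != "human" and identity.owner is None:
        return False, "non-human identity has no owner"
    if identity.kind not in policy["allowed_kinds"]:
        return False, f"{identity.kind} may not perform {action}"
    if cred.subject != identity.name:
        return False, "credential subject mismatch"
    if cred.expired(now):
        return False, "credential expired"
    if action not in cred.actions:
        return False, "action outside credential scope"
    if policy["needs_ticket"] and not ticket:
        return False, "change ticket required"
    return True, "allowed"


def evaluate_scenarios(now: Optional[datetime] = None) -> Dict[str, Tuple[bool, bool, str]]:
    """Run four constructed requests through both models.
    Returns name -> (legacy_allowed, action_allowed, reason)."""
    now = now or datetime.now(timezone.utc)
    fresh, stale, short = now - timedelta(minutes=2), now - timedelta(hours=2), timedelta(minutes=15)

    ci_bot = Identity("ci-bot", "ai_agent", owner=None, is_admin=True)   # admin, but unowned
    alice = Identity("alice", "human", owner=None)                        # no admin flag at all
    rotator = Identity("kms-rotator", "workload", owner="platform-team")
    reporter = Identity("report-svc", "service", owner="data-team")

    requests = {
        "unowned_admin_agent":
            (ci_bot, Credential("ci-bot", fresh, short, frozenset({"ci.deploy.prod"})), "ci.deploy.prod", "CHG-1"),
        "scoped_human_with_ticket":
            (alice, Credential("alice", fresh, short, frozenset({"db.prod.export"})), "db.prod.export", "CHG-2"),
        "stale_workload_credential":
            (rotator, Credential("kms-rotator", stale, short, frozenset({"kms.key.rotate"})), "kms.key.rotate", "CHG-3"),
        "service_wrong_action":
            (reporter, Credential("report-svc", fresh, short, frozenset({"db.prod.export"})), "kms.key.rotate", "CHG-4"),
    }
    results = {}
    for name, (ident, cred, action, ticket) in requests.items():
        allowed, reason = action_based_decision(ident, cred, action, now, ticket)
        results[name] = (account_based_decision(ident), allowed, reason)
    return results


if __name__ == "__main__":
    for name, (legacy, action_ok, reason) in evaluate_scenarios().items():
        print(f"{name:27s} legacy={legacy!s:5s} action-based={action_ok!s:5s} ({reason})")
```

The first scenario is the one the article's framing is about: the legacy check waves the admin-flagged AI agent through, while the action-level check refuses it before even looking at the credential, because nobody owns it. The human with a fresh, scoped credential and a ticket is the inverse case, allowed without any standing admin flag. Real deployments would replace the in-memory inventory and credential objects with the PAM or secrets platform's own records; the ordering of checks (inventory, owner, kind, subject, lifetime, scope, ticket) is the part worth keeping.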
What's in the full article
SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:
- How the article frames identity fabric as a practical operating model for PAM, IGA, secrets management, and cloud entitlements
- The specific posture shifts Leal recommends for short-lived credentials, just-in-time access, and real-time policy enforcement
- The article's discussion of digital sovereignty, cryptographic transition planning, and post-quantum preparation
- The source commentary on how AI changes both privilege escalation speed and identity governance assumptions
👉 Read SSH Communications Security's analysis of PAM beyond administrator accounts →
Privileged actions, not accounts: what IAM teams need to know?
Explore further
Privilege is becoming an action model, not an account model. The article reflects a real shift in identity security: access decisions are increasingly about what an identity can do at runtime, not whether it holds a named privileged account. That aligns with how attackers already work across human, NHI, and AI-driven environments. The implication for practitioners is that PAM must be evaluated as a control layer over behaviour, not a vault around credentials.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: What frameworks help with action-based PAM governance?
A: NIST Cybersecurity Framework 2.0, Zero Trust Architecture, and NHI governance guidance are the most useful starting points. Together they help teams tie privileged access to verification, least privilege, and continuous control. The goal is to align access decisions with the operation being performed, not just the identity type.
👉 Read our full editorial: PAM is shifting to govern privileged actions across identities