
Vaultless PAM and JIT access: is your privileged model keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: Static PAM models struggle with over-permissioned accounts, limited session visibility, and persistent credentials, while EmpowerID argues for agentless, vaultless, just-in-time privilege and recorded sessions across cloud and on-prem environments. The governance shift is not about faster admin access, but about removing standing privilege assumptions that no longer match how privileged work is executed.

NHIMG editorial — based on content published by EmpowerID: advanced PAM and PSM strategy for modern privileged access governance

By the numbers:

Questions worth separating out

Q: How should security teams implement just-in-time privileged access without leaving standing privilege behind?

A: Treat just-in-time access as a revocation problem, not only a provisioning problem.

Q: Why does standing privilege increase the blast radius of privileged accounts?

A: Standing privilege gives attackers a reusable administrative foothold if a credential, token, or session is exposed.

Q: What do security teams get wrong about vault-based PAM?

A: They often assume that storing secrets centrally is the same as governing access lifecycle.

Practitioner guidance

  • Map every privileged path to its true lifetime: inventory where elevated access persists beyond the task, including vault entries, session tokens, delegated admin roles, and API-backed workflows.
  • Test whether JIT access truly removes reuse risk: run controlled validation against elevated sessions to confirm that credentials, tokens, and role assignments cannot be reused after session termination.
  • Consolidate session evidence with approval records: link recorded privileged sessions to the approval event, identity, target system, and command trail so investigations can reconstruct what happened without manual correlation.

What's in the full article

EmpowerID's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step architecture for agentless, vaultless PAM deployment on Kubernetes
  • Detailed session flow for RDP and SSH with secure gateway handling and recording
  • How the basic vault-based model handles rotation, approval workflows, and policy enforcement
  • Connector and API integration detail for Azure, AWS, VMware, and Active Directory

👉 Read EmpowerID's analysis of modern PAM and privileged session management →

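To make the "revocation, not provisioning" framing concrete, here is an added example (not EmpowerID's code or data model, and not from the source article) of a task-bound grant whose validity is decided by session termination as well as its time box, with the recorded command trail joined to the approval record for reconstruction. The approval ids, identities, targets and commands are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed in-memory model of a JIT privilege grant (illustration only, not a vendor API).
@dataclass
class Approval:
    approval_id: str   # the approval event every session must be traceable to
    approver: str
    identity: str
    target: str
    task: str

@dataclass
class Grant:
    approval: Approval
    issued_at: datetime
    ttl: timedelta
    revoked_at: Optional[datetime] = None
    commands: list = field(default_factory=list)  # (timestamp, command) trail

    def is_valid(self, now: datetime) -> bool:
        # Revocation state counts as much as the time box: a terminated session is dead inside its TTL.
        if self.revoked_at is not None and now >= self.revoked_at:
            return False
        return now < self.issued_at + self.ttl

def use_grant(grant: Grant, now: datetime, command: str) -> bool:
    # Record the command under the grant if it is still valid, otherwise refuse it.
    if not grant.is_valid(now):
        return False
    grant.commands.append((now, command))
    return True

def terminate_session(grant: Grant, now: datetime) -> None:
    grant.revoked_at = now  # withdrawal happens at session end, not when the TTL runs out

def reconstruct(grant: Grant) -> dict:
    """Join session evidence to its approval so an investigator need not correlate by hand."""
    end = grant.revoked_at or grant.issued_at + grant.ttl
    return {**vars(grant.approval), "window": (grant.issued_at, end), "commands": list(grant.commands)}

def demo():
    # Constructed scenario: one approved task, session ended early, reuse attempted inside the TTL.
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    approval = Approval("APR-0001", "secops-lead", "alice", "db-prod-01", "rotate replication user")
    grant = Grant(approval, issued_at=t0, ttl=timedelta(minutes=30))
    first = use_grant(grant, t0 + timedelta(minutes=5), "ALTER USER repl WITH PASSWORD ...")
    terminate_session(grant, t0 + timedelta(minutes=10))
    reuse = use_grant(grant, t0 + timedelta(minutes=12), "SELECT * FROM accounts")
    return first, reuse, reconstruct(grant)
```

The second call is the check the guidance above asks for: the grant is still inside its 30-minute box, yet the terminated session must not be reusable, and the reconstructed record carries approver, identity, target, task and window without any manual correlation.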

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

Static privileged access is no longer a safe operating assumption: privileged work now happens across cloud consoles, APIs, session proxies, and identity workflows that change faster than fixed entitlements can describe. The old model assumes privilege can be provisioned once and reviewed later, but that assumption breaks when access must be bounded to a task and withdrawn immediately after use. The implication is that PAM is now a lifecycle discipline, not just a credential store.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when privileged sessions are not properly recorded?

A: The accountable team is usually the one that owns the privileged workflow, not just the infrastructure team that operates the target system. If session logs, approval records, and entitlement data cannot be linked, then no one can reconstruct or defend the access decision after the fact. That is a governance failure, not merely a tooling gap.

👉 Read our full editorial: Why vaultless PAM and JIT access are reshaping privileged governance
