TL;DR: Traditional PAM assumptions break down in cloud environments where short-lived workloads, service accounts, and AI-driven infrastructure access outpace manual review and static credential controls, according to Infisical. The real issue is not just modernization, but that legacy privilege models were built for stable endpoints and human-paced access cycles that no longer exist.
NHIMG editorial — based on content published by Infisical: PAM for Cloud Environments: AWS, Azure, GCP & Multi-Cloud
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: How should teams implement just-in-time privileged access in cloud environments?
A: Start by making privilege task-scoped, time-bound, and automatically revoked when the request ends.
Q: Why do multi-cloud environments make privileged access governance harder?
A: Because AWS, Azure, and GCP use different entitlement models, logging formats, and role inheritance patterns, a control that works in one provider can leave blind spots in another.
Q: What breaks when service account permissions are over-provisioned?
A: Over-provisioned service accounts turn a narrow automation identity into a broad escalation path.
Practitioner guidance
- Re-baseline privileged access around ephemeral workloads Map every cloud privilege path to the workload or task it supports, then remove any access that persists beyond that runtime.
- Unify entitlement visibility across AWS, Azure, and GCP Build a single view of role assignments, session activity, and audit logs across all providers so privilege can be reviewed as one governance problem.
- Treat service account impersonation as privileged escalation Inventory where impersonation permissions, role assumption, and cross-account delegation can expose hidden privilege.
What's in the full article
Infisical's full blog post covers the operational detail this post intentionally leaves for the source:
- AWS-specific escalation paths such as iam:PassRole and ec2:RunInstances combinations that can turn low privilege into administrative control
- Azure-specific friction points between Entra ID, ARM, PIM, and Bastion that affect approval, session control, and audit coverage
- GCP-specific service account impersonation risks, key handling pitfalls, and inheritance issues that are easy to miss in reviews
- The implementation mechanics behind dynamic credential generation, session recording, and approval workflow integration across cloud platforms
👉 Read Infisical's analysis of PAM for AWS, Azure, GCP, and multi-cloud →
Cloud PAM and NHI sprawl: what IAM teams need to know?
Explore further
Cloud PAM is now an identity governance problem, not a server administration problem. The article shows that the old model assumed known endpoints, stable credentials, and a manageable list of privileged accounts. That assumption breaks once workloads are ephemeral and identities are mostly non-human. The implication is that privileged access policy has to be designed around runtime identity behaviour, not infrastructure permanence.
A few things that frame the scale:
- 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials, according to The 2024 Non-Human Identity Security Report.
- Only 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which shows how much of the exposure still sits in basic handling practices rather than sophisticated attacks.
A question worth separating out:
Q: Who is accountable when privileged cloud access is granted outside normal review cycles?
A: Accountability sits with the programme owner who approved the control design, not just the operator who used the access. Cloud PAM needs clear ownership for who can grant elevation, who can revoke it, and who is responsible for audit completeness when access spans multiple clouds.
👉 Read our full editorial: PAM for cloud environments is being reshaped by NHI sprawl