It shows that privileged access management is increasingly being shaped by capital, channel strategy, and regulated-sector distribution, not just by technical features. For practitioners, the key question is whether the vendor's operating model still supports auditability, portability, and long-term control ownership when ownership and market rights change.
Why This Matters for Security Teams
The SSH and Leonardo partnership is a reminder that privileged access governance is no longer decided only by architecture. Distribution, ownership, and regulated-sector reach can shape how PAM is packaged, supported, and audited, which changes who controls roadmap priorities and operational assurances. That matters because privileged access programs depend on continuity, evidence, and revocation discipline, not just feature checklists. Current guidance from the OWASP Non-Human Identity Top 10 and the NIST Cybersecurity Framework 2.0 both point toward governance that can survive vendor and operating-model change. That is especially relevant when privileged workflows increasingly cover NHIs, service accounts, and automation rather than only human admins.
NHIMG research shows how quickly the control problem can widen when identity sprawl is not governed end to end. In The State of Non-Human Identity Security, Astrix Security & CSA found that only 1.5 out of 10 organisations are highly confident in securing NHIs. In practice, many security teams encounter portability and auditability gaps only after a vendor transition, renewal, or ownership change has already altered the control plane.
How It Works in Practice
For practitioners, the partnership should be evaluated as a governance question, not a branding event. The key issue is whether privileged access records, policy logic, session evidence, and credential lifecycle controls remain independently inspectable if commercial rights, support boundaries, or delivery channels change. That means asking who owns logs, how revocation is enforced, what happens to secrets at exit, and whether admin activity can be exported without vendor dependency.
In mature programs, the control model usually spans both human and non-human privileged access. The operational standard is to map the vendor relationship to lifecycle processes such as onboarding, approval, rotation, deprovisioning, and evidence retention, then test them against regulatory and audit expectations. The NHIMG Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because privileged access governance breaks down when ownership is unclear at any point in the identity lifecycle.
- Confirm whether policy enforcement is exportable or trapped inside a managed service boundary.
- Verify that session recording, command logs, and approval history remain available to the customer after a commercial change.
- Require clear handling for static secrets, short-lived tokens, and emergency access paths.
- Test that a change in channel partner or ownership does not reset audit trails or break revocation workflows.
Best practice is evolving toward zero standing privilege, just-in-time elevation, and workload-aware controls for privileged automation. That aligns with the direction of the Ultimate Guide to NHIs — Regulatory and Audit Perspectives and with the access governance emphasis in the NIST Cybersecurity Framework 2.0. These controls tend to break down when a vendor locks evidence, policy, or revocation into a proprietary operating model because portability becomes a contractual issue rather than a security control.
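The checklist above and the zero-standing-privilege model can be made concrete with a small evidence store. The following added example (written for this page; it is not code from SSH, Leonardo, or NHIMG, and its event names, fields and sample principals are constructed) models just-in-time grants that expire on their own, explicit revocation events, and an export in plain JSON Lines whose integrity any party can re-verify with a hash chain and no vendor tooling. Standing access is reconstructed from the exported records alone, which is exactly the property a customer needs if the operating model changes.

```python
"""Portable, independently verifiable privileged-access evidence (illustration only)."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # constructed chain anchor for the first record


def _canonical(obj) -> bytes:
    # Deterministic serialisation so an independent verifier recomputes the same digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class EvidenceLog:
    """Append-only, hash-chained record of privileged-access events."""
    records: list = field(default_factory=list)

    def append(self, event: str, **payload) -> dict:
        prev = self.records[-1]["digest"] if self.records else GENESIS
        body = {"seq": len(self.records), "event": event, "payload": payload, "prev": prev}
        rec = {**body, "digest": hashlib.sha256(_canonical(body)).hexdigest()}
        self.records.append(rec)
        return rec

    def export(self) -> str:
        # JSON Lines: readable with commodity tools, no proprietary format.
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def verify_export(jsonl: str) -> bool:
    """Recompute the chain from an exported file; any edit, deletion or reorder fails."""
    prev = GENESIS
    for seq, line in enumerate(jsonl.splitlines()):
        rec = json.loads(line)
        body = {k: rec[k] for k in ("seq", "event", "payload", "prev")}
        if rec["seq"] != seq or rec["prev"] != prev:
            return False
        if hashlib.sha256(_canonical(body)).hexdigest() != rec["digest"]:
            return False
        prev = rec["digest"]
    return True


def grant_jit(log: EvidenceLog, principal, target, approver, minutes, now) -> str:
    """Just-in-time elevation: every grant carries an approver and an expiry."""
    expires = now + timedelta(minutes=minutes)
    rec = log.append("grant", principal=principal, target=target, approver=approver,
                     issued=now.isoformat(), expires=expires.isoformat())
    return rec["digest"]  # the record digest doubles as the grant id


def revoke(log: EvidenceLog, grant_id: str, reason: str, now) -> None:
    log.append("revoke", grant=grant_id, reason=reason, at=now.isoformat())


def effective_grants(log: EvidenceLog, now) -> list:
    """Rebuild standing access from evidence alone: inside its window and never revoked."""
    revoked = {r["payload"]["grant"] for r in log.records if r["event"] == "revoke"}
    active = []
    for r in log.records:
        if r["event"] != "grant" or r["digest"] in revoked:
            continue
        p = r["payload"]
        if datetime.fromisoformat(p["issued"]) <= now < datetime.fromisoformat(p["expires"]):
            active.append((p["principal"], p["target"]))
    return active


def demo() -> dict:
    # Constructed scenario: one human admin, one workload identity, one revocation.
    t0 = datetime(2026, 6, 8, 9, 0, tzinfo=timezone.utc)
    log = EvidenceLog()
    grant_jit(log, "alice", "prod-db-01", "bob", 30, t0)
    g_svc = grant_jit(log, "svc-backup", "prod-db-01", "bob", 15, t0)
    revoke(log, g_svc, "pipeline finished", t0 + timedelta(minutes=5))
    export = log.export()
    # Simulated after-the-fact edit of the exported approver field; the chain detects it.
    tampered = export.replace('"approver": "bob"', '"approver": "eve"', 1)
    return {
        "active_t10": effective_grants(log, t0 + timedelta(minutes=10)),
        "active_t45": effective_grants(log, t0 + timedelta(minutes=45)),
        "export_ok": verify_export(export),
        "tampered_ok": verify_export(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The hash chain gives integrity and ordering, not authenticity: a customer who also needs non-repudiation against the operator would sign each digest with a key the customer controls. The design point for the procurement questions above is narrower: the grant window, the approver, and the revocation are all recoverable from a text file, so revocation discipline and audit evidence do not depend on who sells or runs the tool.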
Common Variations and Edge Cases
Tighter PAM governance often increases procurement friction and integration overhead, requiring organisations to balance operational simplicity against long-term control ownership. That tradeoff becomes sharper in regulated environments, where outsourced delivery can improve speed but also make evidence retention, segregation of duties, and exit planning harder to prove.
There is no universal standard for this yet, but current guidance suggests treating the vendor structure as part of the control environment. If a partnership changes who sells, supports, or operates privileged access tooling, the security team should reassess assurance clauses, data portability, incident notification, and the right to export logs and configuration state. The 52 NHI Breaches Analysis reinforces why this matters: once identity governance is compromised or obscured, detection and recovery are harder than prevention.
This is especially important where PAM also governs service accounts and API credentials, not just human admins. In those cases, the real question is whether the operating model can still support rapid revocation, independent audit, and workload visibility if the commercial relationship changes. For regulated-sector buyers, that is often the difference between a manageable control and a future exit problem.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential lifecycle and rotation are central to vendor-portable privileged access governance. |
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and authentication governance apply to privileged admin access and evidence. |
| NIST CSF 2.0 | GV.RM-03 | Vendor and third-party risk governance fits the ownership and channel-change concern here. |
Document who can administer privileged access and ensure authentication evidence stays exportable.
Related resources from NHI Mgmt Group
- What is the difference between role-based access and API key governance for NHI security?
- What does the 144:1 NHI-to-human ratio mean for IAM governance programmes?
- How can organisations tell whether contextual access decisions are improving governance?
- Why does access governance affect software engineer burnout?
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org