Newsletter
Stay up to date with our monthly newsletter.
Covering the latest thought leadership, events, and news about identity security
What We Do
Partners
© MajorKey 2026

Privileged Access Management (PAM) has long been a foundational component of enterprise security programs, helping organizations secure administrator accounts, vault credentials, and meet audit requirements.
Today's environments demand a broader approach. Cloud adoption, automation, machine identities, and dynamic infrastructure have fundamentally changed what privileged access means. Organizations now face the challenge of securing every identity and entitlement that can access critical systems and data.
Modernizing PAM is no longer just about deploying a tool. It's about building a scalable identity security program for the future.
In a recent discussion with Palo Alto Networks, Dan Ross shared his perspective on how PAM is evolving beyond traditional administrator accounts and becoming a core component of modern identity security strategies.

"If you're thinking about just admin accounts and privileged IDs, you're only looking at a very small piece of the puzzle."
— Dan Ross, Director of IAM, MajorKey Technologies
For years, PAM programs focused on a relatively narrow scope. Most implementations centered around securing administrator credentials used to manage servers and infrastructure.
Organizations must account for a growing ecosystem of identities that interact with critical resources, including:
Perhaps the clearest sign that privileged access is evolving is the rise of non-human identities. According to Palo Alto Networks' 2026 Identity Security Landscape Report, machine identities now outnumber human identities by 109 to 1, driven by cloud services, automation, APIs, workloads, and AI agents. Security teams can no longer focus solely on administrator accounts. They must secure an increasingly complex ecosystem of machine identities and privileged access paths.
The first step in modernization is understanding what identities exist across the enterprise and recognizing that privileged access extends far beyond traditional administrator credentials.
Many organizations invest in PAM to meet a compliance requirement or address a specific security concern. They deploy a solution, onboard accounts, and consider the project complete.
One of the most common mistakes I see is organizations treating PAM as an isolated project. Six months after completion, cloud adoption accelerates, new machine identities appear, and the original design no longer reflects reality. Instead of focusing only on today's requirements, it is important to develop a roadmap that aligns PAM with broader identity security goals and future business needs.
This mindset is especially important as cloud-native environments continue to evolve. Servers and workloads may exist for only hours or days, making static privilege models increasingly difficult to manage. Organizations that design PAM programs around future growth are less likely to find themselves rebuilding access models every time a new cloud platform or automation initiative is introduced.
The growth of cloud infrastructure and dynamic workloads has accelerated interest in concepts such as Just-in-Time (JIT) access and Zero Standing Privilege (ZSP). These approaches address a fundamental challenge: permanent privileged access can create unnecessary risk.
In large environments, organizations can quickly accumulate thousands of privileged accounts, creating governance and security challenges. JIT access addresses this by granting privileges only when needed and removing them when the task is complete.
The benefits are significant:
As organizations continue adopting cloud-native architectures, JIT and ZSP are becoming foundational components of mature PAM programs.
"Having it set up properly means you have zero accounts on those servers that get made as soon as they are needed, and then when they're no longer needed, they go away."
— Dan Ross, Director of IAM, MajorKey Technologies
Identity has increasingly become the primary control plane for cybersecurity. As a result, PAM can no longer operate in isolation. Today, privileged access must be considered as part of a broader identity security strategy.
Modern PAM programs should align with:
Frameworks such as Idira Blueprint provide valuable guidance for organizations pursuing PAM modernization. However, no framework should be viewed as a one-size-fits-all solution.
Every organization has unique business priorities, risk profiles, regulatory requirements, and operational objectives. Success comes from adapting proven methodologies to fit organizational needs while maintaining a long-term vision.
One of the biggest misconceptions about PAM is that stronger controls inevitably create more friction.
When organizations invest the time to understand their access requirements, define the appropriate entitlement models, and design their PAM architecture properly, they often improve both security and operational efficiency.
A more sustainable approach includes:
When PAM is designed around both security and usability, organizations can strengthen controls without slowing down the business.
The reality is that most privileged access environments have become far more complex than the PAM programs originally designed to protect them. Machine identities, cloud entitlements, short-lived workloads, and AI agents have expanded the attack surface in ways many organizations are still struggling to address. The teams succeeding today are treating PAM as part of a broader identity security strategy rather than a standalone technology project. That's where the next generation of identity security is heading.
Modern Privileged Access Management (PAM) is a broader identity security strategy that protects not only administrator accounts, but also cloud entitlements, service accounts, application identities, APIs, machine identities, automated workloads, and ephemeral infrastructure. The blog explains that privileged access now extends across every identity and entitlement that can reach critical systems and data.
Traditional PAM programs were often designed around securing administrator credentials used to manage servers and infrastructure. Today, cloud adoption, automation, machine identities, and dynamic infrastructure have changed what privileged access means, requiring organizations to secure a much larger and more complex identity ecosystem.
A modern PAM program should account for human administrators, cloud permissions and entitlements, service accounts, application identities, APIs, machine identities, automated workloads, and ephemeral cloud infrastructure. The blog emphasizes that privileged access now includes far more than traditional privileged IDs.
Treating PAM as a standalone project can leave organizations with access models that quickly become outdated as cloud adoption accelerates and new machine identities emerge. A stronger approach is to build a roadmap that aligns PAM with broader identity security goals and future business needs.
Just-in-Time access and Zero Standing Privilege are approaches that reduce the risk of permanent privileged access by granting elevated permissions only when needed and removing them when the task is complete. These models are becoming important as cloud infrastructure and dynamic workloads continue to grow.
Just-in-Time access and Zero Standing Privilege can help reduce attack surface, lower administrative overhead, strengthen least-privilege practices, improve auditability, and support better scalability. The blog positions these benefits as especially important for large and complex environments with many privileged accounts.
PAM should be aligned with Identity Governance and Administration, workforce identity, access management, cloud security, machine identity security, and threat detection and response. The blog notes that identity has become a primary control plane for cybersecurity, which means PAM can no longer operate in isolation.
Yes. When organizations understand access requirements, define appropriate entitlement models, and design PAM architecture properly, they can improve both security and operational efficiency. The blog emphasizes that PAM should be designed around both security and usability.
Organizations should start by identifying privileged identities and access requirements across the enterprise, then defining entitlement models, governance controls, lifecycle processes, and automation opportunities. The blog notes that the first step is recognizing that privileged access extends well beyond traditional administrator credentials.
The future of PAM is tied to broader identity security. As machine identities, cloud entitlements, short-lived workloads, and AI agents expand the attack surface, successful teams are treating PAM as part of a long-term identity security strategy rather than a standalone technology project.
