Modernizing PAM for the Identity Era: Expanding Beyond Traditional Privileged Accounts

July 16, 2026
|
Duration:
7
min READ

Privileged Access Management (PAM) has long been a foundational component of enterprise security programs, helping organizations secure administrator accounts, vault credentials, and meet audit requirements.

Today's environments demand a broader approach. Cloud adoption, automation, machine identities, and dynamic infrastructure have fundamentally changed what privileged access means. Organizations now face the challenge of securing every identity and entitlement that can access critical systems and data.

Modernizing PAM is no longer just about deploying a tool. It's about building a scalable identity security program for the future.

Video Insight from Dan Ross

In a recent discussion with Palo Alto Networks, Dan Ross shared his perspective on how PAM is evolving beyond traditional administrator accounts and becoming a core component of modern identity security strategies.

Modern PAM in Practice: Automating Privilege Without Slowing the Business
"If you're thinking about just admin accounts and privileged IDs, you're only looking at a very small piece of the puzzle."
— Dan Ross, Director of IAM, MajorKey Technologies

The Definition of Privileged Access Has Changed

For years, PAM programs focused on a relatively narrow scope. Most implementations centered around securing administrator credentials used to manage servers and infrastructure.

Organizations must account for a growing ecosystem of identities that interact with critical resources, including:

  • Human administrators
  • Cloud permissions and entitlements
  • Service accounts
  • Application identities
  • APIs
  • Machine identities
  • Automated workloads
  • Ephemeral cloud infrastructure

Perhaps the clearest sign that privileged access is evolving is the rise of non-human identities. According to Palo Alto Networks' 2026 Identity Security Landscape Report, machine identities now outnumber human identities by 109 to 1, driven by cloud services, automation, APIs, workloads, and AI agents. Security teams can no longer focus solely on administrator accounts. They must secure an increasingly complex ecosystem of machine identities and privileged access paths.

The first step in modernization is understanding what identities exist across the enterprise and recognizing that privileged access extends far beyond traditional administrator credentials.

The Problem with Treating PAM as a Tool

Many organizations invest in PAM to meet a compliance requirement or address a specific security concern. They deploy a solution, onboard accounts, and consider the project complete.

One of the most common mistakes I see is organizations treating PAM as an isolated project. Six months after completion, cloud adoption accelerates, new machine identities appear, and the original design no longer reflects reality. Instead of focusing only on today's requirements, it is important to develop a roadmap that aligns PAM with broader identity security goals and future business needs.

This mindset is especially important as cloud-native environments continue to evolve. Servers and workloads may exist for only hours or days, making static privilege models increasingly difficult to manage. Organizations that design PAM programs around future growth are less likely to find themselves rebuilding access models every time a new cloud platform or automation initiative is introduced.

Why Just-in-Time Access and Zero Standing Privilege Matter

The growth of cloud infrastructure and dynamic workloads has accelerated interest in concepts such as Just-in-Time (JIT) access and Zero Standing Privilege (ZSP). These approaches address a fundamental challenge: permanent privileged access can create unnecessary risk.

In large environments, organizations can quickly accumulate thousands of privileged accounts, creating governance and security challenges. JIT access addresses this by granting privileges only when needed and removing them when the task is complete.

The benefits are significant:

  • Reduced attack surface
  • Lower administrative overhead
  • Stronger adherence to least-privilege principles
  • Improved auditability
  • Better scalability

As organizations continue adopting cloud-native architectures, JIT and ZSP are becoming foundational components of mature PAM programs.

"Having it set up properly means you have zero accounts on those servers that get made as soon as they are needed, and then when they're no longer needed, they go away."
— Dan Ross, Director of IAM, MajorKey Technologies

PAM's Role in the Bigger Identity Security Picture

Identity has increasingly become the primary control plane for cybersecurity. As a result, PAM can no longer operate in isolation. Today, privileged access must be considered as part of a broader identity security strategy.

Modern PAM programs should align with:

  • Identity Governance and Administration (IGA)
  • Workforce identity initiatives
  • Access management programs
  • Cloud security strategies
  • Machine identity security
  • Threat detection and response initiatives

Frameworks such as Idira Blueprint provide valuable guidance for organizations pursuing PAM modernization. However, no framework should be viewed as a one-size-fits-all solution.

Every organization has unique business priorities, risk profiles, regulatory requirements, and operational objectives. Success comes from adapting proven methodologies to fit organizational needs while maintaining a long-term vision.

Security and Agility Are Not Opposing Goals

One of the biggest misconceptions about PAM is that stronger controls inevitably create more friction.

When organizations invest the time to understand their access requirements, define the appropriate entitlement models, and design their PAM architecture properly, they often improve both security and operational efficiency.

A more sustainable approach includes:

  1. Identifying all privileged identities and access requirements
  2. Defining appropriate entitlements and governance controls
  3. Establishing lifecycle management processes
  4. Implementing automation wherever practical
  5. Aligning PAM initiatives with broader business objectives

When PAM is designed around both security and usability, organizations can strengthen controls without slowing down the business.

Building a PAM Strategy for What's Next

The reality is that most privileged access environments have become far more complex than the PAM programs originally designed to protect them. Machine identities, cloud entitlements, short-lived workloads, and AI agents have expanded the attack surface in ways many organizations are still struggling to address. The teams succeeding today are treating PAM as part of a broader identity security strategy rather than a standalone technology project. That's where the next generation of identity security is heading.


Frequently Asked Questions

What is modern Privileged Access Management?

Modern Privileged Access Management (PAM) is a broader identity security strategy that protects not only administrator accounts, but also cloud entitlements, service accounts, application identities, APIs, machine identities, automated workloads, and ephemeral infrastructure. The blog explains that privileged access now extends across every identity and entitlement that can reach critical systems and data.

Why does PAM need to expand beyond administrator accounts?

Traditional PAM programs were often designed around securing administrator credentials used to manage servers and infrastructure. Today, cloud adoption, automation, machine identities, and dynamic infrastructure have changed what privileged access means, requiring organizations to secure a much larger and more complex identity ecosystem.

What types of identities should a modern PAM program include?

A modern PAM program should account for human administrators, cloud permissions and entitlements, service accounts, application identities, APIs, machine identities, automated workloads, and ephemeral cloud infrastructure. The blog emphasizes that privileged access now includes far more than traditional privileged IDs.

Why is treating PAM as a one-time tool deployment a problem?

Treating PAM as a standalone project can leave organizations with access models that quickly become outdated as cloud adoption accelerates and new machine identities emerge. A stronger approach is to build a roadmap that aligns PAM with broader identity security goals and future business needs.

What are Just-in-Time (JIT) access and Zero Standing Privilege?

Just-in-Time access and Zero Standing Privilege are approaches that reduce the risk of permanent privileged access by granting elevated permissions only when needed and removing them when the task is complete. These models are becoming important as cloud infrastructure and dynamic workloads continue to grow.

How do JIT access and Zero Standing Privilege reduce risk?

Just-in-Time access and Zero Standing Privilege can help reduce attack surface, lower administrative overhead, strengthen least-privilege practices, improve auditability, and support better scalability. The blog positions these benefits as especially important for large and complex environments with many privileged accounts.

How does PAM fit into a broader identity security strategy?

PAM should be aligned with Identity Governance and Administration, workforce identity, access management, cloud security, machine identity security, and threat detection and response. The blog notes that identity has become a primary control plane for cybersecurity, which means PAM can no longer operate in isolation.

Can organizations strengthen PAM without slowing down the business?

Yes. When organizations understand access requirements, define appropriate entitlement models, and design PAM architecture properly, they can improve both security and operational efficiency. The blog emphasizes that PAM should be designed around both security and usability.

Where should organizations start with PAM modernization?

Organizations should start by identifying privileged identities and access requirements across the enterprise, then defining entitlement models, governance controls, lifecycle processes, and automation opportunities. The blog notes that the first step is recognizing that privileged access extends well beyond traditional administrator credentials.

What is the future of PAM?

The future of PAM is tied to broader identity security. As machine identities, cloud entitlements, short-lived workloads, and AI agents expand the attack surface, successful teams are treating PAM as part of a long-term identity security strategy rather than a standalone technology project.

Authors

Dan Ross

Director of IAM
linkedin logo
Connect on LinkedIn

Recent Blogs

Blog

Make AI Boring

Make AI Boring

As AI becomes more deeply embedded across the enterprise, leaders must focus on the decisions, tradeoffs, and accountability required to scale responsibly.

Blog

What You Need to Know About Microsoft Entra ID’s SSPR Update and How to Mitigate its Operational Risks

Microsoft Entra ID’s SSPR Update and How to Mitigate its Operational Risks

What C-suite leaders need to know about the upcoming Microsoft Entra ID SSPR changes, its operational risks, and how to mitigate them.

Blog

Why IAM Becomes the Critical Path in Application Delivery

Why IAM Becomes the Critical Path in Application Delivery

IAM isn't why most projects start, but it's often why they stall. Learn how proactive identity governance accelerates application delivery.

Blog

TLS Certificates Are Privileged Credentials, CISOs Must Treat Them That Way

TLS Certificates Are Privileged Credentials, CISOs Must Treat Them That Way

Learn why CISOs must treat TLS certificates as machine identities to reduce outages, enforce governance, and strengthen Zero Trust.

Blog

Identity Modernization Is Dead. Long Live AI Readiness!

Identity Modernization Is Dead. Long Live AI Readiness!

AI readiness succeeds when healthcare organizations take an identity-first approach rather than a model-first one.

Blog

Evidence-Based Identity Governance for Streamlined Audits in Healthcare

Evidence-Based Identity Governance for Streamlined Audits in Healthcare

Auditors don’t just ask who has access today. Identity governance needs to be reframed as a continuous regulatory defense, not a periodic compliance exercise.

Blog

The Cost of Waiting: How Access Delays Erode Clinical Efficiency

The Cost of Waiting: How Access Delays Erode Clinical Efficiency

A modern identity strategy ensures access is there when it’s needed, protects clinical operations, and delivers measurable business value without disrupting care.

Blog

Identity Modernization: The Foundation for AI Readiness in Healthcare

Identity Modernization: The Foundation for AI Readiness in Healthcare

In a healthcare setting, AI failures can cause real harm. A strong identity foundation serves as the operational foundation for AI.

Blog

Decentralized Identity Explained: A Practical Q&A for 2026

Decentralized Identity Explained: A Practical Q&A for 2026

Explore the key concepts, benefits, challenges, and emerging trends shaping decentralized identity in 2026 and beyond.

Blog

IGA and Change Management: A Guide to Successful Engagements

IGA and Change Management: A Guide to Successful Engagements

When effective change management is integrated with IGA implementations from the start, organizations reduce resistance, increase alignment, and ensure new identity processes take root in a sustainable, scalable way.

Blog

Outcome‑Driven IAM: Why Identity Programs Win on Results, Not Tools

Outcome‑Driven IAM: Why Identity Programs Win on Results, Not Tools

Why IAM programs fail despite strong tools, and how outcome‑driven IAM delivers measurable risk reduction, audit readiness, and business value.

Blog

Breaking Down Identity Silos: Why Fragmented Systems Create Risk and Complexity

Breaking Down Identity Silos: Why Fragmented Systems Create Risk and Complexity

Learn about the challenges created by identity silos, the trade-offs between consolidation and governance, and how organizations can determine the most effective path forward.

Blog

Identity Proofing 101: A Practical Guide for Modern Organizations

Identity Proofing 101: A Practical Guide for Modern Organizations

Discover why identity proofing is a foundational security control for modern organizations.

Blog

Preparing your Organization for AI-Driven Identity Threats

Preparing your Organization for AI-Driven Identity Threats

Learn how AI‑driven identity threats are evolving and why governing AI agents as managed, privileged identities is key to secure, responsible AI adoption.

Blog

KPIs for App Onboarding: What to Measure and Why It Matters

KPIs for App Onboarding: What to Measure and Why It Matters

The most useful KPIs for app onboarding include percent of applications onboarded, time‑to‑onboard, and realized business value or ROI. These metrics give stakeholders clear visibility into progress and help keep the onboarding program accountable and predictable.

Blog

Have You Solved Your IAM Problem?

Have You Solved Your IAM Problem?

Struggling to make sense of your IAM ecosystem? Discover how to overcome tool overload, achieve continuous reliability, and align identity management with business outcomes. Learn practical strategies for visibility, observability, intelligence, and action—plus insights on AI’s impact in modern IAM.

Privileged Identity
Advisory
No items found.