Beyond the Vault: Modernising Privileged Access Management for 2026
Author: Tim Schindler, Principal Consultant at CyberIAM

For a long time, privileged access management (PAM) has meant one thing. The Vault. This is also known as Legacy PAM. The vault allowed you to store credentials securely, rotate them on a schedule, and control who checks them out. All of which worked well when everything sat in a data centre and didn't change much.

That is no longer the world we live in.

We now have cloud environments, hybrid setups, DevOps pipelines, and service accounts everywhere.

The way privileged access works has changed, and many management programs haven't kept up.

If you're wondering whether your privileged access infrastructure is enough, or whether you need to explore alternative PAM solutions, this article is for you.

What Do We Mean by Legacy Privileged Access Management (PAM)?

When we talk about legacy PAM, we're referring to programs where the vault is the centre of everything.

 

This includes:

  • Check-in/check-out workflows for credentials
  • Users and service accounts with standing privileges that are always on
  • Passwords rotating on fixed schedules (30, 60, 90 days)
  • Multiple vaults scattered across business units with no central governance
  • Manual onboarding that takes forever
  • Session monitoring that exists but lacks real-time risk context

 

These approaches made sense when access patterns were predictable. Relying on them alone is no longer sufficient.

What Does Modern PAM Look Like?

Modern PAM flips the focus from ‘where are the credentials stored?’ to ‘who needs access to what, and when?’. It's less vault-centric and more identity-centric, aligning with Zero Trust principles.

 

The core principles of modern PAM are easy to understand if you have the right guide.

 

They include:

  • Zero Standing Privileges (ZSP): No single identity keeps consistent elevated access. An individual receives privileges when they need them, and they're revoked when that access is no longer required. This is the direction the industry has been moving in for years, and for good reason. Standing privileges give attackers time to move laterally once they're in.
  • Just-in-Time (JIT) access: JIT is how you implement ZSP. Credentials or access rights are provisioned at the moment of need, for a specific duration. When that period of necessity runs out, access expires automatically. This dramatically shrinks the window an attacker has to exploit compromised credentials.
  • Continuous authorisation: Rather than a single check at login, access decisions are evaluated throughout the session. Device posture, location, and behaviour patterns are monitored in real time. If something looks off, access can be revoked or stepped up without waiting for the next login.
  • Least privilege: Access is scoped to the minimum needed for a specific task, both in breadth (which resources are needed) and depth (what level of access). Essentially, this means granting ‘read-only’ when ‘read-only’ suffices, and granting ‘standard user’ when admin isn't needed.
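As an added illustration (not code from the article or from CyberIAM), the Python below models the four principles as a minimal JIT broker: every grant is scoped to one resource and access level, capped in duration so it expires on its own, and re-checked against device posture and step-up status on every use rather than only at login; it also reports the live standing-privilege count that a ZSP programme tracks. The class, the `MAX_TTL` policy and the posture keys are assumptions for the example, not any product's API.

```python
from dataclasses import dataclass

@dataclass
class Grant:
    identity: str
    resource: str
    level: str         # least-privilege depth: "read" or "admin"
    expires_at: float  # epoch seconds; access ends automatically after this
    revoked: bool = False

class JitBroker:
    """Holds no standing privileges: every grant is scoped, timed and re-checked (constructed example)."""
    MAX_TTL = 3600  # assumed policy: no single grant may outlive one hour

    def __init__(self):
        self.grants = []

    @staticmethod
    def _authorised(level, posture):
        # Risk signals are checked at grant time and again on every use.
        if not posture.get("device_compliant"):
            return False
        if level == "admin" and not posture.get("mfa_recent"):
            return False  # deeper access requires a recent step-up
        return True

    def request(self, identity, resource, level, ttl, now, posture):
        """JIT: issue a grant only for a bounded window and only if policy passes."""
        if level not in ("read", "admin"):
            raise ValueError("unknown access level")
        if ttl <= 0 or ttl > self.MAX_TTL:
            return None  # open-ended or oversized windows are standing access in disguise
        if not self._authorised(level, posture):
            return None
        grant = Grant(identity, resource, level, now + ttl)
        self.grants.append(grant)
        return grant

    def check(self, grant, now, posture):
        """Continuous authorisation: re-evaluate on every use, not just at login."""
        if grant.revoked or now >= grant.expires_at:
            grant.revoked = True
            return False
        if not self._authorised(grant.level, posture):
            grant.revoked = True  # posture changed mid-session: pull access immediately
            return False
        return True

    def standing_privileges(self, now):
        """ZSP metric: live elevated grants at this instant; should trend towards zero."""
        return sum(1 for g in self.grants if not g.revoked and now < g.expires_at)
```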

 

Modern PAM also needs to work across cloud platforms, SaaS apps, containers, and ephemeral infrastructure without requiring agents at every point. A modernised PAM solution should integrate with secrets management, session management, and Identity Threat Detection and Response (ITDR). The lines between these disciplines are blurring.

 

To be clear, vaults aren't going anywhere.

 

There will always be accounts where standing privileges cannot be removed, such as local built-in administrator accounts, root accounts for cloud service providers, and break-glass accounts for emergency access. These still need to be vaulted, rotated, and protected. The difference is that in modern PAM, the vault is no longer the primary focus. It's one component of a broader identity-centric strategy.

Why This Matters Now

We at CyberIAM have observed a few things which are driving this change in the organisations we work with.

 

  • Attackers have adapted. Credential theft and privilege escalation remain top attack vectors. A stolen credential is only as dangerous as the access it provides. When privileges are granted just-in-time and revoked automatically, attackers have far less time to exploit it.
  • The identity perimeter has exploded. Service accounts, API keys, CI/CD credentials, and other machine identities often outnumber human users. They run continuously, lack clear ownership, and rarely get the same governance. Legacy PAM wasn't built for how these identities operate.
  • Compliance expectations keep rising. Regulators want to see that access is controlled dynamically and based on risk, not just that controls exist.
  • Operational friction is costing you. Manual onboarding, access requests stuck in queues, overly broad access granted because it's easier than figuring out the right scope. These are all signs that a PAM program can't keep pace with the business.

 

AI Agents Are Next

AI agents are emerging as a new class of identity that requires privileged access management controls. These autonomous systems reason, act, and access sensitive resources, often with elevated privileges. The same principles apply: no standing access, time-limited permissions, continuous authorisation, and least privilege.

 

Most organisations don't yet have adequate controls for AI agent identities, and adoption is accelerating rapidly. If you're deploying agentic AI, extending PAM controls to these identities from day one is worth considering.

How to Migrate from Legacy to Modern PAM and Update Your Privileged Access Management Infrastructure

Good news! You don't need to rip out all of your existing investments overnight.

 

A practical approach usually involves:

  • Understanding where standing privileges exist and where visibility gaps remain
  • Defining a target state around ZSP, JIT, continuous authorisation, and least privilege
  • Prioritising access patterns that present the biggest risk or friction
  • Layering modern capabilities onto existing infrastructure where possible
  • Tracking metrics like reduction in standing privileges and time-to-access

Are You Ready to Assess Your New PAM Program?

The shift from legacy to modern PAM isn't a product swap; it's a change in how you think about privileged access: from static to dynamic, from vault-first to identity-first, and from humans-only to all identities, including non-human identities (NHIs).

 

At CyberIAM, we help organisations work through this, whether you're optimising an existing program or building a modern PAM strategy from scratch. If you want to discuss where your PAM program currently stands, our fully trained and highly skilled experts are ready to hear from you.
