The Dynamic World

The Dynamic World: Why Privileged Access Must Evolve from Vaults to Just-in-Time

Indigo Consulting Canada  —  IAM & Governance Practice  

July 9th, 2026

Picture of Nicolas Seigneur
Nicolas Seigneur

Chief Technology Officer

The Dynamic World

The cloud did not simply change where workloads run. It changed the fundamental nature of work itself
— ephemeral compute, elastic infrastructure, services that exist for seconds and vanish. We adapted. We
built identity controls for a world where nothing stays still.

Now Agentic AI is applying the same force to privilege. Autonomous agents acting on behalf of users, making decisions, calling APIs, writing to databases, and operating across systems — at machine speed, with minimal human oversight. The question is no longer whether your privileged access model needs to
change. It is whether it will change deliberately, under your governance — or be overwhelmed by a dynamic reality that has already arrived.

The Convergence: Cloud, AI, and the End of Standing Privilege

Three forces are converging to render the traditional vault-and-rotate PAM model structurally inadequate.

Force 1 — Cloud Made Workloads Ephemeral

Cloud-native infrastructure is defined by impermanence. Containers spin up, execute, and terminate. Serverless functions exist only for the duration of a request. Infrastructure-as-code provisions and destroys environments in minutes. Yet many organizations still manage cloud privilege through static assignments — persistent admin accounts, long-lived service account keys, standing entitlements that exist around the clock for workloads that run for seconds.

The data is stark. Gartner research finds that more than 95% of identities use less than 3% of the cloud entitlements they are granted. This is not a misconfiguration problem. It is an architectural one. Standing privilege was designed for a static world. The cloud is not static.

Force 2 — Non-Human Identities Exploded Beyond Human Scale

The fastest-growing identity population in every enterprise is not human. Service accounts, API keys, OAuth tokens, pipeline credentials, Terraform service principals, CI/CD bot accounts — these now outnumber human identities by ratios of 10:1 to 45:1 in mature cloud environments. 94% of organizations report an increase in machine identities, and 26% of organizations believe that over half of their service accounts are over-privileged.

Traditional PAM was never designed for this volume or velocity. Vaulting and rotating credentials for thousands of ephemeral workloads is operationally unsustainable. The paradigm must shift from storing and rotating secrets to eliminating them — delivering credentials dynamically, for the duration of the task, then revoking them.

Force 3 — Agentic AI Introduced Autonomous Actors with Variable Behaviour

AI agents represent something genuinely new in the identity landscape. They are not static scripts executing deterministic logic. They are autonomous actors that reason, adapt, and make decisions — often with access to restricted systems. Their behaviour changes over time as models are updated, prompts are refined, or context shifts.

Gartner projects that 15% of day-to-day work decisions will be made autonomously through agentic
AI by 2028, up from effectively 0% in 2024. And 33% of enterprise software applications will include Agentic AI by 2028, up from less than 1% today.

These agents inherit real privilege: write access to code repositories, query access to production databases, execute permissions on cloud infrastructure. When an AI agent holds standing privilege, the blast radius of a compromised or misbehaving agent is unbounded. The access exists whether the agent is actively working or not.

As Gartner VP Analyst Homan Farahmand frames it: “Our current IAM controls are not built for AI agents.” The challenges are structural — siloed identities, over-permissioning, visibility gaps, delegation complexity, and poor context-awareness.

The Governance Imperative: Auditors Are Already Asking

This is not a future-state concern. Auditors, regulators, and boards are already asking questions that most organizations cannot answer:

  • Who approved their privilege and under what policy?
  • Which AI agents exist in our environment and what can they access?
  • Can we demonstrate that access was appropriate at the time of use — not just at the time of provisioning?
  • What happens when an agent’s behaviour drifts or a model is updated — does its access posture automatically adapt?

Gartner’s research warns that 50% of successful cybersecurity attacks against AI agents will exploit access control issues, using direct or indirect prompt injection as an attack vector. The risk is not theoretical. It is the direct consequence of granting standing privilege to autonomous systems that
operate outside traditional session-based controls.

The convergence is clear: dynamic workloads require dynamic privilege. Non-human identities require
programmatic, not manual, lifecycle management. Autonomous AI agents require governance that adapts
as quickly as the agents themselves.

All of this points to one architectural direction: Zero Standing Privileges — where no identity, human or machine, holds persistent privileged access. Access is granted just-in-time, scoped to the task, and revoked upon completion.

We Do Not Need to Rewrite the Playbook

There is a temptation to treat Agentic AI as requiring an entirely new identity discipline. It does not. The principles we have applied to human identity governance for decades — least privilege, separation of duties, access certification, lifecycle management — remain sound. The challenge is extending them to populations and patterns they were not originally designed for.

We have been here before. When cloud infrastructure first emerged, we did not abandon identity governance — we adapted it. When non-human identities grew to dominate the identity population, we did not discard our frameworks — we extended them.

Agentic AI is the next adaptation. The fundamentals remain:

  • Least privilege — now applied dynamically, not statically
  • Lifecycle governance — now spanning agents whose behaviour evolves over time
  • Audit and accountability — now requiring continuous posture assessment, not periodic review
  • Delegation and ownership — now requiring clarity on who is responsible when an agent acts autonomously

 
The CyberHUT research on Agentic AI identity security frames it precisely:  Agentic AI presents both scale
challenges (like typical NHI) and human-esque behavioural challenges that require a hybrid governance approach. The answer is not a new playbook. It is an evolved one.

From “What If” to “What Now” — Actionable Steps for Your Organization

The industry has produced enough webinars explaining what AI identity risk is. Clients do not need another explanation of the problem. They need direction. They need a plan. They need to know what to do on Monday morning.

Here is what actionable looks like:

Step 1 — Know Where You Stand: Maturity Assessment

You cannot govern what you have not inventoried. The first action is an honest assessment of your current privilege posture:

  • Human privilege exposure
    Where do standing admin accounts exist? Which are used daily versus dormant?autonomously
  • Non-human identity footprint
    How many service accounts, API keys, and bot identities exist? Which hold privileged access? Which are orphaned?
  • AI agent inventory
    Which AI agents are deployed or in development? What systems can they access? Who approved that access?
  • Cloud privilege sprawl
    Across AWS, Azure, GCP — what standing entitlements exist that violate least privilege?

This is not a theoretical exercise. It produces a scored, risk-ranked view of your identity attack surface — the foundation for every decision that follows.

Step 2 — Operationalize What You Already Have

Most organizations own more capability than they are using. Before acquiring new tools, operationalize the ones you have:

  • Human privilege exposure
    Where do standing admin accounts exist? Which are used daily versus dormant?autonomously
  • Non-human identity footprint
    How many service accounts, API keys, and bot identities exist? Which hold privileged access? Which are orphaned?
  • AI agent inventory
    Which AI agents are deployed or in development? What systems can they access? Who approved that access?
  • Cloud privilege sprawl
    Across AWS, Azure, GCP — what standing entitlements exist that violate least privilege?

This is not transformation. It is activation — extracting value from investments already made.

Step 3 — Build the ZSP Blueprint: Assessment to Roadmap to Implementation

Zero Standing Privileges is a destination that requires a sequenced approach. The blueprint must answer:

  • Where to start
    Human or non-human identities first? Cloud or on-premises?
  • How to sequence
    Which identity populations carry the highest risk and should migrate first?
  • Phased migration
    What does the path from a legacy Active Directory environment to dynamic, just-in-time access actually look like?
  • Cloud privilege sprawl
    Across AWS, Azure, GCP — what standing entitlements exist that violate least privilege?
  • AI agent governance
    How are autonomous agents registered, granted access, monitored, and revoked as their behaviour evolves?

The output is not a slide deck. It is a risk-ranked roadmap with clear phases, defined success criteria, and a governance framework that sustains the posture over time.

Step 4 — Integrate the Ecosystem: No Single Vendor Solves This Alone

Zero Standing Privileges does not live in a single product. It lives in the seams between your governance platform, your credential management system, your cloud IAM controls, and your access policy engine. The architecture requires:

  • Governance layer
    Identity lifecycle, certification, and policy (IGA platforms)
  • Credential layer
    Dynamic secret delivery, JIT access grants, automated revocation (cloud-native PAM)
  • Access layer
    Authentication, authorization, and session management across human and non- human identities
  • Signal layer
    Shared context between systems (risk scores, session state, behavioural anomalies) that enables adaptive, context-aware access decisions


The importance of shared signals cannot be overstated. An identity governance platform that cannot
consume a risk signal from your threat detection system — or a PAM platform that cannot signal a revocation event back to your governance layer — creates blind spots that autonomous agents will exploit.

Ecosystem integration is not a nice-to-have. It is the architectural requirement that makes Zero Standing Privileges operationally sustainable.

Indigo’s Methodology: From Assessment to Blueprint to Execution

Indigo Consulting Canada operates as the independent strategic layer between the problem and the solution. We do not sell a single vendor’s product. We design the architecture that makes multiple vendors work together toward a coherent privilege posture.

Phase 0

 Discover


Map the current privilege state across human, non-human, and AI agent identities. Score risk by identity
type and environment. Identify the gaps between current posture and ZSP readiness.

Output: Current-state privilege map, risk-ranked identity inventory, readiness score.

Phase 0
Phase 1

Design


Develop the ZSP Blueprint — a phased implementation plan that sequences the journey by risk priority.
Define the target architecture: which capabilities are handled by which platforms, how signals flow
between systems, and what governance sustains the posture over time.

Output: ZSP Blueprint, multi-vendor architecture design, phased roadmap.

Phase 1
Phase 2

Implement

Execute the roadmap. Integrate the governance, credential, access, and signal layers. Deploy just-in-time
access for priority identity populations. Validate audit trail completeness. Establish the ongoing
certification cadence.

Output: Operational ZSP for prioritized environments, integrated vendor ecosystem, governance
automation.

Phase 2
Phase 3

Extend and Govern

Expand the discipline to remaining identity populations — on-premises legacy, additional cloud providers,
newly deployed AI agents. Transition to a continuous posture management model where privilege is governed as a living system, not a project.

Output: Enterprise-wide ZSP coverage, continuous privilege posture management, ongoing advisory.

Phase 3

The Vendor Landscape: Integration Over Replacement

Indigo’s practice spans the major platforms that underpin enterprise identity and privilege:

Capability DomainWhat It Solves Integration Imperative
Identity GovernanceLifecycle, certification, policy enforcement Must consume signals from PAM and threat systems
Cloud-Native PAM / JITDynamic privilege, zero standing access, NHI credential delivery Must integrate with governance for policy and with cloud IAM for enforcement
Workforce & Customer IdentityAuthentication, federation, session management Must share context with PAM and governance layers
Cloud Security PostureEntitlement visibility, drift detection, remediation Must feed risk signals into access decisions


No single vendor covers all four domains comprehensively. The organizations that achieve durable Zero
Standing Privileges are the ones that design the integration deliberately — shared signals, common policy
language, and a governance layer that sees across the entire ecosystem.

The Moment of Adaptation

We are living through the same kind of structural shift that cloud computing introduced a decade ago. The workloads are dynamic. The identities are multiplying. The actors are autonomous. The privilege model must match the world it governs.

The organizations that move deliberately — assessing their current posture, building a sequenced
roadmap, and implementing with ecosystem integration in mind — will achieve a durable security posture
that adapts as the world continues to change. The organizations that wait will find their standing privilege
architecture overwhelmed by the very agents and workloads it was never designed to govern.

Gartner’s prediction is pointed:

“Through 2028, over 50% of AI initiatives will halt, becoming unmanageable, because of unresolved agentic identity challenges.”

The identity challenge is not a secondary concern. It is the constraint that will determine whether your AI investments deliver value or become ungovernable liabilities.

The playbook is not new. The adaptation is. And the time to begin is now

Indigo Consulting Canada helps organizations navigate the transition from static privilege to Zero
Standing Privileges — from maturity assessment through blueprint development to multi-vendor
implementation. For organizations ready to move from awareness to action, Indigo delivers the strategic
layer that turns a product deployment into an enterprise transformation.

Indigo Consulting
Bridging the gap between business strategy and Identity security. Global experts in CIAM, IGA, and Agentic Governance.