Skip to content

AI agents and NHIs: What KuppingerCole’s 2026 PAM Leadership Compass Says on the Future of Privileged Access

AI agents and NHIs: What KuppingerCole’s 2026 PAM Leadership Compass Says on the Future of Privileged Access

Privileged access is changing fast. AI agents, service accounts, cloud workloads, and automation now generate far more privileged activity than traditional administrator accounts, making static credentials and password vaults increasingly difficult to manage and secure.

KuppingerCole's Leadership Compass for Privileged Access Management 2026 explores how PAM must evolve to meet this challenge. We're proud that SSH Communications Security's PrivX platform is recognized as an Overall Leader, Product Leader, and Innovation Leader in this year's report.

Download your complimentary copy here >>>

More importantly, the report explains why traditional PAM is reaching its limits and what organizations should do next. Here are the key trends shaping the future of privileged access.

Trend 1: Privilege is about actions, not accounts

Privilege is being redefined as no longer “access granted to a small set of administrative accounts” but “the ability of any identity to perform actions that affect systems, security controls, infrastructure, or other identities.”  That shifts PAM’s job from managing privileged accounts to controlling and governing privileged actions.

Instead of maintaining a list of privileged accounts and their passwords, modern PAM solutions should fetch roles and permissions from your identity sources at the moment of access and refresh them continuously. This means privileges change in line with policy, risk, and user state at all times, in real-time.

Trend 2: Non-human identities and AI agents now dominate privileged activity

 KuppingerCole notes that AI agents, service accounts, automation pipelines, APIs, and workloads often significantly outnumber human users. Since these often run unattended with broad permissions, they represent a substantial share of privileged activity. For AI agents especially, the report argues that dynamic, context-based privilege enforcement at the point of action matters far more than authentication alone.

Modern PAM solutions, such as PrivX apply the same just-in-time, ephemeral-certificate model to non-human identities as to human identities. Short-lived credentials are granted and issued when needed, and will automatically expire, leaving nothing behind except for full audit trails

Trend 3: From vaulting toward just-in-time and zero standing privileges

Ttraditional PAM core capabilities, comprising credential vaulting, password rotation, and session monitoring now “address only a portion of the privileged activity taking place,.” according to the report. Innovation Leaders are the vendors “accelerating the adoption of short-lived credentials, JIT access, and granular, policy-based entitlement control.” KuppingerCole names SSH in that group.

PrivX PAM’s passwordless zero-standing-privileges (ZSP) approach is cited in the report. KuppingerCole’s notes, its distinctive value lies not only in a passwordless approach but also in “managing, auditing, rotating, and gradually replacing SSH key-based access with certificate-based authentication.”

PrivX can still vault passwords where needed, but that gradual path matters, since organizations cannot rip out their vault on day one but need time to migrate to a ZSP model.

Trend 4: PAM is merging into the identity security fabric

PAM is “no longer a standalone domain,” the analysts write. The boundaries with Identity Governance and Administration (IGA), access management, secrets management, and cloud entitlements are blurring, and governance is moving to real time.

The leading PAM soluions need to plug into that fabric rather than competing with it by integrating with identity providers like Microsoft Entra ID, Okta, and Google Workspace, supporting single sign-on (SSO), integrating with identity and access management (IAM)/IGA systems, and adding phishing-resistant, continuous verification of user validity and device posture.

Trend 5: Sovereignty and deployment flexibility are decisive

KuppingerCole highlights that deployment flexibility is critical in regulated and data-sensitive sectors, and notes SSH’s strong fit for sovereignty-sensitive deployments. Leonardo S.p.A becoming SSH’s largest shareholder in 2025, the analysts say, gives SSH “added weight in sectors where sovereignty, defense, and critical infrastructure concerns shape technology decisions.”

PrivX deploys the way you need it: self-hosted, public or private cloud, SaaS through partners, virtual appliance, or MSP-hosted. The solution boasts FIPS 140-3 validated cryptographic modules and ISO 27001 certification.

And with PrivX OT, the same just-in-time, least-privilege model extends into industrial and industrial control system (ICS) environments without relying on legacy VPNs.

A trend few are talking about yet: quantum-safe PAM

Harvest-now-decrypt-later attacks make the cryptography protecting your most privileged connections a today problem, not a 2035 problem.

KuppingerCole recognizes “SSH also brings quantum-safe cryptography into the PAM discussion in a way few vendors currently do.” Quantum-safe support takes future-proofing to another level, so should not be an afterthought, but a current requirement.

The bottom line

If your PAM strategy still centers on a password vault, the 2026 Leadership Compass is a map of what comes next.

KuppingerCole’s verdict: “SSH presents a thoughtful PAM offering for organizations that want to move from vaulted credentials toward short-lived, policy-driven access with unusually strong SSH key governance and credible quantum-safe capabilities.”