At this year’s EMEA Partner Summit, Alejandro Leal, Senior Analyst at KuppingerCole, delivered a clear message: privileged access management is evolving far beyond administrator accounts and password vaults.
“Attackers don’t hack, they log in,” he reminded the audience, reinforcing how identity has become the primary attack surface in modern cybersecurity. But according to the expert, the bigger transformation happening in the PAM market is the redefinition of privilege itself.
One of the key themes of the session was that privilege should no longer be tied only to accounts, but to what an identity is capable of doing inside an environment. That changes the role of PAM significantly.
Instead of focusing purely on privileged accounts, organizations now need to govern privileged actions across:
As Alejandro explained, PAM is evolving from a standalone security tool into a broader identity control layer.
A major focus of the presentation was the rapid growth of non human identities.
Service accounts, machine identities, API tokens, workloads, and AI agents now drive a significant portion of privileged activity across enterprise environments. Yet many remain poorly discovered, unmanaged, or continuously overprivileged.
According to Leal, organizations are still trying to apply human identity governance models to machine driven environments. But machines behave differently.
They authenticate continuously, operate dynamically, and often lack clear ownership. That creates visibility gaps attackers increasingly exploit.
“They don’t go for the most protected identity,” Alejandro said. “They go for the least visible one.”
The rise of AI agents is accelerating identity related risks even further. Alejandro highlighted how AI is enabling faster vulnerability discovery, automated privilege escalation, and more adaptive attacks against identity infrastructure itself.
As a result, organizations can no longer rely on static access models.
Modern PAM strategies increasingly require:
An AI agent, for example, may only need permission to execute one specific task under tightly defined conditions rather than broad administrator access.
Another major topic discussed during the session was identity fabric architecture, which connects PAM, identity governance, secrets management, and cloud entitlements into a unified identity security framework.
According to Leal, fragmented identity tooling creates inconsistency and inconsistency creates risk. At the same time, digital sovereignty is becoming an increasingly important conversation across Europe.
The discussion, he explained, is not about isolation, but about maintaining control over infrastructure, data, and identity systems.
“If you do not control identity, you do not control access,” Alejandro noted. “And if you do not control access, sovereignty becomes theoretical.”
The session also touched on post quantum cryptography and its long term implications for identity security.
Identity systems rely heavily on cryptographic trust models, and transitions toward post quantum security will take years to implement. Alejandro’s advice was simple: start the conversations now.
Organizations should begin identifying cryptographic dependencies, testing hybrid models, and building crypto agility strategies before the transition becomes urgent.
The overall message from Alejandro Leal’s presentation was clear: PAM is no longer just about protecting privileged accounts.
It is becoming the foundation for governing identity, trust, and control across humans, machines, AI systems, and cloud environments.
And in a world shaped by AI, machine identities, and increasing digital complexity, that identity control layer is becoming more critical than ever. As privileged access management evolves beyond traditional administrator accounts, organizations need modern identity security strategies that can govern human, machine, and AI-driven identities at scale.