Mortada Ayad, VP – META at Delinea, explores how “privilege patchwork”, a growing web of overextended permissions, shared credentials, and machine identities, is creating hidden security risks, and why enterprises must rethink privileged access management for an AI-driven world.
While cybersecurity professionals may debate everything from the greatest threat currently facing enterprises, to cyber resilience priorities or how best to balance risk with innovation, there is near-universal consensus on the fact that today, identity is the new perimeter.
This shift has been a natural consequence of how organisations have evolved. In mitigating single points of failure, businesses embraced hybrid cloud. To safeguard continuity, they enabled remote work. Traditional network perimeters quickly dissolved, leaving identity as the primary control layer where access is defined, enforced, and, at least in theory, governed with precision.
On the surface, this suggests that access management is structured, deliberate, and tightly controlled. But as with those lines of code quietly marked “please don’t touch, this works…”, the reality is often far less orderly.
What Lies Beneath
Scratch beneath the surface and what emerges is not a clean implementation of least privilege, but something far more improvised. Most security professionals will recognise the pattern: access policies extended to avoid delays, service accounts with far broader permissions than intended, credentials embedded into scripts or pipelines because the alternative introduces too much friction. And, if we’re honest, many of us have likely reused shared identities across teams to keep things moving.
These decisions are rarely reckless. They are pragmatic responses to the pressures of tight deadlines, constant uptime expectations, and the need to keep systems running without interruption. But over time they accumulate, and the result is a form of privilege patchwork: a layered mix of access and workarounds that few organisations fully map, and even fewer truly control.
The Rise of the Machines
This was never ideal. But what was once manageable is now being pushed to breaking point. Machine identities now outnumber human users by a significant margin. Service accounts, APIs, containers, and CI/CD pipelines operate continuously, interacting across systems in ways that are difficult to track in real time. Increasingly, AI agents are being introduced into this landscape.
These identities don’t behave like humans. They don’t log in at the start of a session and log out when a task is complete. They don’t wait for approvals, nor do they operate within predictable boundaries. If every action required manual authorisation, operations would simply grind to a halt. Instead, these identities act continuously, at machine speed. And yet, much of our approach to access management is still built around assumptions rooted in human behaviour.
Where Traditional Models Fall Short
Privileged access management (PAM) has long been a cornerstone of enterprise security. It has brought structure to how privileged credentials are stored, controlled, and audited. For human users operating within defined sessions, it remains highly effective and therefore continues to be foundational to modern security strategies.
However, modern environments are placing new demands on these models. When access decisions must be made thousands of times per second across ephemeral infrastructure and automated workflows, the concept of granting standing privileges at the start of a session begins to show its limits. A pipeline deploying code at 2:00 AM cannot wait for manual approvals. A container that exists for minutes cannot depend on static credentials provisioned hours earlier. An AI agent executing a multi-step workflow may require different permissions at each stage. The model itself isn’t broken, but it is being stretched beyond its original design.
The Worrisome Workarounds
Faced with this mismatch, teams adapt in the only way they can: by reducing friction. This is where workarounds take hold. Broad roles are created to avoid constant permission updates. Long-lived credentials are reused to ensure continuity. Access is granted “just in case” rather than “just in time.” Over time, these practices become embedded into workflows, not as temporary fixes, but as operational norms.
But there is a high cost to this convenience. When access is over-provisioned and rarely revisited, least privilege becomes difficult to enforce in practice. When credentials are embedded or shared, visibility into who, or what, is using them begins to erode. And when machine and AI-driven identities operate at scale, these risks don’t just persist, they compound.
As a result, many organisations struggle to answer fundamental questions such as which identities are accessing sensitive systems, what permissions are actually being used, and where access has been granted but never exercised.
Without this clarity, governance becomes reactive, and risk accumulates quietly in the background.
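The three questions above (which identities reach sensitive systems, which permissions are actually exercised, and which grants have never been used) can be answered mechanically by joining a grant inventory to the audit log. The Python below is an added example written for this article, not code from Delinea or from the author; the identities, permissions, resource tags and log lines are constructed, and the one-event-per-line log format is an assumed simplification of what a real audit trail carries.

```python
"""Added example: compare what each identity may do with what the audit log shows it did.

Grants, resource tags and log lines below are constructed for illustration; the
identities and permission names are hypothetical, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed grant inventory: identity -> set of permissions currently granted.
GRANTS = {
    "svc-deploy": {"s3:GetObject", "s3:PutObject", "iam:PassRole", "ec2:TerminateInstances"},
    "ci-pipeline": {"ecr:GetAuthorizationToken", "ecr:PutImage", "secrets:GetSecretValue"},
    "alice": {"s3:GetObject", "rds:DescribeDBInstances"},
}

# Constructed tag set: resources the organisation treats as sensitive.
SENSITIVE_RESOURCES = {"prod-db", "secrets-vault"}

# Constructed audit log, one event per line:
# "<ISO-8601 timestamp> <identity> <action> <resource> <source host>"
AUDIT_LOG = """\
2024-05-01T09:12:03Z svc-deploy s3:GetObject artifacts-bucket runner-07
2024-05-01T09:12:04Z svc-deploy s3:PutObject artifacts-bucket runner-07
2024-05-01T02:00:11Z ci-pipeline ecr:PutImage app-image runner-12
2024-05-01T02:00:12Z ci-pipeline secrets:GetSecretValue secrets-vault runner-12
2024-05-02T02:00:09Z ci-pipeline secrets:GetSecretValue secrets-vault runner-03
2024-05-02T14:40:00Z ci-pipeline ecr:PutImage app-image laptop-jdoe
2024-05-03T11:05:30Z alice rds:DescribeDBInstances prod-db alice-laptop
"""


def parse_audit_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, action, resource, source = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "identity": identity,
            "action": action,
            "resource": resource,
            "source": source,
        })
    return events


def permission_usage(grants, events):
    """For each granted identity: permissions used, permissions granted but never
    exercised, and actions seen in the log that the inventory does not list
    (a sign the inventory itself is incomplete)."""
    used = defaultdict(set)
    last_seen = {}
    for e in events:
        used[e["identity"]].add(e["action"])
        if e["identity"] not in last_seen or e["ts"] > last_seen[e["identity"]]:
            last_seen[e["identity"]] = e["ts"]
    report = {}
    for identity, granted in grants.items():
        report[identity] = {
            "used": granted & used[identity],
            "unused": granted - used[identity],
            "unlisted": used[identity] - granted,
            "last_seen": last_seen.get(identity),
        }
    return report


def sensitive_access(events, sensitive):
    """Which identities touched sensitive resources, as sorted (identity, resource) pairs."""
    return sorted({(e["identity"], e["resource"]) for e in events if e["resource"] in sensitive})


def possibly_shared(events, max_sources=1):
    """Identities used from more distinct sources than a single owner would explain.
    A heuristic for embedded or shared credentials; confirm by review before acting."""
    sources = defaultdict(set)
    for e in events:
        sources[e["identity"]].add(e["source"])
    return {i: sorted(s) for i, s in sources.items() if len(s) > max_sources}


if __name__ == "__main__":
    evts = parse_audit_log(AUDIT_LOG)
    for identity, r in permission_usage(GRANTS, evts).items():
        print(identity, "unused:", sorted(r["unused"]), "last seen:", r["last_seen"])
    print("sensitive access:", sensitive_access(evts, SENSITIVE_RESOURCES))
    print("possibly shared:", possibly_shared(evts))
```

On the constructed data the report flags svc-deploy's unused `iam:PassRole` and `ec2:TerminateInstances` as candidates for removal, shows that ci-pipeline reaches the secrets vault, and notices that the same pipeline identity was exercised from a laptop as well as from build runners, which is exactly the visibility the text says erodes once credentials are embedded or shared.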
Evolving the Model, Not Replacing It
Addressing this challenge does not require abandoning existing security models. But it does require evolving them. The core principles of control, least privilege, and auditability that underpin PAM remain as relevant as ever. What is changing is how those principles must be applied in environments where identities are dynamic, ephemeral, and increasingly autonomous.
This means moving beyond static, standing access towards models that are more contextual and responsive. Access decisions must reflect not just who or what an identity is, but what it is doing in a given moment, under specific conditions. Permissions should be scoped to individual actions where possible, rather than granted broadly in anticipation of need.
Equally important is visibility (across both human and non-human activity) so organisations can understand how access is actually being used, not just how it was intended to be used. And above all, security must operate at the same speed as the systems it is designed to protect.
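As an added illustration of the contextual, action-scoped access described in this section (and of the “just in time” rather than “just in case” contrast drawn in the workarounds section), here is a small just-in-time broker in Python. It is example code written for this page, not a Delinea product or API: a grant covers one action on one resource, is tied to the execution context that requested it, and expires in minutes, so the 2:00 AM pipeline obtains its credential without a human approver while a request from an unexpected source is refused. The policy, identities, sources and signing scheme are all constructed assumptions.

```python
"""Added example: a minimal just-in-time access broker that issues single-action,
short-lived grants checked against context, in place of standing privileges.

The policy, identities, sources and signing scheme are constructed for illustration
and are not any vendor's product or API.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

# Broker secret used to make grants tamper-evident (generated at start-up here).
SIGNING_KEY = secrets.token_bytes(32)

# Constructed policy: the (action, resource) pairs each identity may request, and
# the execution sources it is expected to run from.
POLICY = {
    "ci-pipeline": {
        "actions": {("ecr:PutImage", "app-image"),
                    ("secrets:GetSecretValue", "secrets-vault")},
        "allowed_sources": {"runner-03", "runner-12"},
    },
}

# Grants expire quickly; a pipeline step requests a fresh one for each action.
GRANT_TTL = timedelta(minutes=5)


def _sign(payload):
    """HMAC over a canonical JSON encoding of the grant payload."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def request_grant(identity, action, resource, source, now):
    """Return a signed grant scoped to one action on one resource, or None if denied."""
    rule = POLICY.get(identity)
    if rule is None or (action, resource) not in rule["actions"]:
        return None            # never granted to this identity, not merely "not yet"
    if source not in rule["allowed_sources"]:
        return None            # known identity, unexpected context: deny and review
    payload = {
        "sub": identity,
        "act": action,
        "res": resource,
        "src": source,
        "exp": (now + GRANT_TTL).isoformat(),
        "nonce": secrets.token_hex(8),
    }
    return {"payload": payload, "sig": _sign(payload)}


def authorize(grant, action, resource, now):
    """Check signature, expiry and scope before the action is allowed to proceed."""
    if grant is None:
        return False
    payload = grant["payload"]
    if not hmac.compare_digest(grant["sig"], _sign(payload)):
        return False           # payload altered after issue
    if now >= datetime.fromisoformat(payload["exp"]):
        return False           # grant has expired; request a new one
    return payload["act"] == action and payload["res"] == resource


def demo():
    """Walk the broker through the cases the text describes; returns outcomes by name."""
    t0 = datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc)   # the 2:00 AM deployment
    grant = request_grant("ci-pipeline", "ecr:PutImage", "app-image", "runner-12", t0)
    one_min, six_min = t0 + timedelta(minutes=1), t0 + timedelta(minutes=6)
    tampered = {"payload": dict(grant["payload"], act="ec2:TerminateInstances"),
                "sig": grant["sig"]}
    return {
        "issued": grant is not None,
        "valid_now": authorize(grant, "ecr:PutImage", "app-image", one_min),
        "expired": authorize(grant, "ecr:PutImage", "app-image", six_min),
        "wrong_scope": authorize(grant, "secrets:GetSecretValue", "secrets-vault", one_min),
        "wrong_source": request_grant("ci-pipeline", "ecr:PutImage", "app-image",
                                      "laptop-jdoe", t0) is None,
        "unlisted_action": request_grant("ci-pipeline", "ec2:TerminateInstances",
                                         "web-01", "runner-12", t0) is None,
        "tampered": authorize(tampered, "ec2:TerminateInstances", "app-image", one_min),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} {outcome}")
```

The sketch deliberately leaves out what a production broker must add on top: recording nonces so a grant cannot be replayed, revocation, and writing every issue and check into the organisation's audit trail so that the visibility this section asks for extends to machine and AI-driven identities as well as people.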
Closing the Gap
The persistence of workarounds is not a failure of policy but rather a reflection of the pace at which modern environments are evolving. As AI agents become more embedded in enterprise operations, and as automation continues to scale, the gap between how access is intended to work and how it actually works will only widen.
If access management continues to rely on models built for human behaviour, it will increasingly fail to govern identities that don’t behave like humans at all. And in that reality, privilege patchwork won’t just be inefficient, it will be untenable.
