
Enterprises Need to Modernize Identity Security for AI Era: CyberArk


Enterprises’ continued adoption of AI, and now agentic AI, into development and product workflows, together with its growing use by threat actors, is creating gaps where traditional security techniques can’t keep pace with the technology’s maturity.

When it comes to identity security, this has led to what Charles Chu, general manager of IT and developer solutions at cybersecurity vendor CyberArk, called a “clear gap between intent and reality” in this era of AI-driven cyber threats.

In a report released this month, CyberArk outlined how organizations are trying to protect identities and access in an increasingly complex IT landscape, one that includes not only the rise of generative AI and AI agents but also cloud, the Internet of Things (IoT), and persistent cyber threats, while leaning on the same privileged access management (PAM) methods they have used for years.

According to the 500 U.S. PAM practitioners surveyed for the vendor’s “Secure Every Identity with the Correct Privilege Controls” report, only 1% said their companies implemented just-in-time (JIT) privileged access, while 91% said at least half of their privileged access is always on, opening up sensitive systems to unrestricted and persistent access.

In addition, 76% of respondents said their PAM strategies were ready for AI, cloud, and hybrid IT environments, even though those strategies still rest on always-on access.

“This means that most organizations still rely on persistent, elevated rights, even as they talk about least privilege and zero trust,” Chu told MSSP Alert.

JIT Access a Must for Zero Trust

CyberArk’s report came out around the same time that Check Point Software Technologies and JIT specialist Apono announced an integration to move access away from persistent permissions and closer to real-time decisions.

JIT access is a key feature of zero-trust architectures: users and systems are granted temporary, limited access to the specific systems or data their task requires, only when it is needed, and the access is automatically removed once the work is complete. It supports a central tenet of zero trust, a never-trust model that requires every user, system, or application to be authenticated and verified before being granted access to corporate networks.

It also eliminates standing privileges and always-on admin rights.

“These frameworks create a security model built around continuous verification, a feature that JIT access supports perfectly,” security vendor Delinea wrote last year. “The message is clear: JIT access isn't just a nice-to-have; it's essential. It's quickly becoming table stakes for modern cybersecurity.”
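To make the mechanics above concrete, here is a minimal JIT privilege broker as an added example. It is not code from CyberArk, Apono or Delinea, and the resource names, the one-hour cap on grant lifetime and the sample request in `demo()` are assumptions made for illustration. Every grant must name one resource, an explicit action set, a justification and a lifetime; there is no way to ask for an open-ended grant, authorization checks expire lazily against an injectable clock, and `release()` revokes early when the task is done.

```python
# Added example: a minimal just-in-time (JIT) privilege broker.
# Not CyberArk's, Apono's or Delinea's code; names and policy limits
# below are assumptions made for illustration only.
import secrets
import time
from dataclasses import dataclass


class FakeClock:
    """Injectable clock so expiry can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Grant:
    token: str
    principal: str
    resource: str
    actions: frozenset
    expires_at: float
    justification: str
    revoked: bool = False


class JITBroker:
    """Issues task-scoped, time-bound grants; standing access is not expressible."""

    def __init__(self, max_ttl_seconds=3600, clock=time.monotonic):
        self._max_ttl = max_ttl_seconds      # assumed organisational cap (1 hour)
        self._clock = clock
        self._grants = {}                    # token -> Grant
        self.audit = []                      # append-only trail for access reviews

    def request(self, principal, resource, actions, ttl_seconds, justification):
        if not justification.strip():
            raise ValueError("a justification is required for every grant")
        if ttl_seconds <= 0 or ttl_seconds > self._max_ttl:
            raise ValueError(f"ttl must be in (0, {self._max_ttl}] seconds")
        if not actions:
            raise ValueError("at least one action must be named")
        token = secrets.token_urlsafe(32)    # unguessable handle for the grant
        self._grants[token] = Grant(token, principal, resource, frozenset(actions),
                                    self._clock() + ttl_seconds, justification)
        self.audit.append(("grant", principal, resource, sorted(actions),
                           ttl_seconds, justification))
        return token

    def authorize(self, token, resource, action):
        grant = self._grants.get(token)
        if grant is None or grant.revoked:
            return False
        if self._clock() >= grant.expires_at:
            grant.revoked = True             # lazy expiry: no background job needed
            self.audit.append(("expire", grant.principal, grant.resource))
            return False
        if grant.resource != resource or action not in grant.actions:
            self.audit.append(("deny", grant.principal, resource, action))
            return False
        return True

    def release(self, token):
        """Task finished: revoke now rather than wait for the clock."""
        grant = self._grants.get(token)
        if grant is not None and not grant.revoked:
            grant.revoked = True
            self.audit.append(("release", grant.principal, grant.resource))


def demo():
    """Walk one constructed grant through its lifecycle; returns the decisions."""
    clock = FakeClock()
    broker = JITBroker(max_ttl_seconds=3600, clock=clock)
    # Constructed request: an engineer needs ten minutes of write access for a hotfix.
    token = broker.request("alice", "prod-db", {"read", "write"}, 600, "INC-123 hotfix")
    result = {
        "in_scope": broker.authorize(token, "prod-db", "write"),
        "wrong_action": broker.authorize(token, "prod-db", "drop"),
        "wrong_resource": broker.authorize(token, "staging-db", "read"),
    }
    clock.advance(601)                       # past the ten-minute grant
    result["after_expiry"] = broker.authorize(token, "prod-db", "write")
    try:                                     # a year-long grant is refused outright
        broker.request("svc-agent", "prod-db", {"read"}, 86400 * 365, "always on")
        result["standing_rejected"] = False
    except ValueError:
        result["standing_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the cap on lifetime and the required justification live in the broker, not in the caller's good intentions: a non-human identity such as the `svc-agent` in the demo cannot obtain always-on rights through the same path a human uses, and the audit list records every grant, denial, expiry and release for later review.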

Slow Adoption

However, JIT adoption isn’t happening quickly, according to CyberArk’s research. Chu cited three key reasons. First, many critical systems weren’t built for time-bound access, so users see standing privilege as a way to ensure production isn’t interrupted.

Complexity and tool sprawl are a second reason: Chu noted that 88% of organizations manage two or more identity tools, and more than half are still uncovering unmanaged privileged accounts and secrets every week, which makes it difficult to see the entire picture. The third is friction: 66% of respondents said traditional privileged access reviews delay projects, and 63% said employees bypass controls to save time.

“These data points imply that modern IT needs to consider its users’ experience and adopt new technologies that make security controls as seamless and invisible to end users as possible,” he said.

AI 'Raising the Stakes'

In addition, “AI is raising the stakes on identity in two ways: it increases the potential impact of a single identity, and it introduces powerful non‑human identities that many organizations are not treating differently from people,” Chu added.

The report’s numbers illustrate those struggles: 45% of respondents said they use the same privileged access controls for AI agents that they do for humans, and 33% said they have no clear AI access policies.

“Giving AI agents broad, long‑lived permissions in that context significantly expands the blast radius if something goes wrong,” he said.

Evolving Threat Landscape

And things can go wrong very quickly. The report’s authors noted that today’s threat landscape is vast and dynamic, evolving quickly through technology innovation, new identities, and new environments. More than 90% of organizations experienced at least one identity-related incident in the past year, they wrote, noting that high-profile breaches at Okta, LastPass, Microsoft, and Uber resulted from compromised identities of support staff and software engineers, who aren’t usually considered privileged users.

“As privileged access evolves and continues to be targeted, there is a need to embrace a defense-in-depth strategy for identities with high-risk that haven’t always been secured by PAM programs, such as third-party vendors, developers and cloud operations teams,” they wrote. “Similarly, as technology keeps evolving, PAM continues to be a critical component of any cybersecurity strategy and fundamental for on-premises, hybrid and cloud environments.”

Report a 'Roadmap' for MSSPs, MSPs

Chu said that for MSSPs and MSPs, “the report is essentially a roadmap for where organizations are struggling and where service providers can add immediate value.”

Given what the CyberArk survey found, identity and privilege need to be treated as core managed services rather than edge cases. MSSPs and MSPs should make them central to their offerings: help clients reduce standing privilege and move toward JIT access, treat AI as a top-tier identity problem with reference architectures and managed controls for AI identities, and rationalize tool sprawl.

“With such clear data, it’s evident that the path forward for MSSPs and MSPs is to assess each customer’s unique position and truly partner in closing those specific gaps,” Chu said. “This would allow MSSPs and MSPs to maintain their position as the trusted advisor on resilience and AI readiness that many enterprises are now looking for.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
