
Why cloud-native demands an API-led approach to PAM

Shashwat Sehgal

Oct 14, 2025


I recently did an interview with Cyber Symposium about how cloud-native adoption has fundamentally changed the privileged access landscape. The question I wanted to answer: how should organizations think about securing privileged access in a world where the number and types of identities, as well as the access paths to sensitive systems, have exploded? It’s a topic that really gets to the heart of what’s driving the next evolution of identity security.

The new identity landscape

Over the past 15 years, cloud-native adoption has reshaped production environments. What was once a handful of servers in a data center is now a sprawl of virtual machines, databases, Kubernetes clusters, and microservices.

Two changes stand out:

  1. Explosion of identities. Access is no longer just for humans: service accounts and other non-human identities (NHIs), and increasingly AI agents, make up the bulk of actors.  
  2. Explosion of access methods. Root credentials and SSH keys have given way to tens of thousands of entitlements (IAM roles, RBAC bindings, database grants), ephemeral tokens, keys and permissions.

This complexity has broken the traditional privileged access management (PAM) model.

The productivity–security trade-off

Most organizations struggle with a familiar tension. Security teams want every access grant to be short-lived, least-privileged, and fully auditable. Developers want fast, frictionless access to get their jobs done. Historically, enforcing security has slowed teams down, creating pressure to grant standing access and let privilege creep set in.

The path forward is to eliminate this trade-off: provision the right access instantly, revoke it automatically when the task ends, and preserve productivity while enforcing least-privilege.

Why legacy PAM falls short

Traditional PAM tools fall into two categories:

●     Vault-led solutions. These rely on storing and rotating static credentials. That works for root passwords on data-center servers, but in cloud-native environments access is defined by entitlements rather than passwords, so a vault covers only a shrinking slice of the access surface.

●     Bastion-led solutions. These insert a proxy or jump server in front of environments. The bastion itself becomes a standing access path, and the sessions behind it still commonly depend on long-lived SSH keys, so they fall short of true just-in-time (JIT) access.

Neither approach aligns with the API-driven nature of modern infrastructure.

The API-led model

An API-led PAM approach provisions and revokes access through native cloud and infrastructure APIs. This model:

●     Covers every category of access, from VMs to cloud databases to Kubernetes.

●     Eliminates static keys and credentials.

●     Provides a user experience far superior to vault- or bastion-based solutions.

The result is privileged access that is short-lived, least-privileged, and auditable by design.
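To make the three properties above concrete, here is a minimal just-in-time access broker, written as an added example for this article (it is not P0 Security's code). A real deployment would call the target system's API behind the `IamProvider` interface (a cloud IAM policy API, Kubernetes RBAC, or a database GRANT/REVOKE); here an in-memory stand-in records the bindings so the example runs offline. All class, method and resource names, and the sample grant in `main`, are assumed for illustration.

```python
"""Just-in-time access broker modelling the API-led PAM flow (illustrative, not P0 code)."""
from __future__ import annotations

import time
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grant_id: str
    principal: str      # e.g. "user:alice@example.com" or a workload identity (assumed)
    resource: str       # e.g. "projects/prod/instances/db-1" (constructed sample)
    role: str           # the narrowest role that satisfies the task
    granted_at: float
    expires_at: float
    justification: str


class IamProvider:
    """What the broker needs from the target system: create, remove and query a binding.
    A real implementation would wrap the cloud IAM, Kubernetes RBAC or database API."""

    def bind(self, principal: str, resource: str, role: str) -> None:
        raise NotImplementedError

    def unbind(self, principal: str, resource: str, role: str) -> None:
        raise NotImplementedError

    def has_binding(self, principal: str, resource: str, role: str) -> bool:
        raise NotImplementedError


class InMemoryProvider(IamProvider):
    """Stand-in for the cloud API so the example runs offline."""

    def __init__(self) -> None:
        self.bindings: set[tuple[str, str, str]] = set()

    def bind(self, principal, resource, role):
        self.bindings.add((principal, resource, role))

    def unbind(self, principal, resource, role):
        self.bindings.discard((principal, resource, role))

    def has_binding(self, principal, resource, role):
        return (principal, resource, role) in self.bindings


class JitBroker:
    """Grants scoped, time-bound access through the provider and revokes it when the
    TTL lapses. Every state change is appended to an audit trail."""

    def __init__(self, provider: IamProvider, max_ttl_seconds: int = 3600, clock=time.time):
        self.provider, self.max_ttl, self.clock = provider, max_ttl_seconds, clock
        self.active: dict[str, Grant] = {}
        self.audit: list[dict] = []

    def _log(self, event: str, grant: Grant, **extra) -> None:
        self.audit.append({"ts": self.clock(), "event": event, "grant_id": grant.grant_id,
                           "principal": grant.principal, "resource": grant.resource,
                           "role": grant.role, **extra})

    def request(self, principal, resource, role, ttl_seconds, justification) -> Grant:
        # Guardrails: no standing access (bounded TTL) and no unexplained access.
        if not 0 < ttl_seconds <= self.max_ttl:
            raise ValueError(f"ttl must be in (0, {self.max_ttl}] seconds")
        if not justification.strip():
            raise ValueError("a justification is required")
        now = self.clock()
        grant = Grant(uuid.uuid4().hex, principal, resource, role, now, now + ttl_seconds,
                      justification)
        self.provider.bind(principal, resource, role)  # the API call that creates access
        self.active[grant.grant_id] = grant
        self._log("grant", grant, ttl=ttl_seconds, justification=justification)
        return grant

    def revoke(self, grant_id: str, reason: str = "manual") -> None:
        grant = self.active.pop(grant_id)  # KeyError if unknown or already revoked
        key = (grant.principal, grant.resource, grant.role)
        # Edge case: another live grant may cover the same binding; only unbind when
        # nobody else still holds it, otherwise we would revoke a valid grant early.
        still_needed = any((g.principal, g.resource, g.role) == key for g in self.active.values())
        if not still_needed:
            self.provider.unbind(*key)
        self._log("revoke", grant, reason=reason)

    def sweep_expired(self) -> list[str]:
        """Revoke every grant whose TTL has lapsed; returns the revoked ids. In production
        this runs on a schedule and before each authorization decision."""
        now = self.clock()
        expired = [g.grant_id for g in self.active.values() if g.expires_at <= now]
        for gid in expired:
            self.revoke(gid, reason="expired")
        return expired

    def is_authorized(self, principal, resource, role) -> bool:
        self.sweep_expired()
        return self.provider.has_binding(principal, resource, role)


if __name__ == "__main__":
    fake = {"t": 1000.0}
    broker = JitBroker(InMemoryProvider(), clock=lambda: fake["t"])
    g = broker.request("user:alice@example.com", "projects/prod/instances/db-1",
                       "roles/cloudsql.client", 600, "incident-42 triage")  # constructed sample
    print("authorized now:", broker.is_authorized(g.principal, g.resource, g.role))
    fake["t"] += 601
    print("revoked on sweep:", broker.sweep_expired() == [g.grant_id])
    print("audit:", [e["event"] for e in broker.audit])
```

The `clock` parameter exists so the expiry path can be exercised deterministically; in production the sweep is driven by real time. Note that the broker never hands the developer a credential: the role binding is created on the target system and removed again, so there is no static key to leak or rotate, and the audit trail records who held which role on which resource, for how long, and why.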

Three core benefits

Organizations adopting this API-led model report gains across three dimensions:

  1. Security posture. By eliminating static credentials and operationalizing least privilege, they cut off common attack vectors such as leaked long-lived keys and over-privileged standing accounts.
  2. Operational efficiency. Automating the workflows for provisioning and deprovisioning access, and for rotating secrets, saves hours of engineering time and removes friction for developers.
  3. Compliance acceleration. Requirements in SOC 2, FedRAMP, and ISO 27001, from identity inventories to access controls, are met automatically, reducing audit overhead.

Closing thought

I believe great work is already happening with early adopters of this new way of thinking and the new identity stack. For CISOs who want to dive deeper, I recently wrote a paper on first principles for identity security, designed to give CISOs a practical framework for tackling these challenges head-on. Check it out.

Struggling to control production access in hybrid or multi-cloud environments?

Get a demo of P0 Security, the next-gen PAM platform built for every identity.