What is PAM?
Also known as: Privileged Access Management
Systems and processes that control, monitor, and audit privileged human access to critical systems. PAM does not generally cover NHIs (non-human identities); machine identities need their own lifecycle tooling, which is where Cremit Argus focuses.
More terms in Identity & access
- Non-Human Identity: Any identity that authenticates or authorizes without a human at the keyboard. Includes API keys, service accounts, OAuth tokens, signing keys, SSH keys, workload identities, and CI runner credentials. NHIs typically outnumber human identities in modern infrastructure by 10x to 50x.
- IAM: The discipline of managing digital identities (human and non-human) and controlling what each identity can do. In a cloud context (AWS IAM, GCP IAM), it refers specifically to the policy and role systems that govern resource access.
- Least Privilege: A security principle: every identity should have the minimum permissions required to do its job, and nothing more. The most common NHI failure is an API key with full admin rights when it only needs to read one bucket.
- Zero Trust: An architectural pattern that treats every request as untrusted by default, regardless of network location, and verifies identity and authorization on every call. For NHIs, this means continuous verification instead of "once issued, always trusted."
- Service Account: A non-human account used by an application, script, or cloud workload to authenticate to other services. Often long-lived, often broadly scoped, often unaudited. A high-value target and a common NHI failure mode.
- Workload Identity Federation: A mechanism that lets a workload in one environment (for example, GitHub Actions) assume an identity in another (GCP or AWS) by exchanging short-lived tokens, without needing a long-lived service account key. Removes the most commonly leaked NHI.