Eliminating Standing Privileges And The Future Of PAM

Expert Insights interviews Shashwat Sehgal, CEO and Co-Founder of P0 Security.

Last updated on May 21, 2026. Written by Joel Witts.

Privileged access management was designed for a world that no longer exists. Production environments can cover multiple clouds and thousands of microservices, and AI agents are starting to make decisions and trigger workflows without any admin input. The traditional PAM model of granting standing privileges and hoping someone remembers to revoke them has to change.

Shashwat Sehgal is the CEO and Co-Founder of P0 Security, the AuthZ Control Plane for modern production environments. Alongside co-founders Nathan and Greg, Sehgal spent years watching security teams struggle to enforce least-privilege across an increasingly complex identity landscape, before AI completely changed the game.

Expert Insights spoke to Sehgal about why traditional PAM is failing in cloud environments, how organizations should be thinking about governing non-human identities, and what it takes to enforce least-privilege at runtime without slowing developers down.

Q. P0 Security is taking a fundamentally different approach to privileged access management for cloud environments. Can you tell us about your background, how the company came together, and what challenges in the PAM space you set out to solve?

I have been in the tech industry broadly for 15+ years, starting out as an engineer and ultimately working my way towards product and the business side. This is where I connect with my co-founders Nathan and Greg, having worked with them both in prior roles, building observability platforms and cloud-managed SD-WAN infrastructure.

We all saw firsthand the exorbitant amount of time that developers spend waiting for access to sensitive production systems, and the frustration and inefficiency that comes with not possessing the right permissions at the right time.

Whether it means troubleshooting an on-call incident, trying to access Snowflake that contains customer data, or deploying a change to a production EKS cluster, developers need access in real time to keep the business moving forward. Our mission is to abstract security away from the developer experience because we believe that they shouldn’t have to think about it. We built P0 to enforce least-privileged access dynamically at runtime so that security is built into the access lifecycle by design, without hindering business velocity.

Q. As organizations shift to cloud and hybrid environments, the footprint that security teams need to protect has changed dramatically: databases, servers, and a much wider range of production resources. What are the challenges facing security teams that make controlling privileged access so difficult today?

The largest shift that we need to acknowledge is that identity is the new perimeter and that privileged production access remains the ultimate prize for attackers.

As the traditional network perimeter dissolves and identity becomes the new frontier, privilege has spread to include new identity types and a proliferation of access paths into sensitive systems. The multi-cloud or hybrid infrastructure that most organizations operate from today makes modern production environments more complex and expansive than ever before. Sensitive systems are now accessed by developers, service accounts, ephemeral workloads and AI agents across vastly distributed environments and dynamic application-layer APIs.

Traditional PAM was designed for static, legacy on-prem infrastructure. Trying to solve today’s reality by retrofitting solutions built for the past has left organizations grappling with static credentials, shared accounts and an unacceptable amount of standing privilege risk.

Q. The concept of Zero Standing Privilege is core to the P0 solution. Can you explain what this means in practice and why you believe this is the future of the PAM space?

Zero Standing Privilege means that no identity maintains excessive or persistent access to sensitive systems. Access is granted just in time, with tightly scoped permissions and automatic revocation once the task is complete. Everything P0 builds aims to support customers in getting to ZSP as efficiently and sustainably as possible.

This model becomes even more important as we move into an agentic future. AI-driven systems are not passive tools. They initiate actions, make decisions and interact directly with production. Authorization becomes the control layer that secures that autonomy.

Securing agent-driven workflows depends on access that is temporary, precise, and fully observable. Permissions should exist only for the exact scope and time needed to complete the task at hand, and every action needs to be fully auditable. Imagine an AI coding assistant embedded in a delivery pipeline that needs permission to release a build into a cloud environment. Instead of holding an always-available deployer role, it would request access for that specific action. The authorization layer validates the request, grants least-privileged and time-bound access, records the session activity, and then automatically revokes access once the job is complete. All within a matter of subseconds, to preserve the business agility these agents are designed to deliver.

As agentic AI becomes more prevalent, this model of dynamic authorization ensures that autonomous systems operate within clear, enforceable boundaries. Zero Standing Privilege has always been best practice but it now becomes mission critical as we address the next generation of access management requirements.

Q. Non-human identities, such as service accounts, API keys, and machine credentials, now vastly outnumber human users in most environments, and AI agents are adding a new layer of complexity. How should organizations be thinking about governing NHIs, and how does P0 approach that problem?

P0 is focused on securing all sensitive systems for our customers – automation, and increasingly AI agents, are a critical part of that infrastructure in modern environments. We don’t see agentic systems introducing new identity problems so much as amplifying existing ones.

Enterprises are increasingly adopting a wider set of automation, internal developer tooling, and AI-driven applications to improve efficiency, automate operational workflows, and accelerate product delivery. The risk is that the technologies often depend on service accounts, workloads, and internal AI agents that operate with excessive and persistent access, creating unacceptable exposure as unfederated adoption scales.

Our platform ensures that agents and all other NHIs operate within the same access constraints as the human end-users that invoke them, enforcing accountability and policy alignment at runtime across every identity type in production. This enables organizations to modernize security alongside business innovation by shifting from reactive monitoring to proactive authorization.

Q. You’ve just announced general availability of NHI Lifecycle Management and Authorization Control for AI Agents ahead of RSAC, with support for AWS Bedrock, Google Vertex AI, and Microsoft Agentic Foundry. Can you tell us about that launch and why you see NHIs and AI agents as an extension of PAM rather than a separate problem?

This launch marks an important inflection point for the market. Organizations are already struggling with fragmentation across identity governance, PAM, cloud security, and now AI security. As agentic AI rapidly moves into production environments, securing it cannot mean introducing yet another standalone tool.

AI agents are identities with delegated authority. They access data, trigger workflows, and act across multiple control planes. From a governance perspective, they are part of the same identity fabric as humans, service accounts, and workloads. Treating them as a separate category only deepens tool sprawl and creates new blind spots.

What the market needs is unification. A single platform that manages the full lifecycle of authorization for every identity, human, non-human, or agentic, with consistent policy enforcement, enforced at runtime. Securing agentic AI is not a future problem. It is very much a present one, and it requires bringing identity governance and privileged access together in a way that reflects how modern systems actually operate.

Q. Enterprise security teams need broad coverage and the ability to govern access across a wide range of production resources and identity types from a single platform. Can you talk about what it takes to deliver that at enterprise scale?

Delivering this at an enterprise scale requires a unified control plane that spans multi-cloud IAM, Kubernetes, SaaS systems, and agentic AI platforms. Modern enterprises need security that keeps pace with the speed, sprawl, and flexibility of today’s environments. Authorization is the layer where you need to control access in order to ensure it is least-privileged, auditable, and as dynamic and scalable as the environments it aims to secure.

By decoupling authentication and authorization, teams can maintain persistent verified identities and introduce dynamic access control, eliminating shared accounts and static credentials while streamlining engineering workflows.

Q. One of the common complaints about PAM tooling is that the user experience is poor, and developers often see security as something that slows them down. How does P0 approach usability, keeping things secure without creating the friction that leads to workarounds?

Security only succeeds when it works with the business, not against it. We integrate access requests and approvals into existing collaboration and development workflows. Least-privileged access is automated wherever possible, so developers can move quickly and securely. Contextual approvals ensure that reviewers understand why access is needed and for how long.

When the secure path is simple and predictable, teams adopt it willingly. Good usability reinforces strong security rather than competing with it.

Q. To close out, for security leaders listening who want to get started on this journey, what are the practical first steps? Where should teams be focusing their priorities when it comes to modernizing their approach to privileged access?

The path forward is incremental but very attainable. Start with gaining visibility across all identities, including non-human identities and especially AI agents. Seek to understand who owns them and what they can access. Next, identify where standing or excessive privilege exists in your sensitive systems. Cloud entitlements, servers, and datastores are good places to start.

Once you have an understanding of where privilege lives, start to remediate that risk by implementing just enough and just-in-time access policies. Most importantly, implement dynamic authorization control that is enforced at runtime rather than relying on static credentials or shared accounts and continuously monitor for anomalous behavior.

If your biggest issue is with non-human identities, start with agents. They’re new, so it’s easier to instrument best practices from the beginning. Teams are paying attention to them right now, and success here builds the muscle for broader NHI governance.

Modernizing privileged access is about taking an identity-first approach to authorization, enforcing least-privilege at runtime so teams can sustainably and securely operate within the realities of cloud and AI-driven environments. Align access decisions with business purposes so that privilege reflects real operational needs.



Written by Joel Witts, Content Director

Joel is the Director of Content and a co-founder at Expert Insights, a rapidly growing media company focussed on covering cybersecurity solutions.

He’s an experienced journalist and editor with 8 years’ experience covering the cybersecurity space. He’s reviewed hundreds of cybersecurity solutions, interviewed hundreds of industry experts and produced dozens of industry reports read by thousands of CISOs and security professionals in topics like IAM, MFA, zero trust, email security, DevSecOps and more.

He also hosts the Expert Insights Podcast and co-writes the weekly newsletter, Decrypted. Joel is driven to share his team’s expertise with cybersecurity leaders to help them create more secure business foundations.