Cyber-attacks in the UK have shifted from episodic to relentless, affecting organizations of every size and stature. The UK’s National Cyber Security Centre recently reported a dramatic rise in major cyber incidents, noting that nationally significant attacks now occur almost every other day.
This trend underlines how traditional security defenses are routinely failing us. Business leaders relying on outdated access controls or traditional perimeter defenses should reconsider their definition of a “privileged user” or risk falling even further behind when it comes to outpacing cybercriminals.
Findings from Keeper Security’s latest global research show that UK organizations are already less prepared than their international peers when it comes to defending against identity-based threats.
Many still struggle to implement zero trust consistently, enforce strong authentication or deactivate privileged credentials when employees depart. With identity now a primary target of attackers, these shortcomings are creating fertile grounds for intrusion.
Every User is a Privileged User
Historically, Privileged Access Management (PAM) was designed to protect a small group of system administrators with elevated rights. This made sense when infrastructure was on-premises, access was tightly controlled and the corporate network served as a reliable perimeter.
But today’s largely hybrid environment looks nothing like the corporate networks of old. The modern enterprise is a sprawling web of cloud services, SaaS platforms, remote workers, partner integrations and machine identities. In this highly integrated environment, privilege is contextual and transient. It is constantly in flux, shaped by the task a user performs, the system they access and the context in which they operate. A marketing executive connecting to a SaaS CRM, an engineer accessing source code, a contractor logging in to a shared platform or an automated workload retrieving secrets from an API can all become privileged access points in an instant.
Attackers no longer only target the small group of admins once labelled “privileged.” Compromising any identity can serve as the first domino. Modern intrusions often begin with something as simple as a phishing email, deepfake voice call or malicious Multi-Factor Authentication (MFA) prompt, culminating in a full-blown compromise through lateral movement and privilege escalation.
We are witnessing the old model of PAM collapsing under its own limitations, reduced to protecting the few, while attackers exploit the many.
A Universal Approach to Identity-Based Threats
Security teams across the UK report that their greatest concerns today are not exploit kits or sophisticated malware, but phishing, impersonation, deepfake-enabled social engineering and supply-chain compromise. These threats all share a common target – people – and they only succeed when organizations rely on fragmented identity controls or inconsistent enforcement.
One of the most troubling patterns we see today is the number of organizations that fail to apply strong authentication across their most sensitive systems. Others keep privileged credentials active long after employees leave, unknowingly leaving doors open for attackers. Even now, with a series of recent high-profile breaches in the UK, too many companies continue to believe they have implemented zero trust successfully, when in reality only fragments of the framework are in place.
Organizations that still view privilege as static are being left behind. In today’s environment, any identity can become privileged in an instant, which is why PAM has to apply to everyone, everywhere. Recognizing this shifts the entire conversation. PAM cannot remain a siloed IT tool. It must become a universal control layer that governs how every identity – human or machine – interacts with corporate resources.
Extending PAM to Everyone Does Not Need to Add Complexity
One of the most common objections to this approach is the fear that treating every user as privileged will increase friction or overwhelm security teams, which stems from outdated assumptions about how PAM works.
Traditional PAM tools required complex vaulting, manual credential rotation and clunky workflows. Applying that model to all users would be impractical, but modern PAM has evolved well beyond legacy limitations.
Today’s cloud-native, zero-trust and zero-knowledge platforms can assess risk in real time with AI, automatically grant just-in-time access and revoke credentials the moment they are no longer needed. They do this without exposing passwords or secrets and, crucially, without requiring users to alter their natural workflows.
In other words, extending PAM to everyone is not the presumed source of complexity it once was. The true complexity comes from clinging to outdated tools that cannot meet the scale, speed or fluidity of today’s access patterns and complex cloud, hybrid and multi-cloud environments.
Modern PAM
If organizations wholly embrace the idea that every user can be privileged, they can adopt PAM designed for this expanded scope. A modern approach should assume that no identity, device or connection is inherently trustworthy. Every request must be authenticated and authorized, and credentials should be encrypted in a way that even the PAM provider cannot access.
Critically, this must happen without impeding productivity. The most effective modern PAM solutions work quietly in the background, adapting to risk and applying least privilege automatically. When access becomes time-bound and credentials ephemeral, organizations eliminate stagnant entry points and dramatically reduce the opportunities for attackers to infiltrate, escalate or persist.
“PAM for all” should be a fluid, intelligent and universal identity control layer that protects organizations without slowing them down.
Identity is the Perimeter
With major cyber-attacks accelerating and identity-based threats becoming the norm, the defensive mindset can no longer focus on a narrow group of administrators. The perimeter has dissolved, and identity is the new battleground. PAM must therefore apply everywhere, to everyone, in every environment.
By treating privilege as dynamic rather than static and by embracing a universal, cloud-native approach, organizations can significantly reduce risk, contain intrusions faster and remove the blind spots that attackers continuously exploit. In a world where identities are the new perimeter and every access point matters, extending PAM to the many and not just the few is the surest path to stronger, more resilient security.