Many organizations still treat shadow AI as a data exposure problem, while it is really becoming an identity governance issue. Every unsanctioned AI integration silently creates new accounts, credentials and identities that operate beyond traditional access controls. Organizations must extend identity-first security controls across every human and Non-Human Identity (NHI) connected to their systems to regain visibility, enforce governance and reduce overall security risks.

What shadow AI actually creates

Shadow AI spreads quickly because modern AI tools require little to no setup. Employees can connect applications, automate workflows and process data almost instantly without involving IT. The tools themselves are rarely the problem. The risk comes from what employees connect them to. Once AI platforms gain access to SaaS platforms, cloud environments and internal databases, they introduce credentials and identities that most security teams don’t know exist and have no framework to govern.

Every unsanctioned AI integration creates new identities and credentials that no one is auditing. Each one adds to a growing inventory of accounts, access points and secrets that IT never provisioned and therefore cannot revoke. When employees create accounts for AI tools, they create identities with their own access scope, data permissions and session histories. These multiply quickly. IT ends up with an invisible cluster of unmanaged identities spread across external platforms, no visibility into what they can access, no way to audit usage and no deprovisioning process when the employee moves on.

When employees go further and connect AI tools to internal systems, they introduce service accounts into organizational environments. These NHIs typically operate entirely outside lifecycle management, credential rotation and access governance. And every integration generates credentials such as API keys, tokens and secrets, that often end up stored in browser extensions or configuration files outside the security perimeter. These credentials are rarely rotated and almost never audited.

The identity governance gap this creates

Traditional identity security was built for human users, IT-provisioned access and defined network perimeters. Shadow AI undermines all three assumptions simultaneously. 

In many enterprise environments, NHIs already outnumber human identities. AI agents with access to a production database represent the same level of privileged access risk as a human administrator with equivalent permissions, but they’re often provisioned without the same scrutiny, monitored without the same consistency and deprovisioned without the same process. 

Our own research reinforces this. Keeper Security’s Identity Security at Machine Speed report found that 43% of cybersecurity decision-makers globally identify AI-related NHI management as a top gap in their identity governance programs. The organizations that recognize this gap are ahead of the ones that haven’t looked yet.

What organizations need to do differently

The response to shadow AI isn’t stricter policies or broader bans. It’s extending identity-first security controls to account for every identity AI tools create, both human and machine, and making governance continuous rather than periodic.

Gain full visibility over AI usage

Organizations cannot govern what they cannot see; they must continuously discover every sanctioned and unsanctioned AI tool, agent, automation and integration operating across their environments. By monitoring their networks, organizations can track application usage and develop controls to limit unapproved AI tools while identifying every NHI those tools create that was never originally provisioned through IT. Beyond discovery, organizations must implement real-time privileged session monitoring and recording to maintain full visibility over AI-driven workflows for continuous audits rather than periodic, retrospective reviews.

Apply identity security to both humans and machines

Every NHI should be subject to the same authentication, authorization and lifecycle management as a human identity with least-privilege access, automated credential rotation and defined deprovisioning tied to the lifecycle of the associated human owner or workload. The same controls that apply to privileged human accounts must also apply to the AI agents and service accounts operating alongside them.

Give employees a viable path

Employees who contribute to shadow AI often do so not because they’re circumventing security but because they don’t know a governed alternative exists. Clear guidance on which tools are approved, for what use cases and under what conditions, and combined with accessible, approved alternatives, addresses the root cause rather than the symptom.

Enhance your identity security to manage shadow AI

Traditional security models were built for human users, IT-provisioned access and defined network boundaries. Shadow AI undermines those assumptions by introducing unmanaged machine identities, credentials and integrations across cloud and SaaS environments each time an employee connects an unapproved AI tool to infrastructure. Organizations that view shadow AI solely as a data leakage issue will miss the underlying danger: uncontrolled identity expansion. To manage shadow AI more effectively, organizations must have full visibility into AI-driven access, governance over both human and machine identities and automated controls for credentials and privileged access. To learn how organizations are adapting their identity security strategies for AI-driven environments, read our latest report.

This is the reality enterprises must now prepare for. Organizations are being targeted regardless of their proximity to conflict, and the assumption that only government agencies are at risk has become increasingly dangerous. The cyber attack surface has expanded, tactics continue to evolve and enterprise security posture must evolve with them.

How cyber warfare is reaching enterprises

The tactics driving modern cyber warfare are no longer aimed solely at federal targets. Nation-state actors increasingly target enterprises as a pathway to broader disruption, whether to access supply chains, exfiltrate sensitive data or cause collateral damage across interconnected infrastructure. At the same time, criminal threats have scaled independently. AI automation has made sophisticated attacks cheaper and faster to execute, and Ransomware-as-a-Service (RaaS) platforms have turned what once required significant resources into an accessible playbook. AI-generated phishing campaigns and autonomous attack tooling are now standard, not exceptions. Enterprises are facing both threats simultaneously, and the defenses required to address them overlap significantly.

The supply chain dimension makes this particularly dangerous. A single compromise can affect every enterprise connected to it, and many of those organizations never considered themselves a target. That assumption is exactly what attackers rely on. Enterprises are not bystanders; they are often the pathway through which attacks succeed at scale. Access to an enterprise network means access to customers, partners, sensitive data and financial systems. Any organization embedded in a complex supply chain can become an attack vector.

Enterprises underestimate the impact of identity on the attack surface

In most large-scale cyber attacks, compromised identities are the primary targets. Cyber attackers use techniques like password spraying and credential harvesting to breach organizations across industries, including healthcare and financial services. In many cases, the entry point can be traced back to a compromised identity, including Non-Human Identities (NHIs) such as service accounts and AI agents.

Keeper Security’s research report, Identity Security at Machine Speed, reinforces this trend, finding that legacy tools and unchecked AI adoption are accelerating identity-based attacks at a pace that many organizations cannot address. In fact, 43% of the 3,200 cybersecurity decision-makers surveyed globally identify AI-related NHI management as a top gap in identity governance. Service accounts with stale permissions, API keys embedded in code repositories and AI agents provisioned outside established governance processes are all gaps cyber attackers exploit, and most organizations don’t have clear visibility into how many of these exist in their environments.

Legacy PAM wasn’t designed for this environment

Most enterprises still govern privileged access using an architecture structured for a traditional era of on-premises environments, human administrators and set network perimeters. That model no longer reflects how modern enterprises actually operate. Organizations must now account for cloud-native environments, distributed workforces, third-party integrations and AI-driven workflows that have dissolved the perimeters legacy Privileged Access Management (PAM) solutions were designed to protect. AI agents, service accounts and other machine identities often remain outside its scope.

The gap isn’t just technical, it’s structural. Organizations that haven’t revisited their PAM architecture in the last 3 years are likely governing only a fraction of their actual privileged-access footprint.

What enterprises must do differently to stay secure

For most enterprises, the gap between their current security posture and what the threat environment entails is wider than it appears. Closing that gap requires a stronger focus on zero-trust security, PAM and least-privilege access.

Adopt zero-trust security

Zero-trust security is built on the principle that no user, device or system is implicitly trusted, regardless of whether it operates inside or outside the network perimeter. Access is granted through continuous verification of identity, context and risk, and revoked as soon as verification fails. For enterprises facing attackers who move laterally through environments using legitimate credentials, zero trust provides a stronger security model by ensuring every authentication decision is continuously validated rather than assumed. 

Extend PAM to NHIs

PAM that stops at human users does not manage all privileged access; it governs only part of it. Administrative and machine-level access to AI training data, deployment environments and critical production systems must be managed with the same level of control applied to privileged human accounts. In practice, that means having unique, verifiable identities for every service account and AI agent, enforced access boundaries and zero standing privileges. 

Enforce least-privilege access

Overpermissioning is generally addressed retroactively through periodic access reviews. Least-privilege access should instead be embedded directly into development and deployment pipelines from the beginning so human and machine identities are provisioned with only the access required for a specific task — nothing more. Preventing unauthorized access at the point of provisioning is much more effective than trying to contain a supply chain compromise after the fact. 

Monitor and audit all activity

Full visibility isn’t optional when cyber attackers can operate within environments using compromised yet legitimate credentials. Human and NHI activity must be continuously monitored, recorded and logged across all privileged sessions and automated workflows. The goal is to detect privilege misuse, data exposure and suspicious behavior before incidents escalate and cause broader damage. 

Demand supplier assurance

An enterprise’s security posture is only as strong as the weakest link in its supply chain. Any vendor with access to your infrastructure through data, software or integrations can become an entry point for attackers. Self-attestation is not enough. Suppliers should be required to demonstrate compliance through independent assessments and verifiable controls. 

Prepare for cyber warfare’s collateral damage

Cyber warfare reaching enterprises is nothing new. What has changed is the level of automation behind these attacks and the scale at which they can now operate. There is no practical reason to assume an enterprise will be overlooked. Organizations must evaluate whether their current security strategy is equipped to withstand modern cyber threats. If your organization still operates with tools that were never designed for cloud-native environments or NHIs at scale, the governance gap in identity access and supply chain security may be wider than it appears. KeeperPAM is built to help close that gap.

Hosted by National Technology News, the National Technology Awards celebrate organisations and technology leaders driving excellence, innovation and transformation across the UK technology sector.

The award recognises Keeper’s commitment to helping organisations strengthen cybersecurity through a unified platform built on zero-trust and zero-knowledge architecture.

What the judges said

The judges selected Keeper Security for delivering:

A highly innovative toolset designed to address the complexity of a challenging sector with strong effectiveness and impact.

As organisations face growing cybersecurity complexity, the need for unified, enterprise-ready security platforms has never been greater. From credential-based attacks and privileged access risks to compliance pressures and hybrid work environments, IT and security teams are being challenged to secure critical systems without slowing down the business.

Keeper Security was recognised for helping address these challenges with a platform that simplifies identity and access security while giving teams greater visibility and control. 

An innovative toolset for modern organisations

Keeper Security provides integrated tools for managing and protecting access across the enterprise, including:

• Enterprise password management
• Privileged access management
• Secrets management
• Endpoint privilege management
• AI threat detection and response

Trusted by organisations worldwide, Keeper Security helps reduce cyber risk while supporting productivity and day-to-day operational efficiency.

Built for scalability and ease of use, the platform enables organisations to enforce least-privilege access, secure critical infrastructure and manage identity security without introducing unnecessary friction for end users or IT teams.

This recognition from the National Technology Awards reflects Keeper Security’s continued commitment to delivering innovative cybersecurity solutions that help organisations defend against modern cyber threats.

Book a demo to see how Keeper Security can help your organisation reduce cyber risk and secure access across your enterprise.

The concentration of access to critical systems is what makes MSSP security uniquely high-stakes. Since MSSPs centralize administrative access across multiple client environments, one breach can expose multiple organizations simultaneously. This reinforces the need for strong security practices. 

Continue reading to learn more about MSSPs, how they support organizations and how Keeper^® helps protect client environments.

What do MSSPs do in cybersecurity?

MSSPs protect client IT environments by delivering a variety of security services. From monitoring networks to managing access, MSSPs help organizations reduce risk, detect threats early and maintain compliance across systems.

Network security monitoring

MSSPs continuously monitor network traffic to identify unusual patterns and potential threats. By analyzing behavior across environments and systems, MSSPs can detect suspicious activity, such as unauthorized access attempts or data exfiltration, before it escalates into a breach.  This proactive approach is crucial for securing multiple client environments at once.

Identity and Access Management (IAM)

One of the main responsibilities MSSPs have is controlling who can access data and systems. This includes managing user identities, assigning permissions and enforcing access policies consistently across environments. Strong IAM practices help minimize the risk of unauthorized access, limit credential abuse and ensure users have only the access they need.

Endpoint management

MSSPs help secure endpoints, including laptops and servers, by monitoring for threats, identifying vulnerabilities and helping organizations maintain strong security configurations. Depending on the MSSP, some also provide vulnerability and patch management services.

Threat detection and incident response

MSSPs work to identify threats early and help contain potential damage. This includes monitoring alerts, investigating behavioral anomalies and taking initial action to contain security incidents. Early detection is critical – but full remediation typically involves coordination between the MSSP, the client and, in serious cases, dedicated incident response resources.

Compliance and reporting

Many organizations must meet regulatory requirements such as SOC 2, HIPAA, PCI DSS and CMMC frameworks. MSSPs support those efforts by maintaining detailed audit trails, generating reports and helping verify that security controls are in place. Compliance remains the client’s responsibility; MSSPs help simplify the process by providing visibility, reporting and documentation. 

How MSSPs secure client environments

To effectively protect client environments, MSSPs must enforce strict security measures around credential management and privileged access. Because MSSPs often have privileged access across systems, even a small security gap can create devastating consequences. Here are the top ways MSSPs can reduce risk for their clients:

Top cybersecurity tools MSSPs need

MSSPs rely on a combination of cybersecurity tools to protect their clients’ identities, credentials and infrastructure. These solutions collaborate to reduce risk, control access and provide visibility across all managed environments.

Password management

A password manager provides secure storage and sharing of credentials across teams and clients. Instead of using insecure methods like spreadsheets, MSSPs can centralize credentials in an encrypted vault, ensuring they are protected and accessible when necessary. Strong password management helps eliminate password reuse and significantly reduces the likelihood of credential-based attacks.

Privileged Access Management (PAM)

A PAM solution enables organizations to control and monitor access to critical systems and sensitive data. MSSPs can enforce Just-in-Time (JIT) access, grant elevated permissions only when necessary and revoke access afterward. PAM solutions also enable session monitoring and recording, providing full visibility into privileged activity.

Secrets management

A secrets manager protects sensitive data, including API keys, service accounts and other Non-Human Identities (NHIs). By centralizing and securing these secrets, MSSPs can prevent secrets sprawl and reduce the risk of exposure in scripts, code and infrastructure, which is especially important in DevOps environments.

Endpoint privilege management

Endpoint privilege management helps MSSPs control local administrative rights on devices. MSSPs can enforce least-privilege access on endpoints to better prevent unauthorized privilege escalation and reduce the attack surface, ensuring that users and applications are assigned permissions strictly based on operational need.

How Keeper^® supports MSSPs

Keeper’s unified identity security platform combines the fundamental tools that MSSPs need to secure client environments. By consolidating password management, secrets management, privileged session management and endpoint privilege management into a single solution, Keeper helps MSSPs simplify and enhance security across all managed client environments. Here are the key areas in which Keeper supports MSSPs:

Secure client environments with KeeperMSP

MSSPs play a major role in helping organizations defend against modern cyber threats. By managing complex infrastructure, monitoring systems and controlling access across environments, MSSPs enable organizations to stay secure without requiring large internal teams.

However, this responsibility requires MSSPs to have strong access controls, secure credential management and full visibility into user activity. Keeper offers a unified identity security platform ideal for MSSPs seeking to strengthen their security posture. By combining multiple essential cybersecurity tools into one solution, Keeper enables MSSPs to secure client environments and reduce security risks with confidence.

Start your free trial of KeeperMSP today to strengthen access controls, protect credentials and secure client environments.

We’re excited to announce Workflow for KeeperPAM — a new capability that eliminates standing privilege by ensuring every access request is explicitly made, approved and time-bound. This capability ensures that access to PAM resources is time-bound, eliminating standing privilege, mitigating unnecessary risk and simplifying least-privilege compliance. 

With Workflow enabled, users must request or check out a resource, and an authorized approver grants or denies the request, with access automatically expiring at the end of the configured window. Single User Mode with Check-In/Out restricts access to one user at a time, while exclusive access control enforces a mandatory approval gate to keep every access event authorized and auditable. Optional Multi-Factor Authentication (MFA) re-authentication adds an extra layer of identity verification at the point of access. By leveraging Workflow, organizations gain the enforcement layer needed to strengthen privileged access governance and operationalize least privilege directly inside the Keeper Vault.

Automatically convert Keeper security alerts into actionable Jira tickets 

The Keeper Security ITSM Integration is a Forge-based application that automatically converts security alerts from Keeper into actionable Jira tickets. Security alerts are received from Keeper via webhooks and automatically create Jira issues with complete alert details, including raw JSON payloads for full audit trails. This integration enables security teams, IT administrators and compliance officers to respond to security incidents immediately without manual ticket creation.

Achieve passwordless zero-trust database access, monitoring and AI-assisted administration with KeeperDB

We’re excited to introduce KeeperDB — a secure, full-featured database management tool built natively into the Keeper zero-knowledge platform. Traditional clients like MySQL Workbench, DBeaver and SSMS leave credentials sprawled across endpoints and database connections unmonitored. KeeperDB eliminates that tradeoff entirely: Every privileged session is visually recorded, every credential is kept off the endpoint and zero driver installation is required. 

KeeperDB supports PostgreSQL, MySQL/MariaDB, SQL Server, Oracle, Amazon Redshift and SQLite through a single interface. It also includes KeeperAI, an embedded DBA co-pilot for natural-language queries, chart generation and performance triage. Teams that prefer existing tools can use KeeperDB Proxy, which injects Gateway-fetched credentials at connection time without exposing them to users. A built-in real-time performance monitor with process lists, blocking chain analysis and one-click session termination gives DBAs the operational visibility they need without ever leaving the platform. KeeperDB is available as an embedded session launched directly from KeeperPAM records and as a standalone desktop app for macOS, Windows and Linux.

Keeper Secrets Manager SDK and integration highlights

Two powerful updates introduced earlier this year to Keeper Secrets Manager (KSM) make the platform more secure and easier to deploy. KSM CLI 1.3.0 raises the bar on credential protection by leveraging your operating system’s native secure storage, including macOS Keychain, Windows Credential Manager and Linux Secret Service, to safeguard Keeper device identity information by default. This eliminates the risk of sensitive credentials being stored in a plain keeper.ini file on disk. Ansible Integration 1.4.0 removes a key friction point for teams running KSM in Ansible Automation Platform. The update bundles essential system packages (openssh-clients, sshpass, rsync and git) directly into the Tower Execution Environment Docker image so automation pipelines are ready to go right out of the box.

New in Keeper Secrets Manager: Cloud Integrations, AI Workflows & Security Hardening

In April we expanded KSM’s reach across cloud, CI/CD, and AI workflows. JavaScript Cloud KMS Storage 1.0.0 delivered encryption integrations for all four major cloud providers — AWS KMS, Azure Key Vault, GCP Cloud KMS, and Oracle Cloud Infrastructure Vault — with support for symmetric and asymmetric keys, key rotation, and flexible authentication. The KSM GitHub Action 1.3.0 added write-back capability, enabling pipelines to generate and persist credentials to the vault, not just retrieve them. The Go SDK 1.7.0 brought HTTP proxy support, automatic region detection, and GraphSync link sharing, while the Terraform Provider introduced ephemeral resources for all 25 record types, keeping secrets out of state files entirely. The new KSM AI Agent Kit rounded out the release, connecting Keeper directly to AI coding agents including Claude Code, Cursor, Codex, and GitHub Copilot, so developers can retrieve secrets and execute admin workflows from the terminal.

Updates in May focused on security hardening across the Python KMS storage layers for Oracle and GCP, with AES-GCM nonce corrections, SHA-256 upgrades, thread-safety improvements, and a safer default that prevents plaintext credentials from being written to disk. The Rust SDK resolved critical OpenSSL CVEs and migrated its TLS backend to aws-lc-rs, laying the groundwork for FIPS 140-3 compliance.

Streamline privilege management with centralized approvals

Endpoint Privilege Manager (EPM) approvals are now unified in a single global “Approvals” screen within the Admin Console, consolidating elevation requests across all request types and platforms into one streamlined workflow. Administrators can configure team-based approvers and escalation rules to reduce administrative overhead while ensuring consistent governance and access control across the organization.

Multi-account switching, PAM session launch and smarter URL linking on browser extension

Have more than one account? Keeper supports multiple vaults in the same browser, making it easy to seamlessly switch between personal and business accounts without logging out of an active session. Simply click the user icon in the upper-right corner of the extension window and select the account you want to switch to. Keeper also now supports launching privileged access management sessions, including Machine, Database and Browser record types, directly from the browser extension. A new Launch button on eligible records redirects users to the web app to initiate sessions instantly, bringing PAM access one step closer to wherever you’re already working. Additionally, users can now quickly link multiple websites to a single record for autofill. When editing a record in the browser extension, the current site’s base URL is suggested under the matching record’s “Additional URL” field for easy one-click adding.

Never miss an important Keeper notification on mobile

Stay on top of vault activity with the new in-app Notification Center on iOS and Android, a centralized hub for managing security alerts, access requests, device approvals and more in one place. Users can filter between all and unread notifications at a glance and approve or deny sharing requests and new device login attempts with a single tap. Unread indicators help ensure time-sensitive updates are not missed, while seamless navigation allows users to return to records without losing their place.

Everything you need to manage enterprise subscriptions, now built into the console

Keeper Admin Console 17.8.0 delivers meaningful upgrades for enterprise and MSP administrators. In-Console Checkout allows eligible administrators with a valid credit card on file to purchase additional licenses, upgrade plans and add new products without leaving the Admin Console. MSP administrators can also activate the PAM add-on directly from the Subscriptions page using a consumption billing model with configurable license limits, consistent with the existing Keeper EPM experience. 

Launch multiple concurrent sessions from a single PAM resource

Users can now launch multiple simultaneous sessions from a single PAM resource or Template without duplicating resources. All active sessions are grouped under their parent resource in the Connection Dock, each with unique session details and handled independently, so closing one session does not affect the others. From the resource record, users can search for and focus on any active connection or terminate all associated sessions at once.

Keeper Secrets Manager integration with Harness CI for dynamic secrets retrieval

The Keeper Secrets Manager Harness CI Plugin enables secure, dynamic retrieval of secrets directly within Harness CI pipelines. Teams can pull credentials and secure files from the Keeper Vault, set secrets as build arguments and authenticate using a One-Time Access Token, Base64 token or JSON config file. Secrets are written to a shared workspace path and automatically masked in pipeline logs to help prevent exposure.

Empower administrators and security teams to manage Keeper Vault operations directly within ServiceNow

The Keeper Vault ServiceNow Workflow App brings enterprise secrets management directly into your existing workflows with no context switching required. Security teams and administrators can approve or deny EPM requests in real time, grant or revoke user access to records and folders (including one-time shares) and search, store and manage secrets across the Keeper Vault without leaving the ServiceNow platform.

Automate password rotation across leading SaaS platforms

Automated password rotation for cloud-based services is a powerful new capability designed to strengthen your security posture and simplify compliance. The feature enables teams to define custom rotation criteria and trigger password updates on a schedule or on demand, eliminating the risks associated with static, long-lived credentials. Automated rotation is now supported across a broad range of SaaS platforms, including Okta, Snowflake, REST, AWS Access Key, Azure Client Secret, Cisco IOS XE and Cisco Meraki, with logic tailored to each service’s unique requirements. Whether managing a handful of integrations or a complex multi-cloud environment, teams gain greater control over credential security without the manual overhead.

Introducing the Discovery Rules Engine for automated resource management

The new Discovery Rules Engine gives administrators fine-grained control over how Discovery jobs enumerate, process and store resources. Ordered rule sets are assigned to Gateways and evaluated sequentially during Discovery execution, automatically adding eligible resources, filtering out noise or prompting for action on specific entities. Administrators can create, edit, copy, enable/disable and delete rules through a dedicated management surface with built-in draft/deploy states, validation and auditing. Only users authorized to run Discovery jobs can create and manage rules, ensuring governed, streamlined onboarding with fewer false positives.

Experience frictionless authentication to the Keeper Vault with biometric login

The Keeper Web Vault now supports biometric login with a passkey, allowing users to authenticate using a device-bound passkey that replaces all traditional login methods, including a master password, Single Sign-On (SSO) and Two-Factor Authentication (2FA). Users can log in to the web vault or desktop app using supported biometric authentication, including facial recognition or fingerprint scanning. When biometric login is enabled, users can sign in instantly without entering a master password or navigating SSO. This feature is now aligned with Keeper’s browser extension, which launched biometric login with a passkey last year. This increases the convenience of using Keeper while enhancing account security.

Effortless WiFi record creation and sharing, now on Keeper web and desktop

The WiFi Login record type that first launched on Keeper’s iOS app is now available on the web and desktop app, making it easier than ever to securely store and share WiFi credentials. Each record captures essential details, including the network name, password, encryption type and network visibility. Users can also generate a shareable QR code directly from the record, allowing iOS devices to join the network instantly by scanning the code.

Manage Keeper as code with the Terraform Provider for Commander

Terraform Provider for Commander enables organizations to manage Keeper Security enterprise and MSP configuration as infrastructure-as-code. The provider uses the Keeper Commander Service Mode REST API to manage your Keeper resources from Terraform, providing declarative config, version control and a clear audit trail while maintaining Keeper’s zero-knowledge infrastructure.

Browser extension eliminates autofill conflicts, adds anti-phishing alerts and custom fields 

The Keeper Browser Extension now prompts users to set Keeper as their default password manager, eliminating conflicts with built-in password managers across Chrome, Edge, Firefox, Brave and Opera for a seamless autofill experience. A new Verify Mode anti-phishing feature monitors paste actions and warns users in real time before credentials are submitted to an unrecognized or mismatched site, with three configurable protection levels (Medium, High and Maximum) to suit different security preferences. Users can also add Custom Fields directly from the browser extension to store masked sensitive data like PINs, security questions or private notes alongside any login record, with drag-and-drop reordering for easy organization.

Redesigned Security Audit for iOS 

Your view into your vault’s security health just got even better. The fully redesigned Security Audit on Keeper’s iOS app features a new, easy-to-understand security score and actionable dashboard that gives you an instant snapshot of your overall security posture. Use the new action cards to quickly boost your score by updating weak passwords, enabling two-factor authentication or rotating reused credentials in just a few taps. The refreshed records list also makes it easier to prioritize what matters most, with clear password strength icons and improved sorting and filtering options.

Control how you view your vault with Dark Mode, now available in the Keeper Web Vault and Desktop App

Keeper Web Vault now offers Dark Mode, addressing the growing market demand for greater user interface customization and visual comfort. Dark mode has become a staple expectation across modern applications, and this addition aligns Keeper with evolving user preferences and industry trends. The benefits are also practical, including reduced eye strain in low-light environments, improved readability and a more personalized experience overall. Dark mode also ensures a consistent look and feel across platforms, allowing users to move seamlessly between web, desktop and mobile environments.

Seamless session continuity and new in-session controls

The Vault 17.6 release brings a set of meaningful improvements to active KeeperPAM sessions. Connections that are unexpectedly interrupted now automatically attempt to reconnect after a timed countdown, with no configuration required, allowing users to resume work without manually re-establishing the session. RDP sessions now support file transfer, making it easier to move files between a local machine and a remote environment without leaving the active connection. A new action button in remote connections also lets users send specific key events (such as Ctrl+Alt+Delete) directly from the session, giving administrators finer control during live privileged sessions.

Remote Browser Isolation gets a major upgrade

KeeperPAM’s Remote Browser Isolation (RBI) experience has been substantially enhanced in the latest release, making it a more capable and intuitive environment for privileged web-based access. Users can now open and manage multiple tabs within an RBI session, upload and download files directly from the remote browser and take advantage of persistent sessions configured per-user or per-resource to reduce the friction of repeated logins. Day-to-day usability improvements include a right-click context menu for copy, paste, and opening links in a new tab, as well as native JavaScript alert support for more complete website compatibility. Security and access control have also been strengthened. HTTP Basic Auth now autofills within RBI sessions, and the new Launch-As option allows shared users to select their own credentials at session launch, ensuring access is properly attributed without requiring separate records.

Expanded SSH authentication and native CLI access

KeeperPAM now supports a significantly expanded set of SSH authentication options delivered through both the Vault and Keeper Gateway 1.8.0. Teams can authenticate SSH connections using Public Key Certificates and Private Key Passphrases, and organizations that rely on CA-signed keys now have full certificate-based authentication support. PAM Users also gain Private PEM Key support, mirroring the Service Account Keys capability available for Google Cloud PAM Configurations — making SSH credential management more consistent across environments. Together with KeeperDB, these enhancements extend native CLI-level access to both SSH and database resources, allowing privileged users to connect through their preferred tools while Gateway 1.8.0 handles credential injection, session recording and zero-trust enforcement behind the scenes.

Various improvements to the Commander CLI

Keeper Commander is constantly improving. Here is our latest set of new commands:

• Automation Commands – AD user creation via Gateway with support for username templates
• Domain Alias Commands – Commands for managing domain aliases
• PAM Launch – Added “Connect As” options to pam launch
• PAM Tunnel – Enhanced pam tunnel diagnose with full gateway readiness testing

For a full list of Keeper Commander updates, visit our Release Notes.

Today’s cyber threats rarely begin with sophisticated malware or brute-force attacks against firewalls. Instead, cybercriminals target the easiest and most effective entry point into any organization: identities.

IBM’s 2025 Data Breach Report reinforces the growing emphasis on identity-based attacks, pointing out how attackers are simply “logging in rather than hacking in.” Compromised credentials, weak passwords, phishing attacks and unmanaged privileged access are now fueling the majority of successful breaches. Once attackers gain access to a legitimate account, they can often move through systems undetected, bypassing traditional security controls entirely.

This shift has created a new reality for MSPs. Businesses are looking for more than providers that solely troubleshoot IT issues and keep systems running smoothly. Managed companies as a whole have elevated their expectations. They’re gravitating toward strategic providers that can help secure access to critical systems, applications and data in an environment where identities have become a primary target.

Identity security has transitioned beyond a standalone add-on service. It’s a key component of modern cybersecurity strategy and a major opportunity for MSPs initiating the conversation.

The cybersecurity perimeter has changed

Traditional cybersecurity strategies were originally formed to protect the network perimeter. Firewalls, VPNs and endpoint protection platforms were built to block unauthorized access and prevent attackers from infiltrating corporate environments. 

Since then, cloud adoption, hybrid work and SaaS sprawl have fundamentally changed how organizations operate. Employees now access business-critical systems from anywhere, often across hundreds of applications and environments.

As a result, identity has become the new perimeter.

Consider a typical SMB client environment managed by an MSP today: Microsoft 365, Salesforce, QuickBooks, VPN access, RMM platforms, remote desktop tools and dozens of SaaS applications, all accessed remotely across countless devices and locations.

In many cases, compromised credentials grant attackers broad access into environments without triggering traditional malware alerts. Rather than attempting to break through hardened infrastructure, attackers target employees through phishing, baiting and pretexting tactics. 

A single compromised password can potentially expose:

• Email platforms
• Cloud storage
• Financial systems
• Administrative consoles
• Remote access tools
• Customer databases

Since login attempts often appear legitimate, traditional security tools may fail to detect a compromise until severe damage has already occurred.

For MSPs, this means security conversations must expand beyond traditional topics like endpoint protection, firewall management, network monitoring and infrastructure maintenance. Protecting identities and controlling access has become just as critical as securing infrastructure. 

Traditional password practices are still failing

Although cybersecurity technology continues to advance rapidly, many organizations still rely on their employees to manage credentials manually.

The results are predictable:

• Weak, overused passwords
• Many shared accounts
• Credentials stored in spreadsheets or browsers
• Limited visibility into privileged access
• Inconsistent Multi-Factor Authentication (MFA) adoption

MSP technicians frequently inherit systems filled with shared admin credentials, spreadsheets containing passwords, unmanaged service accounts and former employee logins that were never properly deprovisioned. As MSPs onboard more customers and technicians, credential sprawl and inconsistent access management become increasingly difficult to control. 

According to Verizon’s 2025 Data Breach Investigations Report, stolen credentials remain the leading access vector in security breaches, accounting for 22% of incidents. Employees are also overwhelmed by the number of accounts they manage daily. Human behavior naturally prioritizes convenience, which often leads to security gaps.

This places MSPs in a challenging position. Clients expect stronger security outcomes, yet many still lack the foundational controls required to reduce identity-related risk.

Maintaining strong passwords no longer suffices. Businesses need centralized identity security strategies that combine:

• Secure credential management
• Multi-factor authentication
• Privileged access controls
• Secure credential sharing
• Access visibility and auditing
• Zero-trust principles

Modern phishing kits now include Adversary-in-the-Middle (AiTM) capabilities that intercept MFA sessions and steal authenticated tokens in real time. Verizon’s report also highlights the continued rise of token theft and MFA bypass attacks targeting  Microsoft 365 environments. Just as importantly, these controls must be simple enough for users to adopt consistently.

MSPs are transforming into security advisors

Customers are increasingly turning to providers for cybersecurity guidance, compliance readiness and risk management expertise. According to the 2025 Global MSP Benchmark report, 76% of MSPs recognize their clients are most concerned about security, while 64% state their clients expect guidance on security best practices, not just tools. 

In many scenarios, MSPs are functioning as outsourced security teams for small and midsize businesses that lack internal resources. This kind of opportunity comes with an even greater responsibility.

The MSPs gaining traction today are the ones transitioning from reactive support models to become strategic security advisors. They are proactive in their approach, posing vital questions like:

• Who in your organization has access to sensitive systems?
• How is privileged access controlled?
• Are credentials being shared securely?
• Can access be revoked immediately when employees leave?
• Is your organization prepared for upcoming compliance audits?
• Are identity-related risks being actively monitored?

These types of questions resonate because they connect cybersecurity directly to immediate and long-term business outcomes.

Security is no longer limited to just preventing attacks. It’s also about:

• Ensuring customer trust
• Minimizing operational disruption
• Supporting compliance requirements
• Prioritizing cyber insurance readiness
• Enabling stronger security at scale 

Identity security lives at the center of all of it.

Since MSPs maintain elevated administrative access across so many client environments, they too have become high-value targets for attackers. A single compromised technician credential can create downstream risk across an entire customer portfolio.

That reality is driving increased investment in Privileged Access Management (PAM) and identity security controls.

Simplicity matters as much as security

One of the most inaccurate assumptions organizations make is that stronger security brings greater complexity. Effective PAM solutions are designed to eliminate burden through cloud-native, agentless architecture that won’t disrupt operations. Deployment can be completed in days, not months.

However, overly complicated security environments often produce new vulnerabilities. If employees find tools too difficult to use, they work around them. If technicians struggle to manage security policies at scale, enforcement becomes inconsistent.

For MSPs, operational simplicity speaks volumes. And the most successful security solutions will:

• Easily scale across client environments
• Reduce administrative overhead
• Improve user adoption rates
• Simplify onboarding and offboarding
• Decrease help desk burden
• Integrate seamlessly into existing workflows

This is particularly crucial for providers trying to balance growth, staffing constraints and recurring revenue.

The security solutions that stand out are those that enhance protection while reducing operational friction.

Why identity security has become a growth opportunity for MSPs

As businesses face growing pressure from attackers, cyber insurance providers and compliance mandates, demand for identity-centric security services continues to skyrocket. Organizations are interested in reliable partners that can secure access across increasingly complex infrastructures. 

Cyber insurance providers and compliance frameworks are also compelling businesses to strengthen identity security controls, particularly around MFA, privileged access management and credential governance.

This heightened demand creates new opportunities for MSPs to: 

• Boost profitability
• Attract more prospects
• Strengthen their reputation 
• Differentiate themselves from competitors
• Deepen existing customer relationships

In many ways, identity security has become the primary foundation for modern managed security services.

How KeeperMSP fits in

As MSPs adopt identity-first security strategies, they need platforms that are powerful, highly compliant and operationally efficient.

KeeperMSP is designed specifically to help providers secure and manage identities across their customer base through a centralized, multi-tenant platform.

With KeeperMSP, providers can deliver:

• Enterprise password management
• Privileged access management
• Secure credential sharing
• Zero-trust security architecture
• Role-based access enforcement
• More visibility and detailed audit reporting
• Agentic AI threat detection and response

Instead of technicians manually distributing credentials through spreadsheets, ticket notes or chat platforms, MSPs can streamline access across internal teams and customer environments through Keeper’s zero-trust architecture.

This not only improves security posture, but streamlines onboarding, offboarding and daily access management across tenants.

Security tools that are tough to deploy, manage or adopt ultimately increase friction for both providers and their customers. KeeperMSP eliminates common barriers while improving visibility and control across every managed environment. 

For MSPs, that means:

• Faster deployment and onboarding
• Simplified administration
• Reduced support overhead
• Scalable security operations
• Higher recurring revenue 

For customers, it means better protection against credential-based attacks.

The future of MSP security is identity-first

Managed companies no longer need providers that simply oversee infrastructure and endpoints. Ensuring operational uptime and handling routine support requests are nothing more than standard practice. Delivering exceptional IT support isn’t unique anymore.

Small to medium-sized businesses need partners who can confidently guide them through a cybersecurity landscape where identities, access and privileged credentials are among the top targets for attackers.

That is why identity security has become the new MSP imperative.

The MSPs that succeed in the next phase of cybersecurity will not be the ones offering the most tools. They will be the ones that simplify security, minimize identity-related risk and scale zero-trust principles across their client portfolios. 

Start your KeeperMSP free trial today. 

Continue reading to learn more about PAM, ITDR and why organizations should combine them to strengthen their response to identity-based threats.

What is Privileged Access Management (PAM)?

Privileged Access Management (PAM) secures, controls and monitors access to an organization’s most critical systems and sensitive data. It focuses on privileged accounts, including administrator and service accounts, that have elevated permissions and can make major changes across IT environments. These accounts are valuable targets for cybercriminals because they provide direct access to sensitive data and enable lateral movement across networks. If compromised, privileged credentials can give attackers broad access to significant portions of an organization’s infrastructure. Key capabilities of modern PAM solutions include:

• Credential vaulting: Securely stores and manages privileged credentials
• Secrets management: Protects human and machine credentials, including API keys
• Just-in-Time (JIT) access: Grants temporary access only when necessary, eliminating standing privileges
• Least-privilege access: Ensures users have the minimum level of access needed to perform their tasks
• Session monitoring and recording: Tracks and records privileged sessions to provide full visibility and auditing
• Password rotation: Automatically updates credentials to prevent reuse

What is Identity Threat Detection and Response (ITDR)?

Identity Threat Detection and Response (ITDR) is a security layer focused on monitoring, detecting and responding to identity-based cyber threats. As organizations increasingly rely on cloud applications, Identity Providers (IdPs) and Identity and Access Management (IAM) solutions, cybercriminals have begun shifting their focus from endpoints to identities.

While IAM solutions act as preventative controls, they are not built to detect or respond to attacks that use compromised identities, which is where ITDR becomes essential. Unlike traditional security tools such as Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR), which focus on endpoint activity and network telemetry, ITDR protects identity infrastructure by analyzing authentication activity and user behavior. Several key capabilities of modern ITDR include:

• Behavioral anomaly detection: Identifies suspicious login patterns, privilege escalation or privileged activity after business hours
• Real-time alerts of suspicious activity: Flags potential threats like credential misuse or unauthorized access attempts as they happen
• Risk scoring and identity correlation: Aggregates identity signals to assess risk levels and connect related activities across multiple systems
• Automated responses for remediation: Terminates sessions, revokes access or locks accounts to stop potential threats quickly

Why PAM and ITDR should work together

PAM and ITDR are most effective when implemented together because they address both access control and threat detection. Because identity is such a valuable attack vector, organizations need both capabilities to protect against identity-based threats. PAM focuses on limiting access to critical systems, while ITDR continuously monitors activity; together, they create a holistic identity security strategy. However, relying on only one of these approaches creates significant security gaps:

• Without ITDR, PAM has no real-time threat detection. If a cybercriminal compromises privileged credentials, they can operate with approved access and go undetected.
• Without PAM, ITDR generates alerts without the ability to act. Security teams may detect suspicious activity, but they cannot enforce least-privilege access or prevent further privilege escalation.

Together, PAM and ITDR also satisfy compliance requirements that neither can meet on its own. CMMC requires both privileged account monitoring and detailed audit logging of privileged activity, capabilities that span both disciplines. SOC 2, HIPAA and ISO 27001 similarly require granular access controls alongside continuous monitoring. PAM and ITDR together provide the audit trails, access governance and real-time oversight these frameworks demand. 

How Keeper^® delivers PAM and ITDR capabilities

Keeper delivers PAM and ITDR capabilities through a unified, cloud-native platform built on a zero-knowledge architecture. Vault contents are end-to-end encrypted and inaccessible to Keeper. Session recordings, audit logs and behavioral alerts are available to authorized administrators, giving security teams full visibility without compromising the zero-knowledge model for stored credentials. KeeperPAM covers the access control layer: credential vaulting, secrets management, JIT access, automated password rotation, privileged session management and MFA.

For ITDR, KeeperAI^® provides session-level behavioral analytics, builds per-user and per-account baselines and flags activity that deviates from expected patterns in real time. Keeper Endpoint Privilege Manager extends this to the endpoint level, enforcing least-privilege controls and monitoring privilege elevation events across protocols, including SSH, RDP, VNC and database sessions. Together, they enable organizations to identify privilege misuse even when legitimate credentials are used.

Looking ahead, Keeper will continue to strengthen these capabilities with the upcoming addition of User and Entity Behavior Analytics (UEBA), expanding visibility into identity-based risks and enabling more advanced detection of unusual behavior.

Enhance your identity security strategy with Keeper

Securing modern organizations requires controlling both who or what has access and how that access is used. PAM reduces risk by enforcing granular access controls and limiting credential exposure, while ITDR provides the visibility needed to detect and respond to suspicious activity in real time. Together, PAM and ITDR create a comprehensive security strategy that addresses both prevention and detection. Keeper’s unified identity security platform brings these capabilities together for enterprise-scale security by combining PAM controls with ITDR functionality to protect critical systems.

Start your free trial of KeeperPAM today to strengthen your identity security strategy.

Gartner is the world’s leading technology research and advisory firm, and this report tracks revenue growth across the global security software market annually.

Ready to see KeeperPAM for yourself and understand how you can secure every human, machine and AI agent across your organization? Request a demo today.

What drove the growth

Organizations are moving away from point solutions and separate tools for password management, secrets management, privileged access and remote connections in favor of integrated platforms that handle all of these capabilities within a single architecture.

Security buyers are also paying closer attention to how AI is actually embedded into products. The vendors gaining ground in 2025 were those that used AI to make security teams faster and more effective, not the ones that applied an “AI-powered” label to existing features without changing the underlying capability.

What this means for organizations evaluating PAM

The PAM market is consolidating. Buyers increasingly want a single vendor that can manage credentials, secrets, privileged sessions and infrastructure access with audit trails, zero-knowledge architecture and enterprise-grade controls built in from the start.

KeeperPAM delivers all of these capabilities through a unified platform. There’s no need to stitch together separate tools, manage fragmented audit logs or deal with gaps where credentials fall through the cracks.

Keeper Forcefield protects Windows endpoints from memory-based attacks. These attacks target application memory directly, where data is temporarily unencrypted during use. Forcefield blocks malicious processes attempting to extract passwords and session tokens at the process level before they can reach that data.

KeeperAI brings real-time AI threat detection and response to privileged sessions by analyzing live session activity, classifying behavior by risk level and terminating sessions when critical threats are detected. Security teams receive detailed forensic summaries without manually reviewing hundreds of session recordings.

Why zero-knowledge architecture matters more now

Traditional password management and PAM tools store encryption keys on their own servers, meaning the vendor can theoretically access your data. Keeper’s zero-knowledge model ensures that encryption keys never leave your control and that no one has access to your unencrypted data except you – not even Keeper itself.

As cyber attacks grow more sophisticated and supply chain risks become a mainstream concern, organizations are scrutinizing the security posture of every vendor in their security stack. A zero-knowledge platform eliminates an entire category of risk.

The market context

Gartner placed Keeper second among the fastest-growing security companies globally, ahead of Fortra and behind only Google. We believe Google’s growth is driven by its scale and breadth across the entire security stack. Keeper’s growth is concentrated in PAM, secrets management and enterprise credential security. In our view, in that specific market, Keeper’s 53.42% revenue growth reflects strong product-market fit.

Want to see how KeeperPAM can protect your organization? Request a custom demo.

Source: Gartner, Market Share Analysis: Security Software, Worldwide, 2025, Rahul Yadav and Deepali, 11 May 2026, G00846661.

GARTNER is a trademark of Gartner, Inc. and/or its affiliates. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

In the latest independent comparison, CHIP evaluated nine leading password managers across Android, iOS and Windows. Keeper ranked #1 overall with a score of 1.3 (“very good”) and was recognized as the “best overall package” in the test.

CHIP Magazine is a leading consumer technology publication across Europe and Asia, known for its independent testing and trusted recommendations. Its German-language website, CHIP.de, is the top consumer tech portal in Germany. 

This continued recognition reinforces Keeper’s position as a global leader in password management and zero-trust security.

Top marks for security and ease of use

CHIP assessed each solution across three key categories: Security (50%), Usability (30%) and Features (20%).

The security category evaluates encryption architecture, including zero-knowledge security, along with protection mechanisms such as Multi-Factor Authentication (MFA) and breach detection. Usability focuses on how easily password managers can be deployed and used across devices, while features cover advanced capabilities such as synchronization and password management tools.

Keeper delivered strong results across all categories, including a 1.1 rating for security and 1.0 for usability, the highest usability score out of all password managers tested. These results highlight Keeper’s ability to deliver both strong protection and a seamless user experience.

What sets Keeper apart

CHIP’s review highlights the importance of modern password security, including support for passkeys, MFA and proactive protection against credential-based attacks. The publication also notes that all products included in the test undergo regular third-party security audits, reinforcing a high standard of trust.

Keeper stands out by delivering powerful security in an intuitive platform, making it easy to strengthen password practices without adding friction for end users.

Key capabilities include:

• Zero-knowledge security architecture
• End-to-end encryption
• Passkey support
• Security key support
• Password breach monitoring and alerts
• Dark web monitoring 

The report also highlights Keeper as one of the few providers supporting Post-Quantum Cryptography (PQC), helping organizations prepare for emerging threats.

Security built to scale for organizations

As credential-based attacks, password reuse and phishing risks continue to rise, secure and usable password management has become a critical part of modern cybersecurity strategy. 

Beyond individual use, Keeper delivers enterprise password management designed to meet the security and compliance needs of modern organizations.

Keeper’s Enterprise Password Manager enables IT and security teams to enforce strong password policies, securely share credentials and gain visibility through centralized reporting and auditing.

Keeper also extends beyond password management with Privileged Access Management (PAM) capabilities that help organizations secure privileged credentials, enforce least-privilege access and monitor access to critical infrastructure.

With robust security, streamlined deployment and advanced enterprise capabilities, Keeper helps organizations reduce risk, protect credentials and scale securely.

Protect your organization’s passwords, credentials and secrets with Keeper’s zero-trust and zero-knowledge platform. Start a free trial of Keeper Enterprise Password Manager or request a demo to explore how KeeperPAM can secure administrative access and critical infrastructure. 

Continue reading to learn more about Keeper’s Discovery Rules Engine, what it helps solve within organizations and its benefits.

What is Keeper’s Discovery Rules Engine?

Keeper’s Discovery Rules Engine is a rules-based automation capability within KeeperPAM^® that governs how discovered resources are processed. Instead of requiring administrators to review discovery results manually, it applies predefined logic so that every asset is handled according to a consistent security policy.

Each rule is tied to a specific PAM configuration and built using filtering criteria (field, operator and value). For example, “hostname contains ‘prod'” or “OS equals Windows Server 2019.” Rules are evaluated in order, and the first matching rule determines how a resource is handled, underscoring the importance of rule ordering. An asset matched by rule 2 will never reach rule 3, so administrators should order rules from most specific to least specific. All rules are managed centrally within the Keeper Vault.

The engine supports a rich set of fields covering hostnames, operating systems, database types, directory types, cloud provider regions, instance IDs and more, with operators ranging from simple equality checks to pattern matching, starts/ends with, contains and full regex search. This makes it possible to build precise rules that target exactly the resources you care about across any infrastructure type.

What does the Discovery Rules Engine do in Keeper?

Keeper’s Discovery Rules Engine automates how discovery results are processed, enabling organizations to handle large amounts of assets quickly, securely and consistently.

Uses rule-based logic to evaluate every discovered asset

Administrators define rules tied to specific PAM configurations using filtering criteria based on infrastructure metadata, such as hostnames, operating systems or resource types. Rules are evaluated sequentially against each discovered resource. The first match wins and determines the action taken.

Applies rules in priority order

By default, rules follow creation order. Administrators can manually reorder them at any time to reflect changing organizational priorities. Rules can also be enabled or disabled individually without deleting them, giving administrators flexibility to adjust rule sets without losing configuration work.

Executes actions automatically

When a rule matches a discovered resource, the Discovery Rules Engine automatically applies one of these three configurable actions:

• Add: Automatically applies rule logic and onboards the resource directly into the vault, bringing it under PAM policies, including access control and session monitoring
• Ignore: Excludes matching resources to reduce unnecessary results and false positives
• Prompt: Flags the resource for administrator review when the rule identifies an asset that requires human judgment before onboarding. For example, resources with ambiguous ownership or resources that span multiple environments

What challenges Keeper’s Discovery Rules Engine helps solve

Without automation, security teams typically struggle to efficiently act on discovery results that may contain hundreds or thousands of assets. Here are the key security challenges that Keeper’s Discovery Rules Engine addresses:

• Manual processing errors: Reviewing every discovered asset manually is tedious and error-prone. Critical resources may be overlooked or handled improperly simply due to the large volume of data, slowing response times and introducing new security gaps.
• Alert fatigue: Discovery results often include irrelevant or low-priority data. With no way to automatically filter and prioritize these results, security teams can become overwhelmed, making it challenging to identify which assets require immediate attention.
• Inconsistent decision-making: When discovery results are processed manually, different administrators may apply varying criteria when evaluating the same types of resources. Over time, these inconsistencies can create security gaps, uneven policy enforcement and a lack of standardization across environments.
• Delayed security actions: In manual workflows, sensitive assets aren’t always secured immediately following discovery. These delays create exposure windows where unmanaged resources can be exploited before they’re brought under control.

Benefits of using Keeper’s Discovery Rules Engine

The Discovery Rules Engine extends KeeperPAM’s capabilities by enabling centralized, policy-driven control over infrastructure assets. As part of a zero-trust, cloud-native PAM solution, it helps organizations enforce consistent security workflows while reducing operational complexity.

Scales discovery across complex environments

The Discovery Rules Engine automatically processes large volumes of discovery results across on-prem, hybrid and cloud environments. It eliminates manual classification and scales automatically across different types of modern, complex environments.

Reduces manual workload

By removing repetitive review tasks from security teams, the Discovery Rules Engine minimizes human intervention in discovery workflows. This allows teams to focus on higher-priority strategic security initiatives instead of manual processing.

Accelerates time to secure assets

Keeper’s Discovery Rules Engine automatically onboards critical resources into the Keeper Vault using predefined rules. Through automation, it accelerates integration into PAM workflows such as access control and session monitoring, reducing the time between discovery and asset protection.

Improves accuracy and consistency

Standardized rules applied uniformly across all discovered assets eliminate the unpredictability of manual decision-making. Every asset is evaluated against the same predefined security policies, supporting zero-trust principles and improving overall visibility and control.

Automate discovery with Keeper

Discovery without automation doesn’t scale for modern organizations managing complex, multi-cloud environments. As infrastructure grows, security teams need a faster, more reliable way to process and secure newly discovered assets; rule-based automation provides that capability. Keeper’s Discovery Rules Engine integrates automated decision-making directly into discovery workflows, eliminating manual bottlenecks and enabling consistent policies at scale.

Start your free trial of KeeperPAM today to help automate discovery and secure your infrastructure.

Having earned Test Winner recognition for its Password Manager and a ‘sehr gut’ rating for KeeperPAM, Keeper’s Endpoint Privilege Manager now adds a ‘gut’ rating from connect professional — a third independent validation of Keeper’s innovation across enterprise security.

What connect professional highlighted

In its review, connect professional takes a detailed look at how Keeper EPM approaches endpoint privilege management, with a focus on control, structure and applicability in real-world IT environments.

The evaluation points to several notable aspects:

• Policy-based privilege management
  The platform enables granular control over user privileges, allowing organizations to define precisely when and how elevated rights are granted.
• Centralized administration model
  Privilege policies and endpoint controls are managed through a unified interface, providing oversight across users and devices.
• Alignment with zero-trust principles
  Access is governed by defined rules and conditions, supporting a security model in which privileges are not permanently assigned but are controlled dynamically.
• Designed for structured IT environments
  The solution offers a level of configurability and control that supports organizations with more complex requirements around access governance and compliance.

Overall, the review presents Keeper EPM as a well-structured solution for managing endpoint privileges, particularly in environments where consistent policy enforcement and visibility are essential.

Secure endpoint privileges with Keeper

Managing endpoint privileges is one of the most effective ways to reduce an organization’s attack surface. Overprivileged users, standing admin rights and uncontrolled software installations remain common entry points for cyber attacks.

Keeper EPM addresses these challenges by enabling organizations to:

• Enforce least privilege across all Windows, Linux and macOS endpoints
• Grant temporary, policy-based privilege elevation
• Reduce standing privileges and insider risk
• Maintain full visibility into user activity and access

As part of Keeper’s unified, cloud-native security platform, Keeper EPM extends zero-trust and zero-knowledge principles to the endpoint layer, complementing solutions like KeeperPAM to secure both infrastructure and user activity.

Request a demo today to see how Keeper EPM can strengthen your endpoint security strategy.

Here’s a look at what SaaS Configuration is, how it works and whether it’s the right fit for your organization.

What is SaaS Configuration in Keeper?

SaaS Configuration is a feature within KeeperPAM that enables automated password rotation for cloud-based services. It provides a scalable approach to managing any number of PAM User records that require automated rotation, not just a handful of manually managed accounts.

Static and stale passwords in cloud applications create credential exposure risks. When passwords aren’t rotated regularly, compromised credentials stay valid longer, giving attackers more time to cause damage. Rotating passwords on a defined schedule or on demand when a threat is detected closes that window.

Security frameworks, including PCI DSS, SOC 2 and NIST 800-53, require organizations to enforce consistent credential hygiene. SaaS Configuration supports those requirements by making rotation a systematic, repeatable process rather than something that happens whenever someone remembers to do it.

How SaaS Configuration works

SaaS Configuration uses a PAM gateway to securely connect to the target service and update the password or secret. When rotation is complete, Keeper automatically updates the stored credential in the vault. The gateway must be running version 1.6 or newer and must be online during setup.

Keeper provides a pre-defined catalog of available rotations for a wide range of cloud services, including Okta, Snowflake, AWS, Azure, Cisco, ServiceNow and Splunk, among others. Select the service, configure the rotation schedule or trigger and Keeper handles the rest. For services not covered by the catalog, admins can build their own rotation plugin using custom development templates from Keeper’s GitHub repository. This makes SaaS Configuration extensible to virtually any cloud service an organization relies on, not just those pre-configured out of the box.

Rotation runs on a defined schedule or can be triggered on demand when immediate action is needed. Either way, the process is automated, logged and consistent.

Setting up SaaS Configuration is a two-step process:

1. Create a SaaS Configuration record in the vault and save it to a shared folder associated with your PAM Configuration. 
2. Assign that record to the target PAM User record under its Rotation Profile. Once saved, Keeper uses that configuration every time the user’s password rotation runs. Admins who prefer working in a Command-Line Interface (CLI) can also configure SaaS rotations using Keeper Commander.

Who should use SaaS Configuration?

SaaS Configuration is built for teams managing privileged access at scale. It’s worth a close look if any of the following applies to your organization.

You’re rotating SaaS passwords manually or not at all

Managing a large number of cloud app accounts without a structured rotation process is a security gap. SaaS Configuration closes it.

You need a documented and repeatable rotation process

Security and compliance teams often need to demonstrate that rotations are consistently occurring. Because SaaS Configuration is automated and auditable, it’s easy to prove.

You’re already using KeeperPAM

SaaS Configuration extends rotation coverage to the SaaS layer without adding a new tool or workflow to your existing privileged access management stack.

Your tech stack runs on Okta, Snowflake or similar platforms 

If these tools sit at the center of your identity or data infrastructure, keeping their credentials secure and up to date is non-negotiable.

Stop managing SaaS credentials manually

The more cloud services an organization uses, the harder it gets to stay on top of credential hygiene without automation. SaaS Configuration provides a scalable, auditable approach built directly into KeeperPAM.

Start your free KeeperPAM trial and put SaaS credential rotation on autopilot.

Continue reading to learn more about shadow IT, shadow AI and how to detect and manage shadow AI effectively.

What is shadow IT?

Shadow IT refers to any software or cloud service that employees use without IT’s knowledge or approval. This can include using personal email accounts to share work files, installing unauthorized browser extensions or connecting personal devices to a company network. Because these actions bypass formal approval processes, they are not vetted by security teams before use. Although shadow IT is mainly driven by productivity instead of malicious intent, it can introduce a variety of security risks:

• Limited visibility: When IT teams are unaware of unauthorized applications, they cannot monitor usage or protect company data. Any security vulnerability in those applications can become a hidden entry point into a network.
• Compliance violations: Unauthorized software rarely meets the data handling criteria of regulations like GDPR or HIPAA. If data is handled improperly, organizations can face serious penalties and fines.
• Expanded attack surface: Each unapproved application is a potential attack vector for cybercriminals. As shadow IT grows, especially in cloud environments, securing the organization’s perimeter becomes more difficult.

What is shadow AI?

Shadow AI refers to the use of AI tools or applications without IT’s knowledge or approval. Common examples include employees using generative AI to draft internal communications with confidential data or developers running code through AI tools using personal accounts. What makes shadow AI particularly challenging is that employees aren’t always intentionally bypassing security measures. Many modern applications have AI features embedded by default, so employees may not realize they’re using AI at all.

Shadow AI introduces risks that go beyond what many organizations are prepared to address:

• Untraceable data leaks: When employees use AI tools through personal accounts, organizations typically have no access to interaction logs, even on platforms that offer logging at the enterprise tier. There is no audit trail of what data was entered, how it was processed or whether it was retained.
• Identity security implications: Shadow AI introduces new security risks that traditional security models weren’t designed to handle, mainly with the rise of autonomous AI agents. When employees create accounts on external AI platforms, organizations lose control over how those identities access sensitive data.

Key differences between shadow IT and shadow AI

Shadow IT and shadow AI share the same root cause of employees adopting tools to work more productively, but they differ in how they introduce risk.

Data processing and sharing

With shadow IT, data typically follows a structured process such as file uploads or document sharing. These actions create predictable patterns that security tools can detect. Shadow AI, on the other hand, operates through unstructured, conversational inputs. Employees enter sensitive data into prompts that are processed in real time and transmitted over standard HTTPS traffic, making it challenging to distinguish this traffic from normal activity.

Visibility and auditability

Shadow IT activity typically generates audit trails through application usage, file transfers or network monitoring, so security teams can investigate security incidents. In contrast, shadow AI often lacks centralized visibility since many AI platforms don’t provide organizations with detailed interaction logs. When employees use external AI tools, especially through personal accounts, organizations may have limited or no access to interaction data, making it difficult to determine how information is used or stored.

Data retention risk

Shadow IT introduces risks around unauthorized data storage, sensitive data ending up outside approved systems in identifiable locations. Shadow AI introduces a different kind of risk. On consumer-tier AI platforms, data entered into prompts may be used to train future models by default, though most enterprise-tier platforms disable this. The risk is highest when employees use personal accounts on consumer tools, bypassing the data protections enterprise licensing provides.

How to detect and manage shadow AI

Because shadow AI exposes sensitive data in ways that are difficult to detect, organizations must take a proactive approach to managing it. Traditional tools used to manage shadow IT do not address the same risks associated with employees entering sensitive data into AI platforms or granting AI access to internal systems. While many organizations jump to banning AI tools altogether, this often backfires because it drives employees to find unapproved tools without visibility. Organizations should focus on governance by doing the following:

• Create an AI acceptable use policy: Establish clear guidelines that define which AI tools are approved, what data can be shared and the consequences of misuse.
• Build an internal AI app catalog: Provide employees with a list of vetted AI tools they can use so they do not seek out unapproved and potentially risky alternatives.
• Deploy enterprise-grade AI solutions: Enterprise AI solutions offer greater control over data handling and storage compared to consumer-grade AI tools.
• Conduct regular AI compliance audits: Monitor which AI tools are being used and identify emerging security risks.
• Train employees on AI usage: Ongoing education builds organizational awareness that employees may not fully understand from reading a policy alone. Organizations with active training programs help employees understand how to use AI safely.

Take control of shadow AI

Shadow AI spreads quickly, operates through channels that are difficult to monitor and introduces risks that traditional security tools weren’t designed to catch. Governing it effectively requires visibility into every identity — human and machine — that interacts with AI systems and the data they access. As AI agents become embedded in enterprise workflows, the machine identities they rely on (i.e., API keys, service account tokens and infrastructure secrets) need the same governance as human user accounts. An AI agent with excessive permissions and no audit trail is the shadow AI risk at its most dangerous.

With a zero-trust Privileged Access Management (PAM) solution like Keeper^®, organizations can gain centralized visibility and control over users, systems and identities. Whether risk comes from unauthorized applications or unsanctioned AI usage, Keeper helps ensure that all access is closely monitored and secured.

Start your free trial of KeeperPAM today to ensure all identities in your environment are properly managed.

Continue reading to learn about some of the most notable public sector data breaches of the year so far and the lessons they reveal for organizations tasked with protecting critical data.

Federal

Two major federal-level incidents in early 2026 underscore how vulnerable even the most sensitive government systems remain. In March, the Federal Bureau of Investigation (FBI) launched an investigation into suspicious cyber activity affecting systems tied to wiretaps and surveillance warrants. Just weeks later, a credential exposure report revealed thousands of U.S. state legislators’ email addresses were on the dark web, including hundreds with plaintext passwords, dramatically expanding the risk of unauthorized access across government networks. 

FBI systems compromise 

In March 2026, the FBI disclosed that it was investigating “suspicious cyber activity” affecting internal systems used to manage highly sensitive surveillance operations, including court-authorized wiretaps.

Early reporting indicated that attackers may have gained access to a network responsible for processing and storing lawful interception requests. These systems contain sensitive investigative data, targets and communications tied to national security cases. The bureau said it had identified and contained the activity but did not disclose the full scope, including whether data was exfiltrated. While some external reporting pointed to likely China-linked actors, the FBI did not publicly confirm attribution.

U.S. legislators’ credential exposure 

In April, TechRadar reported that a recent security research report found over 3,500 U.S. legislators’ email addresses and credentials, including plaintext passwords in some cases, were exposed on the dark web. The report states:

In fact, of the 5,312 US state legislator emails searched, 3,568 were discovered in a breach. The truly scary part is that 750 email addresses also had their passwords compromised.

If Multi-Factor Authentication (MFA) isn’t in place, attackers could use these credentials to gain direct access to email accounts. Even a single compromised email account could escalate quickly, allowing an attacker to impersonate a government official and send phishing messages. The risk increases further if passwords are reused across other accounts, potentially granting access to high-level government systems and applications.

State and local government

Local municipalities and critical infrastructure providers are often targeted in cyber attacks. Here are a few examples from the first few months of 2026. 

City of Los Angeles

A massive data breach in March at the Los Angeles City Attorney’s Office compromised 7.7 terabytes of data, exposing over 337,000 files, including sensitive Los Angeles Police Department (LAPD) records. The source of the breach was unauthorized access to a third-party file-transfer system used by the City Attorney’s Office.

The stolen data includes unredacted personnel files, internal investigations and confidential witness information. Multiple reports have tied the breach to a ransomware group called World Leaks, and the group itself has claimed responsibility for the attack. However, LAPD officials have not confirmed attribution to a specific group at this time.

City of Minot, ND, water treatment plant

A water treatment plant in the city of Minot, ND, suffered a ransomware attack in March, forcing facility operators to use manual gauge readings for almost a full day before a replacement server could be installed. The attack targeted a computer server tied to its Supervisory Control and Data Acquisition (SCADA) system, which operates as an industrial control “dashboard.”

Fortunately, city officials confirmed the region’s water supply was “safe at all times” during the incident. However, the attack highlights ongoing vulnerabilities in critical infrastructure, especially smaller or rural utilities with limited cybersecurity resources. In this case, the operational impact was limited, but the city is reviewing its cybersecurity practices, including training, system design and incident response improvements.

Winona County, MN

A cyber attack struck Winona County, MN, in early April 2026, forcing officials to shut down parts of the county’s computer network to contain the incident. The disruption took key public services offline, including DMV operations and access to vital records like birth and death certificates, while emergency services continued to function normally. The county declared a local emergency and brought in state and federal assistance, including the Minnesota National Guard, to support, investigate and restore systems.

As of now, authorities have not publicly identified who was responsible for the attack. The incident is the second cybersecurity attack in Winona County in 2026. The county was also the target of a ransomware incident in January that affected its network.

Education

Cyber threats targeting K-12 schools are widespread, with ransomware and other cyber attacks affecting districts across the country.

Alamo Heights ISD

A ransomware attack hit the Alamo Heights Independent School District in Texas in March 2026, forcing the district to shut down its network and leaving students and staff without internet, email and classroom tools for a full week. The disruption significantly affected instruction and day-to-day school operations, requiring a shift to limited or offline learning while systems were restored. The district brought in outside cybersecurity experts and notified law enforcement, including the FBI, to investigate the incident. 

While systems have since been recovered, officials are still determining whether any sensitive student or staff data was accessed, raising concerns about potential data exposure and identity risks. The district has declined to say whether it paid a ransom, and no responsible group or individual has been publicly identified.

Spring Lake Park Schools, Minnesota

A school district in Minnesota faced a suspected ransomware incident in April. The technology team shut down its systems for several days to contain the threat after an unauthorized party accessed the network. Because some of the affected systems were necessary for safe school operations, the district canceled classes districtwide, along with child care, community education and after-school activities for two days. The district brought in third-party cybersecurity experts and contacted law enforcement, including the FBI, to investigate and restore services.

While classes resumed once systems were restored, the incident raised concerns about operational vulnerability and potential data exposure. Officials noted they had no evidence that personal data was compromised, and no individual or group has been publicly identified as responsible for the attack.

Protect against cyber attacks with Keeper Security

Keeper Security Government Cloud (KSGC) enables government agencies and educational institutions to secure and manage access to critical systems, including servers, web applications and databases. Keeper reduces ransomware risk by eliminating credential exposure, limiting lateral movement and controlling privileged access. KSGC meets rigorous standards, including FedRAMP High, GovRAMP High, FIPS 140-3 and ITAR, while supporting compliance with frameworks such as NIST 800-63B, CMMC, HIPAA, FISMA, DPA, FITARA, SOC and FINRA. Built-in logging, session recording and reporting tools strengthen audit readiness and compliance oversight. In addition, delegated administration and Role-Based Access Controls (RBAC) give system administrators comprehensive visibility and control over identity security and organizational risk.

Learn how Keeper can help protect your organization’s critical data. Request a demo today.

A security researcher recently published a working tool called EdgeSavedPasswordsDumper that extracts credentials stored in Edge directly from the browser’s parent process memory. There is no exploit needed, just sufficient system privileges. Microsoft says the behavior is by design and hasn’t committed to fixing it, which means organizations that rely on Edge’s built-in password manager are left with an open exposure and no patch coming.

Here’s what the vulnerability actually is, why browser-based password storage creates this kind of risk in the first place and how Keeper handles it differently.

What is the Microsoft Edge password vulnerability?

When you save a password in Edge, it doesn’t just hold that credential in memory when you’re logging in somewhere. Edge loads all of your saved passwords into its parent process memory at once – every username and password sitting there in plain text any time the browser is open. An attacker, or malware with local access to the machine, can dump that memory and walk away with the full set of credentials.

The researcher also tested Chrome and Brave and didn’t see the same behavior, which suggests this is specific to how Edge integrates with Microsoft Password Manager rather than a flaw shared across Chromium-based browsers.

Standard Windows tools like Task Manager are enough to identify the right process and dump its contents. The researcher also built the Proof-of-Concept (PoC) in .NET Framework 3.5, a deliberate choice to avoid triggering modern security scanning tools like AMSI, meaning the attack can run on a compromised machine without setting off the defenses most organizations rely on.

Microsoft’s position, that this behavior is by design, leaves no remediation path for organizations waiting on a vendor fix. The only real answer is to remove passwords from being stored in Edge entirely.

Why storing passwords in your browser is a security risk

Edge’s vulnerability is a sharp example of a risk that comes with browser-based password storage. When credentials live inside a browser, they’re tied to that browser’s process. The question isn’t whether they’re in memory; they are whenever the browser is running. It’s how exposed that memory is and how hard it is to access.

Edge’s tight coupling with Microsoft Password Manager appears to make it significantly more vulnerable than other Chromium-based browsers. But the underlying problem, credentials accessible in browser memory to anyone with local access, isn’t unique to Edge. Infostealers, a category of malware built specifically to harvest credentials from browsers, have been targeting this attack surface for years. 

Browser-based password management is convenient, and that’s exactly why people use it. But convenience and security pull in opposite directions here, and the Edge vulnerability is a useful illustration of what that trade-off actually looks like in practice.

How Keeper Forcefield protects against browser password theft

This is exactly the type of attack Keeper Forcefield is built to block.

On Windows, applications running under the same user account can access each other’s memory by default, which is precisely what EdgeSavedPasswordsDumper exploits. Keeper Forcefield addresses this at the kernel level by installing a lightweight driver that monitors and restricts memory access to protected applications. When an untrusted process attempts to read the memory of a protected app, the driver blocks it. Trusted system processes continue to function normally; only unauthorized access is stopped.

Where this becomes concrete is at the OpenProcess call highlighted in the code screenshot above. That’s the step where the dumper attempts to attach to Edge’s parent process and read its memory. On a machine running Keeper Forcefield, that call fails. The kernel driver intercepts the access request before any memory can be read, cutting the attack off at the step it depends on.

Keeper Forcefield protects both Keeper’s own applications and major browsers, including Chrome, Firefox, Edge, Brave, Opera and Vivaldi, so the protection applies regardless of which browser your organization uses. It runs silently in the background without affecting system or application performance and can be activated directly from the Keeper Desktop app or deployed silently across endpoints via Intune, Group Policy or an RMM tool.

How to protect your passwords from the Microsoft Edge vulnerability

If your organization uses Edge’s built-in password manager, any machine with Edge open has your credentials sitting in plain-text memory. On a compromised or shared machine, that’s a straightforward path to a breach.

The practical fix is to move passwords out of the browser and into a dedicated password manager like Keeper that operates independently of the browser process. If credentials are never stored in browser memory, there’s nothing to pull from it. Enabling Keeper Forcefield on top of that adds kernel-level protection across your browsers, blocking unauthorized processes from reading application memory even if malware is already running on the machine.

The bottom line

Organizations can’t wait for a vendor patch that isn’t coming. If your team uses Edge’s built-in password manager, the exposure is active right now. Move credentials into a dedicated password manager and deploy Keeper Forcefield to ensure that even if a machine is compromised, there’s nothing in browser memory to extract.

To see how Keeper Forcefield protects your organization’s endpoints, start a free trial of Keeper today.

According to Microsoft’s 2024 Work Trend Index Annual Report, 78% of employees reported using their own AI tools at work. This unapproved use of AI tools highlights how widespread shadow AI has become. Identity security provides the foundation to address this challenge by helping organizations establish visibility into who accesses AI tools and under what conditions, giving security teams the control they need to govern AI usage.

Continue reading to learn more about shadow AI, why it’s a major identity security risk and how to govern identity-centric shadow AI.

Shadow IT vs shadow AI

Shadow AI expands on the existing risks of shadow IT but introduces more modern, complex threats. Shadow IT refers to the unauthorized use of software or systems within an organization. For example, an employee may use their personal email account to share work files, creating access control and visibility gaps. Shadow AI takes this threat a step further because AI tools not only store data, but they also actively process and may retain it. This creates a new level of data exposure, where sensitive information can be deeply embedded into external models beyond an organization’s control. Two factors that make AI especially difficult to govern include:

• Use of personal accounts or devices: Employees accessing AI tools outside company-provisioned environments via personal accounts and devices disconnect their activity from their organizational identity, eliminating transparency and traceability.
• Browser-based AI tools: Browser-based AI tools require no installation, making them harder to detect in environments that rely on endpoint-based controls alone.

This combination of data exposure at such a large scale and tools that are capable of evading traditional detection makes shadow AI a particularly challenging security problem.

Why shadow AI is an identity security issue

When employees use unapproved AI tools, security teams have no visibility into what data was shared, who accessed the tool or what the tool does with that data. This lack of identity visibility is the main reason why shadow AI is so challenging to detect, let alone manage. Traditional Identity and Access Management (IAM) solutions were designed for human users with predictable behavior and defined roles, but modern organizations must adjust their security strategies to account for Non-Human Identities (NHIs), including AI agents and service accounts. These machine identities can access systems and execute tasks across multiple critical systems autonomously, and they are growing in popularity within enterprises. In fact, according to senior leaders surveyed in McKinsey’s 2025 State of AI Global Survey, 62% reported that their organizations were at least experimenting with AI agents. Unlike human users, AI agents can operate continuously, scale rapidly and interact across many systems at once. Without identity security controls that can govern both human and machine identities, organizations lose control over how their data is accessed and used.

Top identity-related shadow AI risks

Weak identity security not only makes shadow AI harder to detect but also exacerbates the damage shadow AI can cause.

Unmonitored data access

Employees who share sensitive data with unapproved AI tools create data exposure that traditional monitoring systems may not detect. Data loss prevention tools can only monitor channels they have visibility into; shadow AI operates outside those boundaries. If an employee uses an unapproved AI tool through an unmonitored personal account, organizations have no way to monitor, record or log the activity. If privileged data or credentials are exposed, cybercriminals can gain access to critical systems without a clear audit trail.

Machine identity sprawl

Unlike human employees who undergo formal onboarding and offboarding processes, AI agents and service accounts often lack structured lifecycle management. As a result, a growing number of machine identities operate across multiple environments with excessive permissions and limited oversight, leading to machine identity sprawl. Without visibility into machine identities, organizations cannot verify what systems are accessed or whether they have been compromised.

Compliance and audit gaps

Regulatory frameworks like the GDPR, HIPAA and PCI DSS require organizations to track how sensitive data is accessed and processed, regardless of whether a human or machine is responsible. If identity security only covers human users, organizations cannot produce complete audit trails accounting for AI activity, exposing them to regulatory penalties and audit findings that are increasingly difficult to remediate after the fact. 

How to govern identity-centric shadow AI

Managing shadow AI should not involve blocking all AI tools from members of your organization; it should start with gaining full visibility into who is accessing critical systems and data. Here are some key steps your IT and security teams should follow to take an identity-centric approach to governing shadow AI:

Secure human and machine identities with Keeper^®

As AI adoption grows, shadow AI will grow with it. Organizations need an identity security platform that delivers visibility, control and governance across every identity — both human and machine. 

Keeper secures privileged access for both human users and machine identities, enforces least-privilege policies and provides real-time session monitoring across critical systems. It governs the infrastructure secrets and API keys that AI agents rely on, ensuring that NHIs operate within defined boundaries and that credentials are rotated automatically. KeeperAI enhances this visibility by analyzing privileged sessions in real time and surfacing high-risk activity as it happens. Built on a zero-trust, zero-knowledge architecture, Keeper provides the audit trails and access controls organizations need to govern AI usage without blocking the productivity it enables.

Start a free trial of Keeper today to gain full visibility and control over every identity in your environment.

Continue reading to learn how agencies can secure privileged access with an identity security platform and how Keeper^® applies zero-trust principles to protect access across federal and enterprise environments.

Why zero-trust security is important for government agencies

Zero-trust security is no longer simply a recommendation for government agencies; it’s federally mandated. Executive Order 14028, issued in 2021, directed agencies to modernize their cybersecurity practices, including adopting a zero-trust architecture. In 2022, the Office of Management and Budget (OMB) issued Memorandum M-22-09, ordering federal civilian agencies to meet specific zero-trust security requirements and implement them across their environments. The Department of War (DoW) also released its Zero Trust Strategy in 2022, outlining its plan to fully implement an enterprise-wide, zero-trust cybersecurity framework by September 2027. As the DoW moves towards implementation, there are still gaps around data visibility, identity governance — especially for Non-Human Identities (NHIs) and AI agents — and applying zero-trust to legacy and operational systems. These mandates and strategies demonstrate a shift away from traditional perimeter-based security toward a data-centric model.

Since federal environments are now distributed across on-premises, hybrid and cloud systems, it is essential to continuously verify every user, device and session. Federal systems support public services, national security operations and sensitive data, meaning a single compromised privileged account can lead to lateral movement, operational disruption or unauthorized access to classified information. Zero trust helps agencies reduce risk, enforce granular access controls and meet federal requirements at scale.

The pillars of zero trust in federal environments

The Cybersecurity and Infrastructure Security Agency (CISA) defines zero trust through five pillars in its Zero Trust Maturity Model. Here are the ways PAM plays a role across all five pillars of zero trust:

Challenges federal agencies face when adopting zero trust

Implementing zero trust across federal environments is complex due to legacy systems, strict compliance requirements and distributed infrastructure.

Legacy systems limit modern authentication

Many agencies still rely on legacy systems that do not support modern authentication like Multi-Factor Authentication (MFA). Updating these systems can be difficult and risky since changes could disrupt critical operations. For example, systems supporting citizen records or benefits processing often run on older on-prem infrastructure that cannot easily integrate with modern controls, creating exploitable security gaps.

Complex compliance requirements

Federal organizations must comply with frameworks such as the Federal Information Security Modernization Act (FISMA) and meet authentication requirements informed by NIST Special Publication 800-63B. Defense organizations and contractors must also meet the Cybersecurity Maturity Model Certification (CMMC), which applies to those protecting Controlled Unclassified Information (CUI) under DoW contracts. Proving least-privilege access and maintaining audit trails are typically manual and tedious processes that require significant time and resources.

Decentralized, multi-cloud environments

Federal IT environments are very decentralized, spanning on-prem and cloud platforms with remote users and third-party contractors distributed across regions. This perimeterless architecture makes it challenging to enforce consistent access controls and maintain visibility across supply chains, increasing the risk of misconfigurations and unauthorized access.

Unmanaged privileged credentials increase risk

Privileged credentials grant access to critical systems, including public service infrastructure, financial systems and identity platforms. If compromised, they can enable cybercriminals to move laterally and access sensitive data, such as citizens’ records or health information. Without proper controls in place, compromised privileged accounts with broad administrative access can jeopardize the security of critical systems and sensitive data.

Benefits of a zero-trust PAM solution for government agencies

While zero trust requires users and devices to be continuously verified, PAM ensures that privileged access is closely monitored, controlled and limited. The main benefits of implementing a zero-trust PAM solution in federal environments include:

How Keeper enables zero-trust security for federal agencies

By consolidating enterprise password management, secrets management, privileged session management and endpoint privilege management into a FedRAMP High Certified, cloud-native platform, Keeper enables agencies to secure critical systems and control privileged access across the entire supply chain.

Enforce zero trust across legacy and modern systems

Many federal organizations rely on a mix of legacy and modern systems, making consistent security enforcement challenging. Keeper addresses this through encrypted session brokering via the Keeper Gateway, enabling secure access without exposing credentials or requiring infrastructure changes. In addition, agencies can enforce MFA across all systems, including legacy environments that don’t natively support it, while keeping credentials hidden from end users. This allows federal organizations to apply zero-trust controls to outdated legacy systems without disrupting operations.

Implement least privilege with Just-in-Time (JIT) access

Keeper supports zero-trust security by enforcing least-privilege access through Just-in-Time (JIT) provisioning. Instead of granting standing access, privileges are assigned based on role and context for a limited time and are automatically revoked when no longer needed. This helps eliminate standing access, reduce the risk of insider threats and minimize opportunities for cybercriminals to exploit privileged accounts.

Simplify compliance with privileged session management

Keeper provides session monitoring and recording across privileged sessions, capturing screen and keyboard activity for full visibility. Organizations should verify that session recording practices align with applicable agency policies and federal workforce monitoring requirements before deployment. All privileged activity is logged and can be integrated with SIEM tools. KeeperDB extends zero-trust controls to database access through credential injection. Users connect to databases directly from the Keeper Vault without the underlying credentials ever being exposed. This helps federal agencies protect sensitive data and support compliance with FISMA, NIST SP 800-53 and CMMC.

Strengthen Zero-Trust Network Access (ZTNA)

Keeper extends secure access by enabling identity-based connections without traditional Virtual Private Networks (VPNs). Keeper replaces traditional Zero-Trust Network Access (ZTNA) solutions, enabling agencies to ensure users are authenticated and authorized before accessing systems from any location. When combined with PAM, ZTNA ensures both secure access and tight control over user actions within systems.

Extend zero trust to endpoints

Zero-trust security must extend beyond infrastructure to include devices. Keeper Endpoint Privilege Manager enforces least privilege at the endpoint level across Windows, macOS and Linux systems. By removing persistent, broad administrator rights and enabling task-based privilege elevation, agencies can minimize the risk of insider threats and prevent unauthorized changes.

Detect threats in real time with KeeperAI

KeeperAI analyzes privileged sessions in real time using advanced behavioral analytics to detect suspicious activity and classify risk levels. Administrators can configure automated responses, including session termination, based on defined risk thresholds, with controls in place to minimize false positives and support human review. When high-risk activity is detected, KeeperAI can automatically terminate a session before potential cyber threats escalate, helping federal organizations respond faster to security incidents and minimize the impact of cyber attacks.

Enhance federal cybersecurity with Keeper

EO 14028 and OMB M-22-09 established zero trust not as a best practice but as a federal requirement. Meeting those mandates across legacy infrastructure, distributed cloud environments and a complex compliance landscape requires a platform purpose-built for federal security. Keeper is FedRAMP High Certified and designed for today’s federal and enterprise environments, enabling agencies to enforce least privilege and secure access across legacy and cloud infrastructure. To see how Keeper can help your agency enforce zero-trust security and gain real-time visibility into privileged activity, request a demo.

Continue reading to learn eight ways to secure remote vendor access and how Keeper^® can help.

1. Enforce least-privilege access

Vendors should have access only to the systems and data they need to complete their tasks. Granting broad vendor access creates unnecessary security risks and increases the potential impact of a data breach. For example, a core banking vendor performing maintenance on a loan processing system does not need access to unrelated customer records or trading platforms. Restricting vendor access to only the necessary systems ensures that, if the vendor’s credentials are compromised, cybercriminals cannot move laterally across a network or access other sensitive data.

By enforcing least-privilege access, financial institutions can reduce the impact of compromised credentials and prevent privilege creep across critical systems. In financial environments where even limited access can expose vast amounts of sensitive customer data or transactional systems, enforcing least-privilege access is crucial.

2. Eliminate standing privileges with Just-in-Time (JIT) access

Security teams should never grant vendors persistent access to critical systems, sensitive data or trading infrastructure. Standing access creates ongoing risk because active credentials can be exploited long after a vendor’s work is complete. For example, if a vendor needs to troubleshoot a trading platform, they should be granted temporary Just-in-Time (JIT) access only for as long as it takes to complete the task. Once the issue is resolved, vendor access should be automatically revoked, ensuring no lingering permissions remain.

3. Reduce the risk of credential exposure

Employees and vendors should never share credentials, API keys or other secrets through email, messaging platforms or spreadsheets. In financial environments, exposed credentials can lead to unauthorized access, fraud or compromise of customer data. To reduce this risk, all credentials must be stored in an encrypted vault that enforces role-based access, logs all usage and brokers access without revealing the underlying credential to the user. For example, a vendor requiring temporary access to a financial database should connect through the vault using time-limited access, with the credential rotated automatically when the session ends to prevent misuse.

4. Require Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) should be enforced for all employee and vendor logins, especially privileged accounts. In financial environments, compromised credentials alone should never be enough to access payment platforms or customer databases. Without MFA, stolen credentials can give cybercriminals access to critical systems, increasing the risk of fraud and data breaches.

Financial institutions should also extend MFA to systems that don’t natively support it, including legacy core banking platforms and outdated trading systems that handle financial data. Applying MFA across both legacy and modern infrastructure helps strengthen security in complex hybrid environments and better protect vendor access points from unauthorized access.

5. Monitor and record all vendor sessions

Security teams must have full visibility into vendor activity by tracking which systems were accessed, when access occurred and what actions were taken. This level of oversight is essential in financial environments where vendors interact with critical systems like payment processing platforms and trading infrastructure. Real-time privileged session monitoring and recording provide this visibility by capturing vendor activity as it happens. This allows security teams to detect suspicious activity immediately, intervene when needed and maintain accountability. For example, session monitoring can reveal attempts to alter transaction logs or export sensitive financial data. Recording vendor sessions also supports compliance and audit requirements.

6. Prevent lateral movement across financial systems

If vendor credentials become compromised, cybercriminals can use them to access other systems and move laterally through the network. This type of lateral movement can escalate quickly, turning a minor breach into a major incident that affects customer financial data at scale. One of the biggest risks in financial environments is a cybercriminal moving from a vendor-accessible system to critical banking or payment processing infrastructure. To reduce the risk of lateral movement, financial institutions should limit vendor access to only the specific systems they need. Instead of granting vendors access to an entire network, security teams should grant vendors access through secure, session-based methods. Restricting access in this way helps contain threats and reduce opportunities for lateral movement.

7. Centralize access control

Without centralized access control, vendor access is often spread across several disconnected tools and systems, making it harder to enforce policies and monitor activity. Centralizing access management gives security teams better visibility into privileged activity, helps enforce least-privilege access and ensures vendor access is consistently controlled. This level of transparency is vital for meeting strict compliance standards like SOX, PCI DSS and GLBA, since auditors require proof that access controls are enforced and critical systems are protected. For financial institutions operating in the EU or serving European customers, centralized access control is also required under the Digital Operational Resilience Act (DORA), which mandates documented oversight of third-party ICT providers’ access.

8. Establish a formal vendor offboarding process

Financial institutions must ensure that vendor access is immediately revoked once it is no longer necessary for projects or systems. Without a formal offboarding process, dormant vendor accounts and unused credentials can be useful to cybercriminals. An effective vendor offboarding process should include automatically revoking access, disabling or deleting vendor accounts, rotating any credentials the vendor had access to and reviewing audit trails to confirm no unauthorized activity occurred. For example, if a vendor completes a project involving access to customer databases or payment systems, their access should be revoked instantly, and all associated credentials should be rotated. This ensures that even if the vendor’s credentials become compromised or exposed, they cannot be used to access sensitive financial data.

How Keeper secures remote vendor access

Keeper secures remote vendor access by applying zero-trust security principles to every privileged session, meaning every access request is verified, no user is implicitly trusted and credentials are never visible to vendors at any point. With Keeper, credentials are securely stored in an encrypted vault and automatically rotated after each session, ensuring they are never exposed to vendors. For financial institutions, Keeper helps ensure that vendors can securely access critical systems like payment platforms and customer databases without introducing unnecessary security risks.

Grant time-limited access without exposing credentials

Keeper enforces JIT access, allowing vendors to connect to critical systems only when necessary and for a limited time. Sessions are launched directly from the Keeper Vault, and since vendors never see or handle the underlying credentials, this helps prevent credential theft and eliminates standing access.

Monitor and record every session in real time

All vendor activity is tracked through real-time session monitoring and recording, including keystroke logging and screen recording. Financial institutions should verify that session recording practices comply with applicable employment and privacy regulations in their operating jurisdictions before deployment. This feature provides full visibility into actions taken during a vendor session and can be integrated with Security Information and Event Management (SIEM) tools for centralized monitoring. With KeeperAI, security teams can automatically analyze session activity as it occurs and identify suspicious behavior in real time. Session recordings also provide a complete evidence trail for post-incident forensic review.

Prevent lateral movement with zero-trust security

Keeper uses outbound-only gateway connections to provide secure remote access without requiring inbound firewall rules or direct network exposure. By restricting vendor access to certain resources and eliminating direct network access, Keeper helps prevent unauthorized users from moving laterally across financial systems. With KeeperDB, database access is further secured by allowing vendors to manage databases directly from their Keeper Vault in an isolated environment. This ensures credentials remain hidden, activity is fully recorded and vendors cannot create additional pathways for lateral movement.

Support compliance with detailed audit trails

Keeper generates detailed audit trails and session recordings that organizations can use as evidence to meet regulatory standards, including SOX, PCI DSS, GLBA and DORA. With automated reporting and full visibility into vendor access, financial institutions can demonstrate compliance, simplify auditing and ensure that granular access controls are consistently enforced.

Manage remote vendor access with Keeper

Securing remote vendor access is essential for modern financial institutions seeking to protect their critical systems, maintain customer trust and meet regulatory requirements. Vendor access must be carefully and continuously monitored and audited to prevent credential misuse and ensure compliance with strict frameworks like SOX, PCI DSS and GLBA.

A single compromised vendor account can trigger regulatory penalties, customer notification obligations and lasting reputational damage. Keeper provides banks and financial firms with a zero-trust Privileged Access Management (PAM) solution built to address modern security challenges. By combining zero-trust security with a zero-knowledge architecture, Keeper ensures that vendors never see or handle credentials, that every session is verified and that all activity is fully auditable.

Request a demo of KeeperPAM today to discover how to securely manage vendor access without jeopardizing security or compliance.

In modern interconnected banking infrastructure, privileged accounts span across trading platforms, payment systems and banking applications. Without real-time insight into privileged sessions, banks may only discover misuse after transactions have been manipulated, logs have been modified or data has been stolen. Banks need real-time privileged session monitoring to gain full visibility into privileged activity, help prevent fraud, minimize the impact of credential-based attacks and meet regulatory standards that govern financial institutions.

Security risks of privileged access in banking

Privileged access introduces significant security risks in modern banking environments. As financial institutions rely on interconnected systems that support trading, payment processing, loan management and customer data storage, the privileged accounts that maintain these systems often have broad standing access. The main security risks associated with privileged access in banking include:

Why traditional audits are insufficient for modern cyber attacks

Many banks rely on quarterly access reviews and Security Information and Event Management (SIEM) alerts to monitor privileged activity, but these measures are reactive. Audits confirm what happened after a security incident, and alerts typically trigger when predefined thresholds are exceeded. As a result, subtle misuse of legitimate privileged access can remain undetected for long periods.

For example, a compromised administrator account may be used to initiate unauthorized transfers and attempt to modify transaction logs to hide malicious activity. Because the actions appear to come from a legitimate account, some alerts may not trigger, and the fraud may not be discovered until later reviews or investigations. Without real-time visibility into privileged sessions, banks are forced to investigate security incidents after financial and reputational damage has already occurred, rather than intercept suspicious activity as it happens.

Real-time privileged session monitoring for compliance

In banking, regulatory compliance goes hand in hand with Privileged Access Management (PAM). Real-time privileged session monitoring helps banks demonstrate continuous control over privileged access. Frameworks like SOX, PCI DSS and GLBA all expect strong access controls, auditability and safeguards around sensitive systems and data.

• SOX: Financial institutions must prove they have effective internal controls over systems that impact financial reporting. Real-time monitoring provides evidence of who accessed critical systems, changes that were made and whether certain actions aligned with approved roles.
• PCI DSS: Organizations must track and monitor access to system components and cardholder data environments. Privileged session monitoring creates detailed audit trails that track activity within cardholder data environments and ensure that all actions can be traced to users.
• GLBA: Banks must protect customers’ financial information, and monitoring privileged sessions ensures that access to sensitive information is tracked, recorded and investigated if suspicious activity occurs. With audit trails and the ability to terminate risky behavior in real time, security teams can reduce the likelihood of unauthorized data exposure and, therefore, compliance violations.

How Keeper^® enables real-time privileged session monitoring

Keeper allows banks to monitor and manage privileged access in highly regulated environments. Keeper’s main capabilities include:

Secure privileged access in your bank with Keeper

Banks should not rely only on periodic audits and retrospective alerts to detect suspicious activity. In modern financial environments where privileged accounts can access trading platforms, payment systems and sensitive financial data, delayed threat detection can result in significant financial losses and regulatory penalties.

Real-time privileged session monitoring helps banking security shift from reactive to proactive control, enabling financial institutions to identify and prevent fraudulent activity as it occurs. By delivering full visibility and granular access controls, Keeper helps banks protect privileged access while meeting strict compliance requirements.

Start your free trial of KeeperPAM today to see how your organization can better monitor privileged sessions and protect critical financial systems.

Continue reading to learn more about Keeper’s Jira workflow integration, how security teams can use it and its variety of security benefits.

What is the Keeper Jira workflow integration?

The Keeper Jira workflow integration brings secrets management and Privileged Access Management (PAM) directly into Jira. Built on a zero-trust and zero-knowledge security architecture, Keeper’s integration allows users to request and approve secure access actions, including retrieving credentials, modifying permissions or creating new records for secrets, without leaving their Jira environment. Keeper’s Jira integration consists of two main parts:

Together, these components create a secure, bidirectional workflow where requests originate in Jira and approved actions are executed via the Keeper Vault API by the locally hosted Keeper Commander. With the Keeper Jira integration, teams can securely manage credentials and request temporary access without leaving Jira.

What Keeper’s Jira integration enables for security teams

Keeper’s Jira integration is built on Atlassian Forge, offering a native Jira experience that aligns with enterprise-grade security standards. Once the integration is installed, a dedicated Keeper panel appears inside Jira issues, allowing security teams to manage access without introducing new tools or breaking focus. From within Jira, users can create, update and share records directly to their encrypted Keeper Vault. All secrets are protected with Keeper’s zero-knowledge architecture, ensuring sensitive data remains end-to-end encrypted and fully under the user’s control. The integration also supports granular record permissions and secure folder sharing, enabling teams to enforce least-privilege access, role-based controls and time-bound permissions without manual follow-up.

For organizations using Keeper, the integration allows security teams to review and approve access requests directly from within Jira tickets. With real-time visibility into the requesting user and their justification, teams can approve or deny access immediately, reducing delays while maintaining granular access controls. Since every action is automatically logged as a Jira comment with a timestamp and user attribution, organizations can review built-in audit trails that simplify compliance reporting and provide full visibility into how access is being used.

Benefits of integrating secrets and approvals into Jira workflows

Bringing secrets management and access approvals directly into Jira changes teams’ everyday operations. Instead of treating access approvals as a separate process, Keeper’s Jira integration embeds security controls into the same workflow teams already rely on.

Faster response times

By handling access requests and approvals within Jira, teams don’t have to go back and forth through email or chat tools like Slack with sensitive information. Approvals, credential changes and access updates happen in the same Jira tickets where work is tracked, reducing the time needed to address each issue and keeping work flowing without jeopardizing security.

Improved security posture

Keeper’s Jira integration enforces least-privilege access and secure handling of secrets in real time. Requests are justified and time-limited, minimizing the risk of long-lived credentials while ensuring access is granted only when necessary.

Stronger auditability

Each request, approval and action is automatically logged as part of the Jira issue, creating a clear and detailed audit trail. Teams can see timestamps and user attribution, making it easier to investigate security incidents and enforce accountability.

Reduced tool sprawl

Instead of managing secrets in one place and approvals in another, security teams can have centralized access to secrets and elevation workflows within Jira. This eliminates the need for multiple, disconnected tools and reduces the risk of sensitive information being shared insecurely.

Alignment with compliance frameworks

By enforcing structured approval workflows, Keeper’s Jira integration enables admins to enforce Role-Based Access Controls (RBAC) and comprehensive logging. This helps organizations meet common compliance requirements while maintaining full visibility and control over access decisions and internal governance policies.

Bring secrets and access control into Jira with Keeper

Managing secrets and approving privileged access in Jira positively impacts how security teams operate. Keeper’s Jira integration bridges an important security gap by embedding zero-knowledge security workflows directly into the system where work already happens. With the integration, teams no longer have to leave Jira to request credentials, approve access or handle privilege elevation since it all happens in one secure place.

Discover how to set up Keeper’s Jira integration to streamline access workflows and improve security controls.