Keeper Security has announced the availability of Keeper Workflow within KeeperPAM, allowing organizations to implement approval-based access controls and time-bound checkout policies for privileged resources. The new capability enables administrators to manage privileged access requests, approvals, and usage through a structured workflow, strengthening oversight across enterprise identity and access management.
As AI agents transition from experimental tools to foundational enterprise infrastructure, every agent introduces a new identity, attack surface and compliance obligation. Keeper Workflow is designed to meet this moment – bringing structured, approval-based controls to how privileged access is requested, approved and used across the enterprise. By embedding these controls directly into the KeeperPAM platform, organizations can move from ad hoc management to a scalable process that achieves zero standing privilege.
“AI is no longer just a productivity tool; it is a permanent and foundational layer of the modern enterprise technology stack,” said Darren Guccione, CEO and Co-founder of Keeper Security. “With Keeper Workflow, we are enforcing the boundaries of AI and human access. This is zero trust in practice: structured, auditable and built to determine exactly when and if an identity is allowed to act inside the enterprise infrastructure.”
Structured Controls for the Modern Perimeter
Keeper Workflow introduces capabilities designed to bring consistency and accountability to privileged sessions.
- Enhanced Access Control:Â Requires administrator or designated approver sign-off before a user can establish a connection or tunnel to a privileged resource. Requests are managed through a centralized notification center and can include Multi-Factor Authentication (MFA) requirements for establishing the connection, after approval is granted.
- Vault Approval Notifications: Users submit access requests directly from the Keeper Vault or through the Keeper Commander CLI. Designated approvers can receive notifications and approve or deny requests through the Keeper web vault, desktop app or mobile app. 3rd party integrations including Slack, Microsoft Teams, Jira and ServiceNow ensure that security teams can act within their existing workflows without switching platforms.
- Single-User-Mode and Time-Limited Enforcement:Â Limits access to a PAM protected resource on a time-limited basis, to one user at a time for a defined period. Once access is revoked, credentials can be automatically rotated, ensuring no standing privileges remain.
Together, these capabilities allow organizations to apply precise controls across their most sensitive environments, from regulated databases and critical infrastructure to business-critical applications and privileged administrative accounts.
Built for Modern Security Operations
Keeper Workflow is designed for IT administrators and security teams in highly-regulated industries – such as financial services, healthcare and government – where manual oversight of privileged accounts is no longer viable.
Key use cases include:
- Requiring formal approval before granting privileged access to compliance-governed systems.
- Restricting critical servers or infrastructure resources to a single authorized user for a defined window of time.
- Applying policy-consistent access controls to business-critical systems where concurrent access poses organizational risk.
“Keeper Workflow was built to bring structured governance to privileged access without compromising our zero-knowledge architecture,” said Craig Lurey, CTO and Co-founder of Keeper Security. “Because it’s natively integrated within KeeperPAM, organizations can enforce approval-based access controls and eliminate standing privilege with a solution that is both easy to deploy and simple to operate at scale.”
Keeper Workflow is available with the release of Vault 17.6 within KeeperPAM.
Related News:
Keeper Launches Agent Kit for AI-Powered Security Automation
