Privileged Access

Privileged Access Management (PAM)

Privileged Access Management (PAM) is the discipline and tooling for securing, controlling, monitoring, and auditing accounts that have elevated rights — admins, root accounts, service accounts, and break-glass credentials.

Last reviewed 5/30/2026

Key points

  • PAM exists because privileged accounts are the highest-value target in any breach.
  • Core capabilities: credential vaulting, session brokering, session recording, just-in-time elevation, secret rotation.
  • Modern PAM is shifting from 'vault and check out passwords' to 'eliminate standing privilege entirely' (JIT access).
  • Cloud Infrastructure Entitlement Management (CIEM) extends PAM thinking to AWS/Azure/GCP IAM.
  • Cyber insurance, NIS2, DORA, and most regulators now explicitly require PAM for in-scope systems.

What is PAM?

Privileged Access Management (PAM) covers the people, processes, and tools that protect accounts with elevated rights — domain admins, root, database superusers, cloud admins, AD service accounts, the local administrator on every workstation, and the "break-glass" account everyone hopes they never need.

These accounts are the crown jewels. Almost every major breach in the last decade involved compromise of a privileged account at some point, which is why PAM consistently lands on CISO priority lists, insurance questionnaires, and regulatory frameworks (DORA, NIS2, PCI-DSS 4.0, HIPAA, FedRAMP).

Core PAM capabilities

A full PAM platform typically provides:

  • Credential vaulting — encrypted storage of passwords and SSH keys for shared/admin accounts.
  • Session brokering — admins connect through the PAM rather than getting the raw credential.
  • Session recording and monitoring — full keystroke / video record of privileged sessions for audit and IR.
  • Just-in-time (JIT) elevation — temporary elevation to admin only when needed, automatically revoked.
  • Secret rotation — passwords and keys are rotated automatically and often.
  • Application-to-application secrets — what your services use instead of hard-coding secrets in config.
  • Cloud entitlement management (CIEM) — visibility into who can do what in AWS/Azure/GCP.

The shift to zero standing privilege

Old PAM was about managing who has standing admin access. Modern PAM tries to eliminate standing admin access altogether:

  • Admins are normal users by default.
  • When they need to do something privileged, they request JIT access.
  • The system grants elevation for a bounded time, with approval, scoped to the resource.
  • Everything is recorded.

This dramatically shrinks the blast radius of a stolen credential and is the direction every serious PAM vendor (CyberArk, Delinea, BeyondTrust, Saviynt PAM, StrongDM, Teleport, HashiCorp Boundary) is heading.

When buyers care

You need PAM when:

  • You have shared admin accounts and no audit trail of who used them.
  • You have local admin everywhere and ransomware actors know it.
  • Your AWS / Azure / GCP IAM has accumulated wildcard permissions ("*:*") and nobody can untangle it.
  • You're regulated under SOX, HIPAA, PCI, NIS2, DORA, or DoD frameworks.
  • Your cyber insurance carrier is asking for PAM coverage.
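Wildcard-permission sprawl in cloud IAM is the kind of thing a CIEM tool surfaces. As an added illustration (not code from the page or from any PAM/CIEM product named on it), the following Python scans an AWS-style IAM policy document for Allow statements with wildcard actions or resources and grades them; the policy JSON is a constructed sample, and the severity labels are this example's own convention.

```python
import json

# Constructed sample policy document (not from the page): a legacy full-admin
# statement, a service-level wildcard, a properly scoped grant and a Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LegacyAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Wild", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Sid": "Scoped", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})

def _as_list(value):
    # IAM accepts a bare string wherever a list of strings is allowed.
    return value if isinstance(value, list) else [value]

def find_wildcards(policy_json):
    """One finding per Allow statement that grants wildcard actions or resources.

    'critical' = "*" actions on "*" resources; 'high' = a full wildcard on one
    side (e.g. iam:* on Resource "*"); 'medium' = a service-level wildcard such
    as s3:* on a scoped resource. Deny statements narrow access and are skipped.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        full_resource = "*" in resources
        if not wild_actions and not full_resource:
            continue  # scoped action on a scoped resource: nothing to report
        if "*" in wild_actions and full_resource:
            severity = "critical"
        elif "*" in wild_actions or full_resource:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"sid": stmt.get("Sid", "<no Sid>"), "severity": severity,
                         "wild_actions": wild_actions, "resources": resources})
    return findings

for finding in find_wildcards(SAMPLE_POLICY):
    print(finding["severity"], finding["sid"], finding["wild_actions"], finding["resources"])
```

Statements written with NotAction or NotResource are not handled by this check and still need a manual read, as does any policy whose Condition block actually narrows a wildcard.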

Common pitfalls

  • PAM-as-vault only. Just storing passwords without brokering and rotation doesn't reduce risk much.
  • Skipping service accounts. Application-to-application secrets are often the longest-lived, most-privileged credentials in the environment.
  • Ignoring cloud IAM. Traditional PAM was server-centric; modern environments need CIEM coverage.
  • Operational friction. If admins find the PAM slower than going around it, they'll go around it. UX matters.

FAQ

Is PAM the same as a password manager?

No. A password manager helps individuals store personal credentials. PAM secures shared and privileged credentials with brokering, rotation, recording, and policy.

Where does PAM stop and IGA start?

PAM focuses on the high-blast-radius minority of accounts (admins, root, service). IGA governs standing access for everyone else. Both are needed.

Is JIT access the same as Zero Trust?

JIT access is one mechanism that supports Zero Trust principles (no standing privilege, continuous verification). Zero Trust is broader.

Standards & references