
PAM comparison: what CyberArk vs BeyondTrust means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Traditional PAM still leaves gaps in onboarding, offboarding, auditability, and cloud-native access, while 64% of organizations report productivity losses from infrastructure access friction, according to StrongDM. The deeper issue is that legacy PAM often treats privileged access as a bounded admin problem, not a broader governance layer across databases, Kubernetes, and modern workflows.

NHIMG editorial — based on content published by StrongDM: CyberArk vs. BeyondTrust: Which PAM Solution is Better?

By the numbers:

Questions worth separating out

Q: How should security teams evaluate PAM tools for modern infrastructure?

A: Teams should evaluate whether the PAM model covers the full lifecycle of privileged access, including provisioning, session control, audit, and revocation.

Q: Why do traditional PAM deployments still create risk in cloud-native environments?

A: Traditional PAM often assumes privileged access is centralized and relatively stable, while cloud-native environments spread access across many systems and workflows.

Q: What do security teams get wrong about privileged access governance?

A: They often treat PAM as the whole answer instead of one control in a wider identity programme.

Practitioner guidance

What's in the full article

StrongDM's full blog covers the operational detail this post intentionally leaves for the source:

  • Side-by-side feature comparison for CyberArk, BeyondTrust, and StrongDM across databases, servers, and Kubernetes
  • Product-level pricing notes and trial details that implementation teams often need during procurement
  • Claims about deployment complexity, documentation, and support that practitioners may want to validate before shortlisting
  • Workflow details on onboarding, offboarding, and access logging that help teams assess day-two operations

👉 Read StrongDM's CyberArk vs BeyondTrust PAM comparison →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Traditional PAM often solves the session problem while leaving the lifecycle problem intact. Vaulting, proxying, and session recording can reduce exposure during use, but they do not automatically solve joiner-mover-leaver governance, third-party revocation, or entitlement drift. The article’s own framing shows that onboarding and offboarding remain hard because access often lives in multiple places at once. Practitioners should treat PAM as one control layer, not the governance model itself.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: What is the difference between PAM and zero trust access control?

A: PAM focuses on governing elevated access, usually by brokering credentials and recording sessions. Zero trust is a broader model that assumes every access request must be continuously evaluated, regardless of location or network trust. In practice, PAM can be one mechanism inside zero trust, but it does not replace the need for continuous authorization.

👉 Read our full editorial: CyberArk vs BeyondTrust exposes the limits of legacy PAM



   