About this guide

Identity Security Reference Guide

Independent & Unofficial. This is a personal reference project built for learning and knowledge-sharing. It is not an official Palo Alto Networks, Idira or CyberArk website, and it is not endorsed by, sponsored by, or affiliated with any of them. All content is compiled from publicly available information; any views, interpretations or errors are my own and do not represent my employer. Idira, Palo Alto Networks, Strata, Cortex, Prisma, CyberArk and related names are trademarks of their respective owners, used here for identification and reference only. Provided “as is” with no warranty — always verify against the official sources linked throughout.

Your practical field guide to the Idira identity security portfolio — Human, Machine and Agentic. Match each customer need to the right product, and know how to position it. Built for sales, pre-sales and new starters; Australia-focused; and verified against the official Idira, Palo Alto Networks and CyberArk websites and live vendor documentation.

The four-step field guide
Learn it, then take it to the customer.

Work through the numbers, or jump to any card.

1Foundations 2Run the Conversation 3Scope & Engineer 4Reference Material
Browse by category

Pick a category to see its sections — or jump to any section from the sidebar. Home always brings you back here.

1
Foundations
Key Messages, Use Case Legend, Product Legend and Shared Services — understand Idira before you position it.
2
Run the Conversation
Discovery Questions, Talk Tracks, Maturity Journeys and When Maturity Slips — everything for a customer conversation.
3
Scope & Engineer
Solutions Guidance, Use Case Targets, Platform Integrations, Solutions Architecture and the Glossary — scope a solution.
4
Reference Material
Industry reports, compliance frameworks, the Idira + Palo Alto Networks ‘Better Together’ story, and the public source material the guide is built on.

Accuracy. Compiled with Claude using only publicly available documentation from Idira, Palo Alto Networks and CyberArk, and verified against live vendor docs — always confirm details against the sources linked throughout before relying on them. Version 5.6 · last reviewed 3 July 2026. Next quarterly refresh due first week of October 2026.

Foundations

About this section
Foundations

Understand Idira before you position it — the core concepts, the portfolio map, and the shared platform layer. Pick a section below, jump to any from the tabs above, or use the sidebar.

Browse sections
Key Messages
Identity security in 90 seconds — the core concepts and vocabulary: the three identity types, IAM vs PAM vs IGA, credential vs secret vs certificate, and the privilege spectrum.
Use Case Legend
The four use-case categories — Human, Machine, Agentic and Governance — and what each colour-coded badge means. The key to everything that follows.
Product Legend
Every Idira product defined, with its colour-coded badge — the map of the whole Idira estate.
Shared Services
The cross-cutting capabilities that sit above the individual products and make the portfolio behave as one platform, not a bundle of tools — the platform layer, discovery, unified audit, and threat detection that every product plugs into.

Run the Conversation

About this section
Run the Conversation

Everything for a customer conversation — qualify the need, position the right product, and prove the cost of inaction. Pick a section below, jump to any from the tabs above, or use the sidebar.

Browse sections
Discovery Questions
Qualifying questions to run a customer conversation — each routes the customer’s answer to the right product or section. Filter by identity surface and use the ones relevant to the account to surface needs fast.
Talk Tracks
A ready-to-run, 5-minute talk track for each use-case category — five beats from setting the scene with the 2026 Landscape numbers to making the ask, with bullet talking points and a word-for-word script.
Maturity Journeys
Two one-slide walk-throughs — the Privilege journey for PAM (unsecure standing privilege → zero standing privilege) and the Secrets journey for machine identities — each mapping the stages to the Idira product that answers them.
When Maturity Slips
Real-world breaches — Medibank, Optus, JBS Foods, Uber, SolarWinds and more — each mapped to the Idira capability that closes the gap, across Human, Machine, Agentic and Governance.

Scope & Engineer

About this section
Scope & Engineer

The hands-on lookup tools for scoping a solution — align the right Idira products to a customer’s requirements. Pick a section below, jump to any from the tabs above, or use the sidebar.

Browse sections
Solutions Guidance
The ‘which product / how to position’ guides: Human, Machine, Agentic, Governance and Privilege & Deployment Models.
Use Case Targets
The full use-case-to-product matrix — filter by identity category, product or target to find which Idira product covers each requirement.
Platform Integrations
The platform-lookup catalogue — which Idira product handles each third-party platform and the mechanism it uses.
Common Confusions
The ‘don’t mix these up’ comparisons — the products and concepts that get confused, gathered in one place with how to tell them apart.
Solutions Architecture
The PAM solutions architecture view — how the components fit together for a deployment.
Glossary
Plain-English definitions of the acronyms used across the guide — aimed at new starters.

Reference Material

About this section
Reference Material

Industry reports, compliance frameworks, the Idira + Palo Alto Networks ‘Better Together’ story, and the public source material the guide is built on. Pick a section below, jump to any from the tabs above, or use the sidebar.

Browse sections
Industry Reports
2026 Landscape demand drivers and the Idira Identity Security Blueprint — how Idira maps to the frameworks and initiatives that drive Australian buying decisions.
Compliance Frameworks
Australian compliance mappings — Essential Eight, NIST CSF, SOCI Act, CI Fortify and AESCSF — and which Idira products deliver each control.
Better Together
The Idira + Palo Alto Networks story — the cross-platform integrations available today and the publicly stated roadmap across Strata, Cortex and Prisma.
Resources & References
Public reference material — the Idira and Palo Alto Networks sites, and CyberArk Docs (the engineering source of truth), with a per-product link table.

Overview

One Platform, Every Identity

Every Identity Now Carries Privilege

Privilege used to belong to a handful of named administrators. Not any more — every Human, machine and AI identity now carries privilege, and attackers know it. Idira’s differentiator is breadth: it applies privileged-grade controls across every identity type — Human, machine and agentic — under one platform, not just the named-admin minority.

Why Idira?

The ‘privileged-few’ assumption — that securing a small set of named admins is enough — has structurally failed; privilege is now universal and distributed across Human, machine and AI identities. The mature response is one platform applying privileged-grade controls to every identity that matters, not a patchwork of point tools. Idira is also a core Palo Alto Networks platform alongside Strata (network), Prisma (cloud) and Cortex (security operations) — so identity context flows into the network and the SOC and can be acted on at machine speed. That cross-platform reach is the differentiator no identity point-vendor can match.

Why This Matters Now — The 2026 Identity Security Landscape

Survey of 2,900+ cybersecurity leaders worldwide, with Unit 42 frontline data.
The breach reality. 90% of organisations suffered an identity-related breach in the past year and 83% suffered two or more; identity was involved in 89% of Unit 42 investigations. The fastest real-world intrusions now reach data in 72 minutes (~4x faster than a year earlier) — defenders are structurally behind before the alert fires.
The species shift. Machine identities outnumber humans 109:1 (up from 82:1) — and 79 of every 109 are AI agents. 99% of organisations have adopted AI agents in some form, with AI-agent numbers projected to grow 85% in the next year — the fastest-growing identity of all (vs 77% for machine identities and 56% for Human).
The coverage gap. 96% of Human identities hold access far beyond their role, yet only 39% of privileged access uses just-in-time or zero-standing privilege (confirm against the 2026 Landscape report PDF) — and just 37% of organisations can revoke an AI agent’s credentials.
The fragmentation tax. Disconnected identity tooling adds 12 hours to every incident-response cycle (cited by 97% of practitioners — confirm against the 2026 Landscape report PDF) — while attackers operate at machine speed.

Key Messages — Identity Security in 90 Seconds

New to identity security? Start here — the core concepts and vocabulary the rest of the guide assumes. (Skip ahead if this is familiar.)

Identity Is the New Perimeter

Attackers rarely break in — they log in, using stolen or over-privileged credentials. Identity security is about controlling who can access what, enforcing least privilege, and proving it.

Three Identity Types

Human (people — staff, admins, vendors), Machine (apps, workloads, scripts, services) and Agentic (delegated and autonomous AI agents). Every one of them now carries privilege an attacker can use.

IAM vs PAM vs IGA

IAM = who you are and your everyday access (SSO, MFA). PAM = protecting and brokering privileged (admin) access. IGA = governing who should have access (certify, provision, audit). Idira unifies all three.

Credential vs Secret vs Certificate

A Credential is a human’s login (password, passkey). A Secret is a machine’s key (API key, token, DB password). A Certificate is a cryptographic identity for a machine or service (TLS / PKI).

The Privilege Spectrum

Standing (always-on) → Vaulted (stored & rotated) → Just-in-Time (time-boxed) → Zero Standing Privilege (created on demand, deleted after). The less standing access, the smaller the attack surface.

Why One Platform

Run IAM, PAM and IGA as separate tools and attackers exploit the seams between them. One platform closes those gaps and lets identity context flow into the network and the SOC.

How Identity Attacks Actually Work

Attackers don’t break in — they log in. Almost every breach follows the same three-stage chain, in sequence. Idira breaks it at each stage.

1

Initial Access

Phishing, push-bombing or a stolen credential gets the attacker in. To break it: phishing-resistant MFA / passwordless leaves no credential to steal at the front door.

2

Lateral Movement

A captured hash or ticket (Pass-the-Hash / Pass-the-Ticket) is reused across systems. To break it: remove local admin (EPM) and vault + auto-rotate credentials so a stolen secret is already dead.

3

Privilege Escalation

Standing privilege is seized to reach domain admin and critical assets. To break it: zero standing privilege + brokered, recorded sessions — no persistent privileged account to take over.

Idira Portfolio

Use Case Legend

Every section of this guide is organised around four identity surfaces — the cards below define each use-case category and the products that solve it.

  • Human — Human Privilege, Workforce Access, Endpoint Privilege
  • Machine — Apps / DevOps, Third-Party Secrets Management, Legacy / On-Prem Applications, Workload Identity, Machine Identity Trust
  • Agentic — Agentic Identity: AI agents, both delegated (acting on a user’s behalf) and autonomous (operating independently)
  • Governance — Identity Governance: certification, provisioning and audit across Human, machine and agentic identities

Human PrivilegeHuman

Covers highly privileged accounts (admin, root, domain admin) where a Human is the identity — administrators, DBAs, network engineers, vendors, cloud engineers — the accounts that do serious damage if stolen or misused. Two jobs: protect the account (vaulted and auto-rotated) and secure the access to a sensitive target — a server, database, network device or cloud console — via checkout, just-in-time privilege elevation or an ephemeral privileged account, with the session brokered and recorded. Products by surface: Privilege Cloud / PAM Self-Hosted (vaulted standing privilege with PSM), Secure Infrastructure Access (VPN-less infrastructure), Secure Cloud Access (cloud consoles), and Vendor Privileged Access (external vendors). Typically owned by PAM admins, security operations and cloud security teams.

Workforce AccessHuman

Covers everyday employee access to business and SaaS applications that aren't privileged but still need protection — apps without SSO, shared department accounts and vendor portals, plus SSO-federated web apps that need post-login oversight. The user is an ordinary employee, not an admin. Distinct from Human Privilege, which deals with elevated access. Solved by Identity Administration for SSO and adaptive MFA (the authentication front door that comes first), Workforce Password Management to vault and share business-app credentials, for SSO and non-SSO apps alike (enterprise-controlled) and Secure Web Sessions to record, monitor and protect activity inside web apps after login — including SSO apps. Typically owned by IAM teams and department application owners.

Endpoint PrivilegeHuman

Covers privilege controls on workstations and servers — removing local admin rights, elevating trusted applications, blocking ransomware and credential theft on the endpoint itself. The endpoint is treated as the last line of defence against identity-based attacks that begin with a single compromised user device. Solved by Endpoint Privilege Manager across Windows, macOS and Linux, with VirusTotal reputation lookups for unknown-application risk and a Cortex XSIAM integration for privilege-aware incident response — a clean joint-integration angle for existing PANW customers. Typically owned by endpoint security teams, SOC and CISO offices.

Workload IdentityMachine

Covers the emerging requirement to give compute workloads a verifiable cryptographic identity — not just a password or API key, but a provable attestation of what the workload is, where it is running, and who deployed it. Built on the open SPIFFE standard, identities are short-lived (typically hours) and tied to verified runtime attributes. Solved by Secure Workload Access, including the Secretless Broker pattern where applications never touch a credential at all. Typically owned by platform engineering, cloud security and AppSec teams driving zero-trust workload-to-workload authentication.

Apps / DevOpsMachine

Covers credentials used by applications, pipelines, and automation in modern cloud-native environments — where the machine itself is the identity and no Human is in the authentication chain. These secrets typically live in code, config files, or pipeline variables and need to be externalised into a secrets manager so they can be rotated, audited, and managed. Solved primarily by Secrets Manager for cloud-native and containerised workloads (Kubernetes, CI/CD, Infrastructure-as-Code); for legacy applications that predate these patterns, see Legacy / On-Prem Applications. Typically owned by DevOps, platform engineering, AppSec and development teams.

Third-Party Secrets ManagementMachine

Covers the problem of secrets stored in vaults that aren't Idira's own — AWS Secrets Manager, Azure Key Vault, GCP Secret Manager and HashiCorp Vault. Applies to customers with one or more such deployments — single-cloud or multi-cloud, on-premises or hybrid — the unifying property is that the customer has invested in non-Idira secret stores and wants to keep using them rather than migrating away. The pattern does not replace these vaults; it replicates Idira-managed secrets out to them, discovers what already exists, and provides a single control plane above them. Solved by Secrets Hub. Typically owned by CISO offices, cloud security and security operations teams driving consolidation.

Legacy / On-Prem ApplicationsMachine

Covers credentials embedded in traditional applications that cannot be easily refactored — COTS software, ERP systems, SCADA platforms, RPA bots, homegrown Java or .NET applications, and mainframes. These environments predate cloud-native secrets patterns and require a solution that can remove hardcoded credentials without requiring code changes or application downtime. Solved by the two Credential Providers: Agent-Based CP (local credential cache on the application server — for OT, mainframes and HA-critical apps where vault unavailability can't be tolerated) and Central Credential Provider (centralised HTTPS web service — for web tiers, COTS software, RPA, scripting). Typically owned by OT security, app dev, IT ops and RPA teams.

Machine Identity TrustMachine

Covers Certificate Lifecycle Management (CLM) and PKI — discovering certificates across the network, automating renewal and rotation, modernising internal certificate authorities, and keeping pace with the shrinking certificate-validity window — already down to 200 days (since March 2026), heading to 47 by 2029. Solved by NGTS, PANW's CLM delivered by extending Strata Cloud Manager, which embeds the trust layer directly in the network control plane rather than treating certificates as a separate ops problem. NGTS is built on Venafi following the CyberArk acquisition, consolidating the former Venafi and CyberArk CLM/PKI tooling under one product. Typically owned by network security, PKI teams and IT operations.

Agentic IdentityAgentic

Covers the newest and fastest-growing identity surface: autonomous AI agents that take actions, call APIs, and access data without direct Human involvement in each step. Unlike Human or traditional machine identities, AI agents can operate at machine speed, accumulate credentials, and move across systems in ways that existing IAM and PAM tools were not designed to govern. Solved by Secure AI Agents, which discovers agents across SaaS, cloud and developer environments, enforces just-in-time privilege via the Identity Broker (also marketed as the AI Agents Gateway), governs each agent’s lifecycle, and flags or suspends abnormal behaviour — the full control plane, not discovery alone. Typically owned by CISO offices, AI/ML teams and security architecture.

Identity GovernanceGovernance

Covers governance of identities and entitlements — discovering who has access to what, certifying that access on a schedule, provisioning and de-provisioning users across SaaS and cloud apps, and producing the evidence auditors need. Distinct from Third-Party Secrets Management: this governs identities and their entitlements, not secrets and their storage. Solved by Identity Governance — AI-powered, originally Zilla Security and now native in the platform, with 250+ documented integrations (vendor cites 1,000+). Governance also extends to privileged access via Identity Compliance (Identity Compliance for PAM environments). Typically owned by IAM teams, compliance and CISO offices.

Product Legend

The complete Idira portfolio — an at-a-glance map of the whole estate first, then every product in detail with the colour-coded badge it carries throughout this guide. Products group by the four identity surfaces — Human, Machine, Agentic and Governance — and all sit beneath the Idira Platform, the shared SaaS plane (SSO, Discovery & Context, CORA AI, unified audit and threat detection) that each plugs into rather than standing alone.

Portfolio at a Glance

The whole estate on one screen — everything runs on the platform; products grouped by the identity they secure.

Platform — Shared ServicesThe SaaS plane every product plugs into
Single Sign-On & MFAAdaptive, risk-based authentication front door
Discovery & ContextContinuous inventory of every identity & entitlement
CORA AINL queries, audit summaries, anomaly detection
Connector ManagementDeploy & auto-upgrade connectors centrally
Unified AuditOne audit trail across every product
Threat DetectionCross-product ITDR (Identity Protection Space)
Human9
Identity AdministrationSSO, adaptive MFA, lifecycle — the access foundation
Privilege CloudVaults & governs human privileged credentials (SaaS PAM)
PAM Self-HostedSelf-Hosted PAM for air-gapped / regulated estates
Secure Infrastructure AccessVPN-less, agentless access to servers, DBs, K8s
Secure Cloud AccessCredential-less ZSP access to cloud consoles & CLI
Vendor Privileged AccessPasswordless, VPN-less access for external vendors
Workforce Password ManagementEnterprise password manager for business apps
Secure Web SessionsRecords & protects activity in web/SaaS after login
Endpoint Privilege ManagerRemoves local admin; elevates trusted actions
Machine5
Secure Workload AccessSPIFFE identity for workloads — secretless
Secrets ManagerDynamic secrets for cloud-native apps, containers, CI/CD
Secrets HubManage & rotate secrets across AWS / Azure / GCP / HashiCorp native vaults
Credential Providers (CP / CCP)Delivers vaulted secrets to legacy apps
NGTSNetwork-native certificate lifecycle management
Agentic1
Secure AI AgentsDiscover, govern & broker access for autonomous AI agents
Governance1
Identity GovernanceAI-powered access reviews, provisioning & certification
Identity Security PlatformShared Services
The unified SaaS management plane that brings every product below into one console. Single sign-on and shared services sit above the individual products — Identity Administration (SSO/MFA), Discovery & Context, CORA AI, Connector Management, unified Audit, and the Identity Protection Space (cross-product threat detection & response). Each is detailed under Platform Shared Services below. Everything below is consumed through this platform when deployed on Privilege Cloud / Shared Services. Idira Identity Security Platform →
Capabilities
The unified SaaS plane every product plugs into — what makes the portfolio behave as one system, not a bundle of tools.
  • Single console & SSO — one management plane and sign-on across every product, instead of per-tool administration.
  • Identity Administration — SSO, adaptive MFA, lifecycle and directory; federates your IdP (Entra ID, Okta, Ping) over SAML/OIDC with SCIM.
  • Discovery & Context — continuous scanning builds a live, correlated inventory of every identity, entitlement and access path.
  • CORA AI — portfolio-wide AI: natural-language queries, session-audit summaries, anomaly detection and policy recommendations.
  • Connector Management — deploy and auto-upgrade lightweight connectors centrally; on Privilege Cloud the agent also runs the Secrets Rotation Service.
  • Unified Audit & Threat Detection — one audit trail plus the Identity Protection Space for cross-product detection and response.
Identity AdministrationHuman
Identity Administration — the access foundation for the platform — single sign-on, adaptive MFA (risk-based step-up) including phishing-resistant passwordless authentication (FIDO2 / passkeys), lifecycle provisioning, directory services and behavioural risk signals that feed Threat Detection & Response. Integrates with external identity providers two ways: federation (SAML / OIDC) with Microsoft Entra ID, Okta and Ping, and SCIM user provisioning to and from those directories. It supplies the SSO/MFA layer referenced in the Essential Eight mapping and fronts every other service.
Capabilities
The access foundation — the authentication front door that fronts every other service.
  • Single sign-on — one front door to every app, with SAML/OIDC federation to Entra ID, Okta and Ping.
  • Adaptive, risk-based MFA — step-up driven by location, device, time and behaviour signals.
  • Passwordless / phishing-resistant — FIDO2 and passkey authentication.
  • Lifecycle provisioning — SCIM provisioning and de-provisioning to and from directories.
  • Risk signals — behavioural signals that feed platform Threat Detection & Response.
Privilege CloudHuman
Privilege Cloud — vaults and governs credentials for Human privileged users — admins, DBAs, vendors. Accounts exist in Active Directory or a local directory and are managed as privileged identities. Session brokering via PSM with full session recording; credential rotation runs as the SaaS Secrets Rotation Service (executed by the Connector Management Agent) — the recommended rotation service for new deployments (CPM-based track remains supported), removing the customer-managed CPM. The default for use cases that need Secure Standing Privilege (break-glass, non-federated targets). SIA is the recommended modern add-on for infrastructure access and is quickest to enable on Privilege Cloud (typically included in the subscription package).
Capabilities
SaaS PAM — vaults and governs credentials for human privileged users (admins, DBAs, vendors). FedRAMP-compliant offering available (GovCloud-region tenants).
  • Vaulting & automated rotation — store privileged credentials and rotate by policy via the SaaS Secrets Rotation Service (no customer-managed CPM).
  • Session management & recording — PSM brokers and records privileged sessions in full.
  • ZSP & JIT access — enforce zero standing privilege and just-in-time elevation; the default for Secure Standing Privilege (break-glass, non-federated targets).
  • Continuous discovery — organisation-wide scanning and attack-path mapping to onboard unmanaged accounts.
  • Detect & respond — spot identity-based attacks in real time and auto-terminate compromised sessions.
PAM Self-HostedHuman
PAM Self-Hosted — one of the two deployment models of Idira PAM (Privileged Access Management), alongside Privilege Cloud: the customer hosts the entire stack — Vault, CPM and PSM — in their own environment rather than consuming the vault as SaaS. PSM is its native session brokering and recording layer. Strongest fit where data sovereignty, air-gap capability or regulator-driven on-premise hosting is mandatory — parts of government, defence, regulated utilities and CI Fortify-aligned critical infrastructure. Modern SaaS services (SIA, SCA) can be integrated from V14.4+, with more setup than on Privilege Cloud.
Capabilities
Customer-hosted PAM — the full stack runs inside the customer environment.
  • Customer-hosted vault stack — Digital Vault (EPV), PVWA, CPM and PSM on-premises; credentials never leave the environment.
  • Native session brokering — PSM and PSM for SSH broker and record sessions into the Vault.
  • Credential rotation — CPM automatically rotates, verifies and reconciles target credentials.
  • HA & DR — Vault cluster plus a replicated Disaster-Recovery Vault.
  • Sovereignty & air-gap fit — for data-sovereignty, air-gap or regulator-mandated hosting; SIA/SCA integrable from V14.4+.
Secure Infrastructure AccessHuman
Secure Infrastructure Access (SIA) — VPN-less, agentless SaaS access to Windows, Linux, databases and Kubernetes — the modern alternative to PSM for infrastructure. Like PSM, it is a session brokering and recording layer in its own right (RDP video, SSH command-timeline recording, SSH/SQL/kubectl capture into the unified Audit view, with CORA AI summaries), so no PSM is needed for the audit trail. Supports all three privilege models — vaulted, JIT and ZSP. Bundled with Privilege Cloud (deploy the connector); a separate licence on PAM Self-Hosted. Co-exists with PSM; formerly Dynamic Privileged Access (DPA).
Capabilities
VPN-less, agentless SaaS access to infrastructure — the modern alternative to PSM (formerly DPA).
  • VPN-less, agentless access — to Windows, Linux, databases and Kubernetes.
  • Session brokering & recording — RDP video, SSH command-timeline and SSH/SQL/kubectl capture into unified Audit, with CORA AI summaries.
  • All three privilege models — vaulted, JIT and ZSP.
  • Ephemeral native access — signed SSH certificates (Linux), temporary local users (Windows), time-limited DB/Kubernetes access.
  • Deployment — bundled with Privilege Cloud (deploy the connector); separate licence on PAM Self-Hosted.
Secure Cloud AccessHuman
Secure Cloud Access (SCA) — native, credential-less ZSP access to cloud consoles and the CLI — AWS Management Console, Azure Portal, GCP Console. Access is ephemeral: created per request and automatically revoked, eliminating persistent IAM users and standing cloud-admin roles, with a full audit trail of every action. Includes the SCA MCP Server, giving AI developer tools (Amazon Q Developer, Claude Desktop) the same just-in-time, zero-standing cloud access instead of static keys.
Capabilities
Native, credential-less ZSP access to cloud consoles and the CLI.
  • Zero standing cloud access — ephemeral, per-request access to AWS, Azure and GCP consoles and CLI; auto-revoked.
  • Eliminates standing IAM — no persistent IAM users or standing cloud-admin roles.
  • Full audit trail — every action recorded, without disrupting native tool workflows.
  • SCA MCP Server — gives AI developer tools (Amazon Q Developer, Claude Desktop) the same JIT, zero-standing access instead of static keys.
Vendor Privileged AccessHuman
Vendor Privileged Access (Vendor PAM) — VPN-less, agentless, passwordless access for external vendors and contractors built on Zero Standing Privilege (also called Vendor PAM / VPAM). Vendors authenticate by scanning a one-time QR code with their phone’s native biometrics; sessions are brokered through an isolated browser tunnel so credentials never reach the vendor device, and every action is recorded. Continuous discovery of vendor access, automatic deprovisioning when an engagement ends, and onboarding in as little as ~2 minutes (vendor figure). Requires Privilege Cloud or PAM Self-Hosted.
Capabilities
VPN-less, passwordless access for external vendors, built on ZSP. SOC 2 Type II.
  • Biometric, passwordless onboarding — vendors scan a one-time QR code and authenticate with phone biometrics (hardware-backed, phishing-resistant).
  • Full session isolation & recording — isolated browser tunnel; credentials never reach the vendor device; every session recorded.
  • JIT, scoped access — vendors reach only authorised systems, for only the time needed.
  • Automated lifecycle — onboarding in as little as ~2 minutes (vendor figure); automatic deprovisioning when an engagement ends; REST API.
  • Compliance-ready — supports HIPAA, PCI DSS, FIPS 200, NERC CIP and CFATS. Requires Privilege Cloud or PAM Self-Hosted.
Workforce Password ManagementHuman
Workforce Password Management (WPM) — enterprise password manager for business applications — vaults and shares credentials whether or not the app supports SSO, and is especially valuable where SSO isn't available (legacy web apps, shared accounts, vendor portals). Stores credentials in Idira Cloud or PAM Self-Hosted Vault. Distinct from Privilege Cloud: this is for ordinary employee workflow apps, not privileged accounts. For SSO-federated web apps needing post-login monitoring or protection, see Secure Web Sessions.
Capabilities
Enterprise password manager for business apps — SSO or not.
  • Vault & share business-app credentials — enterprise-controlled, for SSO and non-SSO apps alike.
  • Best where SSO isn’t available — legacy web apps, shared accounts and vendor portals.
  • Storage choice — credentials in Idira Cloud or the PAM Self-Hosted Vault.
  • Workforce, not privileged — for ordinary employee workflow apps (distinct from Privilege Cloud).
Secure Web SessionsHuman
Secure Web Sessions (SWS) — records, monitors and protects user activity inside web and SaaS applications after login — including SSO-federated apps — via a browser extension. Adds session recording (with CORA AI session summaries that flag the critical activity), continuous authentication for high-risk apps (app-open step-up MFA is enforced via Identity Administration policies). The post-login layer for workforce web access; complements Workforce Password Management and SSO rather than replacing them.
Capabilities
Records, monitors and protects activity inside web / SaaS apps after login.
  • Post-login session recording — including SSO-federated apps, via a browser extension, with CORA AI summaries flagging critical activity.
  • Continuous authentication & step-up — for high-risk apps when anomalous activity is detected.
  • Click-level monitoring — behavioural monitoring with click-level search.
  • Complements SSO & WPM — the post-login layer, not a replacement.
Endpoint Privilege ManagerHuman
Endpoint Privilege Manager (EPM) — removes local admin rights from Windows, macOS and Linux endpoints and elevates trusted applications by policy — deployed standalone as SaaS with a single agent, no PAM vault required. Centralises Linux sudo management, blocks credential theft from browsers and the OS, and contains ransomware via application control. Unknown apps are checked against VirusTotal risk scores or run ring-fenced in Restrict mode. Supports Essential Eight ‘Restrict Administrative Privileges’ and ‘Application Control’, and integrates with Cortex XSIAM for privilege-aware response.
Capabilities
Removes local admin rights and elevates trusted apps by policy — single SaaS agent, no vault.
  • Remove local admin rights — least-privilege enforcement across Windows, macOS and Linux.
  • Application control & ring-fencing — allow, elevate, block or restrict apps; unknown apps run ring-fenced in Restrict mode.
  • JIT elevation — temporary, audited elevation of trusted apps without permanent admin rights.
  • Credential-theft & ransomware defence — blocks theft from browsers and the OS; out-of-the-box ransomware policies.
  • Linux sudo & Identity Bridge — centralised sudo management; bridges Linux to AD / cloud directories.
  • Risk & response integrations — reputation/threat-intel lookups (VirusTotal) for unknown apps; Cortex XSIAM for privilege-aware response. Supports Essential Eight ‘Restrict Administrative Privileges’ and ‘Application Control’.
Secure Workload AccessMachine
Secure Workload Access (SWA) — assigns each workload (container, VM, serverless function) a unique cryptographic SPIFFE identity tied to verified runtime attributes — what it is, where it runs, who deployed it. Identities expire in hours. Workloads authenticate directly with this identity rather than a static password or API key. Built on Idira Secrets Manager rather than replacing it — a workload can authenticate directly, or exchange its identity for a traditional secret when a target still requires one.
Capabilities
Gives each workload a unique cryptographic identity — the identity layer above secrets management.
  • Verifiable workload identity — SPIFFE-based identity tied to verified runtime attributes (what it is, where it runs, who deployed it).
  • Short-lived by default — identities expire in hours; no static passwords or API keys.
  • Every workload, every environment — containers, VMs, serverless and AI agents across on-prem, cloud and SaaS.
  • Secretless or secret-exchange — authenticate directly, or exchange identity for a traditional secret when a target still requires one.
  • Built on Secrets Manager — an identity layer on top, not a replacement.
Secrets ManagerMachine
Secrets Manager — delivers secrets dynamically to cloud-native applications, containers, and CI/CD pipelines via REST API, SDK and CLI. Best fit when workloads are modern, ephemeral, and running in Kubernetes or public cloud environments. Available in two editions: Secrets Manager SaaS — the Idira-hosted, multicloud service (formerly Conjur Cloud) — and Secrets Manager Self-Hosted — the customer-deployed edition long known as Conjur (formerly Conjur Enterprise), which adds a Leader/Follower high-availability architecture, native authenticators (Kubernetes, OpenShift, AWS IAM, Azure, GCP, OIDC) and the Secretless Broker (databases, SSH, HTTPS).
Capabilities
Delivers secrets dynamically to cloud-native apps, containers and CI/CD pipelines.
  • Dynamic secret delivery — via REST API, SDK and CLI to modern, ephemeral workloads (Kubernetes, public cloud).
  • Automated rotation — rotate secrets by policy, including with cloud-native secrets managers.
  • Two editionsSecrets Manager SaaS (Idira-hosted, multicloud; formerly Conjur Cloud) and Secrets Manager Self-Hosted (customer-run; the product known as Conjur, formerly Conjur Enterprise).
  • Self-Hosted HA & authenticators — Leader/Follower architecture; native Kubernetes, OpenShift, AWS IAM, Azure, GCP and OIDC authenticators.
  • Secretless Broker — apps connect to databases, SSH and HTTPS without fetching or holding a secret.
  • DevOps integrations & RBAC — Ansible, Jenkins, Azure DevOps; role-based access and centralised audit; removes the ‘secret zero’ problem.
Secrets HubMachine
Secrets Hub — replicates Idira-managed secrets out to non-Idira vaults — AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, GCP Secret Manager — and discovers existing secrets already in those vaults. Developers continue to consume secrets natively from the third-party vault while Idira becomes the source of truth for rotation, policy and audit.
Capabilities
Centralises secrets that live in non-Idira vaults — without changing the developer workflow.
  • Replicate to native vaults — push Idira-managed secrets to AWS Secrets Manager, Azure Key Vault and GCP Secret Manager.
  • Discover existing secrets — across cloud vaults; discovery + outbound sync for HashiCorp Vault (KV v2 engine only).
  • Unchanged developer experience — developers keep consuming secrets natively; Idira becomes the source of truth.
  • Automated rotation & policy — enforce enterprise-wide policy and rotation centrally.
  • Eliminate vault sprawl — one control plane across projects, CSP accounts and regions.
Agent-Based CPMachine
Agent-Based Credential Provider (CP) — an agent installed on the application server holds a local encrypted credential cache, so the app retrieves credentials with no network call to the vault at runtime — and keeps running and rotating even through a vault or network outage (a dual-account pattern gives zero-downtime rotation). No application code change. Supports Windows, Linux, AIX and IBM z/OS. The right choice for OT, mainframe and any system where vault unavailability can’t be tolerated.
Capabilities
Local credential cache on the application server — survives vault and network outages.
  • Local encrypted cache — the app retrieves credentials with no runtime network call to the vault.
  • Outage resilience — keeps running and rotating through a vault/network outage; dual-account pattern gives zero-downtime rotation.
  • No code change — removes hard-coded credentials without refactoring.
  • Broad OS support — Windows, Linux, AIX and IBM z/OS.
  • Best for — OT, mainframe and HA-critical apps where vault unavailability can’t be tolerated.
Central Credential ProviderMachine
The Central Credential Provider (CCP) is an agentless, centralised HTTPS web service — no agent on the application server. Applications call it over the network at runtime to retrieve credentials, authenticating by mutual TLS (client certificate) before a secret is returned. Scales across large or ephemeral estates without per-server agents (load-balanced for availability), with an extensive library of out-of-the-box integrations. The right choice where deploying an agent is impractical — web tiers, COTS software, RPA and scripts.
Capabilities
Agentless, centralised HTTPS web service — no agent on the application server.
  • Agentless retrieval — apps call a central HTTPS web service at runtime to fetch credentials.
  • Mutual-TLS authentication — client certificate verified before a secret is returned.
  • Scales without per-server agents — load-balanced for availability across large or ephemeral estates.
  • Extensive out-of-the-box integrations — web tiers, COTS software, RPA and scripts.
  • Best where an agent is impractical.
NGTSMachine
Palo Alto Networks Next-Generation Trust Security (NGTS) — PANW's network-native certificate lifecycle management (CLM) platform, launched 2026 and delivered by extending Strata Cloud Manager: certificate visibility, policy enforcement and renewal execute alongside firewall configuration, aligning certificate governance with the network control plane. Automates issuance, renewal, rotation and validation of digital certificates across firewalls, gateways, SASE and enterprise workloads. Built on Venafi technology following the CyberArk acquisition — the former Venafi and CyberArk certificate-lifecycle and PKI products consolidate under NGTS.
Capabilities
PANW network-native certificate lifecycle management, delivered by extending Strata Cloud Manager.
  • Enterprise-wide certificate visibility — continuous discovery across public and private networks; inventory of servers, workloads, Kubernetes, endpoints and appliances, with expiry, ownership and issuer tracking.
  • Policy-driven lifecycle automation — automated issuance, renewal, deployment, rotation and validation, with coordinated renewal workflows.
  • CA-neutral orchestration — multiple CA integrations; authority transitions and CA-distrust reissuance without redesign.
  • Modern private PKI (SaaS) — replaces hardware CA hierarchies; HSM-backed keys; ACME / EST / SCEP enrolment; Microsoft auto-enrolment; HA across regions.
  • Network-native — runs in the Strata Cloud Manager control plane; built on Venafi (prepares for the 47-day renewal cycle).
Secure AI AgentsAgentic
Secure AI Agents — discovers and governs autonomous AI agents across SaaS, cloud and developer environments — including AWS Bedrock / AgentCore and Microsoft Copilot Studio, with custom agents importable via API — enriching each with owner, purpose, status and context (solving “we have agents but can’t list them”). The Identity Broker (also called the AI Agents Gateway) is the enforcement point: sitting between an agent and the tools it reaches over the Model Context Protocol (MCP), it brokers and authorises each request — zero standing privileges on SIA-based MCP servers — with a full audit trail and instant gateway-level suspend / disable (behavioural monitoring is announced for 2026). Treats each agent as a first-class identity needing the same controls as a Human or workload.
Capabilities
One product, four capabilities — the full control plane for autonomous AI agents, not discovery alone.
  • Discovery & Context — detects agents across SaaS, cloud and developer environments (AWS Bedrock / AgentCore, Microsoft Copilot Studio; custom agents via API import) and enriches each with owner, purpose, status and context.
  • Secure Access — the Identity Broker brokers and authorises every agent request over MCP; ZSP is enforced on SIA-based MCP servers (task-scoped auto-revocation is the stated design goal).
  • Lifecycle & Compliance — manages each agent from registration to decommission with ownership assignment and audit-ready evidence of what it accessed and why.
  • Threat Detection & Response — suspend a misbehaving agent instantly at the gateway; behavioural anomaly detection is announced (2026 roadmap).
  • First-class identity — treats each agent as an identity needing the same controls as a human or workload.
Identity GovernanceGovernance
AI-powered Identity Governance and Administration (IGA), originally Zilla Security (acquired February 2025, now native in the Idira platform). Discovers, certifies, provisions and de-provisions Human, machine and agentic identities across SaaS, cloud and on-prem apps with 250+ documented integrations (vendor cites 1,000+) — plus Universal Sync RPA, direct-database connectors and flat-file ingestion to reach apps legacy IGA tools can’t. Answers “who has access to what, and should they?” Governance extends to privileged access via Identity Compliance (Identity Compliance for PAM environments) and can treat directories such as Active Directory as governed applications for clean-up (advisory).
Capabilities
AI-powered IGA — originally Zilla Security, now native in the platform.
  • Discover & visibility — surface who has access to what across SaaS, cloud and on-prem, with full visibility into entitlements, risk and activity.
  • Access certification — automate access reviews with AI-driven decisions to enforce least privilege.
  • Provisioning & de-provisioning — across human, machine and agentic identities, with 250+ documented integrations (vendor cites 1,000+) plus Universal Sync RPA, direct-database connectors and flat-file ingestion.
  • Audit-ready compliance — produce the evidence auditors need, at scale.
  • Extends to privileged access — Identity Compliance (Identity Compliance for PAM); can treat directories such as AD as governed apps (advisory).

Shared Services

Foundations

Shared Services

Platform Shared Services are cross-cutting capabilities that sit above the individual products and apply portfolio-wide — every product plugs into them rather than building its own. The point for a customer conversation: these are what make the portfolio behave as one platform, not a bundle of tools. Four matter most — the platform layer, discovery, audit, and threat detection.

Identity Admin, Connectors & CORA AI
The layer everything else runs on — what makes the portfolio behave as one system, not a bundle of point products.
Why it mattersKeep your existing IdP (Entra ID, Okta, Ping) and layer Idira on top rather than replacing it — one console and one sign-on across every product instead of per-tool administration, and the identity telemetry this layer gathers feeds straight into threat detection.
Identity AdministrationSSO, adaptive MFA, lifecycle & directory; federates your IdP (Entra ID, Okta, Ping) via SAML/OIDC + SCIM.
Connector ManagementOne place to deploy and auto-upgrade the lightweight connectors — not per-product installs. On Privilege Cloud the Connector Management Agent also runs the Secrets Rotation Service rotation plugins.
CORA AIPlatform-wide AI: natural-language queries, AI session audits, anomaly detection, policy recommendations.
What the platform layer includes
  • Identity Administration — SSO and adaptive, risk-based MFA, user lifecycle and a directory that federates your existing IdP (Entra ID, Okta, Ping) over SAML/OIDC with SCIM provisioning — Idira layers on top rather than replacing it.
  • Connector Management — one console to deploy, monitor and auto-upgrade the lightweight connectors (Connector Management Agents) that bridge Idira to your directories, vaults and targets — no per-product agent installs. On Privilege Cloud the agent also executes the Secrets Rotation Service credential-rotation plugins.
  • CORA AI — the portfolio-wide AI: natural-language queries across the estate, plain-language session-audit summaries, anomaly detection and policy recommendations.

Everything below is consumed through this platform plane when deployed on Privilege Cloud / Shared Services.

Discovery & Context
You can’t vault, govern or monitor an identity you can’t see — run once as a platform-wide service, not rebuilt per product.
Why it mattersYou can’t secure what you can’t see, so this is the foundation every other control builds on and where most PAM programmes start — and because each find is enriched with ownership, usage and risk, remediation is prioritised rather than guesswork.
Operating modelDiscovery & Context is the Discover stage of Idira’s Discover → Control → Govern operating model — you can only control and govern what you can first see. (Full model in Frameworks → Blueprint.)
Finds (out of the box)Unmanaged privileged & service accounts, SSH keys, and Loosely Connected Devices across Windows, Unix/Linux and macOS.
ContextEach find is enriched with ownership, usage and risk — so the platform can prioritise remediation and feed detection.
Full discover-then-govern coverage
  • Windows / Unix / Linux accounts — local admin, domain and root accounts across servers and workstations.
  • SSH keys — key pairs and their trust relationships, a frequent blind spot.
  • Application & service accounts — the non-interactive accounts used by apps, services and scheduled tasks.
  • Loosely Connected Devices (LCD) — remote/mobile machines not permanently domain-joined.

The same discover-then-govern pattern repeats per surface:

  • Secrets — Secrets Hub (AWS, Azure, HashiCorp, GCP)
  • Entitlements — IGA across SaaS & custom apps
  • Cloud access — SCA Cloud Visibility
  • Certificates — NGTS
  • AI agents — Secure AI Agents
Session Recording & Unified Audit
The evidence layer of privileged access — a defensible record of who connected to what, and exactly what they did inside.
Why it mattersAnswers “who did what, and when” fast — one consolidated, defensible record across PSM, SIA and SCA instead of a multi-tool hunt, with CORA AI turning hours of recording into a plain-language summary an auditor can actually read.
CapturesPSM records every session as full-screen video + commands. SIA records natively too — RDP as full video, SSH/SQL/kubectl as command-level timelines. SCA logs cloud console & CLI actions. All into one audit view.
CORA AI summariesTurn hours of recording into a plain-language audit of what a user actually did. The auditor differentiator.
The three capture paths — and PSM vs SIA
  • PSM — the vault-brokered proxy recorder: full-screen video plus text (keystrokes, SQL commands, window titles) on every session (RDP, SSH, database, web) for Privilege Cloud & PAM Self-Hosted.
  • SIA — native recording on the modern VPN-less, agentless path: RDP sessions as full video, and SSH, SQL and kubectl as command-level timelines. SIA records its own sessions — you do not bolt PSM on to get an audit trail.
  • SCA — every action in the AWS, Azure or GCP console and CLI.

PSM vs SIA — the difference is the access model and target coverage, not whether the session is recorded. PSM is the vault-brokered proxy with the broadest reach (RDP, SSH, Telnet, web and database clients, plus fat-client, GUI and mainframe apps via the Universal Connector). SIA is the agentless, VPN-less path for modern infrastructure (Windows, Linux, databases, Kubernetes). Rule of thumb: SIA for its own infrastructure targets; reach for PSM when the target is a legacy, fat-client or GUI app SIA doesn’t cover and for isolated networks.

One view, still maturing: events from all three already flow into a single Audit view; unified replay of the recordings is still being built out.

Threat Detection & Response
The Detect & Respond layer for what slips past Protect — built on Threat Detection & Response (TDR), Idira’s ITDR — successor to Identity Security Intelligence (ISI).
Why it mattersThe safety net for the compromise that slips past prevention — with intrusions now reaching data in 72 minutes, manual triage is too slow, so behaviour is scored continuously and TDR can respond on its own: terminate a risky session, rotate a credential or disable the account.
DetectsPrivilege escalation, lateral movement, anomalous sessions, credential theft — continuously, after access is granted.
RespondsTerminate a risky session, rotate a compromised credential, isolate the account — at machine speed.
How it detects, responds & fits your estate

Threat Detection & Response (TDR) is the platform’s ITDR layer — the successor to Identity Security Intelligence (ISI, support ended March 2026) — it watches the identities, accounts and sessions Idira already manages and flags the behaviour that signals a compromise in progress, scored continuously by behavioural analytics rather than static rules.

  • What it watches — privileged and service accounts, vaulted and just-in-time sessions, and the discovery, session and audit telemetry every product already feeds into the platform — one behavioural baseline across the identity estate.
  • What it catches — privilege escalation, lateral movement, anomalous sessions (unusual location, time or behaviour), credential theft and shadow / unmanaged admin accounts — the post-access activity that preventative controls never see.
  • How it responds — raises a prioritised, risk-scored detection and can act on it: suspend or terminate a risky session, force step-up MFA, rotate the exposed credential, or disable the account — automatically or on analyst approval.

Fits your estate: detections and response actions flow out to SIEM/SOAR — a natural bridge to Cortex XSIAM / XSOAR — so TDR complements PAM and SOC tooling rather than replacing it.

Solutions Guidance

Scope & Engineer

Solutions Guidance

For each identity area, a deciding question that routes to the right product — with how to position it and how to tell the close ones apart. Browse all, or filter to a single area.

Shared Services

Shared Services

The shared SaaS layer every range below sits on — SSO/MFA, discovery, audit, threat detection and CORA AI — detailed in the Shared Services section.
In scopeIdentity AdministrationDiscovery & ContextUnified AuditTDR / ITDRCORA AI
The deciding question
Which shared service answers the need?
Shared Services
SSO & MFA front door
Use it whenEvery customer, first — you need the SSO / MFA front door and to federate an existing IdP (Entra ID, Okta, Ping).
Why it matters
One authenticated, MFA-protected identity fronts every app and every product below; keep your existing IdP and layer Idira on top.
Capabilities
SSO front door — SAML/OIDC app catalogue
Adaptive MFA — risk-based step-up
IdP federation — Entra ID, Okta, Ping
SCIM provisioning
How it’s delivered
SSO, adaptive MFA, external-IdP federation and SCIM provisioning; feeds its own sign-in telemetry to TDR/ITDR (external-IdP activity reaches TDR via SIEM logon import or Cortex risk scores).
Delivered byIdentity Administration
Shared Services
See every unmanaged account
Use it whenYou can’t secure what you can’t see — discover unmanaged privileged & service accounts, SSH keys and devices across the estate, run once as a platform service.
Why it matters
The foundation of every other control; each find is enriched with ownership, usage and risk to prioritise remediation and feed detection.
Capabilities
Estate-wide discovery — privileged & service accounts, SSH keys, devices
Risk-enriched inventory — owner, usage, risk
Runs once — as a platform service
Feeds remediation & detection
How it’s delivered
Continuous discovery across the estate; risk-enriched inventory feeding remediation and detection.
Delivered byDiscovery & Context
Shared Services
One defensible audit record
Use it whenYou need one defensible record of who connected to what — PSM, SIA and SCA capture into a single audit view.
Why it matters
Answers ‘who did what, and when’ fast, with CORA AI turning hours of recording into a plain-language summary — the auditor differentiator.
Capabilities
Single audit view — across PSM, SIA and SCA
CORA AI summaries — plain-language session digests
Defensible record — who connected to what
Fast answers — for auditors and the SOC
How it’s delivered
Captures PSM, SIA and SCA sessions into one audit view; CORA AI plain-language summaries.
Delivered byUnified Audit
Shared Services
Catch what slips past prevention
Use it whenYou need to catch what slips past prevention — privilege escalation, lateral movement, anomalous sessions, credential theft — after access is granted.
Why it matters
Behavioural detect-and-respond on privileged accounts and sessions, bridging to SIEM / SOAR (Cortex XSIAM / XSOAR).
Capabilities
Behavioural detection — privileged accounts and sessions
Catches — escalation, lateral movement, credential theft
Post-access — what prevention misses
Bridges to SIEM/SOAR — Cortex XSIAM / XSOAR
How it’s delivered
Behavioural detect-and-respond; integrates with Cortex XSIAM / XSOAR.
Delivered byTDR / ITDR
Shared Services
AI across the whole estate
Use it whenYou want natural-language queries across the estate, AI session-audit summaries, anomaly detection and policy recommendations.
Why it matters
The portfolio-wide AI layer that makes discovery, audit and detection genuinely usable.
Capabilities
Natural-language queries — across the estate
AI session-audit summaries
Anomaly detection
Policy recommendations
How it’s delivered
Portfolio-wide AI layer spanning discovery, audit and detection.
Delivered byCORA AI
Human Identity

Human Identity Solutions

Securing the Human identity — admins, engineers, vendors and everyday staff — across every access surface, all on the Identity Administration SSO/MFA foundation.
In scopeIdentity AdministrationPrivilege CloudPAM Self-HostedSIASCAVendor Privileged AccessWPMSecure Web SessionsEPM
The deciding question
Which access surface — and how privileged is the user?
Human Identity
SSO & MFA front door
Use it whenYou need the SSO / MFA front door, or to federate an existing identity provider (Okta, Microsoft Entra ID, Ping) and provision users via SCIM. The access foundation nearly every customer needs first.
Why it matters
One authenticated, MFA-protected identity fronting every app and every other Idira product — and customers keep their existing IdP while layering Idira on top.
Capabilities
SSO — SAML/OIDC app catalogue
Adaptive MFA — risk-based step-up
IdP federation — Okta, Entra ID, Ping
SCIM provisioning — own sign-in telemetry feeds TDR/ITDR
How it differs
Identity, not privilege — the foundation the others sit on.
How it’s delivered
SSO (SAML/OIDC app catalogue), adaptive MFA, external-IdP federation and SCIM provisioning.
Delivered byIdentity Administration
Human Identity
Vault & broker privileged sessions
Use it whenYou need to secure and vault privileged credentials — domain / local admins, DBAs, network devices and service accounts — and broker modern privileged sessions to their targets. The foundation the access products build on, and the default where Secure Standing Privilege / break-glass is required.
Why it matters
Secures the credential itself — vaulted and automatically rotated — and the password is hidden from the user: it is injected into a brokered, recorded session, so it can’t be phished, written down or reused, and every privileged session is monitored and audited.
Capabilities
Vault & auto-rotate — credentials secured and rotated
Password hidden — injected into the session, never seen
Session brokering (PSM) — monitored and recorded
Break-glass / SSP — the standing-privilege foundation
How it differs
Secures the credential and the session — the standing-privilege foundation, where break-glass lives.
How it’s delivered
Privilege Cloud (SaaS vault; rotation via the Secrets Rotation Service, sessions via PSM) or PAM Self-Hosted (full on-prem stack — Vault, CPM and PSM).
Delivered byPrivilege CloudPAM Self-Hosted
Human Identity
VPN-less infrastructure access
Use it whenPrivileged access to infrastructure — Windows, Linux, databases, Kubernetes — especially modern/cloud, where you want VPN-less, agentless access with JIT or ZSP. The modern default for new infrastructure access.
Why it matters
No VPN and no jump server, and with ZSP no standing operational account to steal — fast for engineers and the biggest cut to attack surface where the target supports it.
Capabilities
VPN-less, agentless — no jump server
JIT or ZSP — no standing operational account
Native RDP/SSH/CLI — servers, databases, Kubernetes
Native session recording — co-exists with PSM
How it differs
Modern access to infra — co-exists with PSM, doesn’t replace it.
How it’s delivered
VPN-less SaaS; native RDP/SSH/CLI; vaulted, JIT or ZSP; delivered with Privilege Cloud.
Delivered bySIA
Human Identity
Zero-standing cloud-console access
Use it whenPrivileged access to cloud consoles and CLIs — AWS, Azure, GCP — without persistent IAM users or standing admin roles.
Why it matters
Eliminates the standing cloud-admin footprint — one of the most common cloud privilege-escalation paths; access is created per request and auto-revoked, with a full audit trail.
Capabilities
Credential-less ZSP — ephemeral access per request
Cloud consoles & CLIs — AWS, Azure, GCP
Auto-revoked — full audit trail
SCA MCP Server — for AI-tool workflows
How it differs
Same model as SIA, but for cloud consoles.
How it’s delivered
Native console & CLI access, credential-less ZSP; ephemeral access per request; SCA MCP Server for AI-tool workflows.
Delivered bySCA
Human Identity
Third-party privileged access
Use it whenExternal vendors, contractors or OEM engineers need time-bound privileged access — without a VPN, an agent or a corporate device. Purpose-built for the third-party workforce.
Why it matters
VPN-less, passwordless ZSP access through an isolated browser session; credentials never reach the vendor device, every action recorded, access auto-revoked when the contract ends. Onboard in as little as ~2 minutes (vendor figure).
Capabilities
Passwordless onboarding — one-time QR + phone biometrics
Isolated browser session — credentials never reach the device
Every action recorded
Auto-revoked — when the engagement ends
How it differs
Built for third parties, not your own admins.
How it’s delivered
SaaS; isolated browser session brokering; biometric MFA; lifecycle automation. Requires Privilege Cloud or PAM Self-Hosted.
Delivered byVendor Privileged Access
Human Identity
Business-app password vault
Use it whenEveryday access to business apps — especially those that don’t support SSO — legacy web apps, shared department accounts, vendor portals. Ordinary employees, not admins.
Why it matters
Replaces browser-saved and shared passwords with an enterprise-controlled, audited vault — closes the ‘password on a sticky note’ gap without touching privileged accounts.
Capabilities
Enterprise password vault — business-app credentials
Replaces browser-saved & shared passwords
Per-app access controls — audited
Works with or without SSO
How it differs
Ordinary employees, not admins — the opposite end from Privilege Cloud.
How it’s delivered
Enterprise password vault (Idira Cloud or PAM Self-Hosted Vault); per-app access controls.
Delivered byWPM
Human Identity
Oversight inside web apps
Use it whenYou need visibility and control over what users do inside web / SaaS apps after login — including SSO-federated apps — for monitoring, compliance or high-risk app protection.
Why it matters
Extends protection past the login: records sessions, can require continuous authentication (with app-open step-up MFA via Identity Administration policies), and protects high-risk apps — closing the post-login blind spot SSO alone leaves.
Capabilities
Session recording — inside web/SaaS apps after login
Step-up / continuous auth — high-risk apps
Covers SSO-federated apps too
Browser-extension delivered
How it differs
Governs the session, not the login.
How it’s delivered
Browser extension; integrates with Idira Identity SSO; recordings stored encrypted in the SaaS.
Delivered bySecure Web Sessions
Human Identity
Least privilege on the endpoint
Use it whenPrivilege on the endpoint itself — removing local admin rights, elevating trusted applications, blocking ransomware and credential theft on Windows, macOS and Linux.
Why it matters
The endpoint is where most identity attacks begin; least privilege there stops a single compromised device turning into lateral movement, and supports Essential Eight ‘Restrict Administrative Privileges’.
Capabilities
Remove local admin rights — Windows, macOS, Linux
Policy-based elevation — trusted apps
Application control — VirusTotal reputation lookups
Blocks ransomware & credential theft
How it differs
Secures the device, not access to a target — an ‘and’, not an ‘or’.
How it’s delivered
Endpoint agent; policy-based elevation; application control with VirusTotal reputation lookups.
Delivered byEPM
Machine Identity

Secrets & Machine-Identity Solutions

Securing non-human identities — application credentials, workload identities and certificates. The question for each is the same: what does it need to authenticate, and how does it get it? The real split is the kind of app and how it authenticates — a static, vault-rotated password for legacy apps, dynamic short-lived secrets for cloud-native apps, a secretless workload identity at the top, and certificates as a separate object. Read left to right, it’s also a maturity path: at each step a secret’s lifespan and blast radius shrink — shorter-lived, fewer places holding it — until the workload holds no secret to steal at all.
In scopeSecure Workload AccessSecrets ManagerSecrets HubAgent-Based CPCCPNGTS
The deciding question
What kind of machine identity is it — and how does it authenticate?
Machine Identity
Secretless workload identity
Use it whenYou want workloads to authenticate with a verifiable identity rather than a stored secret — zero-trust, workload-to-workload, across boundaries (containers, VMs, serverless; multi-cloud and on-prem).
Why it matters
A short-lived, verifiable identity means there is no static secret to steal, leak or rotate — authentication is based on what the workload provably is. Solves the ‘secret zero’ problem and enables zero-trust access that travels across clouds.
Capabilities
SPIFFE/SVID identity — short-lived, auto-rotated, no stored secret
Cross-boundary trust — workload-to-workload across multi-cloud and on-prem
Secret exchange — swaps identity for a short-lived secret only where a legacy target needs one
Built on Secrets Manager — the secretless layer on top
How it differs
No secret at all — the secretless end-state, built on Secrets Manager rather than replacing it.
How it’s delivered
SPIFFE/SVID short-lived cryptographic identities, built on Secrets Manager; the workload authenticates with its own verifiable identity, exchanging it for a short-lived secret only where a legacy target still requires one, so the application never holds it.
Delivered bySecure Workload Access
Machine Identity
Dynamic secrets for cloud-native apps
Use it whenThe app is modern and cloud-native and can retrieve a secret at runtime — containers, Kubernetes, CI/CD, microservices, IaC, cloud workloads. The recommended end state for app/DevOps secrets.
Why it matters
No hardcoded or static secrets in code or config, so a leaked repo or file no longer exposes a working credential; secrets rotate centrally with zero downtime and every retrieval is audited.
Capabilities
Dynamic secrets — short-lived, generated on demand, expired after use
Central rotation — zero-downtime, one policy across environments
Audited retrieval — every fetch logged
App-native access — REST API, SDK, CLI and a native Kubernetes authenticator
How it differs
Dynamic and short-lived — for apps built to call a secrets API at runtime, not a static password; a Credential Provider is the bridge for legacy apps that can’t adopt it.
How it’s delivered
Secrets Manager SaaS (Idira-hosted) or Secrets Manager Self-Hosted (Conjur, customer-run); REST API, SDK and CLI; native Kubernetes authenticator.
Delivered bySecrets Manager
Machine Identity
Govern third-party vaults in place
Use it whenThe customer already runs non-Idira cloud vaults — AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, GCP Secret Manager (single- or multi-cloud, incl. Mergers & Acquisitions) — and wants to keep using them rather than migrate.
Why it matters
One source of truth for rotation, policy and audit across vaults they already own — no migration project and no change to how developers work; surfaces and retires shadow and unused secrets.
Capabilities
Govern in place — central policy, rotation and audit across third-party vaults
Replicate out — pushes Idira-managed secrets into the native vault
Discover existing — finds secrets already there, incl. shadow and unused
Multi-cloud — AWS, Azure, GCP, HashiCorp
How it differs
Doesn’t store secrets for apps to consume — it governs other vaults in place.
How it’s delivered
Discovers existing secrets and replicates Idira-managed secrets out to the native vault; central policy, rotation and audit.
Delivered bySecrets Hub
Machine Identity
Remove hardcoded credentials from legacy apps
Use it whenA legacy / on-prem app can’t be re-coded to call a secrets API natively. Agent-Based CP for HA-critical apps that must keep working through a vault outage (OT/SCADA, mainframe z/OS, HA Java/.NET, MES-to-ERP); CCP where deploying an agent on every server is impractical (web tiers — WebSphere, WebLogic, Tomcat — COTS/ERP, RPA bots, scripts).
Why it matters
Removes embedded credentials from mission-critical legacy/COTS/RPA estates with no code change; Agent-Based CP’s local cache keeps the app running and rotating through a vault outage, while CCP rotates and revokes centrally with nothing to install.
Capabilities
No code change — hands a vaulted, rotated credential to the app at runtime
Agent-Based CP — local encrypted cache; serves credentials through a vault/network outage
CCP — agentless central HTTPS web service, mutual-TLS, nothing per server
Central rotation & revocation — a copied script or bot config no longer leaks a standing password
How it differs
The app still holds a static password — you’ve just stopped it being hardcoded.
How it’s delivered
Agent-Based CP — agent on the app server with a local credential cache, no network call at retrieval. CCP — agentless central HTTPS web service the app calls at runtime, mutual-TLS auth.
Delivered byAgent-Based CPCCP
Machine Identity
Certificate & PKI lifecycle
Use it whenIt’s about digital certificates / PKI, not passwords or secrets — discovering certificates across the network, automating renewal and rotation, and modernising internal CAs (TLS on firewalls, gateways, SASE and workloads).
Why it matters
Eliminates shadow certificates and expiry-driven outages, and makes the shrinking public-TLS validity windows (200 days now, 47 by 2029) operable — automation manual processes cannot match.
Capabilities
Certificate discovery — finds shadow and unmanaged certs across the estate
Automated lifecycle — renewal and rotation, no spreadsheet tracking
CA-neutral — ACME, EST, SCEP; modernises internal CAs
Crypto-agility — post-quantum readiness as TLS lifetimes compress
How it differs
A different object entirely — certificates, not secrets. One missed renewal takes firewalls, gateways, SSL decryption, SASE or Kubernetes down.
How it’s delivered
Extends Strata Cloud Manager; CA-neutral via ACME, EST, SCEP; SaaS-based private PKI.
Delivered byNGTS
Seven Machine-Identity Types, and a Secrets Maturity Path

A quick way to map a customer’s estate to the right product — machine identities fall into seven types:

  • Cloud & cloud-native appsSecrets Manager Secure Workload Access
  • DevOps, CI/CD & the software supply chainSecrets Manager
  • Automation tools & scriptsSecrets Manager CCP
  • COTS & ISV applicationsCCP
  • RPA botsCCP
  • N-tier / static homegrown appsAgent-Based CP CCP
  • Mainframe applicationsAgent-Based CP

Secrets maturity path. Start with the essentials — centralise secrets, remove hard-coded credentials, automate rotation. Accelerate — dynamic, just-in-time secrets for cloud-native workloads and one rotation policy across multicloud. Expand — reach legacy, OT and mainframe apps, and bring non-Idira vaults under one control plane with Secrets Hub. The through-line at every step: a secret’s lifespan and blast radius shrink — shorter-lived, and fewer things able to hold it — until the workload holds no secret to steal at all.

Agentic Identity

Agentic Identity

Securing AI agents as first-class identities. Secure AI Agents is the control point; Secrets Manager, Secure Workload Access, Secure Cloud Access and Identity Governance each apply to agents too — supplying the credential, workload-identity, cloud-access and governance layers it leans on.
In scopeSecure AI AgentsSecure Cloud AccessSecure Workload AccessSecrets ManagerIdentity Governance
The deciding question
What does the agent need — discovery & control, an identity, cloud access, or governance?
Agentic Identity
Discover, control & govern AI agents
Use it whenYou need the full control plane for AI agents as first-class identities — not discovery alone.
Why it matters
Solves “we have agents but can’t list them,” then brokers every request via the Identity Broker (ZSP on SIA-based MCP servers), records what each agent did, and can instantly suspend a compromised or runaway agent at the gateway.
Capabilities
Discovery & Context — every agent across SaaS, cloud and dev, enriched with owner, purpose, status, context
Secure Access — Identity Broker authorises every request over MCP; ZSP on SIA-based servers
Lifecycle & Compliance — registration to decommission; ownership and audit-ready evidence
Threat Detection & Response — gateway suspend / disable today; behavioural detection announced (2026)
How it differs
The control point — governs what the agent is allowed to do. The other products secure the layers it leans on; this one secures the agent itself.
How it’s delivered
Agent discovery enriched with owner, purpose, status and context; Identity Broker over MCP (ZSP on SIA-based servers); lifecycle management; audit; gateway suspend / disable (behavioural monitoring announced for 2026).
Delivered bySecure AI Agents
Agentic Identity
JIT cloud access for AI tools
Use it whenAn AI development tool (Amazon Q Developer, Claude Desktop) needs cloud-console access and is currently using static keys.
Why it matters
Replaces standing cloud keys with just-in-time, zero-standing access requested from the AI tool itself.
Capabilities
JIT cloud-console access — requested from the AI tool
Zero standing keys — replaces static credentials
SCA MCP Server — Amazon Q, Claude Desktop
Ephemeral — per-request
How it differs
Secures the tool’s route into the cloud console — not the agent’s identity (Secrets Manager / SWA) or its permissions (Secure AI Agents).
How it’s delivered
SCA MCP Server brokering ephemeral, per-request cloud access.
Delivered bySCA
Agentic Identity
The agent’s underlying identity
Use it whenAn agent or its underlying workload needs a credential or a verifiable identity to reach a target.
Why it matters
Delivers a short-lived secret or a verifiable SPIFFE workload identity instead of a hardcoded key.
Capabilities
SPIFFE identity — Secure Workload Access, secretless
Dynamic secret — Secrets Manager, via API/SDK
No hardcoded key — beneath the agent
The workload-identity layer
How it differs
What the workload is, beneath the agent.
How it’s delivered
Secrets Manager (API/SDK retrieval) or Secure Workload Access (SPIFFE/SVID short-lived identities).
Delivered bySecure Workload AccessSecrets Manager
Agentic Identity
Govern agent identities
Use it whenYou need to discover, certify and de-provision agent (non-human) identities and their entitlements alongside Human ones.
Why it matters
Brings agents under the same governance, certification and audit as every other identity.
Capabilities
Discover agent identities — non-human, alongside Human
Certify entitlements — access reviews
De-provision — lifecycle management
Same governance — as every identity
How it differs
Whether the agent should have access at all.
How it’s delivered
IGA discovery, certification and lifecycle management for non-human identities.
Delivered byIdentity Governance
Why Agents Are a New Kind of Risk
  • Third-party and insider at once. An agent erases the old divide — an external chatbot in your CRM becomes an insider the moment a token grants it data access. Legacy third-party-risk and insider-threat playbooks each only see half of it.
  • Six archetypes, varying autonomy. Agents range from simple task-runners to fully autonomous, multi-step actors — the more autonomous, the more standing access they accumulate and the more they need just-in-time privilege rather than static keys.
  • Shadow, orphaned and recursive trust. Watch for shadow agents no one registered, ‘ghost’ agent identities left active after a project ends, and recursive trust — one agent acting through another until the boundary between vendor and insider collapses.
  • Govern the whole lifecycle. Birth → adolescence → adulthood → death: give each agent a verifiable identity at creation, scope and monitor it in use, and decommission it cleanly — only 37% of organisations can currently revoke an agent’s credentials.

Adoption is already here — four in ten enterprises run agentic AI in production and three-quarters expect to within three years, yet only about one in ten have agent risk registries and dynamic authorisation (industry estimates — unsourced). Identity is the control plane: go beyond trusted to verifiable.

Identity Governance

Identity Governance

Governing whether access should exist — certification, provisioning and audit across Human, machine and agentic identities. Distinct from the access products that grant and secure it.
In scopeIdentity GovernanceIdentity Compliance
The deciding question
Are you controlling access, or governing whether it should exist?
Identity Governance
Access Certifications & Reviews
Use it whenYou run periodic access reviews (APRA CPS 234, ISO 27001, audit cycles) and want them evidence-backed rather than spreadsheet-driven.
Why it matters
Admin-defined SoD policies flag risky combinations, and unused entitlements are surfaced for clean-up; AI Profiles cut review effort by ~80% (vendor figure), so reviews complete faster.
Capabilities
Certification campaigns — SaaS, cloud, on-prem
AI risk surfacing — toxic combinations, unused entitlements
AI Profiles — cut review effort by ~80% (vendor figure)
How it’s delivered
Scheduled certification campaigns across SaaS, cloud and on-prem apps.
Delivered byIdentity Governance
Identity Governance
Joiner-Mover-Leaver
Use it whenNew starters need the right access from day one, movers adjusted on role change, and leavers de-provisioned automatically at termination.
Why it matters
Closes the most common audit finding — ex-employees and movers retaining access they no longer need.
Capabilities
Automated provisioning & de-provisioning
AI Profiles — infer roles beyond SCIM-native apps
Day-one access, clean termination
How it’s delivered
Automated provisioning/de-provisioning; AI Profiles infer roles beyond SCIM-native apps.
Delivered byIdentity Governance
Identity Governance
Entitlement Discovery
Use it whenYou need fine-grained visibility — not “does the user have Salesforce” but which permissions they actually hold.
Why it matters
Reveals over-entitlement legacy IGA tools can’t see, across SaaS and custom apps.
Capabilities
Fine-grained visibility — actual permissions held
250+ documented integrations (vendor cites 1,000+)
Universal Sync RPA — direct-DB & flat-file ingestion
How it’s delivered
250+ documented integrations (vendor cites 1,000+) plus Universal Sync RPA, direct-database connectors and flat-file ingestion.
Delivered byIdentity Governance
Identity Governance
Compliance Reporting & Audit Evidence
Use it whenYou need to show who had access, who approved it, when it was reviewed and what changed.
Why it matters
Audit-ready evidence on demand; a unified entitlement view (campaign reports / evidence package) spans Human and non-human identities — ‘Identity Map’ is vendor positioning for this view.
Capabilities
Pre-built reports
Certification records
Unified entitlement view — human & non-human (‘Identity Map’ in vendor positioning)
How it’s delivered
Pre-built reports, certification records and an exportable evidence package — the unified view vendor-positioned as the ‘Identity Map’.
Delivered byIdentity Governance
Identity Governance
Identity Compliance
Use it whenYou need to certify and review who can access privileged accounts and PAM Safes, not just business apps.
Why it matters
Brings privileged access under the same governance as ordinary entitlements — closing the loop between PAM (secures and records access) and IGA (certifies it should exist).
Capabilities
Certify privileged access & PAM Safes
Safe access-review campaigns
Closes the PAM↔IGA loop
How it’s delivered
Identity Compliance for PAM environments; Safe access-review campaigns across Privilege Cloud and PAM Self-Hosted.
Delivered byIdentity Compliance
Identity Governance
Active Directory Clean-Up advisory
Use it whenA sprawling, messy Active Directory is the starting point for a PAM uplift.
Why it matters
Cuts standing privilege (especially privileged groups like Domain Admins) before accounts come under PAM.
Capabilities
Treat AD as a governed app
Discover, certify & remediate — groups and nested groups
Cut Domain Admins — before PAM onboarding
How it’s delivered
Discover, certify and remediate group and nested-group entitlements. Advisory positioning.
Delivered byIdentity Governance

Don’t confuse with the access products: Privilege Cloud, Identity Administration and WPM grant and secure access; Identity Governance certifies whether it should exist. And versus Secrets Hub — both ‘discover and govern’, but IGA governs people’s entitlements while Secrets Hub governs machine secrets.

Architecture

Privilege & Deployment Models

Two architecture choices that cut across the products — which privilege model a target can support, and where the vault runs. The Use Case Table maps to capability, not deployment.
The deciding question — privilege model
How much standing privilege can the target tolerate?
Privilege Model
Secure Standing Privilege (SSP)
Use it whenBreak-glass, non-federated targets, and anything that can’t support JIT or ZSP.
How it works
A persistent vaulted account — rotated and checked out.
How it differs
The account always exists — the goal is to minimise standing privilege, not eliminate it.
Delivered byPrivilege CloudPAM Self-HostedSIA (vaulted)
Privilege Model
Just-in-Time (JIT)
Use it whenCutting the exposure window without re-architecting the target.
How it works
A time-bound checkout of a persistent vaulted account.
How it differs
The account still exists permanently — only access to it is time-boxed.
Delivered bySIASCAEPM (endpoints)
Privilege Model
Zero Standing Privileges (ZSP)
Use it whenModern infrastructure and cloud the target supports (Windows, Linux, databases, Kubernetes; AWS/Azure/GCP).
How it works
An ephemeral account created at request and deleted after the session.
How it differs
No standing operational account at all — the strongest model where the target supports it.
Delivered bySIASCA
How the Models Map to Products, and the Maturity Progression

How these models map to Idira products. SSP is delivered by Privilege Cloud and PAM Self-Hosted via the classic PSM vault model; SIA can also deliver vaulted access when the customer wants the modern VPN-less experience without giving up the standing privileged account. For infrastructure and cloud targets, JIT and ZSP are delivered by SIA (Windows, Linux, databases, Kubernetes) and SCA (AWS, Azure, GCP cloud consoles) — not available in classic PSM. JIT can also be applied as a time-bound layer on top of vaulted accounts via SIA — near plug-in on Privilege Cloud (SIA bundled; connector deployment only), and on PAM Self-Hosted from V14.4+ via the dedicated SIA integration. EPM extends the JIT model to endpoints. WPM sits outside this framework — non-privileged business apps, not elevated access.

The maturity progression. The Idira Identity Security Blueprint moves use cases from unsecured standing privilege → vaulted SSP → JIT-layered SSP → ZSP where the target supports it. SSP never disappears — break-glass, non-federated and fat-client legacy targets stay on permanent vaulted accounts. The right conversation is rarely “let’s get to ZSP” — it’s “get each use case to the highest model its target supports.”

The common confusion. ZSP does not mean “no vaulted accounts” — it removes the operational standing account, while break-glass SSP accounts remain dormant in the vault. The three models coexist in any mature deployment, not as competitors.

The deciding question — deployment
Where must the vault run?
Deployment
Recommended SaaS default
Use it whenThe recommended default — speed, lower TCO, and the fastest access to new capabilities.
How it works
Vault & backend run as Idira SaaS, with a lightweight connector in your environment — the Connector Management Agent (running the Secrets Rotation Service rotation plugins) plus PSM for sessions. No customer-managed CPM.
How it differs
The unified SaaS experience with SIA bundled — migrating off Self-Hosted removes up to 70% of on-prem hosts (vendor estimate — unsourced; confirm before quoting).
Delivered byPrivilege Cloud
Deployment
On-prem, air-gapped vault
Use it whenHard data-sovereignty, air-gap / isolation (SOCI / CI Fortify) or deep customisation.
How it works
The entire stack — Vault, CPM and PSM — runs inside your environment.
How it differs
Keeps working through internet isolation; SaaS services (SIA, Connectors) integrate as add-ons from V14.4+.
Delivered byPAM Self-Hosted
Full Deployment Detail

Both models ship the same native session manager, PSM; the use cases are largely the same across both — the split is architectural (where the vault runs and what comes bundled), not which session product you’re locked into.

Privilege Cloud on Shared Services is the recommended starting position for the great majority of new commercial opportunities — the unified Idira experience natively (Discovery SaaS, CORA AI, unified Connector Management, centralised SSO/MFA, cleanest integration with SIA, SCA, Secrets Hub and IGA), with SIA bundled. Cross-region DR at a 5-minute RPO/RTO (CRDR — optional add-on licence; 5-minute figure documented for Identity Administration failover) and BYOK for data sovereignty.

PAM Self-Hosted is the right answer where data sovereignty, air-gap capability or regulator-driven on-premise hosting is a hard requirement (government, defence, regulated utilities, CI Fortify-aligned critical infrastructure), and where the deepest configuration and legacy-target coverage matter. Privileged access keeps working through internet isolation (the CI Fortify scenario).

Common Confusions

Scope & Engineer

Common Confusions

Every ‘don’t mix these up’ comparison gathered in one place — the products and concepts that get confused, and how to tell them apart.

Human IdentityThe human-access products overlap at the edges — vault versus VPN-less, endpoint versus target, privileged versus everyday. These clear up which product owns which job, and where they’re an ‘and’ rather than an ‘or’.
SIA vs Privilege Cloud / PSM
In practiceYou don’t rip out PSM to adopt SIA — lead with SIA for modern infrastructure and keep PSM for the legacy and break-glass cases it still owns, so the customer modernises without re-platforming.
The full distinction
Both give Human privileged access. SIA is the modern, VPN-less path for infrastructure (vaulted credentials, JIT or ZSP); PSM is the vault-brokered recorder for everything SIA doesn’t reach (fat-client, legacy, custom session capture) and wherever Secure Standing Privilege or break-glass is required. They co-exist — SIA is not a rip-and-replace.
Does SIA record sessions, or do you need PSM for that?
In practiceEvery SIA session is already recorded and audited — so ‘SIA has no recording’ is a false objection to retire early, and the SIA-vs-PSM choice is about which targets each reaches, not which one records.
The full distinction
SIA has its own native session recording and auditing — you do not bolt PSM onto SIA to get an audit trail. SIA isolates, monitors and records its own sessions: RDP as video, SSH with a command-by-command timeline, and SSH/SQL/kubectl command capture, with CORA AI textual session summaries. What differs from PSM is not whether the session is recorded but the access model and target coverage: PSM is the vault-brokered proxy with broad Marketplace connector coverage (RDP, SSH, Telnet, web and database clients, and via the Universal Connector fat-client, mainframe-emulator and GUI apps); SIA is the modern VPN-less, agentless path for infrastructure (Windows, Linux, databases, Kubernetes). Both feed a single unified Audit view for auditors and the SOC (unified replay across PSM, SIA and SCA is still being built out). Practical rule: SIA covers its own infrastructure targets natively with full recording; reach for PSM when the target is a fat-client, legacy or GUI app SIA doesn’t reach.
SIA vs SCA
In practiceOne ZSP model already covers both their cloud consoles and their servers — position them as two surfaces of one approach, not two products to evaluate.
The differenceSame access model (ZSP), different targets. SCA is for cloud consoles (AWS, Azure, GCP web); SIA is for infrastructure (servers, databases, Kubernetes).
Vendor Privileged Access vs SIA
In practiceThe deciding question is whose device it is — outside the org on an unmanaged endpoint is Vendor Privileged Access; your own admins are SIA.
The full distinction
Both can give remote, VPN-less access. Vendor Privileged Access is purpose-built for external third parties — passwordless biometric onboarding, isolated browser sessions and automatic deprovisioning when the engagement ends; SIA is the modern access path for internal admins and engineers (and can serve vendors on a managed device). Reach for Vendor Privileged Access when the user is outside your organisation and you don’t control their device.
EPM vs the access products
In practiceEPM is an ‘and’, not an ‘or’ — it closes the local-admin gap on endpoints the access products never touch, which is core to the Essential Eight story.
The differenceEPM secures privilege on the endpoint device; the others secure privileged access to targets. They are complementary layers, not alternatives.
WPM vs Privilege Cloud
In practiceMatch the tool to the account’s privilege level — WPM for everyday business logins, Privilege Cloud for accounts that can do real damage — so neither gets stretched to do the other’s job.
The differenceWPM is for non-privileged everyday business apps; Privilege Cloud is for privileged accounts. WPM can even be configured to stop privileged credentials being stored in it.
WPM is not only for apps that lack SSO
In practiceDon’t let it get boxed in as a ‘no-SSO fallback’ — it’s the enterprise password manager for all business apps, a far larger footprint and a stronger reason to deploy it broadly.
The full distinction
A common mistake is to position Workforce Password Management as a fallback used only when an application can't do SSO. WPM is an enterprise password manager for business applications generally — it vaults, shares and audits credentials whether or not the app supports SSO, and integrates with Identity Administration SSO and adaptive MFA to extend one-click access across all of them. It is most valuable where SSO is unavailable (legacy web apps, shared accounts, vendor portals), but it equally covers SSO-capable apps an organisation hasn’t federated, or where a vaulted credential is still wanted. Position it as ‘enterprise password management for business apps’, not ‘the thing you use when there’s no SSO’.
WPM vs Secure Web Sessions
In practiceAccess vs oversight — WPM gets users in, Secure Web Sessions governs what they do next; together they cover the whole web-app session, which is why they belong together.
The differenceWPM gets users into business apps with vaulted passwords (especially apps that lack SSO); Secure Web Sessions governs what they do inside web apps after login — including SSO apps — via recording and continuous-authentication controls. Complementary: one is access, the other is session oversight.
Identity Administration vs WPM vs Secure Web Sessions vs IGA
In practiceDraw the four-layer picture early — front door (Identity Administration), passwords (WPM), in-app oversight (Secure Web Sessions), governance (IGA) — so the customer sees one stack, not four overlapping tools.
The full distinction
Four different jobs in the workforce-identity stack: Identity Administration is the SSO/MFA front door and federation/SCIM layer (getting the right user authenticated into apps); WPM vaults passwords for business apps, especially those that lack SSO; Secure Web Sessions governs what users do inside web apps after login; IGA certifies and attests whether that access should exist.
Secrets & Machine-IdentityMachine-identity tooling spans credential delivery, third-party vault governance and workload identity — easy to conflate. These pin down which approach fits which kind of app, and where one is the destination and another the bridge.
The secrets maturity ladder: Credential Providers → Secrets Manager → Secure Workload Access
In practicePosition them as a progression on a single platform — vault-and-rotate now, modernise to dynamic secrets, then go secretless — so the customer sees a roadmap they can climb at their own pace, not three products to choose between.
The full distinction
These aren’t competitors — they’re a maturity ladder, and most estates run more than one at once. A Credential Provider hides and rotates a credential that already lives in your PAM Vault so an existing app stops hardcoding it — the fastest “remove the hardcoded password” play for traditional, legacy and COTS apps (CCP agentless via an HTTPS/REST call for web tiers, COTS, RPA and scripts; Agent-Based CP with a local encrypted cache for OT/SCADA, mainframe, air-gapped or HA-critical targets that must keep working through a Vault outage). Secrets Manager (Conjur) is the dedicated, developer-first platform for cloud-native and DevOps apps — containers, Kubernetes, CI/CD, microservices — delivering dynamic, on-demand secrets via API/SDK and the native Kubernetes authenticator. Secure Workload Access is the secretless end-state: the workload presents a SPIFFE identity and never holds a credential at all, exchanging that identity for a secret only when a legacy target still demands one (it’s built on Secrets Manager). The quick test: credential already vaulted, legacy app, just kill the hardcoding → Credential Providers (Agent-Based CP if it can’t tolerate Vault downtime or is OT / air-gapped); cloud-native app that wants dynamic secrets → Secrets Manager; want the app to hold no credential at all → Secure Workload Access. Idira’s own framing: use cryptographic workload identity where the environment supports it and keep secrets where it doesn’t — both governed from the one Secrets Manager platform, with no forced migration.
Secrets Manager vs CCP
In practiceSet Secrets Manager as the destination and a Credential Provider as the bridge — the customer modernises where they can and still covers the apps they can’t, under one platform and unified governance.
The full distinction
Both get a secret to an application without hardcoding it, but they work in fundamentally different ways. A Credential Provider is a delivery mechanism for a credential that already lives in your PAM Vault: the Vault owns a long-lived, rotated password and CCP hands it to the app at runtime — the app still receives a real, static credential, CCP just stops it being hardcoded and keeps it rotated, with no code change. Secrets Manager (Conjur) is a dedicated secrets platform in its own right, not Vault-consumption: the workload authenticates to it using its own cloud-native identity — a Kubernetes service-account token, an AWS or Azure IAM role — and Secrets Manager returns secrets governed by policy-as-code, including dynamic, short-lived secrets generated on demand and expired after use, retrieved via API/SDK as part of the application rather than looked up from a vault. Put simply: CCP retrofits an existing app to consume a vaulted password; Secrets Manager is how cloud-native and DevOps apps (containers, Kubernetes, CI/CD, microservices) get secrets natively as part of the build. Recommend Secrets Manager where the app can adopt it; a Credential Provider where it cannot.
Secrets Hub vs Secrets Manager
In practiceIf they’ve already invested in AWS/Azure/HashiCorp vaults, lead with Secrets Hub (govern in place, no migration) rather than asking them to rip and replace.
The differenceSecrets Manager is Idira’s own secret store for applications. Secrets Hub does not store secrets for apps to consume — it governs secrets that live in someone else’s vault, replicating Idira-managed secrets out and discovering what already exists.
Agent-Based CP vs CCP
In practiceIf the app must keep running when the Vault is unreachable → CP; if you can’t put an agent on every box → CCP.
The full distinction
Both fetch a vaulted credential for an application that can’t adopt Secrets Manager natively — so the real split is not ‘legacy vs modern’ (Secrets Manager is the modern path); it is deployment model and resilience. Agent-Based CP runs a provider on each application server and serves credentials from a secure local cache: the highest anti-tamper security and performance, and — critically — it keeps serving credentials through a Vault or network outage. That makes it the choice for mission-critical, high-availability and isolation-prone targets (OT/SCADA, mainframe z/OS, HA Java/.NET). CCP is agentless — applications call a central web service (on IIS) at runtime — so there is nothing to install per server, which scales far more easily across large, ephemeral or locked-down estates (web tiers, COTS/ERP, RPA bots, scripts) and can be load-balanced for availability. The trade-off: that central service and the network path to it must be reachable at request time, so it suits non-mission-critical apps or wherever per-server agents are impractical.
Secure Workload Access vs Secrets Manager
In practiceSWA sits on top of the secrets investment, not against it — it removes the ‘secret zero’ problem, so frame it as the next maturity step, not a competing buy.
The differenceSWA is built on Secrets Manager, not a replacement. SWA gives the workload an identity; where a target still requires a traditional secret, the workload exchanges its identity for one from Secrets Manager.
NGTS vs Secrets Manager
In practiceThese land with different teams (network/PKI vs DevOps) — don’t let one disqualify the other; they cover separate machine-identity surfaces and often land independently in the same account.
The differenceBoth secure machine identities, but different objects: NGTS manages the certificate / PKI lifecycle (network and PKI teams); Secrets Manager delivers application secrets (DevOps and AppSec). NGTS is not an alternative to the secrets products — it covers the certificate surface they don’t.
SPIFFE Workload Identity vs Certificates
In practiceBoth give a machine a cryptographic identity, so they sound interchangeable — but they answer different questions. SPIFFE (via Secure Workload Access) answers ‘who is this workload, so it can authenticate without holding a secret?’; certificates (managed by NGTS) answer ‘is this machine or service’s TLS identity trusted and still valid?’. Position them as complementary, not either/or.
The full distinction
The confusing part first: a SPIFFE identity (an SVID) is often itself an X.509 certificate — so this isn’t ‘SPIFFE or certificates’, it’s two different jobs that both happen to use crypto. SPIFFE / Secure Workload Access is a workload-identity system: each workload is issued a short-lived, automatically-rotated identity granted by attesting what the workload is (its platform and properties), not by a secret it stores. The workload then authenticates to databases, APIs and other workloads by presenting that identity — secretless — so there is no long-lived credential to steal, leak or rotate. The problem it solves is workload authentication and authorisation without secrets, at machine speed and scale. Certificates are the broader PKI trust fabric: X.509 credentials that bind an identity to a public key, issued by a CA and used for TLS / mTLS, encryption and code signing across servers, services, devices and load balancers. NGTS (Next-Generation Trust Security) manages that estate end-to-end — discovery, ownership, expiry tracking, automated renewal and crypto-policy / post-quantum readiness — the problem being avoiding outages and weak crypto as public TLS lifetimes compress toward 47 days. The quick test: goal is ‘this workload should authenticate without holding a secret’ → Secure Workload Access (SPIFFE); goal is ‘keep our certificate / TLS estate discovered, current and policy-compliant’ → NGTS. They’re two surfaces of machine identity, governed on the one platform — and they often land with different teams (DevOps / platform vs network / PKI).
Agentic IdentitySecuring AI agents has several moving parts — what the agent can do, its underlying identity, its cloud access and its governance. These separate what each product actually secures.
The big one: Secure AI Agents does not overlap Secrets Manager, SWA and Secure Cloud Access
Because all four appear together on agentic use cases, they look like they do the same job. They don’t. Securing an agent is four different authentication / authorisation hops, each with its own owner. They chain — they don’t duplicate.
1
Should this agent identity exist at all?
Identity Governancegoverns the identity
Certifies, provisions and de-provisions the agent identity alongside Human and machine ones — the ‘should it exist’ question, not how it authenticates.
2
Is this a known agent, and what is it allowed to do?
Secure AI Agentsagent → tool
Discovers the agent, then the Identity Broker brokers and authorises its access to tools over MCP (ZSP on SIA-based servers) — the control point for what the agent may reach. It does not issue the workload’s secret or grant cloud-console access itself.
3
How does the agent’s workload authenticate to a target system?
Secrets ManagerSecure Workload Accessworkload → target
One layer beneath the agent: the runtime it runs as needs a credential or identity to reach a database, API or system — Secrets Manager delivers a runtime secret, SWA a verifiable SPIFFE identity. Secure AI Agents leans on these; it doesn’t replace them.
4
How does an AI dev tool get into a cloud console?
Secure Cloud Accesstool → cloud console
A specific MCP server — reached through the gateway — giving AI dev tools (Amazon Q, Claude Desktop) just-in-time, zero-standing access to AWS / Azure / GCP consoles instead of static keys. It secures the tool’s route, not the agent’s identity.
Why they feel similar: the Identity Broker’s MCP servers and the Secure Cloud Access MCP Server run on the same Secure Infrastructure Access zero-standing-privilege engine used for Human and machine access. The shared engine is consistency by design — one ZSP model across surfaces — not the same capability built four times.
AI agent vs traditional machine identity
In practiceA standing credential is the wrong control for something that decides its own actions — that’s the hook for why existing machine-identity tooling isn’t enough for agents.
The differenceA service account or workload runs fixed, predictable logic; an AI agent reasons and chooses actions at runtime, so it needs task-scoped, just-in-time privilege and continuous monitoring — not a standing credential.
Secure AI Agents vs the SCA MCP Server
In practiceThey’re complementary, not either/or — one governs the agent, the other gives it safe just-in-time cloud access, so the answer to ‘which?’ is usually ‘both’.
The differenceBoth involve MCP. Secure AI Agents governs the agent as an identity (gateway, discovery, JIT); the SCA MCP Server gives a developer or agent just-in-time cloud-console access from an AI tool. Use them together.
Secure AI Agents vs Secure Workload Access
In practiceSWA answers ‘what is this workload’, Secure AI Agents answers ‘what is this agent allowed to do’ — most agentic deployments need both.
The full distinction
Both secure non-human identities, but at different layers: Secure Workload Access gives a workload — including an AI agent’s runtime — a verifiable SPIFFE identity; Secure AI Agents governs the agent as an actor (discovery, MCP-brokered tool access, just-in-time privilege, audit). They stack, not compete.
‘Secure AI Agents’ is the control point, not the whole solution
In practiceScope agentic security as a portfolio play so the customer doesn’t expect one product to cover discovery, identity, access and governance.
The differenceIt is the primary product, but agent credentials and identity lean on Secrets Manager and Secure Workload Access, AI-tool cloud access on the Secure Cloud Access MCP Server, and governance and certification of agent identities on Identity Governance.
Delegated vs autonomous agents
In practiceThe control model differs — for delegated agents accountability flows to the user, while autonomous agents must be governed as identities in their own right.
The differenceA delegated agent acts on a named user’s behalf, so its actions trace back to that Human; an autonomous agent operates independently and needs its own first-class identity, privilege and audit.
Identity GovernanceGovernance is routinely confused with the access controls it sits above. These mark the line between granting and securing access, and certifying whether it should exist at all.
IGA vs PAM (Privilege Cloud / SIA / SCA)
In practicePAM controls the access, IGA decides whether it should exist at all — doing PAM without governance still fails the ‘who approved this?’ audit question, which is the opening for IGA.
The differencePAM secures and records privileged access once it is granted; IGA governs who should have access in the first place — entitlements, certification and the Joiner-Mover-Leaver lifecycle across every app. Complementary layers: governance above, access control below.
IGA vs Identity Administration
In practiceRunning access (Identity Administration) and policing it (IGA) are different jobs — the customer needs both to answer ‘are the right people in the right apps?’ end to end.
The full distinction
Identity Administration authenticates users and provisions them into apps (the SSO/MFA front door and SCIM lifecycle); IGA governs and certifies whether that access should exist. They meet at the lifecycle boundary — Identity Administration runs the access, governance polices it — which is why they’re easily confused.
IGA vs Workforce Password Management
In practiceOne is access to apps, the other is oversight of who should have it — WPM isn’t a governance control, and the auditor will ask for the one that is.
The differenceWPM stores and shares passwords for business apps, especially those without SSO; IGA governs and certifies entitlements across apps. One is access to apps, the other is oversight of who should have it.
IGA vs Secrets Hub
In practice‘Discover and govern’ appears in both talk tracks — be explicit that IGA governs people’s access and Secrets Hub governs machine secrets, so each is scoped to the right risk.
The differenceBoth ‘discover and govern’, but different objects: IGA governs identities and their entitlements; Secrets Hub governs secrets sitting in third-party vaults.
Privilege & Deployment ModelsTwo architecture choices run through this group — the privilege model a target can support (Secure Standing Privilege, Just-in-Time or Zero Standing Privileges) and the deployment model for the PAM stack (Privilege Cloud, SaaS with a lightweight connector, or PAM Self-Hosted, the full Vault, CPM and PSM stack in the customer environment). The confusions below clear up what actually changes — and what doesn’t — across both.
PSM is not Self-Hosted-only
In practiceMoving to Privilege Cloud SaaS doesn’t cost them PSM or their legacy target coverage — that removes a common blocker to the cloud conversation.
The differencePrivileged Session Manager is the native session manager in both deployments, installed on the connector, covering an enormous range of targets via the Marketplace (including fat-client, mainframe and legacy systems). It is not exclusive to PAM Self-Hosted.
SIA is a separate add-on, not Privilege Cloud’s built-in session manager
In practiceSet packaging expectations up front — SIA is included with a typical Privilege Cloud subscription (just deploy the connector) but is a separate licence on Self-Hosted (V14.4+), so there are no surprises at quoting.
The full distinction
It provides VPN-less, agentless, ZSP-capable access to Windows, Linux, databases and Kubernetes and co-exists with PSM rather than replacing it. SIA is bundled in the typical Privilege Cloud subscription (enable by deploying the connector); on PAM Self-Hosted it requires a dedicated licence and additional setup (V14.4+).
PSM vs SIA — which is the session manager?
In practiceIt’s not either/or — PSM is the native session manager in both deployments; SIA is the newer, cloud-native, VPN-less path. Lead with SIA for modern infrastructure and keep PSM for the broad legacy, fat-client and mainframe estate.
The full distinction
PSM — installed on the Privilege Cloud / Self-Hosted connector, it brokers and records RDP, SSH and database sessions and covers an enormous target range via Marketplace connection components. It is Privilege Cloud’s built-in session manager, not a Self-Hosted-only component.

SIA — a separate, cloud-native service giving agentless, VPN-less, ZSP-capable access to Windows, Linux, databases and Kubernetes; Idira positions it to eventually replace PSM/PSMP, but today the two co-exist rather than one replacing the other.
Privilege Cloud vs PAM Self-Hosted — which deployment?
In practiceLead with Privilege Cloud and reserve Self-Hosted for genuine isolation or sovereignty needs — don’t default to Self-Hosted out of habit.
The full distinction
Same PAM capabilities; the split is where the vault runs. Privilege Cloud (SaaS, with a lightweight connector) is the recommended default for speed, lower TCO and the fastest access to new capabilities; PAM Self-Hosted (the full stack inside the customer environment) is for hard data-sovereignty, air-gap or isolation requirements (SOCI / CI Fortify) or deep customisation.
Secure Standing Privilege (SSP) vs Just-in-Time (JIT) vs Zero Standing Privileges (ZSP)
In practiceThey coexist — push each target to the highest model it supports, but SSP stays the right answer for break-glass and legacy, so ‘get everything to ZSP’ is the wrong goal.
The full distinction
Three distinct privilege models, often used loosely: Secure Standing Privilege (SSP) is a permanent vaulted account (rotated, checked out); Just-in-Time (JIT) adds a time-bound checkout window on top of a vaulted account; Zero Standing Privileges (ZSP) means no standing operational account at all — an ephemeral account is created at request and deleted afterwards.
Zero Standing Privileges does not mean ‘no vaulted accounts’
In practiceReassure security teams that ZSP doesn’t strip their emergency access — the three models are layers, not competitors.
The differenceZSP removes the standing operational account, but break-glass and Secure Standing Privilege accounts remain dormant in the vault for emergencies and non-federated access.
Legacy PAM vs Idira Next-Gen Identity Security
In practiceWhen displacing a legacy or self-hosted PAM, position what next-gen adds beyond the vault — continuous discovery, ZSP, automated lifecycle and one platform across every identity — not a like-for-like vault swap.
The full distinction
  • Scope — legacy PAM secures named admins and privileged accounts; Idira secures every identity (Human, machine, agentic).
  • Access model — legacy leans on standing vaulted credentials; Idira pushes to JIT and zero standing privilege from endpoint to session.
  • Visibility — legacy is point-in-time with slow, manual onboarding; Idira runs continuous discovery and a live risk inventory (ISPM).
  • Governance — legacy bolts on a separate IGA with periodic certifications; Idira governs continuously, secure-at-birth across the lifecycle.
  • Architecture — legacy is a self-hosted stack of point tools; Idira is SaaS-native, unifying IAM, PAM and IGA on one platform with Precision AI.

Discovery Questions

Run the Conversation

Discovery Questions

Conversation starters that surface what an account actually needs — each answer routes you to the right product and section below. The chips mirror the use-case categories: Shared Services questions open the conversation (discovery, estate, detection, deployment), then walk HumanMachineAgentic in turn, and close with Governance across all three.

Shared ServicesOpen the conversation — discovery, estate, detection and deployment.
Discovery & Visibility
Do you know about every privileged and service account created in the last 3–6 months — and can you continuously discover and onboard new ones as they appear?
Routes toDiscovery & Context
When there’s an outage or a security incident, can you run root-cause analysis quickly — replaying who connected, what they ran and in what order?
Routes toSession Recording & Unified Audit with CORA AI summaries
Estate & Critical Platforms
Which third-party platforms and tools run your business — vulnerability scanners, RPA, ITSM, CI/CD, backup, ERP, OT/SCADA — and how do you secure those credentials today?
Routes toPlatform Integrations
What are your crown-jewel and critical-infrastructure / OT systems that must be protected and kept running no matter what?
Routes toPlatform Integrations Agent-Based CP PAM Self-Hosted
Detection & Response
Can you detect and stop privileged-credential misuse in real time — after access is granted, not just at login?
Routes toThreat Detection & Response
Would identity detections feeding your SIEM / SOAR (e.g. Cortex XSIAM / XSOAR) strengthen your SOC?
Routes toThreat Detection & Response + SIEM / SOAR integration
Deployment & Compliance
Do you have data-sovereignty, air-gap or SOCI / CI Fortify isolation requirements?
Routes toPAM Self-Hosted
Are you targeting Essential Eight maturity (Restrict Admin Privileges, MFA, Application Control)?
Routes toPrivilege Cloud SIA SCA EPM
HumanPrivileged and workforce Human access.
Human Identity Visibility
Do you know every Human identity with privileged or admin access — staff, contractors and vendors — and how much of it is standing, shared or beyond what the role needs?
(96% of Human identities have access beyond their role; only 39% of privileged access is JIT/ZSP — confirm against the 2026 Landscape report PDF.)
Routes toDiscovery & Context Identity Administration Identity Governance
Human Privileged Access
How do your admins, DBAs and network engineers reach your servers, databases and network devices today — VPN and a jump box, or something more modern?
Routes toSIA Privilege Cloud
Are your privileged credentials vaulted and rotated, or do you have shared and standing admin accounts?
Routes toPrivilege Cloud PAM Self-Hosted
Do you record privileged sessions for audit — could you reconstruct exactly what an admin did?
Routes toPSM (Privilege Cloud PAM Self-Hosted) / SIA
Vendor & Third-Party Access
How do you grant and time-bound third-party / vendor privileged access today — and can you attribute every action to a named individual?
Routes toVendor Privileged Access SIA
Do external vendors or contractors connect over VPN with corporate laptops, or share accounts you can’t easily revoke?
Routes toVendor Privileged Access
When a vendor engagement or contract ends, is their access removed automatically — or do dormant vendor accounts linger?
Routes toVendor Privileged Access
Could you onboard a new vendor for time-bound, passwordless privileged access in minutes — no VPN, no agent and no corporate device?
Routes toVendor Privileged Access (QR + phone biometrics)
Endpoint
Do your end users have local admin rights on their workstations?
Routes toEPM
How do you elevate trusted applications and block ransomware / credential theft on the endpoint itself?
Routes toEPM
Workforce & SaaS Access
Do you have business apps — especially ones without SSO — where staff reuse or share passwords?
Routes toWorkforce Password Management
Do you already run Okta, Microsoft Entra ID or Ping as your identity provider — and do you need to layer privilege controls or threat detection on top?
Routes toIdentity Administration
Do you need to record or add in-session controls to what your users do inside web / SaaS apps — including SSO-federated ones?
Routes toSecure Web Sessions
Cloud Access
Do your engineers sign into the AWS / Azure / GCP consoles with standing IAM users or admin roles?
Routes toSecure Cloud Access
Can you grant cloud access just-in-time and revoke it automatically once the task is done?
Routes toSecure Cloud Access
MachineApplication secrets, workload identity and certificates.
Machine Identity Visibility
Do you know how many non-human identities — service accounts, application credentials, secrets, certificates and workloads — you run, and who owns each?
(Machine identities now outnumber humans ~109:1.)
Routes toDiscovery & Context Secrets Hub Identity Governance
Machine & Application Secrets
Do you have hardcoded passwords or API keys in your code, config files or scripts?
Routes toSecrets Manager CCP
Where do your CI/CD pipelines (Jenkins, GitHub Actions, GitLab, Azure DevOps) get their credentials — are any stored in pipeline configs or variables?
Routes toSecrets Manager (pipelines are Tier 0)
Do your containers / Kubernetes workloads use secrets baked into images, or injected at runtime?
Routes toSecrets Manager (Kubernetes authenticator)
Do your Infrastructure-as-Code tools (Terraform, Ansible, Puppet) keep credentials in playbooks or state files?
Routes toSecrets Manager
Do your vulnerability scanners, RPA bots or backup tools hold privileged credentials?
Routes toCCP
Do you have COTS or packaged applications where you can’t change the code or install an agent, but they still need to retrieve a vaulted credential at runtime?
Routes toCCP
Do you have web tiers or large, ephemeral or locked-down server fleets where deploying and maintaining an agent on every host isn’t practical?
Routes toCCP
Do you have OT, mainframe or HA-critical apps that can’t tolerate a credential lookup failing?
Routes toAgent-Based CP
Do you have legacy or homegrown applications (Java/.NET, ERP) you can’t re-code, with credentials embedded in config — running on servers where you can install an agent?
Routes toAgent-Based CP
Do you have mission-critical apps that need credential retrieval with no network call — for performance or anti-tamper isolation — across Windows, Linux, AIX or z/OS?
Routes toAgent-Based CP
Do your developers already use AWS Secrets Manager, Azure Key Vault or HashiCorp Vault?
Routes toSecrets Hub
Have you acquired teams or environments running their own cloud vaults you need under central policy — without a migration project?
Routes toSecrets Hub (M&A)
Workload Identity & Certificates
Do your workloads authenticate to each other with long-lived API keys or shared secrets?
Routes toSecure Workload Access
Do workloads in different clouds or on-prem talk to each other over shared secrets or IP allow-lists, because identities don’t travel across boundaries?
Routes toSecure Workload Access (portable SPIFFE identity, mTLS)
Are you trying to solve “secret zero” — the first credential a workload needs before it can fetch any others?
Routes toSecure Workload Access
Do you want applications to reach databases or APIs without ever holding the credential?
Routes toSecure Workload Access (secretless, built on Secrets Manager)
Do you have visibility of every TLS certificate across your estate, have you had expiry-driven outages, and are you ready for shrinking certificate lifetimes — already 200 days, heading to 47 by 2029?
Routes toNGTS
Are you modernising or consolidating internal CAs / private PKI, or managing certificates across firewalls, gateways and SASE?
Routes toNGTS
AgenticAI agents as identities.
AI Agents
Can you list every AI agent running across your SaaS, cloud and developer environments (Copilot, Bedrock, custom) — and could you revoke one’s access today?
(79 of every 109 machine identities are now AI agents; only 37% of organisations can revoke an agent’s credentials.)
Routes toSecure AI Agents
Do your AI agents authenticate with embedded API keys or shared service-account tokens?
Routes toSecure AI Agents Secrets Manager Secure Workload Access
Can you control which tools, databases and data an AI agent is allowed to reach?
Routes toSecure AI Agents
If an agent took an action, can you prove what it did and on whose behalf?
Routes toSecure AI Agents
Do your AI development tools (Amazon Q, Claude) reach cloud with static keys?
Routes toSecure Cloud Access (MCP Server) Secure AI Agents
Can you govern, certify and de-provision your AI agents — their identities and entitlements — the way you do Human and machine identities?
Routes toSecure AI Agents Identity Governance
Could a third-party or SaaS agent act like an insider in your environment — and would you spot a shadow agent no one registered or one left active after a project ended?
(agents blur vendor and insider; shadow and orphaned agent identities are a growing attack surface)
Routes toSecure AI Agents
GovernanceWho should have access — across every identity type.
Identity Governance

All route to Identity Governance — the questions surface its different capabilities.

How do your access certifications run today — spreadsheets — and how long do they take?
(AI Profiles cut review effort by ~80% — vendor figure)
Do new joiners get the right access on day one, and do movers and leavers lose it automatically?
Can you produce audit-ready evidence on demand — who has access to what, who approved it and when it was last reviewed?
(unified entitlement view — vendor-positioned as the ‘Identity Map’)
Do you have applications — legacy, custom or on-prem — your current IGA tool can’t connect to?
(Universal Sync RPA, direct-database, flat-file)
Can you spot over-provisioned or excess access — identities with more entitlements than their role needs?
Do you certify and review who can access your privileged accounts and PAM Safes — not just business apps?
Routes toIdentity Compliance
Can you certify and de-provision machine and non-human identities — service accounts, app and agent identities — the way you do Human ones?
Is a messy Active Directory holding back your PAM programme — orphaned accounts, over-stuffed privileged groups?
(advisory)
Is access governance so slow that people work around it — or so role-heavy it can’t keep up with how work actually happens?
(65% of employees admit bypassing slow access rules; static roles and legacy IGA can’t govern the full app estate — AI-driven LCM aligns access continuously)

Maturity Journeys

Run the Conversation

Maturity Journeys

Two one-slide walk-throughs for a customer conversation — each follows one question across the life of an identity and shows which Idira product answers it at every stage. Switch between the Privilege journey for PAM and the Secrets journey for machine identities.

One question: for each privileged account, how much privilege stands — and for how long?

■ Today, most teams sit on unsecure standing privilege — always-on admin access behind little more than a password. ● Read the ladder left to right: standing access shrinks from always-on, to protected-but-permanent, to granted only in the moment, to nothing standing at all. Move as much privilege up the ladder as each resource allows — every step materially cuts your attack surface, and Secure Standing Privilege never fully disappears (break-glass lives there by design). Don’t let perfect be the enemy of good.

1
Unsecure standing privilege
2
Secure the standing privilege
3
Just-in-time access
4
Zero standing privilege
Higher risk → higher mitigation — apply the highest control each resource can take
Today · highest risk

Unsecure Standing Privilege

All privileged accounts
What it is

Always-on privileged access protected by little more than a shared password — no rotation, no monitoring, no session isolation.

The risk: one compromised credential gives an attacker unlimited dwell time to move laterally.

  • Standing local admin and shared service accounts nobody rotates or watches
  • A leaked credential stays valid until it’s changed everywhere
  • The highest-risk state — and the one Idira is built to move you off
First move — find itDiscovery & Context
Protect what stands

Secure Standing Privilege

Human
What it’s for

The privilege still stands permanently — but now it’s protected: credentials vaulted, MFA enforced, sessions isolated and recorded, passwords auto-rotated.

Reach for it when: the account must stay always-on — break-glass, emergency and non-federated targets.

  • Vault + automated rotation (CPM); session isolation & recording (PSM)
  • MFA on every checkout, with a full audit trail
  • Break-glass — vaulted, dual-control retrieval, auto-rotate after every use
  • This layer never disappears — even at full maturity
Delivered byPAM Self-Hosted Privilege Cloud EPM
Remove always-on

Just-In-Time Access

Human
What it’s for

The account exists, but privilege is elevated only when needed — requested, approved, used, then automatically revoked.

Reach for it when: admins or vendors need access occasionally, not around the clock.

  • Time-bound elevation of vaulted accounts; temporary group membership
  • VPN-less native RDP / SSH with MFA, brokered and recorded
  • Access auto-revoked when the task is done — no leftover entitlements
Delivered bySecure Infrastructure Access
The goal — nothing to find

Zero Standing Privilege

Human
What it’s for

Accounts and entitlements don’t exist until needed — an ephemeral privileged account is created at request and deleted after use.

Reach for it when: the resource can support dynamic, ephemeral access — modern servers, databases, cloud.

  • Ephemeral accounts per session — signed SSH certs (Linux), temporary local / domain users (Windows), time-limited DB / Kubernetes
  • Cloud consoles & CLIs: zero-standing access per request — no standing IAM users or admin roles
  • Nothing left standing for an attacker to find or reuse; supports zero-trust
Delivered bySecure Infrastructure Access Secure Cloud Access
The pragmatic rule. Apply the highest control each resource can take. If ZSP isn’t achievable, use JIT; if JIT isn’t possible, apply Secure Standing Privilege — vault it, enforce MFA, rotate automatically. Secure Standing Privilege never disappears entirely; break-glass accounts live there by design. Every step up the ladder beats staying where you are.

What we’ll explore together

Where do you have always-on privileged access today — and who or what holds the keys?
Which accounts must stay standing (break-glass, emergency) — are they vaulted, dual-controlled and auto-rotated?
Where could always-on admin be replaced with just-in-time elevation?
Which resources could support zero standing privilege — ephemeral accounts created and destroyed per use?

Discussion aid · product detail drawn from the Idira Identity Security Reference Guide and Idira product documentation · verify against current vendor documentation.

When Maturity Slips

Run the Conversation

When Maturity Slips

Real breaches that trace back to a single identity-maturity gap — and the Idira capability that would have closed it. Grouped by identity surface; filter to one at a time. Agentic looks forward to the 2026 risk curve.

Real-World Breaches, Mapped to the Fix
Breach · 2022 · AustraliaHuman
Medibank
Stolen contractor credentials — including an admin account — and a corporate VPN that didn’t require MFA opened the records of 9.7M customers.
✓ How Idira closes it
Vault and manage the privileged account, retire the flat VPN for MFA-enforced zero-standing access, and front every login with adaptive, phishing-resistant MFA.
Privilege CloudSecure Infrastructure AccessIdentity Administration
2026 Landscape: only 39% of privileged access uses just-in-time or zero-standing privilege (confirm against the report PDF).
Breach · 2021 · AustraliaHuman
JBS Foods
An old network-administrator account was never deactivated and sat behind a weak password — REvil ransomware used it to halt meatworks at sites across Australia.
✓ How Idira closes it
Discover and decommission orphaned privileged accounts, vault and rotate every admin credential behind MFA, and strip the standing local admin that lets ransomware spread.
Discovery & ContextPrivilege CloudEndpoint Privilege Manager
2026 Landscape: 96% of human identities hold access far beyond their role.
Breach · 2022 · InternationalHuman
Uber
Attackers wore down a contractor with repeated MFA push prompts until one was approved, then found hard-coded admin credentials inside an internal script.
✓ How Idira closes it
Phishing-resistant, number-matching MFA shuts down push-bombing, and vaulting every privileged credential means a stray script can’t hand over admin access.
Identity AdministrationPrivilege CloudSecrets Manager
2026 Landscape: the fastest intrusions now reach data in 72 minutes.
Breach · 2020 · AustraliaHuman
Toll Group
One of Australia’s largest logistics firms was hit by ransomware twice in three months, freezing freight nationwide — ransomware thrives on standing privileged access and local admin rights to spread.
✓ How Idira closes it
Vault and rotate privileged credentials, broker access with MFA and zero standing privilege, and remove the standing local admin that lets ransomware move laterally.
Privilege CloudSecure Infrastructure AccessEndpoint Privilege Manager
2026 Landscape: disconnected tooling adds 12 hours to every incident-response cycle.
Breach · 2020 · InternationalMachine
SolarWinds
Attackers compromised the software build system and slipped malicious code into a legitimately signed update that shipped to ~18,000 organisations — undetected for nine months.
✓ How Idira closes it
Give the build pipeline a verifiable workload identity, keep its secrets short-lived and vaulted, and bring the code-signing certificates under managed lifecycle.
Secure Workload AccessSecrets ManagerNGTS
2026 Landscape: machine identities now outnumber humans 109:1.
Breach · 2022 · InternationalMachine
Toyota
A live access key sat publicly on GitHub for almost five years before anyone noticed.
✓ How Idira closes it
Continuously discover exposed and unmanaged secrets, pull them under one vault with automatic rotation, and govern the ones already living in other vaults.
Secrets HubDiscovery & Context
2026 Landscape: machine identities now outnumber humans 109:1.
Outage · 2018 · InternationalMachine
Ericsson / O2
A single expired certificate knocked mobile data offline for tens of millions of O2 and SoftBank users for a day.
✓ How Idira closes it
Discover every certificate, automate renewal and rotation, and get ahead of shrinking TLS lifetimes — already 200 days, 47 by 2029 — so an expired cert never causes an outage.
NGTS
2026 Landscape: public TLS certificate lifetimes have already dropped to 200 days (March 2026) and reach 47 by 2029 — roughly 8x more renewals.
Breach · 2022 · InternationalMachine
Dropbox
A phished developer’s GitHub access exposed 130 code repositories — with plaintext API keys and credentials sitting inside the source code.
✓ How Idira closes it
Externalise every secret into a managed vault so it’s short-lived, rotated and never baked into code — and govern the secrets already scattered across other vaults.
Secrets ManagerSecrets Hub
2026 Landscape: 12 hours are added to every incident-response cycle by disconnected tooling.
Breach · 2024 · InternationalAgentic
Midnight Blizzard
Russia’s SVR password-sprayed a legacy test-tenant account with no MFA, then abused the over-privileged OAuth apps it could reach — non-human identities that sidestep MFA entirely — to read senior executives’ mailboxes.
✓ How Idira closes it
Treat every non-human and agent identity as first-class: least privilege, just-in-time access, and the ability to revoke it instantly.
Identity GovernanceSecure AI Agents
2026 Landscape: only 37% of organisations can revoke an AI agent’s credentials.
Breach · 2023 · InternationalAgentic
Cloudflare
One service token and three service-account credentials — missed when thousands were rotated after the Okta breach — reopened Cloudflare’s internal systems.
✓ How Idira closes it
Discover every machine and agent credential, give them zero standing access, and rotate or revoke them automatically — a non-human credential should never live forever.
Secrets ManagerSecrets Hub
2026 Landscape: 40% of AI agents already have access to organisational data.
AI Exploit · 2025 · InternationalAgentic
Microsoft Copilot ‘EchoLeak’
A zero-click prompt hidden in a normal email could make Copilot exfiltrate corporate data on its own — the first known zero-click prompt-injection vulnerability disclosed against a production AI agent (CVE-2025-32711; patched, no in-the-wild exploitation reported).
✓ How Idira closes it
Broker every tool and data call an agent makes, audit it end to end, and keep gateway-level suspend / disable to hand (behavioural anomaly monitoring is announced for 2026) — never let an agent act on untrusted input unchecked.
Secure AI Agents
2026 Landscape: 99% of organisations have already adopted AI agents in some form.
Breach · 2024 · AustraliaAgentic
Ticketek / Snowflake
A standing data-platform credential with no MFA was stolen by infostealer malware and used to walk straight in — researchers linked the breach to the Snowflake credential campaign, with roughly 30 million Ticketek Australia customer records reportedly offered for sale.
✓ How Idira closes it
Vault and rotate standing credentials so a stolen static secret is worthless, enforce phishing-resistant MFA on every account that can log in — human or service — and give workloads short-lived identities instead of passwords that never expire.
Identity AdministrationSecrets ManagerSecure Workload Access
2026 Landscape: only 39% of privileged access uses just-in-time or zero-standing privilege (confirm against the report PDF).
Breach · 2019 · InternationalGovernance
Capital One
An over-privileged cloud role held far more access than it needed — so a single web flaw exposed 106M records.
✓ How Idira closes it
Discover and certify entitlements, drive least privilege, and surface the standing cloud access that should never have existed.
Identity GovernanceSecure Cloud Access
2026 Landscape: 96% of human identities hold access far beyond their role.
Breach · 2022 · AustraliaGovernance
Optus
A customer-data interface was reachable with no authentication and unrestricted access, exposing roughly 9.8M records.
✓ How Idira closes it
Put an authenticated, least-privilege identity in front of every access path, and govern who — and what — can reach sensitive data.
Identity AdministrationIdentity Governance
2026 Landscape: disconnected identity tooling adds 12 hours to every incident-response cycle.
Breach · 2018 · InternationalGovernance
Cisco
A departed engineer kept his cloud access months after leaving — and wiped 456 virtual machines.
✓ How Idira closes it
Automate joiner-mover-leaver provisioning so access ends the moment someone leaves, and certify entitlements on a schedule.
Identity Governance
2026 Landscape: only 39% of privileged access uses just-in-time or zero-standing privilege (confirm against the report PDF).
Breach · 2023 · InternationalGovernance
Okta
A leaked service account let attackers into Okta’s support system and read customer files — including session tokens used to pivot into those customers.
✓ How Idira closes it
Govern non-human and service accounts like any other identity: discover them, certify their access on a schedule, and de-provision the ones nobody owns.
Identity Governance
2026 Landscape: 96% of human identities hold access far beyond their role.

Breach details are drawn from public reporting and incident disclosures, and cross-checked against the VERIS Community Database (VCDB) — a community dataset of publicly disclosed incidents maintained by the Verizon DBIR team (separate from the DBIR’s contributor data). For Australia, the OAIC Notifiable Data Breaches scheme and dashboard is the official government record.

Talk Tracks

Run the Conversation

Talk Tracks

Open with The Idira Story — a short, high-level overview (about 3–5 minutes) for a first prospect conversation across the full spectrum of identities (Human, Machine, Agentic and the Governance layer). Its job is to frame the big picture and set up a deeper session with our specialists; keep it high-level and let the experts go deep. When the conversation narrows, drop into the ready-to-run 5-minute track for whichever category matters most. Pick a track with the filter below.

The four category tracks each run on the same five beats: set the scene with the 2026 Identity Security Landscape numbers, name the broken model, land the Idira play, prove why it’s a platform not point tools, then make the ask. Every track gives you bullet talking points to glance at and a word-for-word script to deliver.

How to run it. Lead with The Idira Story to frame the whole picture and earn the next meeting, then follow the customer into the category that lands hardest. Use the bullets as your autocue and lean on the word-for-word script if you want it. All figures trace to the 2026 Identity Security Landscape and Unit 42 data in the Reports & Frameworks section — cite them with confidence.
The Idira Story: one platform for every identity Full Spectrum 3–5 min
The high-level opener for a first prospect conversation — a quick walk across the full identity spectrum (Human, Machine, Agentic and the Governance layer). Its job is to frame the big picture and set up a deeper session with our specialists. Keep it high-level; the experts go deep.
1Identity is the new front door
  • Attackers don’t break in — they log in, with stolen credentials or over-provisioned access. 90% of organisations were breached through identity last year, 83% of them more than once.
  • Identity was involved in 89% of Unit 42 breach investigations — it’s the primary way in now, not the perimeter.
Say it like this“Let me frame why identity has become the security conversation. For years the budget went on the perimeter — firewalls, networks, endpoints. But attackers changed tactics: nowadays attackers don’t break in, they log in, with credentials they’ve stolen or access that was over-provisioned. Nine in ten organisations were breached through identity last year. So the question we help customers answer isn’t ‘is the perimeter holding’ — it’s ‘can you trust, see and control every identity that has access to your business?’”
2It’s not one identity — it’s three
  • Human — workforce, admins, engineers and vendors: the accounts that get phished and over-provisioned (96% hold access beyond their role).
  • Machine — apps, services and workloads now outnumber people 109:1 (up from 82:1), each holding hardcoded secrets and keys.
  • Agentic — AI agents are already 79 of every 109 machine identities; 99% of organisations run them, growing ~85% a year.
Say it like this“What makes this hard is that identity isn’t just about human identities anymore — it’s three, and each is its own attack surface. First, your people — workforce, admins, engineers, third-party vendors — the accounts that get phished and quietly end up with far more access than the job needs. Second, your machines — the applications, services and workloads that now outnumber your people more than a hundred to one, each holding secrets and keys that are often hardcoded and forgotten. And third, the fastest-growing: AI agents. These aren’t simple service accounts — they reason, act on their own, hold credentials and inherit human-level privilege, and most organisations are already running them before security has a way to govern them. Three very different identities, one shared attack surface.”
3Why point tools leave gaps
  • Most teams grew identity one tool at a time — workforce login, privileged access, compliance, then separate tools bolted on for machines and agents. They don’t talk to each other, so attackers move through the seams — the fastest reach data in 72 minutes, and fragmented tooling adds ~12 hours to every incident.
  • The governance blind spot: only 39% of privileged access is just-in-time (confirm against the 2026 Landscape report PDF) and just 37% could revoke an AI agent — so no one can cleanly answer who has access, who approved it, and should they still have it.
Say it like this“The challenge is that most organisations built their identity security one tool at a time — one product to log the workforce in, another to vault the privileged admins, another for compliance, and lately separate point tools for machine identities and again for AI agents. Each solved a different problem, and none of them talk to each other. Attackers move through the gaps between them — and they move fast. And it leaves a question nobody can answer cleanly: across your people, your machines and your agents — who has access, who approved it, and should they still have it? That governance blind spot is where most of the risk, and most of the audit findings, quietly live.”
4One platform for every identity — and where we’d start
  • Idira secures all three on one platform: discover every identity, give each exactly the right level of privilege (passwordless, just-in-time — nothing standing to steal), and govern them under one model.
  • Governance is the tie that binds — the same review proves access for a person, a workload and an agent — and Idira is a core Palo Alto Networks platform alongside Strata, Prisma and Cortex, so identity becomes a live signal your SOC can act on.
  • The ask: a short working session with our specialists to map your identities across all three types and pinpoint where your biggest exposure is today.
Say it like this“This is exactly what Idira was built for. Instead of another point tool, it secures the full spectrum — human, machine and agentic — on one platform: it discovers every identity, gives each exactly the right level of privilege — so access is passwordless, just-in-time or ephemeral with nothing left standing to steal, and governs all of it under one model. That one model is the tie that binds — the same review proves access for a person, a machine and an agent, and gives you the evidence an auditor asks for. Because Idira is a core Palo Alto Networks platform, alongside the network, the cloud and the SOC, identity stops being a blind spot and becomes a live signal your team can act on. So here’s what I’d suggest: let me bring in a couple of our specialists for a short working session — we’ll map your identities across all three types and pinpoint where your biggest exposure is today. Worst case, you leave with a clear, independent picture of your identity risk. Could we get that in the diary?”
Securing the humans who hold the keys Human 5 min
Human Privilege, Endpoint Privilege & Workforce Access — the admins, engineers, vendors and everyday staff whose accounts attackers want most.
1Set the scene
  • 90% of organisations suffered an identity-related breach last year; 83% were hit two or more times.
  • Identity was involved in 89% of Unit 42 investigations — and the fastest intrusions now reach data in 72 minutes, ~4x faster than a year ago.
  • 96% of Human identities have access far beyond their role; only 39% of privileged access is just-in-time or zero-standing (confirm against the 2026 Landscape report PDF).
Say it like this“Quick question — who here is certain every admin account in your business is vaulted, rotated and recorded? Last year 90% of organisations suffered an identity-related breach, and 83% were hit more than once. When Unit 42 investigates, identity is involved 89% of the time — and the fastest attackers now go from foothold to stolen data in 72 minutes. The uncomfortable part: 96% of your people already have far more access than the job needs, and only 39% of privileged access is time-boxed. That standing access is the attack surface.”
2Why the old model fails
  • The old assumption — secure a handful of named admins and you’re safe — has broken.
  • Privilege is everywhere now: cloud engineers, DBAs, vendors on unmanaged laptops, and staff with local admin.
  • VPNs, shared passwords and permanent local-admin rights are the openings attackers walk through.
Say it like this“For years we treated privilege as a small club — a dozen named admins behind a vault. That model is dead. Every cloud engineer, every DBA, every vendor on a laptop you don’t control, every employee with local admin now carries privilege an attacker can ride. VPNs hand them the whole network; shared passwords can’t be traced; permanent local-admin rights turn one phished laptop into a ransomware launchpad. You can’t fix that one account type at a time.”
3The Idira play
  • It starts with a secure vault — a hardened, tamper-proof store that encrypts, holds and automatically rotates the credentials — but it goes well beyond a traditional password store.
  • Passwordless to the target: the user never sees the password. It’s injected into an isolated, recorded session, so the admin reaches the server, database or console without ever seeing, typing or knowing it — it can’t be phished, written down or reused.
  • Modern Privileged Access Management, not just storage: it discovers the unmanaged privileged and service accounts across the estate and brings them under management, vaulted and rotated, then brokers and records every session — Privilege Cloud / PAM Self-Hosted with PSM.
  • VPN-less, agentless access to servers, databases and Kubernetes with SIA; cloud consoles with SCA — both pushing to zero-standing privilege, where the account is created on demand and deleted afterwards, so there’s no standing password to steal.
  • External vendors get the same passwordless, isolated, auto-expiring access via Vendor Privileged Access.
  • Lock the device with Endpoint Privilege Manager; the everyday workforce gets SSO and adaptive MFA (Identity Administration), vaulted business passwords (WPM) and in-app oversight (Secure Web Sessions).
  • Both sides of the attack chain: passwordless removes the credential to steal at the front door; zero standing privilege removes the access to abuse once inside — nothing to steal, nothing to exploit.
Say it like this“Here is how Idira closes it — and this is the part people underestimate. Yes, at its heart there’s a vault — a hardened, tamper-proof store that encrypts, holds and automatically rotates the credentials. But it’s far more than a traditional password store. Idira discovers the unmanaged privileged and service accounts hiding across your estate, brings them under management, and then brokers the connection itself. Your admin clicks ‘connect’ and lands on the server, the database or the cloud console — but the password is injected into an isolated, recorded session, so they never see it, never type it, never even know it. That means it can’t be phished, written on a sticky note or reused. Privilege Cloud with PSM does exactly that. For modern infrastructure we go VPN-less and agentless with Secure Infrastructure Access, and for cloud consoles Secure Cloud Access — both pushing to zero-standing privilege, where the account is created on demand and deleted afterwards, so there is no standing password left to steal. Vendors get the same passwordless, auto-expiring access. On the endpoint, Endpoint Privilege Manager strips local admin; and for everyday staff it’s SSO and adaptive MFA, vaulted business-app passwords, and oversight inside the apps. Every Human surface — one platform.”
4Why a platform, not point tools
  • It all runs on shared services: discovery finds the unmanaged admin and service accounts you can’t see; one unified audit trail with CORA AI plain-language session summaries; Threat Detection & Response watches for privilege escalation and lateral movement after access is granted.
  • Idira is a core Palo Alto Networks platform alongside Strata (network), Prisma (cloud) and Cortex (SOC) — so identity signals flow into the SOC and EPM feeds Cortex XSIAM.
  • Fragmented identity tools add 12 hours to every incident — cited by 97% of practitioners (confirm against the 2026 Landscape report PDF). One platform removes that tax.
Say it like this“None of these are bolt-ons — they share one foundation. Discovery finds the unmanaged admin and service accounts hiding in your estate. One audit trail answers ‘who did what’, with AI turning hours of session video into a paragraph an auditor can read. Threat Detection watches for privilege escalation and lateral movement after login, not just at it. And Idira is a core Palo Alto Networks platform, alongside Strata for network, Prisma for cloud and Cortex for the SOC — so identity context flows straight into your security operations, and Endpoint Privilege Manager feeds Cortex XSIAM. Fragmented tools add 12 hours to every incident; 97% of practitioners say so. One platform deletes that.”
5The close — make the ask
  • The ask: let us run a live demo of the whole Human-privilege flow end to end — passwordless, brokered, zero-standing access in action. No proof-of-concept to scope.
  • Tailored to you: we set the demo against the targets your team actually uses — servers, cloud consoles, vendor access, endpoints — so they’re watching their own day, not a generic script.
  • The vision: privileged-grade control over every Human identity, evidenced for every auditor.
Say it like this“So here is my ask — let us show you, not tell you. We’ll run a live demo of the whole thing end to end: an admin connecting to a server or a cloud console, the password injected so they never see it, the session recorded, and a zero-standing account created on demand and deleted afterwards. We’ll tailor it to the targets your team actually uses, so they’re watching their own day. No proof-of-concept to stand up, no project to scope — just see it work and decide from there. The end state is every Human who holds a key vaulted, time-boxed and recorded, provable to any auditor. Let’s get a demo in the diary.”
The 109:1 problem: securing machine identities Machine 5 min
Apps / DevOps secrets, third-party vaults, legacy & OT apps, workload identity and certificates — where no Human is in the loop.
1Set the scene
  • Machine identities now outnumber humans 109:1 — up from 82:1 a year ago — and are projected to grow another 77% this year.
  • Credentials are hardcoded in source, baked into pipelines and scattered across AWS, Azure, GCP and HashiCorp vaults nobody fully governs.
  • 90% of organisations were breached through identity last year; a secret leaked in code is one of the easiest front doors there is.
Say it like this“For every Human in your business there are now 109 machine identities — apps, scripts, pipelines, workloads. A year ago it was 82. It’ll grow another 77% this year. Every one of them needs a credential, and right now those credentials are hardcoded in source, sitting in config files, baked into pipelines, and scattered across AWS, Azure and HashiCorp vaults nobody fully governs. 90% of organisations had an identity breach last year, and a secret leaked in code is one of the easiest front doors there is. The machines became your biggest identity surface while nobody was watching.”
2Why the old approach breaks
  • Cloud-native apps want dynamic, short-lived secrets; legacy, OT and mainframe apps can’t be refactored at all.
  • Teams have already invested in non-Idira vaults and won’t rip them out.
  • Result: every team improvises, nothing is audited end-to-end, and ‘secret zero’ sits in plain text somewhere.
Say it like this“The old approach breaks because one answer doesn’t fit. Your cloud-native teams want dynamic, short-lived secrets delivered by API. Your OT, mainframe and COTS apps can’t be touched — they need the credential handed to them with no code change, and they have to keep working even if the vault is unreachable. Meanwhile you’ve invested in AWS and HashiCorp vaults you’re not going to throw away. So every team improvises, nothing is audited end-to-end, and ‘secret zero’ — the credential that unlocks the others — is sitting in plain text somewhere. Point tools make that worse.”
3The Idira play
  • A maturity ladder on one platform, no forced migration.
  • Credential Providers kill hardcoded passwords in legacy/COTS/OT apps with no code change (CCP agentless; Agent-Based CP with a local cache that survives a vault outage).
  • Secrets Manager (Conjur) delivers dynamic, on-demand secrets for cloud-native, Kubernetes and CI/CD.
  • Secure Workload Access is the secretless end-state — the workload presents a SPIFFE identity and holds no credential.
  • Secrets Hub governs the secrets already in AWS/Azure/GCP/HashiCorp in place; NGTS covers the certificate lifecycle.
Say it like this“Idira treats this as a ladder you climb at your own pace, all on one platform. For the apps you can’t change, Credential Providers remove the hardcoded password with no code change — and the agent-based option keeps serving credentials straight through a vault outage, which is why OT and mainframe teams love it. For cloud-native, Secrets Manager delivers dynamic, short-lived secrets on demand. When you’re ready, Secure Workload Access goes fully secretless — the workload proves who it is with a SPIFFE identity and never holds a credential at all. Already invested in other vaults? Secrets Hub governs them in place, no rip-and-replace. And NGTS covers the certificate lifecycle the secrets tools don’t. Vault now, modernise to dynamic, then go secretless — same platform, one governance model.”
4Why a platform, not point tools
  • Shared services do the heavy lifting: Secrets Hub discovery finds the secrets already sprawled across every vault; one audit and governance model spans Human, machine and agentic; Threat Detection watches workloads for credentials used where they shouldn’t be.
  • One platform, every identity — the same controls span humans, machines and AI agents, so machine identity isn’t a silo.
  • Idira is a core Palo Alto Networks platform alongside Strata, Prisma and Cortex, so a leaked or abused machine credential becomes a signal Cortex and the SOC can act on at machine speed.
Say it like this“Underneath, the platform’s shared services carry it. Discovery through Secrets Hub finds the secrets already sprawled across your clouds — you can’t govern what you can’t see. One audit and governance model spans humans, machines and AI agents, so machine identity stops being a silo. Threat Detection watches workloads for credentials being used where they shouldn’t be. And because Idira is a core Palo Alto Networks platform — alongside Strata, Prisma and Cortex — a leaked machine credential becomes a signal your SOC can act on at machine speed, not a log nobody reads. No identity point-vendor reaches across network, SOC and identity like that.”
5The close — make the ask
  • The ask: let us run a live demo of the secrets lifecycle in action — a hardcoded credential removed, a dynamic secret issued, a workload going secretless. No proof-of-concept to scope.
  • Tailored to you: we run it against the kind of apps, pipelines and vaults you actually have, so it’s recognisably your environment.
  • The vision: every machine identity managed, rotated or dynamic — with a roadmap to secretless.
Say it like this“My ask is simple: let us show you the secrets lifecycle live. In one demo we’ll take a hardcoded credential out of an app with no code change, issue a short-lived dynamic secret to a cloud-native workload, and show a workload running fully secretless on a SPIFFE identity — then govern secrets sitting in an AWS or HashiCorp vault in place. We’ll run it against the kind of apps, pipelines and vaults you actually have, so it’s recognisably yours. No proof-of-concept to scope — just see the whole use case work end to end. The destination is every machine identity managed, rotated or dynamic, with a clear path to secretless. Let’s book the demo.”
79 of every 109: securing AI agents Agentic 5 min
Delegated and autonomous AI agents — the fastest-growing, least-governed identity on your network.
1Set the scene
  • Of the 109 machine identities per Human, 79 are AI agents — and 99% of organisations have already adopted them.
  • AI agents are projected to grow another 85% this year — the fastest-growing identity of all.
  • 40% of those agents already have access to organisational data, yet only 37% of organisations can revoke an agent’s credentials.
Say it like this“Here is the number that should keep you up at night: of those 109 machine identities per Human, 79 are AI agents — and 99% of you have already deployed them in some form. They’re growing 85% this year, faster than any other identity. Now the scary half: 40% of those agents already touch organisational data, but only 37% of organisations can actually revoke an agent’s credentials if it goes wrong. We’ve handed autonomous software the keys and kept the brakes in the box.”
2Why agents break the old model
  • An AI agent isn’t a service account — it reasons and chooses its actions at runtime, accumulates credentials, calls tools and moves across systems.
  • A standing credential is exactly the wrong control for something that decides for itself.
  • Delegated agents act for a named user; autonomous agents need their own first-class identity, privilege and audit.
Say it like this“An AI agent is not a service account. A service account runs fixed, predictable logic. An agent reasons, picks its own actions at runtime, accumulates credentials, calls tools, and moves across your systems without a Human in each step. So a long-lived standing credential — the thing we give workloads — is exactly the wrong control for something that decides for itself. And there are two kinds: a delegated agent acting on a named user’s behalf, where accountability traces back to that Human, and an autonomous agent operating on its own, which needs its own first-class identity, least privilege and audit trail. Your existing machine-identity tooling wasn’t built for either.”
3The Idira play
  • Treat every agent as a first-class identity — the same discovery, least privilege and audit you’d give a Human or workload.
  • Secure AI Agents is the control point: discover agents across SaaS, cloud and dev; broker tool access through MCP (registered servers only; ZSP on SIA-based servers); audit everything.
  • A portfolio play, not one box: identity/credentials from Secrets Manager and Secure Workload Access (separately configured); cloud access via the SCA MCP Server (AWS). Certification via Identity Governance is not yet a documented integration — roadmap.
Say it like this“Idira’s answer is to treat every agent as a first-class identity — the same discovery, least privilege and audit you’d give a Human or a workload. Secure AI Agents is the control point: it discovers the agents already running across your SaaS, cloud and developer environments, brokers their access to tools through registered MCP servers, enforces zero standing privileges on SIA-based servers, and records what each agent did. But it’s deliberately a portfolio play, not one box — the agent’s underlying identity and secrets come from Secrets Manager and Secure Workload Access, its cloud access from the Secure Cloud Access MCP Server, and its certification and governance from Identity Governance. Discovery, identity, access, governance — all covered, because no single product should claim all four.”
4Why a platform, not point tools
  • Same shared services: discovery finds the shadow agents; unified audit captures agent sessions with CORA AI summaries; Threat Detection for agent behaviour is announced for 2026 (posture findings today).
  • One platform, every identity — agents governed alongside the humans and workloads they act with, not in a separate tool.
  • Idira + Cortex/Strata means an agent gone wrong becomes a containment action the SOC can take at machine speed — the only speed that matches an agent.
Say it like this“And it runs on the same platform foundation as everything else. Discovery surfaces the shadow agents nobody registered. The unified audit trail captures what agents do, with AI summarising it in plain language. Behavioural threat detection for agents is on the 2026 roadmap — today you contain via instant gateway suspend — and because Idira sits alongside Cortex and Strata, containment becomes an action your SOC can take at machine speed. That matters more for agents than anything else, because an agent operates at machine speed too — a human-paced response loses. One platform governing your humans, your workloads and your agents together is the only model that keeps up.”
5The close — make the ask
  • The ask: let us run a live demo of an AI agent governed end to end — discovered, given just-in-time access, monitored, then revoked in one click. No proof-of-concept to scope.
  • Tailored to you: we use the kind of agents and tools your teams are already running, so it lands as your problem, not a hypothetical.
  • The vision: every agent discovered, least-privileged, revocable and audited — before the 85% growth lands.
Say it like this“So my ask: let us show you an agent under control, live. In one demo we’ll discover an agent, broker its access to a tool through MCP, grant it just-in-time privilege scoped to a single task, watch it work, then revoke its access in one click — with a full audit trail of everything it did. We’ll use the kind of agents and tools your teams are already running, so it lands as your problem, not a hypothetical. No proof-of-concept to stand up — just see the whole use case in action. The goal is every agent discovered, least-privileged, revocable and recorded, before this year’s 85% growth arrives. You’ve already given AI agents the keys — let’s show you how to take them back.”
The access nobody remembers granting Governance 5 min
Identity Governance — certification, provisioning and audit across Human, machine and agentic identities.
1Set the scene
  • 96% of Human identities have access far beyond their role; on average 42% of the workforce has direct access to organisational data (confirm against the 2026 Landscape report PDF).
  • Only 39% of privileged access is just-in-time or zero-standing — most is permanent and forgotten (confirm against the 2026 Landscape report PDF).
  • 90% breached last year; when the auditor asks ‘who approved this access?’, most teams can’t answer.
Say it like this“Let me ask the question every auditor and every breach report eventually asks: who approved this access — and should it still exist? Right now, 96% of your people have access well beyond their role. On average 42% of your workforce can reach organisational data directly. Only 39% of privileged access is time-boxed — the rest is permanent and forgotten. 90% of organisations were breached through identity last year, and over-entitlement is how a single compromise becomes a catastrophe. Most teams can secure access — but they can’t answer whether it should have been granted in the first place.”
2Why access control isn’t governance
  • PAM and SSO control and record access once granted; they don’t decide whether it should exist.
  • Entitlements pile up through joiners, movers and leavers and never get revoked.
  • It’s no longer just people — machines and AI agents now hold entitlements too, and nobody’s certifying them.
Say it like this“Here is the gap. Your PAM tool secures privileged access and your SSO gets the right user into the app — but neither answers whether that access should exist at all. Entitlements accumulate: someone joins, moves teams, changes roles, leaves — and the access trails behind them, never revoked. Do that across thousands of people for a few years and you get the 96% over-entitlement number. And it’s not just humans anymore — machines and AI agents now hold entitlements too, and almost nobody is certifying those. Securing access without governing it still fails the ‘who approved this?’ question. That’s the audit finding waiting to happen.”
3The Idira play
  • Identity Governance (IGA) governs who — and what — should have access: certification campaigns, the Joiner-Mover-Leaver lifecycle, and provisioning across every app.
  • It discovers fine-grained entitlements across SaaS and custom apps, then certifies and attests them.
  • Crucially, it governs Human, machine and agentic identities — one certification model for the whole estate, including the agents from the agentic story.
Say it like this“Idira’s answer is Identity Governance. It governs not just who should have access, but what — running certification campaigns where managers attest to access, automating the Joiner-Mover-Leaver lifecycle so access tracks the person, and provisioning across every app. It discovers the fine-grained entitlements buried in your SaaS and custom apps and puts them in front of the right approver. And here’s the differentiator: it governs Human, machine and agentic identities under one model. The same certification that proves an employee’s access is justified also proves it for a service account and for an AI agent. One governance layer over the entire identity estate — not a people-only tool that ignores 109 of every 110 identities you actually run.”
4Why a platform, not point tools
  • Governance sits on the same shared services: discovery feeds it the entitlements; unified audit and CORA AI make certification fast and evidence-ready; it complements PAM, Identity Administration and Secrets Hub rather than replacing them.
  • One platform, every identity — governance is the layer that ties Human, Machine and Agentic together and proves the whole thing to a regulator.
  • Maps directly to the frameworks Australian buyers care about — Essential Eight, SOCI, NIST CSF — turning governance into evidence.
Say it like this“Governance runs on the same platform foundation. Discovery feeds it the entitlements to certify. The unified audit trail and AI summaries turn a quarter’s worth of access reviews from a spreadsheet nightmare into evidence you can hand a regulator. It complements your PAM, your SSO and Secrets Hub rather than replacing them — governance above, access control below. And this is the layer that ties the whole story together: Human, Machine and Agentic all roll up into one certification model on one platform, which is exactly what Essential Eight, SOCI and NIST CSF ask you to prove. Governance is where ‘we secured it’ becomes ‘we can prove it’.”
5The close — make the ask
  • The ask: let us run a live demo of an access-certification campaign end to end — entitlements discovered, put to approvers, certified or revoked, evidence produced. No proof-of-concept to scope.
  • Tailored to you: we use the kind of apps and roles your business runs — including machine and agent entitlements — so the over-entitlement you see is recognisably yours.
  • The vision: continuous certification across Human, machine and agentic identities — over-entitlement down, audit answered on demand.
Say it like this“My ask: let us show you a certification campaign run end to end, live. In one demo we’ll discover the entitlements across an app, surface the standing and orphaned access nobody can justify, put it to an approver to certify or revoke, and produce the audit evidence at the end — for Human, machine and agent identities alike. We’ll use the kind of apps and roles your business actually has, so the over-entitlement you see is recognisably yours. No proof-of-concept to scope — just watch the whole use case work. From there it’s continuous certification, with over-entitlement falling every cycle and the ‘who approved this?’ question answered on demand. Let’s get the demo in the diary.”

Industry Reports

Reports & Frameworks

Industry Reports

How Idira maps to the security frameworks and initiatives that drive Australian buying decisions — filter to one, or browse them all.

2026 Identity Security Landscape — Demand Drivers

Quantified context for investment justification and executive conversations. Source: Palo Alto Networks 2026 Identity Security Landscape, survey of 2,900+ cybersecurity decision-makers worldwide, May 2026.

The Breach Reality

90% of organisations suffered an identity-related breach in the past 12 months. 83% suffered two or more incidents. 89% of Unit 42 investigations showed identity weaknesses played a material role (Unit 42 Global Incident Response Report 2026). In 2025 the fastest real-world intrusions reached data exfiltration in 72 minutes — roughly 4x faster than a year earlier (2026 Unit 42 Global Incident Response Report). Defenders are structurally behind before the alert fires.

The Species Shift — Machine and AI Identities Now Dominate

Machine identities outnumber Human identities 109:1 (up from 82:1 last year). Of those 109, 79 are AI agents. 99% of organisations have adopted AI agents in some form, and while 91% believe they can rapidly contain a compromised agent (confirm against the 2026 Landscape report PDF), the controls lag; 40% of those agents already have access to organisational data. Projected growth over next 12 months: AI agents 85%, machine identities 77%, Human identities 56%.

The Coverage Gap

96% of respondents report that Human identities operate with access far beyond what is required for their roles, and on average 42% of the Human workforce has direct access to organisational data. Only 39% of privileged access is managed through a just-in-time or zero-standing-privilege (JIT/ZSP) model — most still relies on standing access. Only 37% of organisations have the controls to revoke an AI agent's credentials. (42% and 39% figures: confirm against the 2026 Landscape report PDF.)

The Fragmentation Tax

Disconnected identity tooling adds 12 hours to every identity-related incident response cycle, cited by 97% of practitioners (confirm against the 2026 Landscape report PDF). The cost compounds: while defenders struggle with fragmented tooling, attackers operate at machine speed.

What This Means for the Investment Case

The ‘privileged-few’ assumption — that securing a small set of named administrators is enough, with a clean divide between them and ordinary users — has structurally failed. Privilege is now universal and ubiquitous, distributed across Human, machine and AI identities. The mature response is a unified identity security platform that applies privileged-grade controls to every identity that matters, not just the named-admin minority. This is the structural argument behind Idira and the consolidation case for the platform.

Compliance Frameworks

Reports & Frameworks

Compliance Frameworks

For Australian government, critical infrastructure operators and regulated industries — federal and state government agencies, utility and energy operators, water providers, financial services, telecommunications, healthcare and defence — identity security maps directly to the ACSC Essential Eight maturity model and NIST Cybersecurity Framework. Essential Eight is mandatory for non-corporate Commonwealth (federal) entities and is widely referenced across state government and utility procurements. Energy-sector operators are additionally assessed against the AESCSF (below), where identity security is the heaviest lever across the maturity journey.

ESSENTIAL EIGHT MAPPING

Restrict Administrative Privileges

Delivered byPrivilege CloudSIASCAEPMIdentity Compliance

The foundational privileged access mitigation and the most cross-product Essential Eight control in the Idira portfolio. Delivered by Privilege Cloud (vaulted privileged access), SIA (ZSP infrastructure access), SCA (ZSP cloud console access) and EPM (least privilege on endpoints). Identity Compliance adds the maturity-model governance this control demands — recertifying privileged access at least annually (the ML2 ‘revalidate or disable after 12 months’ rule), surfacing inactive privileged accounts to disable, and producing the compliance evidence assessors expect.

Multi-Factor Authentication

Delivered byIdentity Administration

Delivered by Identity Administration as part of the unified Idira platform's SSO/MFA layer. Supports adaptive MFA based on risk signals.

Application Control

Delivered byEPM

Delivered by EPM via allow-list, deny-list and greylist patterns. Unknown applications are checked against VirusTotal before execution, or run ring-fenced in Restrict mode.

User Application Hardening

Delivered byEPMWPM

Partial coverage via EPM (browser credential theft prevention, application elevation controls) and Workforce Password Management (replacing browser-saved passwords with enterprise vaulting).

The remaining strategies — Patch Operating Systems, Patch Applications, Configure Microsoft Office macro settings and Regular backups — fall outside identity security and are not addressed by the Idira portfolio.

Source: ACSC — Essential Eight

Status (July 2026): ASD/ACSC has opened a consultation on the evolution of the Essential Eight (submissions close 12 July 2026). The Essential Eight is expected to be progressively deprecated over ~12 months and retired at ~24 months, replaced by a broader “Essentials” series with separate chapters for enterprise IT, operational technology and cloud (and a likely agentic-AI chapter), shifting from prescriptive controls toward security outcomes — existing Essential Eight investment carries forward. Source: ASD/ACSC — Consultation on the evolution of the Essential Eight.

NIST CSF 2.0 MAPPING

Idira maps across all six NIST CSF 2.0 functions — heaviest in Protect (the renamed PR.AA Identity Management, Authentication & Access Control category), and contributing to every other function.

Govern (GV)

Delivered byIdentity GovernanceIdentity ComplianceUnified AuditCORA AI

The access policy, oversight and evidence leadership is asked to set and monitor. Identity Governance defines and certifies who should have access and enforces least-privilege and separation-of-duties policy (GV.RR, GV.PO); Identity Compliance (Identity Compliance) reports the compliance posture of privileged environments for oversight (GV.OV); the unified audit trail with CORA AI turns activity into board- and regulator-ready evidence. Brokered vendor access maps to cybersecurity supply-chain risk (GV.SC).

Identify (ID)

Delivered byDiscovery & ContextSecrets HubNGTSThreat Detection & Response

You can't protect what you can't see. Discovery & Context continuously inventories privileged, service and machine identities and their cloud entitlements (ID.AM); Secrets Hub discovers secrets already sitting in third-party vaults and NGTS discovers the certificate estate; Threat Detection & Response turns that inventory into a scored identity-risk assessment (ID.RA).

Protect (PR)

Delivered byIdentity AdministrationPrivilege CloudPAM Self-HostedSIASCAEPMVendor Privileged AccessSecrets ManagerSecrets HubAgent-Based CPCCPWPMNGTS

The heart of PR.AA (identity management, authentication and access control). Identity Administration delivers SSO, adaptive MFA and phishing-resistant passwordless; Privilege Cloud / PAM Self-Hosted vault and broker privileged access; SIA and SCA give zero-standing-privilege access to infrastructure and cloud consoles; EPM removes local admin and controls applications; Vendor Privileged Access brokers third-party access. Secret, credential and key protection (PR.DS) comes from Secrets Manager, Secrets Hub, the Credential Providers and NGTS; Workforce Password Management protects business-app credentials.

Detect (DE)

Delivered byThreat Detection & ResponseUnified AuditCORA AI

Threat Detection & Response continuously monitors for credential misuse, shadow admins and anomalous privilege use (DE.CM) and scores adverse events for analysis (DE.AE); Session Recording & Unified Audit supplies the forensic detail and CORA AI surfaces the critical moments from hours of recording.

Respond (RS)

Delivered byThreat Detection & ResponseCortex XSIAMCORA AI

Identity detections drive action through the Identity Protection Space: a risky session can be terminated, a credential rotated or an account disabled (RS.MI), and the event pushed to the SOC via the Cortex XSIAM / XSOAR integrations for incident management (RS.MA, see Better Together). CORA AI accelerates incident analysis (RS.AN) by turning session recordings into plain-language timelines.

Recover (RC)

Delivered byPAM Self-HostedAgent-Based CPUnified AuditCORA AI

Recovery leans on credential hygiene and evidence. Post-incident, automated rotation re-keys compromised privileged credentials at scale; PAM Self-Hosted and the Agent-Based CP keep privileged access and rotation running while systems are rebuilt (RC.RP); the unified audit trail with CORA AI provides the post-incident attestation and reporting (RC.CO) that regulators expect.

SOCI ACT AND CRITICAL INFRASTRUCTURE CONTEXT

For Security of Critical Infrastructure (SOCI) Act 2018 entities — most Australian utilities and large parts of state government — the Critical Infrastructure Risk Management Program (CIRMP) requires material risks to be managed across four hazard vectors. Idira addresses the three that turn on identity; the cyber hazard must additionally adopt a recognised framework (Essential Eight, AESCSF or NIST CSF — all mapped above).

Cyber & Information Security Hazard

Delivered byPrivilege CloudPAM Self-HostedSIASCAEPMIdentity AdministrationThreat Detection & ResponseUnified AuditNGTS

The cyber hazard must adopt a recognised framework — Essential Eight, AESCSF or NIST CSF (all mapped above). Idira delivers the identity controls they demand: vaulted and zero-standing privileged access, adaptive MFA, endpoint least-privilege, continuous identity threat detection and a unified audit trail, with NGTS adding certificate-lifecycle resilience. For energy-sector entities, AESCSF v2 is the recognised framework and the Enhanced CIRMP Rules point medium/high-criticality operators at SP-2 by the 2028 attestation (see the AESCSF panel).

Personnel Hazard — Trusted Insider

Delivered byIdentity GovernanceIdentity AdministrationThreat Detection & ResponseSession Recording & Unified Audit

The trusted-insider risk from critical workers with privileged access. Identity Governance certifies and revokes entitlements as roles change; Identity Administration provisions and de-provisions on personnel change; Threat Detection & Response and session recording detect and evidence misuse.

Supply Chain Hazard

Delivered byVendor Privileged Access

The risk that vendors and integrators disrupt or compromise the asset. Vendor Privileged Access gives third parties brokered, recorded, time-bound access with no standing credentials or VPNs, and deprovisions automatically when an engagement ends.

The fourth vector — physical security and natural hazards — sits outside identity security. For isolation-critical infrastructure, PAM Self-Hosted is typically the deployment of choice (see CI Fortify). Status (July 2026): following the 31 January 2026 SOCI Act Independent Review and the consultation that closed 1 May 2026, the Enhanced CIRMP Rules — Security of Critical Infrastructure Legislation Amendment (Enhanced Critical Infrastructure Risk Management Program) Rules 2026 — were registered on 9 June 2026 (Federal Register F2026L00701) and commenced 10 June 2026, uplifting the 2023 CIRMP Rules across cyber, personnel, supply-chain and physical security (grace periods to mid-2027/mid-2028); proposed Ministerial Directions Powers amendments remain under consideration (cisc.gov.au).

CI FORTIFY AND THE DEPLOYMENT MODEL IMPLICATION

In October 2025, ASD/ACSC released CI Fortify — guidance for critical infrastructure operators to maintain essential services through crisis or conflict. It carries a direct deployment-model consequence for identity security: a SaaS PAM service cannot function during a prolonged internet isolation, so isolation-critical systems point to PAM Self-Hosted.

Isolate and Keep Operating

Delivered byPAM Self-HostedAgent-Based CPEPM

The core requirement is to isolate vital OT and enabling systems from external networks for up to three months while continuing to operate. The self-hosted Vault, PSM and CPM, the Agent-Based CP's local credential cache, and EPM's endpoint policy all run entirely on-prem and keep working through the isolation.

Rapidly Rebuild and Resume

Delivered byPAM Self-HostedUnified Audit

CI Fortify also requires rapid rebuild of compromised systems. Offline Vault backups restore privileged access without the SaaS plane, post-incident rotation re-keys credentials at scale, and on reconnection the SaaS shared services (Discovery, threat detection, unified audit) resync. See the PAM Self-Hosted Lens in the AESCSF section for the full air-gap reconciliation.

Operators aligned to CI Fortify — and ASD-aligned defence customers where SOCI Act and CI Fortify obligations combine — lean towards PAM Self-Hosted for privileged access on isolation-critical systems. Source: ASD/ACSC — CI Fortify guidance.

AESCSF — AUSTRALIAN ENERGY SECTOR CYBER SECURITY FRAMEWORK

The AESCSF, governed by AEMO, is the maturity model Australian electricity, gas and liquid-fuel operators are assessed against. It is built on the US ES-C2M2 and NIST CSF and adds Australian control references (Essential Eight, the Australian Privacy Principles and the Notifiable Data Breaches scheme). Practices are assigned Maturity Indicator Levels (MIL-1 to MIL-3) across 11 domains, and an organisation's target state is expressed as a Security Profile (SP-1, SP-2, SP-3) set by its assessed criticality to the sector. Security Profiles are cumulative — SP-2 builds on SP-1, SP-3 on SP-2 — so advancing through the profiles means implementing a progressively deeper set of practices across every domain (the AESCSF v2 framework comprises 354 practices and anti-patterns across 11 domains and their objectives, of which SP-3 is the most comprehensive set), with the heaviest lift in identity, monitoring and incident response.

Where Idira moves the needle. AESCSF v2 spans 11 domains; here is where Idira fits across them.

  • Contributes controls & audit evidence — 6 domains (mapped in the cards below): Identity & Access Management (ACCESS) — the domain Idira maps to most directly — plus Asset, Change & Configuration Management (ASSET), Threat & Vulnerability Management (THREAT), Situational Awareness (SITUATION), Event & Incident Response / Continuity of Operations (RESPONSE) and Supply Chain & External Dependencies Management (THIRD-PARTIES).
  • Informs — 2 domains: Risk Management (RISK), with identity risk posture; and Cybersecurity Architecture (ARCHITECTURE), with secure remote access and secrets / key management.
  • Outside Idira’s scope — 3 domains: Workforce Management (WORKFORCE), Cybersecurity Program Management (PROGRAM) and Australian Privacy Management (APM).

AESCSF spans OT and IT — Idira covers the identity and enterprise-IT plane and pairs with Palo Alto Networks Strata and Cortex for the network, OT and SOC controls.

Identity & Access Management (ACCESS)

Delivered byPrivilege CloudPAM Self-HostedSIASCAEPMIdentity AdministrationIdentity Governance

The core domain — and where AESCSF places the identity lifecycle. The framework expects systematic least-privilege, strong authentication, managed privileged access and a controlled joiner/mover/leaver lifecycle: vaulted privileged access (Privilege Cloud / PAM Self-Hosted), zero-standing-privilege infrastructure and cloud access (SIA, SCA), endpoint least-privilege (EPM), SSO and adaptive MFA (Identity Administration), and provisioning, access certification and prompt de-provisioning of orphaned and departed-contractor access (Identity Governance with Identity Administration).

Asset, Change & Configuration Management (ASSET)

Delivered byDiscovery & ContextSecrets ManagerSecrets HubAgent-Based CPCCPNGTS

Higher maturity raises the bar on knowing what you have and bringing every credential under management. Discovery & Context continuously inventories privileged and service accounts; Secrets Manager / Secrets Hub manage cloud-native and third-party-vault secrets; the Credential Providers remove hardcoded credentials from traditional and OT applications — Agent-Based CP holds a local encrypted cache on the application or OT server so credentials stay available and keep rotating even when the vault is offline (critical for SCADA and isolation-critical systems), and CCP covers agentless web and COTS tiers; NGTS tracks the certificate estate.

Threat & Vulnerability Management (THREAT)

Delivered byThreat Detection & Response

Credential exposure, shadow admin accounts and anomalous privilege use are identity vulnerabilities. Threat Detection & Response scores them continuously with behavioural analytics, feeding the domain's detection and remediation practices.

Situational Awareness (SITUATION)

Delivered bySession Recording & Unified AuditCORA AI

The framework expects logging and monitoring of privileged activity. Session Recording & Unified Audit captures who connected to what and what they did — video and command-level — with CORA AI turning hours of recording into plain-language audit evidence.

Event & Incident Response, Continuity of Operations (RESPONSE)

Delivered byThreat Detection & ResponseCortex XSIAMPAM Self-HostedAgent-Based CP

Identity detections can terminate a risky session, rotate a credential or disable an account, and flow to the SOC via the Cortex XSIAM / XSOAR integrations (see Better Together). The continuity-of-operations half of this domain is where PAM Self-Hosted (vault and PSM running entirely on-prem) and Agent-Based CP (local credential cache that survives a vault or network outage) keep privileged access and credential rotation working through an incident or a CI Fortify isolation event.

Supply Chain & External Dependencies Management (THIRD-PARTIES)

Delivered byVendor Privileged Access

Energy operators depend heavily on vendors and integrators. Vendor Privileged Access gives third parties brokered, recorded, time-bound access without VPNs or standing credentials — the external-dependency control the framework expects.

THE SP-1 → SP-3 PRODUCT JOURNEY

Security Profiles define practices and anti-patterns, not products — but this is the pragmatic Idira sequencing that satisfies each profile's intent. Profiles are cumulative, so every stage carries the one below it forward. Confirm the customer's target Security Profile from their Criticality Assessment Tool (CAT) result before scoping. Energy-sector SOCI note: under the Enhanced CIRMP Rules 2026, AESCSF v2 is a recognised cyber framework, and medium/high-criticality operators are in practice expected to reach SP-2 maturity — with a documented uplift plan through the attestation periods leading up to the September 2028 attestation (30 June 2028 deadline for critical-systems network segregation and recovery).

SP-1 — Foundational

Get the essentials in place. Baseline hygiene that closely tracks the 26 ACSC Priority Practices (~20 sit within SP-1) and Essential Eight ML1: vault privileged credentials, enforce MFA, remove local admin, and bring service-account and OT/application credentials under management — with the Agent-Based CP keeping OT credentials available and rotating when the vault is offline.

CoreIdentity AdministrationPrivilege CloudPAM Self-HostedEPMSecrets ManagerAgent-Based CPCCP

SP-2 — Systematic

Make it managed and prove it — the heavy lift. SP-2 expects systematic least privilege, zero-standing-privilege, monitored privileged activity, certified access, controlled third parties and a known inventory.

AddsSIASCADiscovery & ContextThreat Detection & ResponseSession Recording & Unified AuditIdentity GovernanceVendor Privileged AccessSecrets Hub

SP-3 — Advanced

Continuous and automated. Optimised assurance across the broadest identity surface — including machine and AI-agent identities — with automated detection-and-response and crypto-agility.

AddsCORA AICortex XSIAMSecure AI AgentsNGTS
PAM SELF-HOSTED LENS — REACHING THESE SERVICES FROM A SELF-HOSTED VAULT

Most isolation-critical operators run PAM Self-Hosted rather than the SaaS deployment. Here is how a self-hosted customer reaches each capability in the journey above.

Runs natively, inside your environment

The self-hosted Vault, PSM (privileged session brokering and recording) and CPM (credential rotation) operate entirely within the customer datacentre, with EPM enforcing endpoint least-privilege and the Credential Providers (Agent-Based CP and CCP) supplying application and OT credentials on-prem. No internet dependency — they keep working through a CI Fortify isolation event.

On-premPAM Self-HostedEPMAgent-Based CPCCP

Reached via optional SaaS integration (V14.4+)

From PAM Self-Hosted V14.4, the vault optionally connects outbound to the Idira shared-services platform through Connector Management — bringing ZSP infrastructure and cloud access, continuous discovery, identity threat detection, unified audit and AI summarisation, governance certification and secrets sync to a self-hosted deployment wherever connectivity allows.

SaaS-reachedSIASCADiscovery & ContextThreat Detection & ResponseUnified AuditCORA AIIdentity GovernanceSecrets Hub

During internet isolation

The Vault, PSM and CPM keep brokering, recording and rotating privileged access standalone, and the Credential Providers keep serving application and OT credentials — the Agent-Based CP's local cache survives even a vault or network outage. The SaaS-reached services pause and resync once connectivity is restored — which is exactly why isolation-critical OT and enabling systems anchor on the self-hosted deployment.

Can an air-gap-capable, CI Fortify-aligned site still use the V14.4+ SaaS services?

Yes — because air-gap capability and SaaS integration are not mutually exclusive. CI Fortify asks for the ability to isolate vital OT and enabling systems from external networks for up to three months during a crisis and keep operating — not for a permanent air-gap during normal operations. That distinction is what lets a self-hosted customer consume the SaaS services without breaking CI Fortify alignment:

  • Normal operations: the self-hosted Vault holds a tightly controlled, outbound-only connection to the Idira shared-services platform, so SIA, SCA, Discovery & Context, Threat Detection & Response, unified audit, CORA AI, Identity Governance and Secrets Hub are all available.
  • Declared isolation: the link is severed at the pre-identified isolation point. The Vault, PSM and CPM keep brokering, recording and rotating privileged access entirely on-prem, the Credential Providers keep serving application and OT credentials (the Agent-Based CP via its local cache), and EPM keeps enforcing endpoint policy locally; the SaaS-reached capabilities pause.
  • On reconnection: queued session recordings, audit and telemetry resync to the platform.

Implications to plan for before relying on the SaaS integration

  • Keep a local continuity access path. SIA and SCA are SaaS-brokered, so that access path is unavailable during full isolation. Retain vaulted, PSM-brokered access and break-glass on isolation-critical systems as the continuity method, with SIA as the day-to-day path — never make SIA the only way in to a vital system.
  • Treat the egress as controlled and severable. Outbound connectivity from an isolation-critical zone is itself an attack-surface and data-sovereignty consideration: keep it outbound-only to allowlisted endpoints, terminating at a defined isolation point that can be physically or logically cut.
  • Know what degrades. Real-time threat detection, continuous discovery, unified-audit aggregation and CORA summaries, governance certification and Secrets Hub sync all pause while isolated; local session recording and credential rotation do not.
  • Keep recovery local. CI Fortify also requires rapid rebuild — hold offline Vault backups and rebuild from them without depending on the SaaS plane.
  • Scope by zone. Use the SaaS integration freely on the enterprise-IT plane; reserve the standalone, air-gap-capable posture for the vital OT and enabling systems behind the isolation point.

For a genuinely permanent air-gap (no outbound connectivity at any time — some classified or defence OT), run PAM Self-Hosted fully standalone on those systems and forgo the SaaS-reached features there, applying them only to connected segments.

Trade-off: self-hosted means the customer owns the patching, DR and upgrades the SaaS platform otherwise handles. Reserve PAM Self-Hosted for isolation-critical systems and use the SaaS shared services for everything else where connectivity allows.

Deployment-model note for critical infrastructure. Because most energy operators are SOCI Act regulated and increasingly aligned to CI Fortify (above), privileged access on isolation-critical OT and enabling systems typically points to PAM Self-Hosted, whose vault and PSM brokering run entirely inside the customer environment and survive a prolonged internet isolation. The SaaS shared services (Discovery, Threat Detection & Response, unified audit) are reached via integration (V14.4+) where connectivity allows. Confirm the customer's target Security Profile from their Criticality Assessment Tool (CAT) result before scoping the engagement.

Sources: AEMO — AESCSF framework & resources · AESCSF 2025 Overview (PDF) · AESCSF 2025 Domain Walkthrough (PDF)

Idira Identity Security Blueprint

The Idira Identity Security Blueprint is the prescriptive framework underpinning Idira positioning — a risk-aligned best-practice guide for establishing and maintaining an effective identity security program across Human, machine and AI identities. Built on Palo Alto Networks and Unit 42 frontline experience: 89% of Unit 42 investigations show identity weaknesses played a material role in the breach; 9 out of 10 organisations faced a successful identity-related breach in the last 12 months.

The Operating Model — Discover, Control, Govern

The Blueprint sets the maturity curve (unsecured → vaulted → JIT → ZSP); this is the operating model that runs alongside it.

Discover

Continuous visibility of where privilege exists and where risk is introduced — a live inventory across every Human, machine and AI identity (Discovery & Context).

Control

Enforce access dynamically from endpoint to session — remove standing privilege and shrink the attack surface (JIT and zero standing privilege).

Govern

Secure-at-birth, continuous governance aligned to risk and behaviour across the whole identity lifecycle — not a periodic audit (Identity Governance).

The three are interdependent: discovery without control is awareness without enforcement; control without governance lets access accumulate; governance without visibility certifies access no one fully understands.

Three Guiding Principles — The Attack Chain to Disrupt

1Prevent identity compromise

Defend against credential theft, MFA bypass, IdP attacks, session cookie compromise, social engineering, credential repository scraping.

2Stop lateral and vertical movement

Limit how attackers move across resources within a tier (workstation to workstation) and across tiers (workstation to cloud service provider, workstation to DevOps tool).

3Limit privilege escalation and abuse

Constrain elevation of privileges and the malicious actions that follow.

Three Elements of Identity Risk — How to Calculate It

1Level of privilege

Read-only through full administrator, plus the sensitivity and regulatory classification of the data accessed (PII, IP, regulated data).

2Scope of influence (blast radius)

How many systems the identity can reach directly or via downstream and inherited access.

3Ease of compromise

How exploitable the identity is given attack patterns, vulnerabilities, and weak controls.

Risk-Based Prioritisation — The Quadrant

Use cases are sorted by a risk-effort index. High-priority work sits in the high-risk + low-effort quadrant — the quick wins. Then medium-priority buckets, then low-priority. Customers get the maximum risk reduction for their effort rather than trying to boil the ocean.

Three Identity-Centric Risks the Blueprint Mitigates

Security Risk

Compromise, lateral movement, privilege abuse → data exfiltration, ransomware, service disruption.

Operational Risk

Manual provisioning, orphaned accounts → downtime, higher TCO, slower onboarding.

Compliance Risk

Audit gaps, segregation-of-duty failures, unattested access → fines, failed audits, reputational damage.

Mitigating all three builds identity resilience — the ability to withstand, adapt and recover from cyber incidents, process breakdowns and compliance failures.

Four Ways to Use the Blueprint

1Understand the Attack Chain

See how compromise → lateral movement → privilege abuse unfolds, and where each control breaks it.

2Assess Your Security

Benchmark current controls against the Blueprint's three principles to find the gaps that matter.

3Build Your Roadmap

Sequence use cases by the risk-effort quadrant — high-risk, low-effort quick wins first.

4Best Practice Education

A shared reference to align security, IAM and platform teams on an identity-first defence.

Rapid Risk Reduction Playbook

A companion to the Blueprint that maps it to the 2025 NIST incident-response lifecycle (Govern, Identify, Protect, Detect, Respond, Recover) and prioritises the highest-risk identities first — network, domain, infrastructure, cloud and identity-takeover targets. Recommended critical-tier controls: SSO, adaptive MFA, ZSP, session protection and threat detection & response. A ready-made ‘where do I start’ sequence for a customer roadmap.

Full reference: Idira Identity Security Blueprint →

Better Together

Reference Material

Better Together

The Idira + Palo Alto Networks story — how identity security combines with the wider platform. It splits into the cross-platform integrations available today and the publicly stated roadmap. Each card links its evidence; roadmap items are forward-looking and may change.

Available Today

Listed here only when a public page documents the actual cross-platform integration, or a product page shows the exact capability. Each card links that evidence.

✓ AvailableNGTS + Strata Cloud Manager — certificates in the network
NGTS Strata Cloud Manager

Next-Generation Trust Security (NGTS) is the first network-native platform to automate certificate lifecycle management and accelerate post-quantum readiness, delivered by extending Strata Cloud Manager. Certificates synced from Strata Cloud Manager are brought under NGTS for discovery, expiry tracking, renewal and crypto-policy enforcement — closing the gap as public TLS lifetimes compress to 47 days, in the network itself rather than as a bolt-on tool.

✓ AvailableIdira EPM + Cortex XSIAM — privilege-aware response
EPM Cortex XSIAM

Idira Endpoint Privilege Manager integrates with Cortex XSIAM via the CyberArk EPM SOC Response integration (the CyberArk Endpoint Privilege Manager pack on the Cortex Marketplace), so the SOC can activate or deactivate EPM risk plans on a targeted endpoint — dynamically restricting endpoint privileges in real time during an incident and disrupting attacks earlier in the kill chain. GA on both XSOAR and XSIAM (beta-exit date unconfirmed), and headlined in Cortex XSIAM 3.5 (May 2026) as privilege-aware response, with MITRE ATT&CK-mapped correlation rules for EPM detections.

✓ AvailableIdira Identity + Cortex XSIAM — identity events in the SOC
Idira Identity Cortex XSIAM

The CyberArk Identity Event Collector forwards Idira Identity (SSO, MFA and adaptive-access) log events into Cortex XSIAM / XSOAR, giving the SOC native identity telemetry to correlate, hunt and build playbooks against — identity signal feeding security operations today.

On the Roadmap

Publicly stated direction from the launch blog, Idira product pages and acquisition announcement — but no page yet documents the integration or shows the exact capability as shipping. Forward-looking; capabilities and timing may change.

RoadmapIdira Secure AI Agents + Prisma AIRS — securing AI agents
Secure AI Agents Prisma AIRS

Idira Secure AI Agents discovers, controls and governs AI-agent identities today. Prisma AIRS 3.0 (launched March 2026; AI Agent Gateway in limited preview) will apply Idira agent-identity controls inside its AI-security workflows, enforced through the AI Gateway (Portkey, acquired May 2026): Prisma AIRS secures the AI runtime while Idira grants just-in-time, task-scoped privilege to each agent. Native integration is still marked “coming soon” on the Idira Agentic page and the AI Gateway is being integrated into Prisma AIRS — so it stays on the roadmap, with deeper native access from inside the Prisma AIRS console rolling out through 2026.

RoadmapIdira + Prisma Browser — privileged access where users work
Idira Prisma Browser

The launch blog states Prisma Browser will deliver privileged access directly inside the enterprise browser. As of now the Prisma Browser product page documents secure browsing, data protection and GenAI governance — but no published integration or capability page describes Idira privileged access in the browser, so it is tracked as roadmap until one does.

RoadmapIdira + Cortex — first-party identity signals
Idira Cortex

Cortex (XSIAM / XSOAR) will receive first-party identity signals from Idira to sharpen detection and take automatic identity- and privilege-driven response — for example revoking access or rotating a credential the moment an indicator of compromise fires, at machine speed.

RoadmapIdira + Strata & Cortex — deep platform integration
Idira Strata Cortex

Idira capabilities are being deeply integrated into the Strata and Cortex platforms to deliver identity-aware security and real-time response across the enterprise — the unified outcome of bringing identity in as a core Palo Alto Networks platform.

Underpinning all of it — Unit 42. Idira, the 2026 Identity Security Landscape and the Identity Security Blueprint draw on Unit 42 frontline incident-response intelligence (the source of the 72-minute breakout time). This is the intelligence behind the platform rather than a product integration, so it isn’t listed as a status card above. Sources: Identity Security Landscape → · Unit 42 →

Solutions Engineering

A curated set of resources for aligning the right Idira products to a customer’s requirements — the hands-on lookup tools you reach for while scoping a solution. Browse them all, or pick a single tool below.

Use Case Targets

Scope & Engineer

Use Case Targets

The master table — every common use case mapped to the right Idira product. Filter by product, or search for a specific scenario. The comprehensive ‘which product covers X?’ lookup — start here for any scenario or target.

Looking for a specific third-party system or the connection mechanism?

By category
By target
By product
Shared Services apply per product, not uniformly. Each product header below carries a Shared Services line stating the platform capabilities that genuinely apply to it — Session Recording, Unified Audit, Threat Detection (Threat Detection & Response) and Discovery vary by product and identity surface, so they are scoped per product rather than claimed across the board. These are shared services of the Idira SaaS platform: PAM Self-Hosted reaches them only via integration (V14.4+) and not in isolated or air-gapped deployments, and NGTS runs on the PANW network platform with its own native discovery and audit. Confirm packaging entitlements per opportunity.
Use Case Category Use Case / Target Product Category Idira Product What it solves Typical Buyer
Privilege Cloud / PAM Self-HostedVault, CPM and PSM in Idira's PAM stack; the credential vault and PSM session-brokering layer for Human privileged identities (capabilities common to both deployment models)Shared Services: PSM video + text session recording (keystrokes, SQL commands, window titles) feeding the unified audit view · privileged & service-account discovery (Discovery SaaS, replacing CPM Scanner) · TDR threat detection on privileged accounts and sessions. On PAM Self-Hosted, the SIA integration specifically requires V14.4+; other shared-services integrations have their own prerequisites, native threat analytics is delivered by PTA, and none apply in isolated / air-gapped deployments.
Human Windows / AD Service Accounts (Directory-Managed) Human Privilege Privilege Cloud PAM Self-Hosted Vaults AD service account passwords, rotated by the Secrets Rotation Service (Privilege Cloud) or CPM (PAM Self-Hosted), controls who can check out. Account exists in Active Directory and is owned by a Human team as a privileged identity. PAM AdminSecurity Ops
Human Domain Admin & Local Admin Accounts (Vaulted, with Session Recording via PSM) Human Privilege Privilege Cloud PAM Self-Hosted Audit Classic vaulted privileged access — credential is checked out, session is brokered via PSM and recorded as video and text (keystrokes, SQL commands, window titles). The default model where Secure Standing Privilege is still required (e.g. break-glass, non-federated targets). Time-bound just-in-time elevation — temporary admin-group membership under the user’s own login — is available as a layer on top. PAM AdminCISO
Human Vendor / Third-Party Access Requiring PSM-Style Session Recording on Legacy Systems Human Privilege Privilege Cloud PAM Self-Hosted Vendor Privileged Access Audit Where the target requires PSM connector-based brokering — e.g. older fat-client applications, legacy systems with custom session capture requirements. For modern infrastructure targets, SIA is the recommended path; for external vendors with no managed device, Vendor Privileged Access is purpose-built (see those rows). Security OpsOT Team
Human Network Device Credentials (Firewalls, Routers, Switches) Human Privilege Privilege Cloud PAM Self-Hosted Marketplace platforms for Palo Alto Networks PAN-OS, Cisco, Check Point, Juniper, Fortinet, F5 and more (Arista via custom / adapted SSH plugin). Credentials rotated by the Secrets Rotation Service (Privilege Cloud) or CPM (PAM Self-Hosted). Strongest cross-portfolio fit into existing PANW firewall accounts — same vendor trusted for the perimeter, now trusted for the admin credentials too. Network EngPAM Admin
Human Virtualisation & Hypervisor Admin (VMware vCenter / ESXi, Microsoft Hyper-V, Nutanix, Citrix) Human Privilege Privilege Cloud PAM Self-Hosted Audit Vaults and brokers privileged access to the virtualisation management plane with Secrets Rotation Service credential rotation and PSM session recording — VMware vCenter/ESXi via documented platforms, Hyper-V via the generic Windows platforms, Nutanix Prism and Citrix via community / custom connectors (verify per vendor on the Marketplace). SIA provides modern VPN-less access where supported. Platform EngIT Ops
Human Database Admin Accounts (SQL Server, Oracle, MySQL, PostgreSQL, MariaDB, IBM Db2, MongoDB, SAP HANA, Snowflake — DBA Access via PSM) Human Privilege Privilege Cloud PAM Self-Hosted Audit Human DBA accounts vaulted and session-recorded via PSM. SQL command-level audit and searchable keystroke / text recording capture the actual queries executed — not just screen video. For ZSP-based ephemeral database access, see the SIA row. DBA TeamCompliance
Human SSH Key Lifecycle Management (SSH Key Manager) Human Privilege Privilege Cloud PAM Self-Hosted SSH Key Manager stores, rotates and reconciles privileged SSH key pairs across the estate — the same vault-and-rotate control applied to keys, not just passwords. (Secrets Manager can store an SSH key as a secret, but the managed key lifecycle lives here.) PAM AdminIT Ops
Human Privileged Account Discovery & Automated Onboarding Human Privilege Privilege Cloud PAM Self-Hosted Discovery Scans Windows/AD and Unix/Linux estates for unmanaged privileged accounts (the Discovery service, replacing CPM Scanner) and automatically onboards matches to the vault under onboarding rules. PAM coverage is never complete without it — the standard first step of any programme. PAM AdminIT Ops
Human Dual-Control Approval for High-Risk Accounts Human Privilege Privilege Cloud PAM Self-Hosted Access to designated accounts requires authorisation from one or more Safe owners before the credential is released or the session brokered — single- or multi-level approval, with access expiring automatically at the end of the approved window. A core SOX / PCI compliance control. PAM AdminCompliance
Human Break-Glass / Emergency Access Human Privilege Privilege Cloud PAM Self-Hosted A small set of vaulted break-glass accounts (cloud root, built-in Administrator, domain admin) released to authorised responders during outages and incidents. On Privilege Cloud, access during a SaaS outage relies on credentials pre-cached in the CyberArk Remote Access mobile app; PAM Self-Hosted break-glass is fully local. The reason Secure Standing Privilege never fully disappears. CISOSecurity Ops
Human Fully Isolated, Sovereign-Controlled Vault (Hardened Standalone Server, Complete Network Isolation) Human Privilege PAM Self-Hosted The customer hosts and controls the entire vault stack on a dedicated hardened server with complete network isolation — the deployment answer where data sovereignty, air-gap capability or regulator-driven on-premise hosting is non-negotiable (the SOCI / CI Fortify scenario). PAM AdminCISO
Human Distributed Vaults Across Segmented / Geo-Distributed Networks Human Privilege PAM Self-Hosted Satellite vaults serve segmented sites and remote regions — one Primary plus up to five Satellite vaults in a fully meshed topology (the Primary is not isolated), with Satellites dropping to read-only if the Primary is unreachable — so privileged access keeps working across network zones and distributed operational footprints (a common pattern in mining, utilities and government). PAM AdminIT Ops
Secure Infrastructure Access (SIA)VPN-less, agentless SaaS access to Windows, Linux, databases and Kubernetes; supports vaulted, Just-in-Time and Zero Standing Privileges access modelsShared Services: SSH / SQL / kubectl command-level recording feeding SIA-native session monitoring and the unified audit view · target onboarding/discovery for in-scope infrastructure · TDR threat detection on infrastructure sessions.
Human Server Access (Windows / Linux) — VPN-Less, Agentless, JIT and ZSP-Capable Human Privilege Secure Infrastructure Access Modern alternative to PSM-brokered server access. VPN-less native client connection (RDP, SSH) with MFA. Supports vaulted credentials from PAM, Just-in-Time elevation of vaulted accounts (documented for Windows targets via PAM Self-Hosted V14.4+), and Zero Standing Privileges with ephemeral accounts created per session and deleted after use. Sessions are isolated, monitored, and audited including SSH command recording, with no jump server required. Platform EngCloud Eng
Human Database Access with ZSP (Db2, MariaDB, MongoDB, MySQL, Oracle, PostgreSQL, SQL Server) Human Privilege Secure Infrastructure Access Audit Ephemeral database users created on demand using a strong account, joined to the right database roles, and removed after the session. Captures executed SQL commands as searchable text recordings; Amazon RDS is supported via ephemeral RDS IAM authentication (MySQL, MariaDB, PostgreSQL). Eliminates the need for a permanent vaulted DBA credential for routine access — Secure Standing Privilege only needed for break-glass. DBA TeamCloud Eng
Human Kubernetes Cluster Access (Kubectl) Human Privilege Secure Infrastructure Access Audit Native kubectl access with MFA, audit and command recording — documented onboarding covers self-hosted clusters, OpenShift and GKE (vaulted model, requires Privilege Cloud; Kubernetes 1.27+). Use case PSM does not address natively — Kubernetes administrators get the access experience they expect without bypassing PAM controls. Platform EngDevSecOps
Human Vendor / Third-Party Access to Modern Infrastructure (VPN-Less, Time-Bound) Human Privilege Secure Infrastructure Access Vendor Privileged Access Modern recommended path for vendor remote access into servers, databases and Kubernetes. No VPN required, no endpoint agent on the vendor device, native client experience, MFA-secured, automatically expiring at the maintenance window close. Strong OT-environment fit for time-bounded OEM engineer access. Vendor access supports biometric passwordless MFA and provisioning in as little as ~2 minutes (vendor figure); the vendor-access offering carries SOC 2 Type 2 and SOC 3 certifications. Security OpsOT Team
Human Vaulted Access to On-Prem & Legacy Targets Human Privilege Secure Infrastructure Access SIA brokers sessions using credentials already vaulted in PAM, honouring existing Safe permissions — the VPN-less modern experience without giving up the standing vaulted account. Vaulted and ZSP modes co-exist per target. Platform EngPAM Admin
Human Ephemeral Domain Users for Windows ZSP Human Privilege Secure Infrastructure Access For domain-joined Windows estates, SIA can provision an ephemeral domain user (not just a local account) at request time — supporting domain-level activities while keeping zero standing privilege. Platform EngIT Ops
Human MFA Caching Across Multi-Target Sessions Human Privilege Secure Infrastructure Access A single MFA challenge covers successive RDP / SSH connections within a configurable window, so engineers working across dozens of servers in a change window aren’t re-prompted on every hop. Platform EngIT Ops
Secure Cloud Access (SCA)Native Zero Standing Privileges access to cloud consoles and CLIs (AWS, Azure, GCP); eliminates persistent IAM users and standing cloud admin rolesShared Services: session protection and audit surfaced in the unified view (SIA / SCA session monitoring); console-session recording is delivered via Secure Web Sessions (separately licensed) · cloud entitlement visibility via SCA Cloud Visibility (formerly Cloud Entitlements Manager (CEM)) — discovers identities with standing access and can onboard them to Privilege Cloud.
Human AWS Management Console / CLI Access with ZSP Human Privilege Secure Cloud Access Native access to the AWS Management Console and CLI with no persistent IAM users. Ephemeral access granted per request, expires when session ends. Eliminates standing IAM user footprint — one of the most common privilege-escalation paths in cloud environments. Cloud SecurityCloud Eng
Human Azure Portal / GCP Console Access with ZSP Human Privilege Secure Cloud Access Same ZSP model extended to Azure (Entra ID / Azure RBAC) and Google Cloud. Cloud engineers and SREs access the console for the time they need it; access is granted on demand and revoked automatically — no standing role left behind. Audit trail of who did what in which cloud account. Cloud SecuritySRE
Human AI-Tool Cloud Access (Amazon Q Developer, Claude Desktop, MCP-Enabled Agents) Human Privilege Secure Cloud Access Secure AI Agents The SCA MCP Server lets developers obtain ephemeral, zero-standing AWS access from inside their AI development tools — CLI, IDE, or MCP-enabled agent. Plug-and-play with Amazon Q Developer and Claude Desktop. Embeds ZSP into the AI-driven developer experience without context switching. Cloud SecurityPlatform Eng
Human Multi-Cloud Entitlement Visibility (Cloud Visibility) Human Privilege Secure Cloud Access Discovery Cloud Visibility onboards AWS, Azure and GCP workspaces, continuously discovers identities and their entitlements, and flags excessive standing permissions and shadow admins — queueing standing privileged accounts for onboarding to Privilege Cloud. The natural pre-SCA conversation. Cloud SecurityIAM Team
Human On-Demand Cloud Access Requests with Approval Workflows (Temporary Access & Elevation) Human Privilege SCA Users request access to cloud consoles or roles they don’t hold — or temporary elevation beyond limited standing permissions — through a single approver level with fallback routing (business owner, else workspace admin, else cloud security admins), requested via ServiceNow or Identity Flows channels, receiving a time-bound grant that expires automatically. Cloud SecurityIAM Team
Vendor Privileged AccessVPN-less, agentless, passwordless ZSP access for external vendors and contractors; isolated browser sessions, biometric MFA and automatic deprovisioningShared Services: full session recording into the unified audit view · expiry-based vendor deprovisioning · behavioural threat detection on brokered sessions is delivered by platform TDR (PSM / SIA), not a Vendor PAM-native capability. Requires Privilege Cloud or PAM Self-Hosted.
Human External Vendor / Contractor Privileged Access (VPN-Less, Passwordless, Time-Bound) Human Privilege Vendor Privileged Access Secure Infrastructure Access Audit Gives third-party vendors, contractors and OEM engineers time-bound, zero-standing privileged access with no VPN, no agent and no corporate laptop. Vendors authenticate with a one-time QR code and phone biometrics; sessions run in an isolated browser so credentials never touch the vendor device, and every action is recorded. Onboard in as little as ~2 minutes (vendor figure). Requires Privilege Cloud or PAM Self-Hosted. PAM AdminSecurity OpsVendor Mgmt
Human Automatic Vendor Offboarding & Lifecycle (Deprovision at Contract End) Human Privilege Vendor Privileged Access Secure Infrastructure Access Discovery TDR Removes standing vendor accounts — the “static account left active after the contract ended” risk. Invitations and access are time-framed: access and vaulted credentials are revoked automatically when an engagement expires, and expired vendors are auto-removed (expiry-based — a role-change trigger is not documented). Behavioural detection on brokered sessions is delivered by platform TDR. PAM AdminIAM Team
Human Vendor Invitation & Just-in-Time Provisioning Human Privilege Vendor Privileged Access Admins or delegated vendor managers invite a vendor from the portal; the vendor authenticates with phone biometrics from a one-time link and is provisioned into a brokered session in minutes — no pre-created AD account, no VPN, no corporate laptop. Vendor MgmtPAM Admin
Human Biometric Vendor Authentication via CyberArk Mobile (QR Code — No Passwords, Tokens or Agents to Issue) Human Privilege Vendor Privileged Access Vendors authenticate with smartphone biometrics plus a one-time QR code — no passwords, hardware tokens, VPN accounts or agents for the customer to issue and manage, and biometric data never leaves the vendor’s phone. PAM AdminIT Ops
Endpoint Privilege Manager (EPM)Removes local admin rights from Windows, macOS and Linux endpoints; elevates trusted applications by policy and blocks ransomware and credential theftShared Services: discovery of local admin accounts and installed applications · audit of elevation events · feeds threat detection / SOC tooling — credential-theft and ransomware signals via Cortex XSIAM / XSOAR and SIEM integrations; unknown-application risk analysis via VirusTotal reputation lookups. No interactive session recording.
Human Local Admin Rights Removal (Windows, macOS, Linux Workstations) Endpoint Privilege Endpoint Privilege Manager Removes persistent local admin rights from end-user workstations. Trusted applications are elevated transparently based on policy when they need admin privileges. Unhandled applications can be requested with audit. Foundational control for Essential Eight (Restrict Administrative Privileges) and CIS hardening. Per CyberArk docs: on Linux, EPM provides sudo-command control — transparent application elevation applies to Windows and macOS. Endpoint SecurityCISO
Human Linux Sudo Management and Identity Bridging Endpoint Privilege Endpoint Privilege Manager Centralises management of sudo commands on Linux servers and workstations. Two integration paths: AD-Bridging (established — a PAM / PSM-for-SSH integration with a third-party bridge, letting Linux servers authenticate users from Active Directory) and Identity Bridge (newer — an EPM capability that brings Active Directory and modern cloud IdP identities into Linux sign-in, supported when users sign in through Secure Infrastructure Access SSH). Same identity governs Linux access as Windows. Replaces brittle, locally-managed sudoers files. Platform EngLinux Ops
Human Ransomware Containment and Credential Theft Prevention Endpoint Privilege Endpoint Privilege Manager TDR Out-of-the-box policies block ransomware behaviour patterns and contain encryption to non-sensitive areas. Detects and blocks attempts to steal Windows credentials (including LSASS), browser-stored credentials and cached session tokens — threat-protection policies apply to Windows endpoints. Closes the gap between identity controls and endpoint security. SOCEndpoint Security
Human Application Control (Allow/Deny Lists, Unknown App Handling) Endpoint Privilege Endpoint Privilege Manager Policy-based application control with allow-list, deny-list and greylist patterns. Unknown applications are checked against VirusTotal reputation and risk scores before execution, or run ring-fenced in Restrict mode. EPM also feeds Cortex XSIAM for privilege-aware incident response — a clean joint fit for existing PANW customers. Endpoint SecuritySOC
Human Privilege Deception — Credential Lures Endpoint Privilege Endpoint Privilege Manager TDR Plants decoy credential lures (LSASS, browsers) on the endpoint; an attacker touching one triggers real-time detection or blocking — turning the endpoint into a tripwire for credential theft. SOCEndpoint Security
Human Offline & Disconnected Endpoint Authorisation Endpoint Privilege Endpoint Privilege Manager Policies enforce from the agent’s local cache when off-network; the Offline Policy Authorization Generator issues one-time codes so an offline user can be granted an elevation out-of-band. Endpoint SecurityField IT
Human Day-One Least Privilege with QuickStart Policies Endpoint Privilege Endpoint Privilege Manager Pre-built QuickStart policy sets (Windows and macOS) give immediate baseline least-privilege protection without authoring policies from scratch — the fastest ramp from local-admin sprawl to managed privilege. Endpoint SecurityIT Ops
Human Endpoint / Loosely-Connected-Device Local-Account Discovery (via EPM) Endpoint Privilege Privilege Cloud EPM Discovery EPM agents scan local Windows, macOS and Linux accounts on managed endpoints — including loosely connected devices that are rarely on the corporate network — and forward a summarised list to the platform Discovery service (roughly daily), where auto-onboarding rules can bring them under Privilege Cloud management. Endpoint-agent discovery, distinct from the network-scan Privileged Account Discovery that replaces the CPM Scanner. PAM AdminEndpoint Security
Human Local Credential Rotation on Loosely Connected Devices Endpoint Privilege Privilege Cloud EPM A Privilege Cloud capability delivered through the EPM agent: rotates local account passwords on Windows, macOS and Linux endpoints that rarely touch the corporate network. The agent caches the rotation job, executes it on reconnection and syncs back to Privilege Cloud. PAM AdminEndpoint Security
Human Just-in-Time Temporary Admin Elevation (Time-Limited, Approval-Gated) Endpoint Privilege EPM A user requests ad-hoc elevation and receives time-boxed admin-group membership (1–120 hours, Windows and macOS) that reverts automatically — the break-glass / exception workflow that complements standing least-privilege policy without recreating permanent local admins. Per-application elevation is a separate policy mechanism, not time-boxed. Endpoint SecurityIT Ops
Workforce Password Management (WPM)Enterprise password vault for business applications — SSO and non-SSO apps alike, especially where SSO isn't available; for ordinary employee workflows, distinct from privileged-account vaultingShared Services: audit logging of which user accessed which application and when. No session recording; not in scope for privileged-session TDR analytics; no estate discovery.
Human Business App Credentials — SSO and Non-SSO Apps Alike, Especially Where SSO Isn’t Available (Legacy Web Apps, Vendor Portals) Workforce Access Workforce Password Management Secure password storage and one-click access for business applications — whether or not they support SSO, and especially valuable where SSO isn’t available (legacy web apps that don’t support SAML / OIDC, shared accounts, vendor portals). Replaces browser-saved passwords and consumer password managers with an enterprise-controlled vault. Visibility into who accessed which app and when. IAM TeamCISO
Human Shared Department Accounts (Social Media, Marketing Tools, Finance Systems) Workforce Access Workforce Password Management Securely shares credentials across a team without each user knowing the underlying password. Admins control which users have access, can revoke instantly, and audit usage. Ownership can be transferred when staff change roles. Solves the “post-it note on the monitor” problem at enterprise scale. IAM TeamDepartment Owners
Human Keeping Privileged Accounts Out of the Workforce Vault Workforce Access Workforce Password Management A workforce password manager is for business-app logins, not privileged accounts (root, admin, dba), which belong in Privilege Cloud. WPM doesn’t recognise an account as privileged on its own; instead, an admin can deny-list specific applications (by app, URL or domain) so users are blocked from saving credentials for them. Use it to keep nominated admin consoles out of the workforce vault and route privileged accounts to Privilege Cloud / PAM instead. IAM TeamPAM Admin
Human Secured Items — Notes, Keys & Files Workforce Access Workforce Password Management Beyond app credentials, WPM vaults arbitrary secured items — licence keys, PINs, serial numbers and file attachments — shared and audited under the same enterprise controls. IAM TeamDept Owners
Human Any Web App via Land & Catch (Infinite Apps) Workforce Access Workforce Password Management The browser extension auto-captures login fields on any web app not in the catalogue, so users add their own apps to the vault without admin effort — the answer to ‘what about apps not in the catalogue?’ IAM TeamWorkforce IT
Human Credential Usage & Access Audit Reports Workforce Access Workforce Password Management Audit A built-in report builder shows who accessed which personal or shared credential and when — the audit-evidence layer for business-app access. IAM TeamCompliance
Secure Web Sessions (SWS)Records, monitors and protects user activity inside web and SaaS applications after login, including SSO-federated appsShared Services: session recording and audit of in-app activity — recordings are stored in the SWS portal, encrypted with a customer-held key (the unified Audit session view covers SIA and SCA). No estate discovery; not a credential vault.
Human Session Recording & Monitoring for Web / SaaS Apps (Including SSO) Workforce Access Secure Web Sessions Audit Records user activity inside designated web apps via a browser extension — step-by-step screenshots with metadata — for audit and compliance, even where access is federated through SSO. Searchable session trail. IAM TeamCompliance
Human Privileged SaaS Administrator Accounts (Microsoft 365 Global Admin, Salesforce, Okta / Entra Super-Admin, Google Workspace) Workforce Access Secure Web Sessions WPM Identity Administration SaaS tenant-admin accounts carry org-wide blast radius — a compromised Microsoft 365 Global Admin or Okta super-admin can reach every user. Identity Administration fronts the account with SSO and adaptive MFA; WPM vaults and auto-fills the admin credential so it is never seen, shared or written down; and Secure Web Sessions records the admin console session step-by-step, with continuous authentication and in-session data controls (app-open step-up MFA is an Identity Administration authentication-policy control) — turning an unmonitored super-admin login into a recorded, controlled, audited session. IAM TeamCISO
Human Step-Up Authentication & Protection for High-Risk Web Apps Workforce Access Secure Web Sessions Secure Web Sessions sits in the browser after login and adds continuous authentication beyond the initial sign-on — re-verifying the user through the session rather than trusting the one-time login — while a fresh MFA challenge before a user opens a designated high-risk app is enforced by Identity Administration authentication policies. Together with session recording, this applies protection past the login point, extending Zero Trust into the session itself rather than stopping at the front door. IAM TeamCISO
Human In-Session Data Controls (Clipboard, Downloads) Workforce Access Secure Web Sessions Audit Session Protection blocks copy/paste and drag-and-drop in protected apps by default and can restrict downloads — DLP-style controls layered on top of the recorded session. ComplianceCISO
Human Field-Level Session Control Rules Workforce Access Secure Web Sessions If/then rules on specific fields and buttons inside a protected app — restrict what can be entered, or alert when a sensitive action is clicked. Policy enforcement inside the app, beyond recording. ComplianceIAM Team
Identity AdministrationThe platform access layer: single sign-on, adaptive MFA, federation with external IdPs (Okta, Entra ID, Ping) and SCIM lifecycle provisioningShared Services: supplies the SSO/MFA layer used across the platform and the Essential Eight mapping, and feeds its own sign-in telemetry to TDR/ITDR. Access certification and attestation is Identity Governance’s role, not this service’s.
Human SSO & Adaptive MFA to Business and SaaS Applications Workforce Access Identity Administration Single sign-on to web and SaaS applications via a SAML/OIDC app catalogue, with adaptive (risk-based) step-up MFA. This is the SSO/MFA layer referenced in the Essential Eight mapping and the authentication front door for every other service. IAM TeamWorkforce IT
Human Federation with an Existing Identity Provider (Okta, Entra ID, Ping) Workforce Access Identity Administration Federates the Idira tenant with an external IdP over SAML or OIDC — both IdP-initiated and SP-initiated — so a customer keeps Okta, Microsoft Entra ID or Ping as their primary identity provider while layering Idira identity security on top. TDR’s documented external telemetry ingestion covers Palo Alto Cortex risk scores and SIEM logon import — IdP-telemetry ingestion is not documented. IAM TeamIdentity Architect
Human Automated Joiner / Mover / Leaver Provisioning (SCIM) Workforce Access Identity Administration Identity Governance Automated user and group provisioning and de-provisioning via SCIM — inbound from an external IdP (e.g. Okta, Microsoft Entra ID), outbound to SCIM-enabled SAML apps — accounts created, changed and removed as people join, move and leave. Identity Administration executes the SCIM provisioning; Identity Governance drives the birthright/access policy behind it and certifies the result. (See also the Identity Governance Joiner-Mover-Leaver row, which governs the same lifecycle for apps beyond SCIM via Idira AI Profiles.) IAM TeamHR-IT
Human Phishing-Resistant Passwordless Authentication (FIDO2 / Passkeys) Workforce Access Identity Administration FIDO2 security keys, passkeys (WebAuthn) and biometrics (Windows Hello, Touch ID) give workforce users phishing-resistant, passwordless sign-in — closing the credential-theft entry point. FIDO2-certified. Windows Hello support is documented up to Windows 11 22H2. IAMSecurity Ops
Human Risk-Based Access with Behavioural Analytics Workforce Access Identity Administration Threat Detection & Response The behavioural-analytics engine is CyberArk Identity User Behavior Analytics (an additional licence within the TDR / ITDR layer), which baselines each user’s behaviour and maintains a rolling 7-day risk level; Identity Administration consumes that risk level at the access point to drive adaptive step-up MFA or blocking — risk-aware Zero Trust decisions at the front door. IAM TeamCISO
Threat Detection & Response (TDR / ITDR)The platform’s identity threat detection and response layer (successor to ISI): behavioural analytics over the identities, accounts and sessions Idira already manages, with automated response actionsShared Services: a platform shared service rather than a separately sold product — consumes documented signal sources (Identity sign-ins, Privilege Cloud / PAM sessions, SIEM logon import, Palo Alto Cortex risk scores) and pushes detections out to SIEM / SOAR (a natural bridge to Cortex XSIAM / XSOAR).
Human Privileged Session Risk Scoring with Automatic Suspend / Terminate Platform Shared Services Threat Detection & Response Suspicious activity inside a monitored privileged session is scored in near real time, and high-risk sessions are automatically suspended or terminated — containment at machine speed rather than a SOC analyst reviewing recordings after the fact. SOCSecurity Ops
Human Suspected Credential Theft — Automatic Rotation & Reconciliation Platform Shared Services Threat Detection & Response When credential theft is suspected on a vaulted account, TDR (SaaS) triggers automatic rotation; on PAM Self-Hosted, PTA reconciles the account when an out-of-band password change is detected — closing the exposure window before the stolen credential can be used. PAM AdminSecurity Ops
Human Unmanaged Privileged Account & PAM-Bypass Detection (SIEM Logon Import, Auto-Onboard) Platform Shared Services Threat Detection & Response Imports logon events from the SIEM (Splunk, IBM QRadar — not Sentinel) to detect privileged activity that bypasses the vault and surface unmanaged privileged accounts into Pending Accounts for onboarding (PTA on self-hosted can onboard automatically) — turning detection into coverage. Security OpsPAM Admin
Secrets ManagerRuntime secrets delivery to cloud-native applications, containers and CI/CD pipelines via REST API, SDK or CLI and a native Kubernetes authenticator — not via a per-server agent; plus dynamic (short-lived, just-in-time) AWS and GCP credentials via issuersShared Services: audit logging of secret retrieval (which workload retrieved which secret, when). No session recording; discovery of existing third-party-vault secrets is Secrets Hub's role, not this product's.
Machine CI/CD Pipeline Credentials (Jenkins, GitHub Actions, Azure DevOps, GitLab) Apps / DevOps Secrets Manager Eliminates hardcoded secrets in pipeline configs. Credentials injected at runtime. Pipelines are Tier 0 assets — compromise gives access to production. Native integrations, no code rewrite required. For the secretless end-state, see Secure Workload Access. DevOpsAppSec
Machine Container Workloads (Docker, Kubernetes Pods, Microservices) Apps / DevOps Secrets Manager Secrets injected at runtime — Kubernetes pods via the native Kubernetes authenticator, plain Docker containers via Summon, REST or SDK, and ECS / Fargate tasks via the AWS IAM authenticator. Eliminates secrets baked into container images. Each workload retrieves only what it needs. This is the recommended target state for containerised workloads — see CCP row for bridge scenarios. Platform EngDevSecOps
Machine Application-To-Database Credentials (Hardcoded Database Passwords) Apps / DevOps Secrets Manager Application retrieves database credentials at runtime via REST API or SDK. Credential never stored in code or config file. Rotation is policy-driven and zero-downtime — delivered through the Privilege Cloud Secrets Rotation Service integration rather than natively in Secrets Manager alone. App DevAppSec
Machine Cloud Workload Credentials (AWS, Azure, GCP API Keys) Apps / DevOps Secrets Manager Centralises cloud platform credentials. Where cloud-native identity (IAM roles, Managed Identity) is supported, eliminates static keys entirely. Where not, rotates and delivers on demand. Cloud EngSecurity Ops
Machine Infrastructure-As-Code Tools (Terraform, Ansible, Puppet) Apps / DevOps Secrets Manager Native integrations mean IaC tools retrieve credentials from the vault at execution time, keeping them out of playbooks and templates. Per CyberArk’s provider docs: retrieved values can still be written to Terraform state — use Terraform 1.10+ ephemeral values / 1.11+ write-only arguments. Platform EngDevOps
Machine Secretless Broker — App Holds No Credential Apps / DevOps Secrets Manager The Secretless Broker proxies the application’s connection to databases, HTTP services and SSH targets and injects the credential itself — the application never touches a secret at all (Self-Hosted). AppSecPlatform Eng
Machine Pipeline OIDC / JWT Authentication (No Bootstrap Secret) Apps / DevOps Secrets Manager The JWT authenticator lets GitHub Actions, GitLab, Azure DevOps and Bitbucket pipelines authenticate with their platform-issued OIDC token — eliminating the stored bootstrap credential (‘secret zero’ for CI/CD). DevSecOpsAppSec
Machine Kubernetes Secrets Provider (Push-To-File) Apps / DevOps Secrets Manager A dedicated Secrets Provider (init container, sidecar or standalone) populates Kubernetes Secrets or shared-volume files; rolling restarts on rotation can be automated via the documented Reloader integration — pods consume secrets natively with no vault API calls in application code. Platform EngDevSecOps
Machine Policy as Code — RBAC in Version Control Apps / DevOps Secrets Manager Authorisation is declarative YAML policy held in version control: security owns policy, developers own workloads, and every change is reviewable — separation of duties for secrets management. DevSecOpsSecurity Arch
Machine Geo-Distributed HA with Leader / Followers Apps / DevOps Secrets Manager Self-Hosted’s Leader/Follower architecture serves secret reads from local Followers across regions and keeps retrieval running through node loss — the architecture regulated and air-gap-leaning customers choose Self-Hosted for. Platform EngCISO
Secrets HubDiscovers and inventories secrets in non-Idira vaults (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, GCP Secret Manager) and replicates Idira-managed secrets out to themShared Services: secrets discovery across third-party vaults is this product's core function · audit of replication and rotation. No session recording.
Machine AWS Secrets Manager Sprawl (Multiple Accounts / Shadow Vaults) Third-Party Secrets Management Secrets Hub Discovery Secrets Hub discovers secrets across AWS Secrets Manager instances, then replicates Idira-managed secrets out to the native AWS vault. Developers continue consuming from AWS Secrets Manager natively while Idira becomes the source of truth for rotation and policy. Newly discovered AWS secrets can now be onboarded back into Idira for full lifecycle management. CISOCloud Security
Machine Azure Key Vault Sprawl Third-Party Secrets Management Secrets Hub Replicates Idira-managed secrets to Azure Key Vault using federated identity for trust — required for new Key Vaults since the client-secret app-registration method was deprecated (April 2026). Developers keep using Key Vault natively via Azure SDKs — rotation policy, oversight and audit are applied centrally from Idira behind the scenes. CISOCloud Security
Machine HashiCorp Vault / GCP Secret Manager Sprawl Third-Party Secrets Management Secrets Hub Discovery AWS, Azure and GCP get outbound sync from Idira plus discovery / scan, with per-secret onboarding of discovered secrets back into Idira (no bulk onboarding). HashiCorp Vault (KV v2) is discovery and outbound sync — no discovery-UI onboarding, though a documented manual sync workflow brings HashiCorp secrets under PAM rotation. Single pane of glass across all vault types — security teams see every secret in every vault, apply a global expiration setting, and drive down dormant or unused secrets. CISOSecurity Ops
Machine Mergers & Acquisitions Vault Integration (Newly Acquired Environments) Third-Party Secrets Management Secrets Hub Discovery Acquired teams keep their existing AWS, Azure, GCP or HashiCorp vaults — no developer disruption, no migration project. Secrets Hub discovers the existing secrets, the security team selects which to bring under enterprise management, and Idira takes over rotation while the native vault continues to serve developers natively. CISOIT Integration
Machine Discover Unmanaged & Shadow Secrets Across Cloud Stores Third-Party Secrets Management Secrets Hub Discovery Scans AWS Secrets Manager, Azure Key Vault, GCP Secret Manager and HashiCorp Vault to surface unmanaged, orphaned and shadow secrets — then onboards them to central policy, rotation and audit. CISOCloud Security
Agent-Based Credential Provider (CP)Agent installed on the application server; local credential cache means no network dependency at retrieval timeShared Services: audit logging of application credential retrieval. No session recording or estate discovery.
Machine SCADA / HMI Application Credentials (OT Environments) Legacy / On-Prem Applications Agent-Based CP Agent installed on the SCADA/HMI server caches credentials locally. Production keeps running even if the vault is temporarily unreachable — critical for OT environments where network reliability cannot be guaranteed. Zero-downtime rotation. OT SecurityPlant Ops
Machine Mainframe Applications (IBM Z/OS) Legacy / On-Prem Applications Agent-Based CP Credential delivery on IBM’s mainframe operating system z/OS — the z/OS provider connects through a Central Credential Provider (CCP) web-service tier while keeping a persistent local cache on the LPAR. Supports the dual-accounts pattern for zero-downtime rotation, particularly valuable in high-transaction mainframe environments where blackout windows are unacceptable. Mainframe OpsIT Ops
Machine Static / Homegrown Applications (Java, .NET, On-Premises) Requiring High Availability Legacy / On-Prem Applications Agent-Based CP Mission-critical on-premises apps that cannot tolerate network latency or vault unavailability. Local agent cache ensures credential is always available. Supports Windows, Linux, AIX, Solaris and z/OS. Applications call the local Application Password SDK to retrieve credentials (the Application Server Credential Provider is the no-code-change option for app servers). App DevIT Ops
Machine MES-To-ERP Integration Credentials (Manufacturing) Legacy / On-Prem Applications Agent-Based CP Agent on the integration server caches credentials for the MES-to-ERP connection (e.g. SAP). Rotation coordinated across both ends of the integration. Production line continuity is maintained even during a vault maintenance window. OT SecurityIT Ops
Central Credential Provider (CCP)No agent on the application server; applications call a centralised HTTPS web service to retrieve credentials at runtimeShared Services: audit logging of application credential retrieval. No session recording or estate discovery.
Machine Web Applications and Middleware (IBM WebSphere, Oracle WebLogic, Apache Tomcat) Legacy / On-Prem Applications CCP The documented no-code path for app servers is the Application Server Credential Provider (ASCP) — an agent-based integration that maps datasource credentials on the app server itself. Where an agent is undesired, applications can instead make an authenticated REST call to the CCP web service over HTTPS (mutual TLS supported), which requires a small code change. App DevIT Ops
Machine COTS Applications (ERP, Vulnerability Scanners, Backup Tools, IAM Platforms) Legacy / On-Prem Applications CCP Integrations for third-party software via the CyberArk Marketplace. Application calls CCP at startup to retrieve credentials — no code changes to the COTS product. CCP validates the application's identity before returning the secret. IT OpsSecurity Ops
Machine Automation Scripts and Scheduled Tasks Legacy / On-Prem Applications CCP Scripts retrieve credentials at runtime — via the local Credential Provider’s CLIPasswordSDK, or a REST call to the CCP web service — no hardcoded passwords. If a script is copied and shared, it retrieves a fresh credential that is already rotating. Credentials become invalid quickly if exfiltrated. IT OpsDevOps
Machine RPA Bots (Attended and Unattended — UiPath, Blue Prism, Automation Anywhere) Legacy / On-Prem Applications CCP Unattended bots call CCP at runtime to retrieve credentials — no standing access, no hardcoded passwords in bot configurations. Scales to large bot fleets from a load-balanced CCP cluster without deploying agents to every bot runner. RPA TeamIT Ops
Machine Containerised Apps as a Bridge to Secrets Manager SaaS Legacy / On-Prem Applications CCP Recommended target state for containerised workloads is Secrets Manager SaaS with the Kubernetes authenticator. CCP serves as a bridge solution where Secrets Manager SaaS is not yet deployed — provides agentless credential retrieval over HTTPS with no sidecar or init container required. Platform EngAppSec
Machine Estate-Wide Hardcoded-Credential Onboarding Legacy / On-Prem Applications Agent-Based CP CCP Discovery The entry point of every Credential Provider programme: identify the scripts, COTS apps and scheduled tasks holding embedded credentials across the estate — per the CyberArk Blueprint an inventory exercise using CMDB data, app-owner input and third-party code scanning (not an automated product scan) — then onboard them to vault-backed runtime retrieval, modifying each app to fetch credentials at runtime. IT OpsAppSec
Machine Application Authentication Before Secret Release Legacy / On-Prem Applications CCP CCP authenticates the calling application before releasing a secret — by allowed machines (IP address), OS user and client certificate (mTLS), combinable; application path and hash checks require the agent-based CP / ASCP — so a copied script or bot config can’t impersonate the real app. AppSecCompliance
Secure Workload Access (SWA)SPIFFE-based cryptographic identity for compute workloads (containers, VMs, serverless); short-lived identities tied to verified runtime attributes; built on Secrets ManagerShared Services: workload inventory/discovery and audit of identity issuance and use. No interactive session recording.
Machine Cloud Workloads Needing Cryptographic Identity (Containers, VMs, Serverless) Workload Identity Secure Workload Access Issues each workload a short-lived, cryptographically verifiable identity using the open SPIFFE standard — a SPIFFE Verifiable Identity Document (SVID), delivered as an X.509 certificate or JWT. The workload calls a local Workload API at start-up to obtain it, and the identity is earned through a two-stage chain of trust: node attestation proves the host or Kubernetes cluster, then workload attestation proves the specific process. Tied to what the workload is and where it runs, it is short-lived and automatically renewed. Because the workload proves who it is rather than presenting a stored password, there is no static credential to embed, leak or rotate — this is what removes the ‘secret zero’ bootstrapping problem. Platform EngCloud Security
Machine CI/CD Pipeline Identity (Secretless / Secret-Zero) — Pipeline Runners & Build Jobs Workload Identity Secure Workload Access The pipeline or runner authenticates with a short-lived SPIFFE identity instead of a stored secret — removing the ‘secret zero’ bootstrapping problem and the standing pipeline credential entirely. The secretless end-state for pipelines; complements Secrets Manager, which delivers a secret at runtime where a target still needs one. Platform EngDevSecOps
Machine Multi-Cloud Workload Communication (Cross-Boundary Authentication) Workload Identity Secure Workload Access AWS IAM roles, Kubernetes service accounts and on-prem credentials each only work inside their own boundary, so cross-environment communication usually falls back to shared static secrets or brittle network rules. Secure Workload Access gives every workload one portable SPIFFE identity trusted across clouds and on-prem alike, enabling mutual TLS (mTLS) and JWT-based authentication directly between workloads — no VPN, no shared API key, and no reliance on IP allow-lists. The result is zero-trust, workload-to-workload authentication that travels with the workload rather than the network. Cloud SecurityPlatform Eng
Machine Secretless Application Access (Databases, APIs, HTTPS) Workload Identity Secure Workload Access For targets that still expect a traditional secret (databases, APIs, HTTPS services), the application leans on its SPIFFE identity instead of holding the credential itself. Secure Workload Access is built on Secrets Manager, so where a secret is genuinely required the workload exchanges its verified identity for one at runtime — or the Secretless Broker (a Secrets Manager Self-Hosted component) injects it into the connection — and the application code never fetches, stores or sees the secret. This extends the secretless model to legacy and credential-based targets that can’t yet authenticate by identity alone. AppSecPlatform Eng
Machine Workload Identity Discovery & Inventory Workload Identity Secure Workload Access Discovery Continuously discovers workloads and their identities, secrets and certificates (via Discovery & Context) — surfacing unmanaged machine identities and long-lived credentials so they can be brought under control. Platform EngCloud Security
Machine Workload Identity for AI Agents Workload Identity Secure Workload Access Extends the same SPIFFE cryptographic identity to AI-agent runtimes alongside containers, VMs and serverless — and can extend SPIFFE identity to AI-agent workloads (configured separately from Secure AI Agents). AI PlatformCISO
Secure AI AgentsDiscovers autonomous AI agents across SaaS, cloud and developer environments, assigns each a managed identity, and brokers their access to tools through MCP servers; the Identity Broker enforces just-in-time, least-privilege access per task (zero standing privileges on Secure Infrastructure Access-based MCP servers — initial release: PostgreSQL, ZSP mode), with a full audit trail linking the Human initiator to the agent and its actionsShared Services: AI-agent discovery · audit logging of agent actions · behavioural monitoring of agent activity (announced — 2026 roadmap). No interactive session recording.
Agentic AI Agent Discovery & Inventory (Copilot Studio, AWS Bedrock / AgentCore, Custom Agents via API Import) Agentic Identity Secure AI Agents Discovery Most organisations have already adopted AI agents but can’t list them — an unmanaged, fast-growing set of identities. Secure AI Agents discovers agents across SaaS, cloud and developer environments (Microsoft Copilot Studio, AWS Bedrock and AgentCore; custom agents importable via API) and builds an inventory enriched with owner, purpose, status and context, with lifecycle states (Pending connection, Active, Suspended, Error). Visibility first: you can’t govern or secure agents you can’t see, and knowing the owner tells you which to prioritise. CISOAI/ML TeamSecurity Ops
Agentic AI Agent Identity & Managed Credentials (Register the Agent as a First-Class Identity) Agentic Identity Secure AI Agents Secrets Manager Secure Workload Access An AI agent that authenticates with an embedded API key or a shared service-account token is an unmanaged secret waiting to leak. Registering an agent in Idira gives it a managed, first-class identity with OAuth 2.1 credentials issued at registration, so access is authenticated, authorised and audited per agent identity — the same principle applied to humans and workloads. This is what lets every later control (privilege, audit, revocation) attach to a known identity instead of an anonymous process. Per CyberArk docs: agent credentials are issued once and cannot currently be rotated in place (delete and re-register to reissue). Secrets Manager and Secure Workload Access support AI-agent workload types as separately configured capabilities (SPIFFE JWT SVIDs require your own SPIFFE/SPIRE deployment) — not automatic from registration. Governance of agent identities through Identity Governance (certification / de-provisioning) is not a documented integration — treat as roadmap. IAM TeamPlatform EngAI/ML Team
Agentic Governed Tool & Data Access via MCP Servers (Model Context Protocol) Agentic Identity Secure AI Agents Secure Cloud Access Agents act by calling tools — databases, SaaS apps, internal services — increasingly through the Model Context Protocol (MCP). Secure AI Agents puts Idira in the path as the control point: an agent can connect only to MCP servers that have been registered and enabled — for example the Secure Cloud Access MCP Server, which gives AI development tools such as Amazon Q and Claude just-in-time cloud access without standing keys — and each request is brokered and authorised rather than the agent holding direct, standing access. This bounds what an agent is allowed to reach — the agentic equivalent of an allow-list — closing the ‘an agent can call anything its token permits’ gap. Initial-release scope (per CyberArk docs): SIA-based MCP database access is PostgreSQL-only and ZSP-mode-only; the SCA MCP Server elevates standalone AWS accounts only; tenant limits of 1,000 agents and 1,000 MCP servers apply. Security OpsPlatform EngAI/ML Team
Agentic Just-In-Time Privilege & Zero Standing Privileges per Task (Identity Broker) Agentic Identity Secure AI Agents A standing credential is the wrong control for something that decides its own next action. The Identity Broker — the control point also documented as the AI Agents Gateway — brokers and authorises every agent request. For MCP servers built on Secure Infrastructure Access, access is governed by the same least-privilege, ZSP policies used for Human and machine access; per the docs, other MCP servers may use different access-control mechanisms, and fully task-scoped grant-and-automatic-revocation is CyberArk’s stated design goal rather than documented behaviour today. Treats the agent as a first-class identity needing the same just-in-time governance as a privileged Human. CISOSecurity OpsAI/ML Team
Agentic Audit & Accountability for Agent Actions (Who Did the Agent Act For?) Agentic Identity Secure AI Agents Audit When an autonomous agent takes an action, the audit question is two-layered: what did the agent do, and on whose behalf? Secure AI Agents records a unified trail linking the initiating Human user to the AI agent identity, the tools it invoked and the MCP server or resource it reached — including session initialisation, tool discovery and tool execution — alongside admin lifecycle actions (create, suspend, delete). This is the accountability evidence auditors and incident responders need for agent activity, which generic AI tooling doesn’t produce. ComplianceSecurity OpsCISO
Agentic Agent Lifecycle & Access Revocation (Offboarding / Gateway Revocation) Agentic Identity Secure AI Agents Manages the agent identity from registration to retirement — suspend or delete an agent to immediately revoke its access through the AI Agents Gateway. Per CyberArk docs: suspension blocks Idira-brokered paths only — access the agent holds outside the gateway is unaffected, and deletion does not remove the agent from its host platform. CISOAI/ML Team
Agentic Behavioural Monitoring & Anomaly Detection (Announced — Roadmap) Agentic Identity Secure AI Agents Announced (2026 roadmap), not yet documented as shipped: behavioural monitoring of agent activity against its declared purpose. Today, documented risk analysis covers posture checks only (missing owner, long-pending connections), and containment is manual via suspend / disable. TDR/ITDR does not yet cover AI agents. CISOSecurity Ops
Agentic MCP Server Registration & Central Enable / Disable Agentic Identity Secure AI Agents The security-team side of MCP governance: register MCP servers centrally, enable / disable them, and disable a compromised server to block all agent access to it at once. Registration is manual and the inventory covers registered servers only — shadow-server discovery and open-source supply-chain scanning are not yet documented capabilities. Security OpsPlatform Eng
NGTS (Next-Generation Trust Security)PANW's certificate lifecycle management delivered by extending Strata Cloud Manager; automated discovery, issuance, renewal and rotation across firewalls, gateways, SASE and workloadsShared Services: certificate discovery and lifecycle audit are NGTS-native on the PANW network platform — distinct from the Idira identity shared-services plane (not the identity Audit space or TDR).
Machine Certificate Discovery Across the Network (Firewalls, Gateways, SASE, Workloads) Machine Identity Trust NGTS You can’t renew a certificate you don’t know exists — and the unknown one is what causes the after-hours outage. NGTS continuously discovers every certificate across the estate (firewalls, gateways, SASE, workloads), including shadow and forgotten ones, through active discovery — Scanafi and VSatellite scans, domain / cloud / Kubernetes scans and Strata Cloud Manager config sync — rather than trusting a manual spreadsheet. The foundation of the whole lifecycle — you can only automate renewal once the inventory is complete and live. Network SecurityPKI Team
Machine Automated Certificate Lifecycle Management (47-Day Renewal Cycle Readiness) Machine Identity Trust NGTS Manual certificate renewal already causes outages, and it becomes unworkable as public TLS lifetimes collapse. The CA/Browser Forum (ballot SC-081v3, passed April 2025) steps maximum public TLS validity down from 398 days to 200 (in effect since March 2026), 100 (March 2027) and 47 (March 2029) — roughly an 8x rise in renewal frequency, where a single missed renewal means a service outage. NGTS automates the full cycle — issuance, renewal, deployment, rotation and validation — CA-neutral via ACME, EST and SCEP. Internal PKI sits outside CA/Browser Forum rules, but the same automation case applies for crypto-agility and consistency. On the network enforcement points themselves — firewalls, gateways, inspection services and SASE — that means an expired certificate never takes the control plane offline. Network SecurityIT Ops
Machine Private PKI Modernisation (SaaS-Based CA Services) Machine Identity Trust NGTS Internal certificate authorities — usually ageing Microsoft ADCS — are brittle, hardware-bound and a constant maintenance burden, yet they underpin trust for the whole estate. NGTS replaces them with SaaS-based private PKI: built-in root and intermediate CA services and standards-based enrolment, with HA at the VSatellite-group level (each deployment runs in a single, immutable region) and no CA servers to patch or scale. The natural exit from legacy ADCS without giving up control of key operations. PKI TeamNetwork Security
Machine Post-Quantum Cryptography Migration Readiness Machine Identity Trust NGTS Post-quantum migration starts with knowing where your cryptography lives — you can’t swap algorithms you can’t see. Crypto inventory and PQC orchestration are delivered by Palo Alto Networks’ separate Quantum-Safe Security app (distinct from NGTS), which inventories cryptographic dependencies and orchestrates the large-scale reissuance needed to adopt post-quantum algorithms once they are mandated. Forward-looking but increasingly live: ‘harvest-now, decrypt-later’ risk is already driving PQC conversations in financial services and government. CISOPKI Team
Machine Private-Network Reach via VSatellite Machine Identity Trust NGTS A VSatellite extends NGTS into private and restricted networks for certificate discovery and provisioning where no direct internet path exists (a Strata NGFW extension is not documented). Network SecurityDC Ops
Identity Governance (IGA)AI-powered access certifications, automated provisioning/deprovisioning and entitlement discovery, delivered as Modern IGA (Zilla Comply, Zilla Provisioning — from the Zilla Security acquisition); governance of privileged access is via the separate Identity Compliance productShared Services: entitlement discovery across SaaS and custom apps · audit and compliance evidence (campaign reports, certification records). No session recording.
Governance Access Certifications and Reviews (APRA CPS 234, ISO 27001, Audit Cycles) Identity Governance Identity Governance Audit AI-powered access certifications across SaaS, cloud and on-prem applications. Managers review and certify their team's access on a schedule; risky combinations are flagged against an admin-defined segregation-of-duties policy matrix (CSV upload). Replaces spreadsheet-based certifications with continuous, evidence-backed reviews. AI Profiles cut access-review effort by ~80% and reduce permissions needing manual review by up to 75% (vendor figures). IAM TeamCompliance
Governance Automated SaaS Provisioning and De-Provisioning (Joiner-Mover-Leaver) Identity Governance Identity Governance New starters get the right access from day one based on role; movers get access adjusted on role change; leavers lose access automatically at termination. Extends beyond SCIM-supporting apps via Idira AI Profiles — attribute-defined profiles that recommend grants based on prevalence among similar users, with birthright access activated by the profile owner. Closes the most common audit finding: ex-employees retaining access. Complements the SCIM-based Joiner / Mover / Leaver row under Identity Administration: this is the governance-led view, reaching apps beyond SCIM via Idira AI Profiles. IAM TeamHR-IT
Governance Entitlement Discovery Across SaaS and Custom Applications (Microsoft 365 / Entra ID, Salesforce, Workday, ServiceNow, Google Workspace, Okta) Identity Governance Identity Governance Discovery Discovers fine-grained entitlements across SaaS apps and custom-built applications — not just “does a user have access to Salesforce” but “what Salesforce permissions does that user actually hold.” Backed by 250+ documented integrations (the vendor cites 1,000+) plus Idira Universal Sync (robotic automation for apps without APIs) and CSV upload — reaching apps that legacy IGA platforms can't. IAM TeamCISO
Governance Identity Compliance Reporting and Audit Evidence Identity Governance Identity Governance Audit Produces the evidence auditors need — who had access to what, who approved it, when access was reviewed, what changed. Certification campaign reports and an exportable evidence package provide the audit record (‘Identity Map’ is vendor positioning for this unified view, not a documented feature name). AI-driven business processes complete certifications up to 5× faster with ~80% less effort (vendor figures) — designed from the ground up for cloud-first enterprises. ComplianceIAM Team
Governance Governance of Privileged Access — Safe and Privileged-Account Access Certification (Identity Compliance) Identity Governance Identity Governance Audit Identity Compliance delivers access certification for PAM environments: it extends certification to Privilege Cloud and PAM Self-Hosted, so safe owners review who can access each Safe and privileged account on a schedule, flag and correct anomalies, and produce audit evidence. Brings privileged accounts under the same governance as ordinary application entitlements — closing the loop between PAM (secures and records access once granted) and IGA (certifies it should exist). PAM AdminIAM TeamCompliance
Governance Active Directory Clean-Up as Part of a PAM Uplift (Advisory / Emerging Positioning) Identity Governance Identity Governance Discovery Advisory / emerging positioning. For customers with a sprawling, messy Active Directory — a common starting point for a PAM maturity programme — IGA can treat AD as a governed application: discovering group memberships and nested-group entitlements, certifying them, and surfacing orphaned, stale and over-privileged accounts. Cleaning up AD group sprawl (especially privileged groups such as Domain Admins) cuts standing privilege before accounts come under PAM. IAM TeamPAM AdminCISO
Governance Segregation of Duties (SoD) & Toxic Access Combinations Identity Governance Identity Governance Detects SoD conflicts and risky entitlement combinations from an admin-defined conflict matrix (CSV policy upload) — with findings, request-time warnings and remediation workflows for SOX / APRA-style compliance. ComplianceIAM
Governance Orphan & Dormant Account Detection and Clean-Up Identity Governance Identity Governance Discovery Continuously discovers accounts with no valid owner and unused entitlements, then drives clean-up workflows — automatic revocation is documented for Okta, Entra ID and GitHub (re-verified at the next sync); other applications are remediated manually. IAMCompliance
Governance Non-Human Identity Governance Identity Governance Identity Governance Brings service accounts, API keys, RPA bots and shared accounts under the same certification and lifecycle processes as people — one system of record for every entitlement, Human or machine. Advisory: current docs don’t enumerate API-key or RPA-bot identity types — non-human accounts are governed via account-type filters. IAM TeamCompliance
Governance AI-Assisted Access Requests via ITSM Identity Governance Identity Governance Self-service access requests routed through native ITSM workflows (ServiceNow, Jira Service Management), with catalogue-based entitlement selection and segregation-of-duties warnings at request time — provisioning follows approval automatically. IAM TeamHR-IT

Platform Integrations

Show
Scope & Engineer

Use Case Methods

Idira connects to the outside world through a small set of distinct integration patterns — and each is owned by a specific product. Match a system to the pattern that fits how it needs to connect — an agentless app fetching a secret, a cloud-native workload, a human privileged session, an external identity provider, a cloud console, or a SaaS app to govern — and you have the product to reach for. This is the conceptual map; use Platform Lookup to find a specific named system, and the Use Case Targets to find every product that addresses a given target. (Representative of the common patterns — the live CyberArk Marketplace → is the authoritative, always-current catalogue.)

Agentless Secret Fetch

Handled byCCP

The app or tool fetches its secret from the Central Credential Provider — a central HTTPS web service — at runtime — no agent on the app host. The caller is authenticated by attributes (IP, OS user, path / hash, client certificate) before the credential is released, so nothing is stored in code or config. Runs as a web service on IIS. Best for COTS software, vulnerability scanners, RPA, backup tools, ITSM and scripts.

Local Credential Cache

Handled byAgent-Based CP

The Agent-Based Credential Provider — a lightweight provider installed alongside the application — keeps an encrypted local cache of the credentials it needs, so the app keeps working — and keeps rotating — even if the vault is briefly unreachable or the site is isolated. For OT / SCADA, mainframe and HA-critical apps where a vault round-trip per request can’t be tolerated.

Cloud-Native Secrets

Handled bySecrets Manager

Modern apps retrieve secrets from Secrets Manager on demand via an API / SDK, sidecar or Kubernetes Secrets Provider (push-to-file) — externalised from code and rotated centrally. Covers containers, Kubernetes, CI/CD and Infrastructure-as-Code, with the Secretless pattern and JWT / OIDC pipeline auth so the workload needs no bootstrap secret.

Third-Party Vault Sync

Handled bySecrets Hub

Secrets Hub keeps the customer’s existing cloud vaults in place — discovers the secrets already in AWS Secrets Manager, Azure Key Vault, GCP Secret Manager or HashiCorp Vault and replicates Idira-managed secrets out to them, so rotation, policy and audit sit above all of them in one control plane. Sync flows one way to every store — native rotation for AWS, Azure and GCP; discovery and sync for HashiCorp.

Workload Identity

Handled bySecure Workload Access

Gives the workload a short-lived, verifiable cryptographic identity on the open SPIFFE / SVID standard, so it authenticates by proving what it is — not by holding a stored secret. Enables Secretless access to databases, APIs and HTTPS services and workload-to-workload auth across cloud boundaries.

Session Brokering

Handled byPrivilege CloudPAM Self-HostedSIA

For a Human’s privileged session to a target: the Privileged Session Manager (PSM) brokers and records the session rather than handing an app a secret. Built-in connectors cover RDP, SSH, Telnet, web and database clients; for anything not shipped by default, a Marketplace or custom Universal Connector extends PSM to almost any thick-client, web or 3rd-party app. SIA is the modern VPN-less alternative for infrastructure.

Endpoint Agent (LCD)

Handled byPrivilege Cloud EPM

For local accounts on endpoints and loosely connected devices that are rarely on the network — the EPM agent discovers local Windows, macOS and Linux accounts and rotates their credentials, caching the job and running it on reconnection. Owned by Privilege Cloud, delivered through the endpoint agent; complements network-scan discovery and PSM-brokered sessions.

SSO & Federation

Handled byIdentity Administration

Not a credential connector — connects external identity providers (Entra ID, Okta, Ping) via SAML/OIDC federation and SCIM provisioning; TDR/ITDR draws on Idira’s own sign-in telemetry, SIEM logon imports and Cortex risk scores rather than direct IdP feeds. See the Identity providers & federation row.

ZSP Console Access

Handled bySecure Cloud Access

For just-in-time sessions into the AWS, Azure or GCP console and CLI — ephemeral, zero-standing access brokered per request, including from AI dev tools via the SCA MCP Server. Session brokering, not credential delivery.

App Governance

Handled byIdentity Governance

For governing who should have access to SaaS and custom apps — 250+ documented integrations (vendor cites 1,000+) plus SCIM and Universal Sync RPA for apps without APIs. Entitlement discovery and certification, not credential delivery.

Scope & Engineer

Platform Integrations

How third-party platforms connect to Idira — search for a specific system to see which product handles it and the mechanism it uses.

Start here

How to Choose — The Decision Spine

Work any target — even one not listed below — in three questions: which identity are you securing, which control family handles it, then which mechanism fits.

Human Access
A person logs into or operates the system.
PAMSIA / PSM + EPM
Machine — Legacy / OT Secret
A COTS, mainframe or OT app holds an embedded credential and can’t be recoded.
Secrets MgmtCredential Providers (CP / CCP)
Machine — Third-Party Vault
The secret already lives in AWS, Azure, GCP or HashiCorp — keep developers consuming it there.
Secrets MgmtSecrets Hub
Machine — Cloud-Native Secret
A modern app, container or CI/CD pipeline fetches its own secret at runtime.
Secrets MgmtSecrets Manager
Machine — Device Account
The login built into a PLC, RTU, HMI or switch — CPM rotates it in place.
PAMPrivilege Cloud / PAM Self-Hosted
Machine — Workload Identity
A workload (container, service mesh, CI job) needs an identity with no stored secret.
Secrets MgmtSecure Workload Access (SPIFFE / SVID)
Certificate / Key
A TLS or SSH certificate or key, not a password.
CLMNGTS
Telemetry
The system emits signals, not a credential to manage.
SIEM / SOARCortex XSIAM / XSOAR
AI Agent
An autonomous agent acting with delegated authority.
AgenticSecure AI Agents
Governance
Who has access to what — certified and provisioned on a schedule.
IGAIdentity Governance
Reading the machine cards: the differentiator is the nature of the application and where its secret lives. A modern, cloud-native app built to call a secrets API gets dynamic, short-lived secrets from Secrets Manager; a legacy / OT app that can’t be re-coded keeps using a static, vault-rotated password that a Credential Provider delivers (CPM rotates it) so it’s no longer hard-coded — in OT that value is often a shared device account, so PAM rotates the account while the Credential Provider feeds it to the app; a secret that must stay in the customer’s own AWS / Azure / GCP / HashiCorp vault is governed and rotated in place by Secrets Hub, with Idira as the source of truth; and a device account is the password on the equipment itself, which CPM rotates on the device. Workload Identity (Secure Workload Access) is the end state — the workload proves a cryptographic SPIFFE identity and holds no secret at all. The secrets-maturity path runs Credential Providers → Secrets Manager → Secure Workload Access — each step shortening how long the secret lives and how much it could expose if stolen, until there is no secret to steal.
By method
Representative, not exhaustive. A gap here doesn’t mean a system is unsupported — the CyberArk Marketplace has the full, current catalogue. Not every row is a credential connector — the Why column tells you how each one integrates. Most third-party apps fetch a vaulted secret, but PAM-managed targets (databases, servers, virtualisation, network appliances) are brokered and recorded by PSM / SIA; SIEM / SOAR consume telemetry rather than a credential; certificate authorities run through NGTS; and AI agents are governed by Secure AI Agents.
Example Third-Party Systems Category Identity Layer Idira product How it integrates Why
Rockwell Studio 5000 / RSLogix 5000 & 500, Schneider EcoStruxure Control Expert (Unity Pro), Siemens TIA Portal — engineering workstations & HMIsCritical Infrastructure / OT / SCADAHuman AccessSIA PSM EPMPAM SessionProblem: engineers program PLCs from Studio 5000 / RSLogix / Unity Pro on engineering workstations, often with shared local-admin logins and no record of who changed a controller. Fix: SIA / PSM brokers and records every privileged session and EPM removes standing local admin — controller access becomes controlled and fully audited.
Rockwell FactoryTalk services, Siemens SIMATIC / WinCC, Schneider EcoStruxure, AVEVA / Wonderware, GE Proficy, Honeywell Experion, Emerson DeltaV, Yokogawa CENTUM, ABB Ability, Inductive Automation Ignition, OSIsoft PI Historian, IBM z/OS mainframeCritical Infrastructure / OT / SCADAMachine — Application SecretAgent-Based CPCredential Provider SDKProblem: SCADA/HMI services, historian (PI / Wonderware) connections and integration scripts hold credentials — usually hard-coded in config files. Fix: the Credential Provider delivers each secret from the vault at runtime, and a local cache keeps the app authenticating and rotating even if the vault is briefly unreachable.
Rockwell Stratix & OT network switches, gateways, managed RTUs (SSH / SNMP)Critical Infrastructure / OT / SCADAMachine — Device AccountPAMMarketplace ConnectorProblem: OT switches, gateways and managed devices ship with default or shared admin passwords. Fix: where the device exposes SSH / SNMP, CPM rotates its built-in admin password directly on the device. Field controllers (PLCs) that can’t be rotated are protected by brokering all access through the jump host.
Rockwell FactoryTalk & OT gateway / historian TLS certificatesCritical Infrastructure / OT / SCADACertificate / KeyNGTSCertificate LifecycleProblem: OT gateways and historian services rely on TLS certificates that silently expire and trigger outages. Fix: NGTS discovers and auto-renews them so trust never lapses.
Splunk, IBM QRadar, Microsoft Sentinel, Cortex XSIAM / XSOAR, Elastic Security, Exabeam, Google Chronicle, LogRhythm, Securonix, Sumo Logic, Rapid7 InsightIDRSIEM / SOAR (Telemetry Consumers)TelemetryAudit TDR EPMTelemetry FeedConsume Idira audit events and TDR / ITDR detections as telemetry and threat signals — a logging / detection integration, not a runtime credential connector. A natural bridge to Cortex XSIAM / XSOAR for Palo Alto Networks accounts.
Palo Alto Cortex (risk-score ingestion), Splunk & IBM QRadar (logon-event import); Microsoft Sentinel is outbound telemetry onlyRisk & Event Ingestion (Inbound SIEM / XDR)TelemetryTDRTelemetry ImportThe inverse of the telemetry feed: TDR ingests risk scores from Palo Alto Cortex and imports privileged logon events from the SIEM (Splunk, IBM QRadar) — enriching identity risk scoring, powering PAM-bypass detection and surfacing unmanaged accounts into Pending Accounts for onboarding (PTA on self-hosted can onboard automatically).
VirusTotalThreat Intelligence / File ReputationTelemetryEPMReputation API LookupEPM checks unknown applications against VirusTotal risk scores before elevation decisions — reputation-informed application control rather than a credential connector. (The earlier WildFire lookup was retired in March 2025.)
Commvault, Cohesity (Marketplace plugins); Veeam (scripted CCP pattern); others — verify per vendor on the MarketplaceBackup & DRMachine — Application SecretPrivilege Cloud PAM Self-Hosted CCPMarketplace ConnectorBackup-platform admin credentials are vaulted and rotated via Marketplace CPM plugins with PSM session brokering; backup jobs and scripts can retrieve credentials at runtime via CCP calls (documented Veeam REST pattern). Connector coverage varies by vendor — confirm on the Marketplace before committing.
SAP S/4HANA & ECC, Oracle E-Business Suite, Oracle PeopleSoft, JD Edwards, Microsoft Dynamics 365, Infor, Epicor, IFS, SageERP & Legacy Business AppsMachine — Application SecretCCP / Agent-Based CPMarketplace ConnectorAgentless CCP for most; Agent-Based CP where the app must run through a vault outage.
SAP S/4HANA / ECC & Oracle EBS — privileged admin accessERP & Legacy Business AppsHuman AccessPAM SIAPAM SessionProblem: ERP admin access is broad and unrecorded. Fix: sessions brokered and recorded; the SAP plug-in vaults and rotates SAP accounts.
SAP / Oracle EBS — access entitlements & SoDERP & Legacy Business AppsGovernanceIdentity GovernanceGovernance APIProblem: entitlement creep and SoD risk go uncertified. Fix: certify ERP entitlements on a schedule and feed PAM into governance.
ServiceNow, BMC Helix (Remedy); Jira Service Management, Ivanti Neurons, ManageEngine ServiceDesk Plus, Freshservice, SolarWinds Service Desk, Cherwell, Zendesk, TOPdesk, HaloITSM — unverifiedITSM / Service DeskMachine — Application SecretCCPMarketplace ConnectorWorkflow automation retrieves credentials at runtime — ServiceNow via the CCP web service (external credential storage / MID Server), BMC via the Credential Provider (AIM) agent. The other listed vendors have no documented credential integration — verify per vendor on the Marketplace.
ServiceNow, Jira Service Management, BMC Helix (Remedy)ITSM Ticket Validation (Privileged Access)Human AccessPrivilege Cloud PAM Self-HostedTicketing / REST APIPAM validates a ticket number at credential checkout or session launch and embeds it in the audit record — the approver-to-session chain auditors ask for. Out-of-the-box ticketing modules cover ServiceNow and BMC Remedy; other systems (e.g. Jira Service Management) require a custom ticketing module. Distinct from the ITSM row above, where the ITSM tool itself fetches credentials via CCP.
ServiceNow / Jira SM / BMC Helix — access requests & provisioningITSM / Service DeskGovernanceIdentity GovernanceAPI / SCIM / RPA SyncProblem: joiner-mover-leaver access is manual and unaudited. Fix: requests and provisioning driven through the service desk.
UiPath, Blue Prism, Automation Anywhere, Microsoft Power Automate, Kofax; Pega (via CP / AIM agent); NICE, WorkFusion — unverifiedRPA / AutomationMachine — Application SecretCCPMarketplace ConnectorBots fetch a fresh credential per run — no standing passwords baked into bot configs. Pega integrates via the local Credential Provider (AIM) agent rather than CCP. NICE has no documented integration; WorkFusion is a partnership announcement only — verify on the Marketplace.
Tenable (Nessus / Tenable.io / Tenable.sc), Qualys, Rapid7 InsightVM, Tripwire, Outpost24; Microsoft Defender Vulnerability Management, Greenbone / OpenVAS — unverifiedVulnerability ManagementMachine — Application SecretCCPMarketplace ConnectorThe scanner fetches target credentials at scan time over HTTPS — no agent, no hardcoded scan accounts. Defender VM and Greenbone / OpenVAS have no documented CyberArk credential integration.
AlgoSec (ASMS / Firewall Analyzer), Tufin Orchestration Suite, FireMonNetwork Security Policy Management (NSPM)Machine — Application SecretAgent-Based CP / CCPMarketplace ConnectorFirewall- and network-policy management tools connect to the devices they analyse (Palo Alto Panorama, Check Point, Cisco, Fortinet, Juniper) using credentials retrieved from the vault at connect time rather than stored in the tool — AlgoSec via a local Credential Provider (AIM) agent installed on each ASMS machine, Tufin and FireMon via a configured vault connection.
LogicMonitor, SolarWinds (Orion / DPA), Zabbix; Datadog (outbound log feed only); ManageEngine OpManager, Nagios, PRTG — unverifiedIT Monitoring & ObservabilityMachine — Application SecretCCPMarketplace ConnectorMonitoring collectors request device credentials from the vault at poll time over HTTPS rather than storing them — a short-lived secret per poll, dual-account aware for zero-downtime rotation, every request audited. Datadog’s documented integration is log ingestion (Idira telemetry into Datadog), not credential fetch; OpManager, Nagios and PRTG have no documented credential integration.
ServiceNow Discovery (MID Server), Device42IT Asset Discovery / CMDBMachine — Application SecretCCPMarketplace ConnectorDiscovery and CMDB scans resolve credentials from the vault at scan time — the ServiceNow MID Server external credential resolver and Device42 call the CCP web service, so no scan credentials are stored in the CMDB.
Microsoft Entra ID (Azure AD), Okta, PingFederate / PingOne, OneLogin, ForgeRock, IBM Security Verify, Google Workspace, Active Directory / LDAP, plus a SAML/OIDC SSO app catalogueIdentity Providers & Federation (SSO)Human AccessIdentity AdministrationFederationFederation via SAML / OIDC and SCIM user provisioning through Identity Administration — an SSO / identity integration, not a vault credential lookup. Threat detection on federated sign-ins uses Idira’s own sign-in telemetry, SIEM logon-event import (Splunk, IBM QRadar) and Cortex risk scores — direct IdP telemetry ingestion is not documented.
Workday, SAP SuccessFactors, BambooHRHR Source-of-Truth (Inbound Provisioning)Human AccessIdentity AdministrationNative HR ConnectorNative inbound-provisioning connectors make the HR system the source of truth: joiners, movers and leavers flow into Identity Administration automatically and feed the Identity Governance JML use cases downstream.
Cisco Duo, RSA SecurID, Yubico / FIDO2 security keys, RADIUS-based authenticatorsThird-Party MFA / Strong AuthHuman AccessIdentity AdministrationRADIUS / MFAIdentity Administration adds adaptive MFA natively and integrates third-party authenticators — the CyberArk Identity Connector acts as a RADIUS client / server to bring Duo, RSA SecurID and similar tokens into the authentication policy, alongside phishing-resistant FIDO2 / passkeys.
Salesforce, Microsoft 365, Workday, ServiceNow, social-media & marketing consoles, and any web app via Land & CatchBusiness / SaaS Web ApplicationsHuman AccessSecure Web Sessions WPMBrowser ExtensionA browser extension secures web-app access where there is no PAM connector: WPM stores and auto-fills business-app credentials (SSO and non-SSO alike), and Secure Web Sessions adds recording, continuous authentication and in-session data controls (app-open step-up MFA via Identity Administration policies) to SaaS and web apps — captured via Land & Catch for any web app (App Capture utility is Firefox-only).
SailPoint, Saviynt, RSA Identity Governance & Lifecycle; Microsoft Entra ID Governance — unverifiedExternal IGA / GRC GovernanceGovernanceIdentity GovernanceGovernance APIWhere a customer already runs an enterprise IGA / GRC platform, Idira exposes privileged accounts, entitlements and access-certification evidence to it and consumes its provisioning decisions — so privileged access is certified and SoD-checked inside the organisation’s existing governance process. Microsoft Entra ID Governance has no documented CyberArk integration.
DigiCert, Sectigo, Entrust, GlobalSign, Let’s Encrypt, Microsoft ADCS, AWS Private CA, Google CAS (CA-neutral via ACME / EST / SCEP)Certificate Authorities / PKICertificate / KeyNGTSVSatelliteNGTS is CA-neutral — discovers, issues, renews and rotates certificates across public and private CAs via ACME, EST and SCEP. A VSatellite acts as the connector that reaches private networks for discovery and provisioning (a Strata NGFW extension is not documented). Certificate lifecycle management, not credential vaulting.
Thales (SafeNet) Luna SA, Entrust nShieldHardware Security Modules (Key Custody)Certificate / KeyPAM Self-Hosted NGTSHSM Key ProtectionThe PAM Self-Hosted vault server key can be protected in a customer-controlled HSM, and NGTS supports HSM-backed key operations — the key-custody story for sovereignty-sensitive government and financial environments.
Oracle, Microsoft SQL Server, MySQL, PostgreSQL, MariaDB (generic ODBC), IBM Db2, Sybase / SAP ASE, MongoDB, SAP HANA, Teradata (generic ODBC), Snowflake (community / custom web plugin), Amazon RDS / Aurora, Azure SQL Database, Google Cloud SQL; Cassandra, Redis — no documented pluginDatabasesHuman AccessPrivilege Cloud PAM Self-Hosted SIAPAM SessionManaged as PAM targets — DBA credentials vaulted and rotated by CPM, sessions brokered by PSM (with SQL command capture) or accessed VPN-less with ZSP via SIA. MariaDB and Teradata rotate via the generic ODBC plugin; Snowflake has no official CPM plugin; Cassandra and Redis have none documented — verify on the Marketplace.
Oracle / SQL Server / MySQL / PostgreSQL — application & service accountsDatabasesMachine — Application SecretAgent-Based CP CCPMarketplace ConnectorProblem: apps connect with hard-coded connection-string passwords. Fix: the Credential Provider delivers and rotates them so nothing is embedded.
Oracle / SQL Server / PostgreSQL — database TLS certificatesDatabasesCertificate / KeyNGTSCertificate LifecycleProblem: TLS certificates securing DB connections expire and cause outages. Fix: NGTS discovers and auto-renews them.
Palo Alto Networks PAN-OS, Cisco (IOS / NX-OS / Meraki), Check Point, Juniper, Fortinet, F5, Citrix ADC (NetScaler), Arista (via custom / adapted SSH plugin); HPE Aruba, SonicWall, Zscaler, Infoblox, A10 Networks — unverified / communityNetwork & Security AppliancesHuman AccessPrivilege Cloud PAM Self-Hosted SIAPAM SessionManaged as PAM targets — admin credentials vaulted and rotated by CPM, sessions brokered by PSM (or SIA for modern VPN-less access). Not a runtime credential-fetch integration. HPE Aruba, SonicWall, Zscaler, Infoblox and A10 have no documented plugin — community or custom only; verify per vendor on the Marketplace.
PAN-OS / Cisco / F5 / Fortinet — local device admin / enable accountsNetwork & Security AppliancesMachine — Device AccountPAMMarketplace ConnectorProblem: local device and enable passwords are shared and rarely changed. Fix: CPM rotates them directly on the appliance.
PAN-OS / Cisco / F5 / Fortinet — appliance & firewall TLS certificatesNetwork & Security AppliancesCertificate / KeyNGTSCertificate LifecycleProblem: device and firewall certificates expire and trigger outages. Fix: NGTS automates discovery and renewal.
HPE iLO, Dell iDRACOut-of-Band Server Management (BMC)Human AccessPrivilege Cloud PAM Self-HostedPAM SessionBaseboard management controllers are root-level access to the physical server beneath the OS — BMC credentials are vaulted and rotated via Marketplace CPM plugins, with sessions brokered and recorded by PSM.
Windows Server, Linux (RHEL, Ubuntu, SUSE, Oracle Linux, Amazon Linux), Unix (IBM AIX, Oracle Solaris, HP-UX), IBM iSeries (AS/400), IBM z/OS; OpenVMS — not in current docs (legacy; verify on the Marketplace)Operating Systems & ServersHuman AccessPrivilege Cloud PAM Self-Hosted SIAPAM SessionManaged as PAM targets — privileged OS accounts vaulted and rotated by CPM, sessions brokered by PSM (RDP / SSH) or VPN-less via SIA; legacy Unix and mainframe via PSM connectors.
Windows Server & Linux (RHEL / Ubuntu) — service & cron accountsOperating Systems & ServersMachine — Application SecretAgent-Based CPMarketplace ConnectorProblem: service and scheduled-task accounts are static and shared. Fix: vaulted, rotated and delivered by the Credential Provider.
Windows / Linux — SSH host & authorised keys + machine TLS certificatesOperating Systems & ServersCertificate / KeySSH Manager NGTSCertificate LifecycleProblem: SSH keys and machine certificates sprawl and expire. Fix: SSH Manager for Machines governs and rotates SSH host & authorised keys; NGTS discovers and auto-renews the TLS certificates.
Windows, macOS & Linux workstations and laptops; loosely connected / remote devices not always on the corporate network; local (non-directory) accountsEndpoints & Loosely-Connected DevicesHuman AccessPrivilege Cloud EPMEndpoint AgentThe EPM agent on each endpoint discovers local accounts and rotates their credentials — caching jobs and executing them on reconnection — for devices that rarely reach the network. Owned by Privilege Cloud and delivered through the EPM agent; distinct from network-scan discovery and PSM-brokered sessions.
RDP, SSH, Telnet, VNC, SFTP, web / admin consoles, database clients (SSMS, Toad, SQL*Plus), thick-client / fat-client apps (SAP GUI, Oracle Forms), mainframe emulators (IBM 3270 / AS/400 5250)Privileged session protocols & thick-client appsHuman AccessPrivilege Cloud PAM Self-Hosted SIAPAM SessionPSM brokers and records the privileged session to the target — built-in connectors for RDP, SSH, Telnet, web and database clients; the PSM Universal Connector covers VNC, thick-client / fat-client and mainframe-emulator apps (e.g. OT operator HMIs over VNC). SIA is the modern VPN-less path for infrastructure.
VMware vCenter / ESXi / vSphere, Microsoft Hyper-V (via Windows platforms), Nutanix Prism (Marketplace web connector); Citrix Hypervisor (XenServer) — unconfirmed; Proxmox VE, Red Hat Virtualization (EOL), Oracle VM — no documented pluginVirtualisation & HypervisorsHuman AccessPrivilege Cloud PAM Self-Hosted SIAPAM SessionManaged as PAM targets — management-plane credentials vaulted and rotated by CPM, sessions brokered by PSM; SIA for modern VPN-less access where supported.
VMware vCenter / Hyper-V / Nutanix — automation & orchestration accountsVirtualisation & HypervisorsMachine — Application SecretCCPMarketplace ConnectorProblem: automation accounts for the hypervisor are hard-coded in scripts. Fix: resolved from the vault via CCP.
VMware vCenter & ESXi — host TLS certificatesVirtualisation & HypervisorsCertificate / KeyNGTSCertificate LifecycleProblem: hypervisor management certificates expire and disrupt operations. Fix: renewed automatically by NGTS.
AWS Management Console / CLI, Azure Portal, GCP Console; AWS IAM, Entra ID and GCP IAM rolesCloud Service Provider ConsolesHuman AccessSecure Cloud AccessZSP Console AccessEngineers — and AI dev tools via the SCA MCP Server — get just-in-time, zero-standing access to cloud consoles and CLIs: ephemeral access created per request and auto-revoked, no standing IAM users or admin roles, every action audited. A session-brokering integration, not a credential fetch.
AWS / Azure / GCP — cloud application & function secretsCloud Service Provider ConsolesMachine — Application SecretSecrets Manager Secrets HubNative API / SDKProblem: cloud apps and serverless functions need secrets. Fix: Secrets Manager delivers them, and Secrets Hub syncs vaulted secrets into the native cloud vaults (AWS Secrets Manager / Azure Key Vault / GCP) with Idira as the source of truth.
AWS / Azure / GCP — cloud workloads & serverlessCloud Service Provider ConsolesMachine — WorkloadSecure Workload AccessSPIFFEProblem: cloud workloads rely on stored keys. Fix: given a verifiable short-lived identity instead of a secret.
Wiz (CIEM / CNAPP)Cloud Security / CIEMHuman AccessSecure Cloud AccessRisk-Finding ImportWiz discovers identities with excessive standing cloud permissions and toxic combinations; the finding triggers a Secure Cloud Access ZSP policy so the identity reconnects just-in-time with zero standing privilege — remediation can be automated via Wiz rules. CIEM finds the over-privilege; SCA removes it.
AWS IAM users & access keys, AWS Management Console accounts (dual-account zero-downtime rotation)Cloud Platform IAM Accounts & API KeysHuman AccessPrivilege Cloud PAM Self-HostedMarketplace ConnectorCloud-platform IAM users, console accounts and long-lived access keys are vaulted and rotated by CPM (dual-account pattern for zero-downtime key rotation) — complementing SCA’s ZSP console access by managing the static cloud credentials that must still exist.
AWS IAM access keys / programmatic credentialsCloud Platform IAM Accounts & API KeysMachine — Application SecretSecrets Manager Secure Cloud AccessMarketplace ConnectorProblem: long-lived access keys persist and leak. Fix: vaulted and rotated by Secrets Manager, or replaced with short-lived STS credentials via Secure Cloud Access.
AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, GCP Secret ManagerThird-Party Cloud VaultsMachine — Application SecretSecrets HubVault SyncIdira becomes the source of truth for rotation, policy and audit; developers keep consuming natively. AWS, Azure and GCP get outbound sync plus discovery with per-secret onboarding back into Idira; HashiCorp Vault (KV v2) is discovery + outbound sync only.
Jenkins, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket; CircleCI, Argo CD, TeamCity, Bamboo, Harness, Octopus Deploy, Spinnaker — generic REST / APICI/CD & DevOps PipelinesMachine — Application SecretSecrets ManagerNative API / SDKSecrets injected at runtime via API/SDK — none stored in pipeline configs. Documented integrations: Jenkins, GitHub Actions, GitLab, Azure DevOps, Bitbucket; others via generic REST / API (Argo CD via the External Secrets Operator).
Pipeline runners & build jobs (e.g. on Kubernetes or cloud compute)CI/CD & DevOps PipelinesMachine — WorkloadSecure Workload AccessSPIFFEProblem: pipeline jobs hold static secrets. Fix: each job gets a short-lived verifiable identity (SPIFFE). For hosted GitHub Actions / GitLab / Azure DevOps, the documented pattern is the Secrets Manager JWT / OIDC authenticator.
Jenkins / GitHub Actions / GitLab CI — code-signing certificates & keysCI/CD & DevOps PipelinesCertificate / KeyCode Sign ManagerCertificate LifecycleProblem: code-signing keys are copied onto build servers. Fix: protected in the vault/HSM with signing automated in the pipeline by Code Sign Manager.
Java / Spring Boot, .NET, Node.js, Python & Go services, AWS Lambda, Azure Functions, Google Cloud FunctionsCloud-Native Apps & MicroservicesMachine — Application SecretSecrets ManagerNative API / SDKApp retrieves secrets via REST/SDK; rotation is policy-driven and zero-downtime.
Kubernetes, Red Hat OpenShift, Amazon EKS, Azure AKS, Google GKE, Rancher, VMware Tanzu, Docker; Amazon ECS / Fargate (AWS IAM authenticator); HashiCorp Nomad — undocumented; Podman — Conjur runtime onlyContainers & KubernetesMachine — WorkloadSecrets Manager + SWANative API / SDKNative Kubernetes authenticator delivers secrets to pods; ECS / Fargate tasks use the AWS IAM authenticator; SWA gives workloads a verifiable identity.
Kubernetes / OpenShift / EKS / AKS / GKE — Secrets & container credentialsContainers & KubernetesMachine — Application SecretSecrets ManagerNative API / SDKProblem: secrets get baked into manifests/images. Fix: retrieved at runtime via the Kubernetes authenticator.
Terraform / OpenTofu, Ansible, Puppet; Chef, Pulumi, SaltStack, AWS CloudFormation / CDK, Azure Bicep / ARM, Crossplane — generic APIInfrastructure-as-CodeMachine — Application SecretSecrets ManagerNative API / SDKIaC tools pull credentials at execution time — documented: Terraform, Ansible, Puppet (OpenTofu via the Terraform provider); others via generic APIs. Terraform values can still be written to state — use 1.10+ ephemeral / write-only forms.
Microsoft Copilot Studio, AWS Bedrock & AgentCore, Amazon Q, Claude, custom agents (OAuth 2.1 / API import), MCP-compatible toolsAI Agents & MCP PlatformsAI AgentSecure AI AgentsIdentity BrokerDiscovered and governed by Secure AI Agents — each agent gets a managed identity, and its access to tools is routed through the Identity Broker (also called the AI Agents Gateway) audited end to end; ZSP enforcement applies to SIA-based MCP servers (others may use different access controls).
Microsoft Copilot Studio & AWS Bedrock Agents — secrets agents use to reach tools / APIsAI Agents & MCP PlatformsMachine — Application SecretSecrets ManagerNative API / SDKProblem: agents embed API keys to call tools. Fix: the credentials are vaulted and delivered at runtime, not stored.
SPIFFE / SPIRE, Istio & Envoy service mesh, Linkerd, HashiCorp Consul, Kubernetes service accounts, cross-cloud (AWS / Azure / GCP) workloadsWorkload-to-Workload AuthMachine — WorkloadSecure Workload AccessSPIFFE SVIDA verifiable, short-lived SPIFFE identity replaces a shared secret entirely.
Microsoft 365 / Entra ID, Salesforce, Workday, ServiceNow, Google Workspace, Okta, SAP — 250+ documented integrations (vendor cites 1,000+)SaaS & Custom App GovernanceGovernanceIdentity GovernanceAPI / SCIM / RPA SyncIGA connects via 250+ documented integrations (vendor cites 1,000+), SCIM, Universal Sync RPA (for apps without APIs), direct-database connectors and flat-file ingestion — entitlement discovery, provisioning and certification rather than credential delivery.

Integration Methods

Scope & Engineer

Integration Methods

An SE reference for the integration methods — what each badge in the ‘How it integrates’ column of the Integrations table means, and when Idira uses it. Not every integration is a connector or a credential fetch; these are the distinct mechanisms — brokered sessions, API calls, vault sync, telemetry, workload identity and more.

Marketplace Connector

A pre-built integration from the CyberArk Marketplace — drop-in PSM connection components, CPM rotation plugins and app / SIEM integrations maintained by CyberArk and partners. Always the first place to look before building anything custom; the live Marketplace is the authoritative, current catalogue.

PAM Session

A privileged session brokered and recorded by PSM. The user connects through Idira to the target (RDP, SSH, web, database client) and never sees the credential; the session is isolated, monitored and replayable. SIA is the modern VPN-less equivalent for infrastructure.

Endpoint Agent

The EPM agent installed on each endpoint reaches devices that are rarely on the network — discovering local accounts and rotating their credentials, caching jobs and executing them on reconnection. The reach mechanism behind Privilege Cloud’s loosely-connected-device (LCD) discovery and rotation; not a brokered session or a runtime credential fetch.

ZSP Console Access

Just-in-time, zero-standing access to a cloud console or CLI (AWS, Azure, GCP) brokered per request by Secure Cloud Access — including from AI dev tools via the SCA MCP Server. Session brokering, not credential delivery; nothing standing is left behind.

Native API / SDK

Direct programmatic integration through the third party’s own API, SDK, SCIM or REST interface — covering secrets retrieval, HR-driven lifecycle, ITSM ticketing, reputation lookups and RPA sync. The catch-all when there’s no packaged connector but the system exposes an interface.

Vault Sync

One-way replication of Idira-managed secrets out to a third-party vault (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault) by Secrets Hub. The customer keeps their existing vaults; rotation, policy and audit sit above all of them in one control plane.

Federation

Identity federation via SAML / OIDC plus SCIM provisioning, delivered by Identity Administration against external IdPs (Entra ID, Okta, Ping). An SSO / identity integration, not a vault credential lookup — TDR / ITDR draws on Idira’s own sign-in telemetry, SIEM logon imports and Cortex risk scores.

Telemetry Feed

Outbound. Idira sends its own activity and audit telemetry to a SIEM / XDR / SOAR (Splunk, Sentinel, QRadar, Cortex) for correlation and response — Idira as the source of identity signal.

Telemetry Import

Inbound. Idira ingests logs and risk signals from a SIEM / XDR (privileged logon events, Cortex risk scores) to enrich identity-risk scoring, power PAM-bypass detection and surface unmanaged accounts into Pending Accounts for onboarding (PTA on Self-Hosted can onboard automatically) — Idira as the consumer.

HSM Key Protection

The vault’s top-level encryption keys are held in a hardware security module rather than software, for the highest assurance and FIPS / regulatory compliance. An infrastructure-hardening option for the vault itself, not a system integration.

Identity Broker

Routes an AI agent’s access to tools and MCP servers through the Secure AI Agents Identity Broker (the AI Agents Gateway), enforcing JIT / ZSP and auditing every action end to end. Each agent gets a managed identity rather than a static credential.

SPIFFE SVID

Workload identity on the open SPIFFE standard: a workload proves what it is with a short-lived, cryptographically verifiable SVID instead of holding a stored secret. Delivered by Secure Workload Access for Secretless workload-to-workload auth across cloud boundaries.

VSatellite

Certificate and machine-identity integration for NGTS: VSatellite bridges to certificate authorities and endpoints for discovery and automated lifecycle, delivered through Strata Cloud Manager. For PKI / CLM rather than credential or session access.

Solutions Architecture

Scope & Engineer

Solutions Architecture

What gets deployed where for the two PAM deployment models — so you can walk a customer through the architecture and size the on-premises footprint with confidence. PAM Self-Hosted runs the entire stack inside the customer environment; PAM Privilege Cloud splits the same capabilities across the Idira-managed cloud backend and a lightweight on-prem Connector. The maps below show each component in its zone, followed by what changed in the rotation engine (CPM → Secrets Rotation Service).

Verified against CyberArk Docs — PAM Self-Hosted Architecture and Privilege Cloud Architecture.

Scope & Engineer

PAM Self-HostedDeployment Architecture — Everything On-Premises

In PAM Self-Hosted the customer hosts and patches the entire stack inside their own environment — there is no Idira-managed cloud plane. This is the model for hard data-sovereignty, air-gap or isolation requirements (SOCI / CI Fortify). Modern SaaS services (SIA, SCA) can be integrated from V14.4+, but the core PAM stack below stays on-premises.

Customer environment — on-premisesOn-prem · Customer-managed
Core stack. Customer-hosted, customer-patched. Credentials and session recordings never leave the environment.
Digital Vault (EPV)The hardened, isolated “Storage Engine” — encrypted store for all credentials, SSH keys and session recordings.
Password Vault Web Access (PVWA)The web console — request, retrieve and manage privileged accounts; admin dashboard.
PrivateArk ClientWindows admin client — sets up the Vault hierarchy, Safes and users.
Central Policy Manager (CPM)Automatic credential rotation, verification and reconciliation against targets.
Privileged Session Manager (PSM)RDP/proxy session brokering with full video + command recording into the Vault.
PSM for SSH (PSMP)SSH/Unix session proxy + text recording; can bridge to AD for Unix provisioning.
Optional / additional — on-premisesOn-prem · Customer-managedOptional
HA Cluster & DR VaultoptionalDigital Cluster Vault Server for high availability, plus a replicated Disaster-Recovery Vault.
Privileged Threat Analytics (PTA)optionalBehavioural detection of privileged-account abuse; can auto-terminate risky PSM sessions.
On-Demand Privileges Manager (OPM)optionalLeast-privilege super-user elevation on Unix/Linux using the user’s own account.
Credential Providers (CP / CCP)optionalApplication & machine credential delivery — Application Password Provider (local cache) and Central Credential Provider (agentless HTTPS).
Customer-managed (on-prem)Optional / add-on

Data path: users reach PVWA (or a native client via PSM); PSM / PSM for SSH broker the session to the target and stream the recording into the Vault; the CPM rotates the target credential and writes it back to the Vault. Everything stays inside the customer network. High availability comes from the Vault cluster and a DR Vault.

Scope & Engineer

PAM Privilege CloudDeployment Architecture — Cloud + Connector

Privilege Cloud is a two-leg architecture: Idira hosts and runs the Vault and the major services as SaaS, and you deploy a lightweight Connector in your environment for session isolation and to reach your targets. With the Secrets Rotation Service (SRS) — the recommended rotation service for new deployments (CPM-based track remains supported) — there is no CPM on the Connector; rotation is a cloud service executed locally by the Connector Management Agent.

Idira Privilege Cloud backendSaaS · Idira-managed
Hosted, maintained and upgraded by Idira — nothing here for the customer to host or patch.
Privilege Cloud VaultThe cloud-hosted Vault — credential and SSH-key storage, security mechanisms and logging.
Privilege Cloud Portal (PVWA)The web UI — manage Safes/accounts, connect to targets, monitor sessions.
Secrets Rotation Service (SRS)SaaS rotation engine — active-active, auto-scaling, full-Safe coverage. Recommended for new deployments; replaces CPM.
Discovery serviceRuns discovery scans and applies rules to onboard relevant accounts.
Identity AdministrationSSO/MFA, IdP federation and user provisioning for the platform.
Connector Management portalTracks Connector versions/health; interfaces between cloud services and the on-prem agent.
Customer environment — the Connector (on-prem)On-prem · Customer-managed
A lightweight Windows Connector (one or more for HA) that reaches your targets — up to ~70% fewer on-prem hosts than Self-Hosted (unsourced estimate).
Privileged Session Manager (PSM)Session brokering + recording, runs on the Connector. Same broad target coverage as Self-Hosted.
PSM for SSH (Unix connector)SSH session proxy for Unix/Linux targets.
Connector Management AgentInstalls/monitors components and executes the SRS rotation plugins against targets — this is what replaces the on-prem CPM.
Identity ConnectorBridges the organisation’s Active Directory into Identity Administration.
Secure Tunnel clientoptionalSecure link for SIEM integration and Idira Remote Access (vendor/offline access).
CPMlegacyOnly in the older “with CPM” variant — not deployed when SRS is used (the recommended service for new deployments).
Idira Shared ServicesSaaS · Idira-managedOptional
Secure Infrastructure Access (SIA)optionalVPN-less, agentless infrastructure access; bundled with Privilege Cloud (deploy the connector).
Remote Access & HTML5 GatewayoptionalBrowser-based vendor/offline access without a VPN.
Cross-Region Disaster RecoveryoptionalService continuity across AWS regions — ~5-minute RPO/RTO.
Idira-managed (SaaS)Customer-managed (Connector)Optional / add-on
In Short

In the Idira cloud (managed for you)

Vault, Portal/PVWA, SRS, Discovery, Identity Administration and the Connector Management portal — Idira hosts, secures and upgrades all of it. No vault servers to build, harden or patch.

On your Connector (you host)

PSM, PSM for SSH, the Connector Management Agent and the Identity Connector — on one or more lightweight Windows servers. Only outbound 443 is required; no inbound firewall ports.

The rotation change — no CPM

RecommendedSRS

Rotation moved to the cloud SRS; the Connector Management Agent runs the rotation plugins locally. A standalone CPM service only exists in the older “with CPM” variant.

What Changed — CPM → Secrets Rotation Service

Before — Central Policy Manager (CPM)

On Privilege Cloud, rotation ran as the CPM service on the connector machine in your environment — the same connector that hosts PSM — which you deployed and kept patched. (On PAM Self-Hosted the CPM is a full vault-tier server component.)

Now — Secrets Rotation Service (SRS)

Delivered byPrivilege Cloud

Rotation is a SaaS service in the Privilege Cloud backend — active-active, auto-scaling, with full-Safe coverage by default. The only on-prem piece is the Connector Management Agent on the connector machine, which executes cached rotation plugins against targets — no CPM service runs there anymore. Immediate rotation with real-time status, plus REST APIs for CI/CD.

PAM Self-Hosted — Unchanged

Delivered byPAM Self-Hosted

The self-hosted deployment continues to run the full on-prem stack — Vault, CPM and PSM inside the customer environment. SRS is the recommended rotation service for new Privilege Cloud deployments and is becoming the platform standard.

Glossary

Scope & Engineer

Glossary

Plain-English definitions of the acronyms used across this guide — aimed at new starters, so skim it first if the jargon is unfamiliar.

ACME
Automated Certificate Management Environment — open protocol for automated certificate issuance and renewal; one of the standards NGTS uses for CA-neutral enrolment.
ACSC
Australian Cyber Security Centre — the ASD body that publishes the Essential Eight and CI Fortify guidance.
AD
Active Directory — Microsoft’s directory service for Windows users, groups and computers; the IGA ‘AD clean-up’ use case governs it.
ADCS
Active Directory Certificate Services — Microsoft’s on-premises certificate authority — the ageing internal CA that NGTS modernises and replaces.
Agent-Based CP
Agent-based Credential Provider — a local agent and credential cache on the application server, so the app keeps working if the vault is unreachable.
AI Agents Gateway
Secure AI Agents enforcement point — CyberArk’s product-marketing name for the control point between AI agents and the tools they use; the same component as the Identity Broker.
APRA CPS 234
APRA Prudential Standard CPS 234 (Information Security) — requires APRA-regulated Australian entities (banks, insurers, super funds) to maintain information-security controls including access management; a driver for access certifications and reviews.
ARA
Application Risk Analysis — a former EPM threat-intelligence service; retired by CyberArk on 31 March 2025 and replaced by the VirusTotal integration EPM now uses to assess unknown-application risk.
ASD
Australian Signals Directorate — Australia’s signals-intelligence and cyber-security agency; parent of the ACSC.
BYOK
Bring Your Own Key — customer-managed encryption keys, e.g. for data sovereignty in Privilege Cloud.
CA
Certificate Authority — the trusted issuer of digital certificates; NGTS is CA-neutral and can modernise internal CAs.
CCP
Central Credential Provider — agentless HTTPS web service that applications call to retrieve credentials at runtime.
CI/CD
Continuous Integration / Continuous Delivery (or Deployment) — automated software build, test and release pipelines (e.g. Jenkins, GitHub Actions, GitLab CI); a common consumer of secrets.
CLM
Certificate Lifecycle Management — discovery, issuance, renewal, rotation and validation of digital certificates (NGTS).
CORA
CORA AI — Idira’s built-in AI assistant; summarises sessions and audit activity across the platform.
COTS
Commercial Off-The-Shelf — packaged third-party software (rather than custom-built); typically integrated for credentials via the CCP.
CPM
Central Policy Manager — the credential-rotation engine. On Privilege Cloud it is superseded by the SaaS Secrets Rotation Service (SRS); it remains an on-prem component on PAM Self-Hosted.
CSF
Cybersecurity Framework — the NIST framework (CSF 2.0) whose six functions Idira products map across.
DPA
Dynamic Privileged Access — the former name of Secure Infrastructure Access (SIA).
EDR
Endpoint Detection and Response — endpoint threat-detection tooling; EPM complements it by removing standing local-admin rights.
EPM
Endpoint Privilege Manager — removes local admin rights and controls application elevation on endpoints.
EPV
Enterprise Password Vault — CyberArk’s hardened, isolated Digital Vault that stores credentials in the PAM Self-Hosted deployment.
EST
Enrollment over Secure Transport — a certificate-enrolment protocol NGTS supports as part of its CA-neutral orchestration.
HMI
Human-Machine Interface — the operator console in OT / industrial environments; a target type in critical-infrastructure deployments.
IaC
Infrastructure as Code — provisioning infrastructure from machine-readable definition files (e.g. Terraform, CloudFormation, Ansible) rather than manual setup; a common place for hard-coded secrets, which Secrets Manager removes.
IAM
Identity and Access Management — managing who can access what; the ‘privileged-few’ assumption is the belief that securing only named admins is enough.
Identity Broker
Secure AI Agents control point — registers MCP servers behind a single gateway URL and routes every AI-agent→tool request through itself, enforcing authentication, JIT / ZSP authorisation and audit. Also branded the AI Agents Gateway.
IdP
Identity Provider — the system that authenticates users and asserts their identity (e.g. Microsoft Entra ID, Okta, Ping). Idira can federate with an external IdP or act as one.
IGA
Identity Governance and Administration — discovering, certifying, provisioning and de-provisioning access (originally Zilla Security).
IIS
Internet Information Services — Microsoft’s Windows web server; the Central Credential Provider (CCP) runs as a web service on it.
ISI
Identity Security Intelligence — the former name of the platform’s behavioural threat-detection service; support ended March 2026, superseded by Threat Detection & Response (TDR).
ISPM
Identity Security Posture Management — continuous discovery and a live risk inventory of identities, accounts and entitlements; the always-on visibility layer Idira runs across the estate.
ITDR
Identity Threat Detection and Response — the discipline TDR implements: continuous monitoring after access is granted.
ITSM
IT Service Management — tooling and processes for managing IT services and requests (e.g. ServiceNow, Jira Service Management); often integrated for access requests and approvals.
JIT
Just-in-Time — access granted only for the time needed, e.g. temporary group membership or a time-limited checkout of a vaulted account.
JWT
JSON Web Token — a signed token format; one of the forms a SPIFFE SVID can take to authenticate a workload or AI agent.
LDAP
Lightweight Directory Access Protocol — the standard protocol for querying directory services such as Active Directory.
MCP
Model Context Protocol — open protocol that lets AI tools/agents call external tools; used by the SCA MCP Server and the Identity Broker.
MES
Manufacturing Execution System — shop-floor production system in OT environments; a common Credential Provider target.
MFA
Multi-Factor Authentication — requiring more than a password to sign in; Identity Administration provides adaptive (risk-based) MFA.
mTLS
Mutual TLS — TLS where both client and server authenticate with certificates; how Secure Workload Access establishes workload-to-workload trust.
NGTS
Next-Generation Trust Security — PANW's CLM platform, built on Venafi (via the CyberArk acquisition) and delivered by extending Strata Cloud Manager.
NIST
National Institute of Standards and Technology — the US body that publishes the Cybersecurity Framework (CSF).
OEM
Original Equipment Manufacturer — third-party equipment vendors whose engineers often need time-bound remote access (a Vendor Privileged Access scenario).
OIDC
OpenID Connect — a modern federation/SSO protocol built on OAuth 2.0; used to federate Idira with external IdPs.
OT
Operational Technology — the control systems that run physical processes (plants, utilities, manufacturing); see also SCADA.
PAM
Privileged Access Management — securing, vaulting and monitoring elevated accounts.
Identity Compliance
Access certification for PAM environments — extends IGA access certification to Privilege Cloud and PAM Self-Hosted Safes and privileged accounts (Idira internal name).
PKI
Public Key Infrastructure — the certificates, keys and CAs that underpin TLS and machine trust (managed by NGTS).
PQC
Post-Quantum Cryptography — encryption algorithms designed to resist quantum attack; NGTS inventories dependencies and coordinates migration to them.
Precision AI
Precision AI — Palo Alto Networks’ proprietary AI (machine learning, deep learning and generative AI) embedded across its security platforms; the AI capability the Idira platform draws on.
PSM
Privileged Session Manager — the vault-brokered engine that proxies and records privileged sessions (video plus text — keystrokes, SQL commands, window titles). Native to both Privilege Cloud and PAM Self-Hosted.
PSMP
Privileged Session Manager for SSH — the SSH / Unix session proxy (also written PSM for SSH); brokers and records SSH sessions. Idira positions SIA to eventually supersede it.
PVWA
Password Vault Web Access — the web console for PAM Self-Hosted (request and retrieve credentials, launch and monitor sessions); the Privilege Cloud Portal is its SaaS equivalent.
RBAC
Role-Based Access Control — granting access by assigned role rather than to individuals.
RMP
Risk Management Program — the security obligations critical-infrastructure entities must meet under Australia’s SOCI Act, explicitly including privileged access controls.
RPA
Robotic Process Automation — software bots that automate tasks; they hold credentials, usually delivered via the CCP.
RPO/RTO
Recovery Point / Recovery Time Objective — the data-loss and downtime targets for disaster recovery (e.g. Privilege Cloud’s 5-minute cross-region DR).
SAML
Security Assertion Markup Language — the long-established federation/SSO standard for exchanging authentication between an IdP and an application.
SASE
Secure Access Service Edge — converged network-and-security edge platform; NGTS manages the TLS certificates across it.
SCA
Secure Cloud Access — native, credential-less ZSP access to AWS, Azure and GCP consoles and CLIs.
SCADA
Supervisory Control and Data Acquisition — industrial control systems in OT environments; a key Agent-Based CP use case.
SCEP
Simple Certificate Enrollment Protocol — a widely used certificate-enrolment protocol NGTS supports (CA-neutral).
SCIM
System for Cross-domain Identity Management — the standard for automated user/group provisioning and de-provisioning between systems (e.g. to/from Okta and Entra ID).
SIA
Secure Infrastructure Access — VPN-less, agentless access to Windows, Linux, databases and Kubernetes (formerly Dynamic Privileged Access / DPA).
SIEM
Security Information and Event Management — log aggregation and analytics (Splunk, Sentinel, QRadar, Cortex XSIAM) that consume Idira audit and TDR telemetry.
SOAR
Security Orchestration, Automation and Response — automated incident-response workflows (e.g. Cortex XSOAR) that can act on identity signals.
SOC
Security Operations Centre — the team and tooling that monitor and respond to threats; Cortex is PANW’s SOC platform.
SOCI
Security of Critical Infrastructure — the Australian SOCI Act 2018 and its Risk Management Program obligations for critical-infrastructure operators.
SP
Service Provider — in SAML federation, the application that trusts an IdP for authentication (the counterpart to the IdP). Not to be confused with SP-1 / SP-2 / SP-3, the AESCSF Security Profiles — cumulative maturity targets set by an operator's assessed criticality.
SRS
Secrets Rotation Service — the SaaS credential-rotation engine in the Privilege Cloud backend; the recommended rotation service for new deployments (CPM-based track remains supported), executed in your environment by the Connector Management Agent. Replaces the customer-managed CPM for Privilege Cloud.
SPIFFE
Secure Production Identity Framework For Everyone — an open standard for cryptographic workload identity that Secure Workload Access implements.
SPIRE
SPIFFE Runtime Environment — the open-source implementation that issues SPIFFE identities (SVIDs); underpins Secure Workload Access.
SSO
Single Sign-On — one authenticated session granting access to many applications; delivered by Identity Administration.
SSP
Secure Standing Privilege — a persistent vaulted account governed by Idira; required for break-glass and non-federated targets.
Strata NGFW
Strata Next-Generation Firewall — Palo Alto Networks next-generation firewall. In the Idira certificate flow the documented private-network connector is the VSatellite; an NGFW connector role is not documented.
SVID
SPIFFE Verifiable Identity Document — the short-lived credential (an X.509 certificate or JWT) a workload presents as proof of its SPIFFE identity.
SWA
Secure Workload Access — SPIFFE-based cryptographic identity for compute workloads, built on Secrets Manager.
SWS
Secure Web Sessions — records, monitors and protects what users do inside web/SaaS apps after login, including SSO-federated apps (session recording, continuous authentication, in-session controls; app-open step-up MFA via Identity Administration policies).
TDR
Threat Detection & Response — the platform shared service that detects and responds to identity threats after access is granted; the successor to Identity Security Intelligence (ISI).
TLS
Transport Layer Security — the protocol securing network connections with certificates; its shrinking 47-day validity drives the NGTS use case.
VSatellite
NGTS connector appliance (Venafi heritage) — extends the NGTS SaaS service into private / on-prem networks for certificate discovery and provisioning.
WPM
Workforce Password Management — enterprise password vault for business apps, for SSO and non-SSO apps alike, especially where SSO isn't available.
ZSP
Zero Standing Privileges — no persistent operational account; an ephemeral account is created per session and removed afterwards.

Resources & References

Reference Material

Resources & References

Where to go for authoritative, public reference material. Everything here is publicly accessible — the Idira and Palo Alto Networks sites for product overviews and strategy, and CyberArk Docs as the engineering source of truth this guide is verified against.

Primary Sources

Product overviews, solution pages, customer stories and analyst recognition across the whole platform — Human, machine and agentic.
The engineering source of truth. Full technical documentation, setup & admin guides, APIs and release notes for every product — what this guide is verified against.
Network-native and Strata documentation, including Strata Cloud Manager / NGTS for certificate lifecycle management.

Strategy, analyst & thought-leadership

2026 Identity Security Landscape Report → — the demand drivers and statistics referenced throughout this guide.

The Executive Guide to Identity Security Platforms → — the platform-consolidation business case.

2025 Gartner® Magic Quadrant™ for PAM → — analyst positioning.

Idira: Our Journey to Democratize Privilege Controls → — the launch blog and platform vision.

Identity Security blog → — ongoing articles and product updates.

Two reference layers. The Idira overview pages are the customer-facing positioning pages (solution pages, datasheets, customer stories) — several products share one page, so each is listed once. The CyberArk Docs table is the engineering source of truth this guide is verified against, one link per product (where a product has no dedicated docs space yet, the link points to the CyberArk Docs portal home). Every external link here is re-checked at each quarterly review.

Idira Overview Pages

Human IdentityIdentity & Access Management → · Privileged Access Management → · Vendor Privileged Access → · Endpoint Privilege Manager → · Workforce Password Management → · Human Identity Security →

GovernanceIdentity Governance →

Machine IdentitySecrets Management → · Unified Secrets Governance → · Application Credentials Delivery → · Machine Identity Security →

AgenticAgentic Identity Security →

CertificatesStrata Cloud Manager (NGTS) →

PlatformIdira Platform →

CyberArk Docs by Product

ProductCyberArk Docs (source of truth)
HUMAN IDENTITY
Identity AdministrationCyberArk Docs — Identity Administration →
Privilege CloudCyberArk Docs — Privilege Cloud →
PAM Self-HostedCyberArk Docs — PAM Self-Hosted →
Secure Infrastructure AccessCyberArk Docs — Secure Infrastructure Access →
Secure Cloud AccessCyberArk Docs — Secure Cloud Access →
Vendor Privileged AccessCyberArk Docs — Remote Access (Vendor) →
Workforce Password ManagementCyberArk Docs — Workforce Password Management →
Secure Web SessionsCyberArk Docs — Secure Web Sessions →
Endpoint Privilege ManagerCyberArk Docs — Endpoint Privilege Manager →
MACHINE IDENTITY
Secure Workload AccessCyberArk Docs — Secure Workload Access →
Secrets ManagerCyberArk Docs — Secrets Manager (SaaS) →
Secrets HubCyberArk Docs — Secrets Hub →
Credential Providers (Agent-Based CP / CCP)CyberArk Docs — Credential Providers →
CERTIFICATES
NGTSPalo Alto Networks Tech Docs →
AGENTIC
Secure AI AgentsCyberArk Docs — Secure AI Agents →
GOVERNANCE
Identity GovernanceCyberArk Docs — CyberArk IGA →
Identity ComplianceCyberArk Docs — Identity Compliance →
PLATFORM SHARED SERVICES
CORA AICyberArk Docs — CORA AI →
Threat Detection & Response (TDR / ITDR)CyberArk Docs — Threat Detection and Response →
Discovery & ContextCyberArk Docs — Discovery & Context →
Cloud VisibilityCyberArk Docs — Cloud Visibility →

This Idira Identity Security Reference Guide was compiled with Claude using only publicly available documentation from Idira, Palo Alto Networks and CyberArk, and verified against live vendor docs — always confirm details against the sources linked throughout before relying on them. Version 5.6 · last reviewed 3 July 2026 · next quarterly refresh due first week of October 2026. Independent, unofficial reference — not an official Palo Alto Networks, Idira or CyberArk site and not endorsed by them; views are my own and all trademarks belong to their respective owners. Built and maintained personally by Andy Stewart.