nexalign

Decision guide · Privileged Access Management

Choosing a PAM tool: vault, session recording, JIT under NIS2 and DORA

PAM is one of the most heavily regulated disciplines: BAIT BTO 6, VAIT, NIS2 Art. 21 (i), DORA Art. 9 and ISO 27001 A.5.16-A.8.2 all require audit-ready governance of privileged access. The tool choice hinges on the on-prem vs. cloud strategy, the existing IAM stack, the skill profile of the team and the sub-disciplines in scope (PASM, PEDM, AAPM, RPAM, CIEM).

TL;DR

The PAM market splits three ways: enterprise on-prem/hybrid (CyberArk, BeyondTrust, Delinea), cloud-native (HashiCorp, AWS, Azure PIM), DevOps vaulting (HashiCorp, Doppler, Akeyless).

Who owns this decision

CISO and IT operations jointly. Compliance and Audit in the steering group. In banking add the BAIT officer.

Key criteria to weight

  • Just-in-Time and Zero Standing Privilege

    Modern audit expectation: no permanent admin rights.

  • Session recording and replay

    Audit standard for privileged actions in banking and insurance.

  • Coverage of Windows, Unix, Cloud, K8s, databases, network

    Heterogeneous stacks need a broad connector library.

  • Integration with IAM and IGA

    PAM without IGA integration produces identity drift.

  • Roll-out without 12-month consultancy

    PAM implementations often fail on complexity.

  • EU hosting and key custody

    Cloud PAM vaults must be EU-resident; check key custody for critical functions.

Step-by-step decision flow

  1. Privilege inventory

    Which accounts, which systems, which skills. Is the joiner-mover-leaver discipline current?

  2. Sub-discipline delimitation

    PASM (vault), PEDM (endpoint privilege mgmt), AAPM (app-to-app), CIEM (cloud IAM).

  3. Vendor longlist

    Enterprise: CyberArk, BeyondTrust, Delinea, One Identity Safeguard. Cloud: HashiCorp Vault, Azure PIM, AWS IAM Identity Center. DevOps: Doppler, Akeyless. EU: ARCON, Wallix.

  4. Shortlist and PoC

    2-3 vendors, PoC with three real use cases (SSH bastion, cloud admin, DB admin).

  5. Memo and roll-out plan

    Decision memo plus phased plan: domain admins first, tier-2 after 6 months, cloud PAM and CIEM in wave 3.

Compliance note

BAIT BTO 6, VAIT, NIS2 Art. 21 (i), DORA Art. 9, ISO 27002:2022 A.8.2 Privileged Access Rights.

Common pitfalls

  • PAM tool is bought without identity lifecycle (IGA). Result: vault full of dead accounts.
  • Vendor choice based on demo wow, not connector depth for your stack.
  • Migration path missing. Project runs 18-24 months.
  • Cloud PAM and on-prem PAM operated in parallel. Double cost and double audit.

FAQ

Do I need CyberArk or is Azure PIM enough?

Azure PIM covers Microsoft Entra ID and Azure resources. A mixed world with Linux, databases, network hardware and SaaS apps needs CyberArk, BeyondTrust or Delinea.

What does a PAM project realistically cost?

Licence typically 80-250 EUR per privileged user per year. A mid-cap bank typically budgets 800 k to 2 M EUR in the first year.

How do PAM and Passkeys fit together?

PAM manages identities and sessions. Passkeys / FIDO2 are the authentication factor. Modern PAM solutions support FIDO2 as a second factor for vault unlock.