Privileged Session Management (PSM)

The control layer that monitors, records, and intervenes in privileged sessions, so what happens inside the connection is as governed as the entry.

Last updated: June 2026


PAM controls entry. PSM controls impact.

Most privileged access programs invest heavily in who gets access: approval workflows, JIT requests, MFA requirements, credential vaulting. These controls are necessary. They're also insufficient.

Once a privileged session starts (an SSH connection to a production server, an RDP session to a critical system, a cloud console login with administrative rights) the access controls have done their work. What happens inside that session is a different problem entirely. PSM is the discipline that governs it.


What is Privileged Session Management?

Privileged Session Management (PSM) is a security control that monitors, records, and governs the actions taken by privileged users and automated processes during active sessions on critical systems. It operates as a proxy or bastion layer between the user and the target system, monitoring activity, logging it for audit and forensic purposes, enabling real-time intervention when risk is detected, and hiding the actual credentials from the user so they cannot be stolen or reused.

Where PAM governs whether access is granted, PSM governs how that access is used.


Quick Summary

Category: Privileged access management (PAM) · Audit and compliance · Insider threat detection
Related to: PAM, credential vaulting, session recording, insider threat detection, ITDR, Zero Trust, access certification
Primary use: Monitoring and controlling privileged user and automated process activity during active sessions on critical systems
Key benefit: Non-repudiation. Every privileged action is recorded, attributable, and reviewable, which enables forensics, compliance evidence, and real-time threat response

The five capabilities that constitute PSM

PSM isn't a single feature. It's a control layer composed of five distinct capabilities. Implementing some without others leaves meaningful gaps.

1. Session recording

Every action in a privileged session (keystrokes, commands executed, screens viewed, files accessed, configurations changed) is recorded and stored as a tamper-evident log. Modern PSM platforms record sessions as searchable video with indexable text: an investigator can search all sessions from the past 90 days for every instance of a specific command, a specific file path, or a specific system action.

The compliance value is non-repudiation: no privileged user can claim they didn't execute a command that the session recording captured. The forensic value is reconstruction: when an incident occurs, the full sequence of actions leading to it is available for replay.

Critical prerequisite: recording produces non-repudiation only when sessions run under individual, verified identities. A session recording showing "svc_admin executed DROP TABLE" establishes what happened. It doesn't establish who did it if ten engineers share the svc_admin credential. Session recording combined with individual identity attribution is the minimum requirement for the forensic and compliance value to hold.
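As an added example (not code from the original page or from Identity Confluence), here is the minimal shape of a recording that satisfies both requirements: every event is hash-chained to the one before it, so a later edit to any event is detectable, and every event carries the MFA-verified individual alongside the shared target account the gateway injected. The hashing scheme, field names, identities, and session contents are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain head before the first event


class SessionRecord:
    """Hash-chained record of one PSM-proxied session (hypothetical format).

    Every event carries both the individually authenticated actor and the
    shared target account the gateway injected, so "svc_admin executed
    DROP TABLE" stays attributable to a named engineer.
    """

    def __init__(self, session_id, actor, target_account, target_host):
        self.session_id = session_id
        self.actor = actor                    # e.g. "alice@corp.example" (MFA-verified)
        self.target_account = target_account  # e.g. "svc_admin" (never shown to the actor)
        self.target_host = target_host
        self.events = []
        self.head = GENESIS

    def append(self, ts, kind, payload):
        entry = {
            "session_id": self.session_id,
            "actor": self.actor,
            "target_account": self.target_account,
            "target_host": self.target_host,
            "ts": ts,
            "kind": kind,        # "command", "file", "screen", ...
            "payload": payload,
            "prev": self.head,   # links this event to the one before it
        }
        entry["hash"] = digest_event(entry)
        self.events.append(entry)
        self.head = entry["hash"]
        return entry["hash"]


def digest_event(body):
    # Canonical JSON (sorted keys, no whitespace) so an independent verifier
    # recomputes exactly the same bytes.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def verify_chain(events):
    """Recompute every hash and link. Returns (ok, index of first bad event or -1)."""
    prev = GENESIS
    for i, ev in enumerate(events):
        body = {k: v for k, v in ev.items() if k != "hash"}
        if body.get("prev") != prev or digest_event(body) != ev.get("hash"):
            return False, i
        prev = ev["hash"]
    return True, -1


def search(events, needle):
    """Indexable-text search across recordings: (actor, target_account, ts, payload)."""
    return [(ev["actor"], ev["target_account"], ev["ts"], ev["payload"])
            for ev in events if needle in ev["payload"]]


def build_sample():
    # Constructed sample: two engineers check out the same shared account in turn.
    a = SessionRecord("s-1001", "alice@corp.example", "svc_admin", "db-prod-01")
    a.append("2026-06-01T09:00:01Z", "command", "SELECT count(*) FROM orders;")
    a.append("2026-06-01T09:00:20Z", "command", "ANALYZE orders;")
    b = SessionRecord("s-1002", "bob@corp.example", "svc_admin", "db-prod-01")
    b.append("2026-06-01T11:30:05Z", "command", "DROP TABLE orders_backup;")
    return a, b


if __name__ == "__main__":
    a, b = build_sample()
    print(verify_chain(a.events), verify_chain(b.events))
    print(search(a.events + b.events, "DROP TABLE"))  # attributed to bob, not to "svc_admin"
    tampered = json.loads(json.dumps(a.events))
    tampered[0]["payload"] = "SELECT 1;"               # rewrite history after the fact
    print(verify_chain(tampered))                       # chain breaks at index 0
```

The chain only proves internal consistency: a platform that wants to detect wholesale replacement of a recording also has to anchor the chain head (sign it, or write it to append-only storage) outside the system that produced it.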

2. Real-time monitoring and session termination

A security administrator can observe active privileged sessions in real time, watching what commands are being executed, what files are being accessed, what changes are being made. When anomalous or unauthorized activity is detected, the session can be paused or terminated immediately, before the action completes or before data exfiltration occurs.

This is PSM's most operationally valuable capability for insider threat scenarios: a contractor who begins querying data outside their assigned scope, an administrator whose session shows signs of a credential being used by an unauthorized party, or an automated script exhibiting unexpected behavior can all be interrupted before the damage is complete.

3. Credential injection and concealment

In a PSM-managed session, the user doesn't see or receive the credential used to authenticate to the target system. The PSM tool retrieves the credential from a vault, injects it into the session on behalf of the user, and establishes the connection. The privileged password, SSH key, or service account token is never transmitted to the user's workstation, stored in their clipboard, or visible in the session recording.

This closes off credential theft through the user or their endpoint: a user whose PSM session is fully recorded and whose workstation is fully compromised can't produce the credential because they never had it. The credential can still be exposed on the target itself (a memory dump of a compromised server, for example), which is why vaults rotate it after each checkout. Credential injection is what transforms session recording from a compliance tool into an active security control.

4. Session isolation and bastion access

PSM operates as a proxy between the user's device and the target system. The user connects to the PSM gateway. The PSM gateway connects to the target. The user's workstation never has a direct network path to the privileged system, which eliminates several attack vectors:

  • Malware on the user's workstation has no network route to the target; it can only act through the proxied session, which the gateway records and can restrict (for example by disabling RDP clipboard and drive redirection and SSH port forwarding)
  • The target system's network exposure is limited to the PSM gateway, not every administrator's device
  • Protocol inspection at the gateway layer allows command-level control that endpoint-to-endpoint connections can't provide

For external parties (contractors, managed service providers, vendors) session isolation also means that the PSM gateway is the only entry point the organization has to expose and manage for that access pattern. The vendor's internal systems and the customer's production infrastructure are never directly connected.

5. Command and activity control

Beyond recording what happens, PSM can prevent certain things from happening. Command control lets organizations define approved commands and block unauthorized ones: a database administrator whose session policy allows SELECT queries but not DROP TABLE can't accidentally or maliciously execute destructive operations, even with a credential that technically permits them.

This is the most active form of PSM control. It shifts the model from "detect and respond" to "prevent". Combined with real-time monitoring, command control provides defense in depth within the privileged session itself. Its strength depends on where the gateway enforces the policy: a filter that pattern-matches keystrokes in an interactive shell can be evaded with aliases, scripts, comments, or a second statement on the same line, whereas a proxy that parses the protocol (SQL statements, SSH channel requests) can enforce an allowlist reliably.
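The difference between keystroke matching and protocol-level enforcement is easiest to see in code. The following added example (not from the page or any vendor product) implements a SQL statement allowlist the way a database proxy would: it strips comments, splits a batch on statement boundaries outside string literals, classifies each statement by its top-level verb (looking through a WITH clause to the real verb), and permits the batch only if every statement is allowed. A naive regex denylist is included for contrast. The policy set ALLOWED_VERBS, the sample queries, and the function names are assumptions.

```python
import re

# Assumed policy for a read-only DBA role (hypothetical, not a vendor default).
ALLOWED_VERBS = {"SELECT", "EXPLAIN", "SHOW"}
DML_VERBS = {"SELECT", "INSERT", "UPDATE", "DELETE", "MERGE"}
# Tokens: parentheses, single/double-quoted strings, identifiers/keywords.
TOKEN = re.compile(r"""\(|\)|'(?:[^']|'')*'|"(?:[^"]|"")*"|[A-Za-z_][A-Za-z0-9_]*""")


def strip_comments(sql):
    """Remove -- and /* */ comments without touching quoted strings."""
    out, i, n, quote = [], 0, len(sql), None
    while i < n:
        c = sql[i]
        if quote:
            out.append(c)
            if c == quote and i + 1 < n and sql[i + 1] == quote:  # '' escape inside a string
                out.append(c)
                i += 1
            elif c == quote:
                quote = None
            i += 1
        elif c in ("'", '"'):
            quote, i = c, i + 1
            out.append(c)
        elif sql.startswith("--", i):
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif sql.startswith("/*", i):
            j = sql.find("*/", i + 2)
            if j == -1:
                raise ValueError("unterminated block comment")
            out.append(" ")  # a comment separates tokens: DROP/**/TABLE -> DROP TABLE
            i = j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def split_statements(sql):
    """Split on ';' outside quoted strings; drop empty pieces."""
    stmts, cur, quote = [], [], None
    for c in sql:
        if quote:
            cur.append(c)
            if c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
            cur.append(c)
        elif c == ";":
            stmts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
    stmts.append("".join(cur))
    return [s.strip() for s in stmts if s.strip()]


def statement_verb(stmt):
    """First top-level keyword; for WITH ... look past the CTEs to the real verb."""
    depth, words = 0, []
    for m in TOKEN.finditer(stmt):
        tok = m.group(0)
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif depth == 0 and tok[0] not in "'\"":  # skip string literals entirely
            words.append(tok.upper())
    if not words:
        return None
    if words[0] == "WITH":
        return next((w for w in words[1:] if w in DML_VERBS), "WITH")
    return words[0]


def evaluate(sql):
    """Return (allowed, verbs). Every statement in the batch must be allowed."""
    verbs = [statement_verb(s) for s in split_statements(strip_comments(sql))]
    return bool(verbs) and all(v in ALLOWED_VERBS for v in verbs), verbs


# The keystroke-matching denylist this replaces: easy to evade, easy to false-positive.
DENY = [re.compile(p, re.I) for p in (r"\bDROP\s+TABLE\b", r"\bTRUNCATE\b", r"\bDELETE\b")]


def naive_denylist_allows(sql):
    return not any(p.search(sql) for p in DENY)


if __name__ == "__main__":
    for q in ["SELECT * FROM orders WHERE id = 1",
              "SELECT 1; DROP TABLE orders",              # second statement in the batch
              "DROP/**/TABLE orders",                     # comment splits the keyword pair
              "SELECT 'DROP TABLE x' AS s",               # literal, not a command
              "WITH t AS (SELECT 1) DELETE FROM orders"]: # CTE hides the verb
        print(f"{q!r:45} parser={evaluate(q)} naive_allows={naive_denylist_allows(q)}")
```

The comment-split and string-literal cases show the two failure modes of the denylist: it lets DROP/**/TABLE through because the keywords are not separated by whitespace, and it blocks a harmless SELECT because the forbidden words appear inside a literal. The parser gets both right because it reasons about statements, not bytes.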


What PSM does not protect against: the prerequisites for value

PSM's security and compliance benefits are conditional on several foundational requirements being met. When they're not, PSM records what happened without establishing who did it, or prevents some actions while missing others.

Individual identity attribution

Shared privileged accounts (svc_admin, root, dbadmin) destroy the forensic value of session recording. A complete session recording of actions taken under a shared account produces compliance evidence without accountability. Every session recorded by PSM has to be traceable to a specific, verified individual identity. That means individual authentication (the engineer's own identity, with MFA, and a JIT checkout or approval tied to that identity) has to happen before the PSM session starts, as a prerequisite rather than an optional layer on top.

No bypass paths

PSM value degrades proportionally to the availability of bypass paths. An engineer who can SSH directly to a production server without going through the PSM bastion (just this once, the bastion was slow) has taken an unrecorded privileged session. Network controls should enforce that direct connections to critical systems from non-PSM sources are blocked, not just discouraged.
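Blocking direct connections is the control; checking that the block holds is the evidence. The added example below (constructed for this article, not vendor code) correlates a target host's sshd log with the PSM gateway's session records: a successful login from any address other than the gateway is a bypass, and a login from the gateway with no matching PSM session within 30 seconds is a gap in the gateway's own recording. The gateway IP, the log year, the sample log lines, and the session records are assumptions.

```python
import re
from datetime import datetime, timedelta

PSM_GATEWAY_IPS = {"10.0.9.10"}     # assumed gateway address
MATCH_WINDOW = timedelta(seconds=30)  # login must be this close to a PSM session start
LOG_YEAR = 2026                       # syslog timestamps carry no year; assumed

SSHD_ACCEPT = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_accepts(lines):
    """Yield successful logins from sshd auth log lines; ignore failures and noise."""
    for line in lines:
        m = SSHD_ACCEPT.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        yield {"ts": ts, "host": m["host"], "user": m["user"],
               "ip": m["ip"], "method": m["method"]}


def audit_logins(sshd_lines, psm_sessions):
    """Return every accepted login that did not arrive through a recorded PSM session."""
    findings = []
    for login in parse_accepts(sshd_lines):
        if login["ip"] not in PSM_GATEWAY_IPS:
            findings.append({"kind": "direct_login_bypassed_psm", **login})
            continue
        matched = any(
            s["target_host"] == login["host"] and s["target_account"] == login["user"]
            and abs(s["start"] - login["ts"]) <= MATCH_WINDOW
            for s in psm_sessions)
        if not matched:
            findings.append({"kind": "gateway_login_without_psm_record", **login})
    return findings


SAMPLE_SSHD = [  # constructed sshd auth log from a production target
    "Jun  1 09:00:02 db-prod-01 sshd[2131]: Accepted publickey for svc_admin from 10.0.9.10 port 40122 ssh2: ED25519 SHA256:k1",
    "Jun  1 10:15:44 db-prod-01 sshd[2207]: Accepted publickey for root from 10.0.4.77 port 51234 ssh2: RSA SHA256:k2",
    "Jun  1 10:16:00 db-prod-01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 2222 ssh2",
    "Jun  1 11:30:06 db-prod-01 sshd[2300]: Accepted publickey for svc_admin from 10.0.9.10 port 40310 ssh2: ED25519 SHA256:k1",
    "Jun  1 13:05:10 db-prod-01 sshd[2410]: Accepted publickey for svc_admin from 10.0.9.10 port 40500 ssh2: ED25519 SHA256:k1",
]
SAMPLE_PSM = [  # constructed PSM session records (what the gateway says it proxied)
    {"session_id": "s-1001", "actor": "alice@corp.example", "target_account": "svc_admin",
     "target_host": "db-prod-01", "start": datetime(2026, 6, 1, 9, 0, 1)},
    {"session_id": "s-1002", "actor": "bob@corp.example", "target_account": "svc_admin",
     "target_host": "db-prod-01", "start": datetime(2026, 6, 1, 11, 30, 5)},
]

if __name__ == "__main__":
    for f in audit_logins(SAMPLE_SSHD, SAMPLE_PSM):
        print(f"{f['kind']}: {f['user']} from {f['ip']} on {f['host']} at {f['ts']}")
```

Run this against the targets' logs rather than the gateway's: the gateway can only report sessions it saw, so the evidence that nothing went around it has to come from the other end of the connection.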

Active review of session recordings

Recorded sessions that are never reviewed provide compliance evidence but no operational security value. Anomaly detection on session recordings (automated flagging of unusual commands, data volumes, access patterns, or session durations) is the operationalization of session recording as a real-time control rather than a post-incident forensic tool.
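One way to operationalize this, as an added example that is not part of the original page: build a per-identity baseline from that identity's own recorded sessions, then score each new session on duration, data volume, tables outside the usual workflow, and first-time use of export commands. The thresholds, weights, command set, and sample sessions are assumptions chosen to mirror the healthcare scenario later in this article.

```python
from statistics import median

SENSITIVE_COMMANDS = {"COPY", "pg_dump", "mysqldump", "scp", "curl"}  # assumed export primitives
DURATION_FACTOR = 3.0   # flag sessions longer than 3x the identity's median
VOLUME_FACTOR = 5.0     # flag sessions reading more than 5x the identity's median rows
TERMINATE_AT = 70       # assumed policy: auto-terminate at or above this score


def baseline(history):
    """Per-identity baseline built only from that identity's own recorded sessions."""
    return {
        "median_minutes": median(s["minutes"] for s in history),
        "median_rows": median(s["rows_read"] for s in history),
        "tables": set().union(*(s["tables"] for s in history)),
        "commands": set().union(*(s["commands"] for s in history)),
    }


def score_session(session, base):
    """Compare one session against the baseline; return score, action, and the reasons."""
    reasons, score = [], 0
    if session["minutes"] > DURATION_FACTOR * base["median_minutes"]:
        reasons.append(f"duration {session['minutes']}m exceeds {DURATION_FACTOR:g}x "
                       f"baseline ({base['median_minutes']:g}m)")
        score += 20
    if session["rows_read"] > VOLUME_FACTOR * max(base["median_rows"], 1):
        reasons.append(f"rows read {session['rows_read']} exceeds {VOLUME_FACTOR:g}x "
                       f"baseline ({base['median_rows']:g})")
        score += 30
    new_tables = set(session["tables"]) - base["tables"]
    if new_tables:
        reasons.append(f"tables outside normal workflow: {sorted(new_tables)}")
        score += 20
    new_exports = (set(session["commands"]) - base["commands"]) & SENSITIVE_COMMANDS
    if new_exports:
        reasons.append(f"export commands never used before: {sorted(new_exports)}")
        score += 30
    action = "terminate" if score >= TERMINATE_AT else ("alert" if score else "none")
    return {"session_id": session["session_id"], "score": score,
            "action": action, "reasons": reasons}


HISTORY = [  # constructed: one administrator's last four recorded sessions on a database host
    {"session_id": "s-201", "minutes": 25, "rows_read": 2000, "tables": {"users", "schedules"}, "commands": {"SELECT"}},
    {"session_id": "s-202", "minutes": 30, "rows_read": 3000, "tables": {"users", "audit_log"}, "commands": {"SELECT", "UPDATE"}},
    {"session_id": "s-203", "minutes": 30, "rows_read": 4000, "tables": {"schedules"}, "commands": {"SELECT"}},
    {"session_id": "s-204", "minutes": 35, "rows_read": 5000, "tables": {"users"}, "commands": {"SELECT", "UPDATE"}},
]
SUSPECT = {"session_id": "s-205", "minutes": 100, "rows_read": 480000,
           "tables": {"patient_records", "users"}, "commands": {"SELECT", "COPY"}}
BENIGN = {"session_id": "s-206", "minutes": 28, "rows_read": 3100,
          "tables": {"users"}, "commands": {"SELECT"}}

if __name__ == "__main__":
    base = baseline(HISTORY)
    for s in (SUSPECT, BENIGN):
        print(score_session(s, base))
```

Per-identity baselines matter more than global ones here: a DBA who exports a table every Friday should not trip the same rule as an administrator who has never run COPY, and the recording data is what makes that distinction possible.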

Coverage of non-interactive sessions

Automated scripts, RPA processes, scheduled jobs, and AI agents take privileged actions in sessions that look nothing like human interactive sessions. Traditional PSM tools designed for SSH and RDP interactive sessions don't naturally govern these automated privileged activities. Extending PSM coverage to non-interactive privileged activity is an emerging requirement that most PSM deployments haven't yet addressed.


Cloud and SaaS: PSM's coverage gap

Traditional PSM architectures were designed for SSH, RDP, and database connections to on-premises servers. Modern privileged activity has migrated significantly to cloud consoles and SaaS administrative panels, environments where traditional bastion-proxy architectures don't apply.

An administrator working in the AWS Management Console, making IAM changes in Microsoft Entra ID (formerly Azure Active Directory), or modifying Salesforce profiles is taking privileged actions that fall outside the coverage of most legacy PSM deployments. The actions are logged by cloud-native audit services (CloudTrail, Azure activity logs, Entra audit logs) but not recorded as sessions, not proxy-intercepted for command control, and not subject to real-time monitoring through the PSM platform.

Closing this gap requires one of three things: adopting PSM tools that support cloud console session recording, typically by proxying the browser session through an isolated gateway (some modern platforms do); integrating cloud-native audit logs into the PSM monitoring workflow, reconstructing session-like timelines from individual API events; or accepting that cloud console activity receives audit coverage but not full session management coverage. The last option is the current reality for most organizations, and the gap is widening as cloud administration displaces on-premises administration.
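The middle option is worth seeing concretely. The added example below (not from the page or any vendor) reconstructs session-like timelines from CloudTrail records, grouping events by principal ARN and access key, taking the session start from the AssumedRole sessionContext creationDate, and raising the flags a PSM monitor would want: a role assumed without MFA, mutating calls from a long-lived IAM user key, and one session used from several source IPs. The records are constructed in CloudTrail's JSON shape; the account ID, role names, and addresses are placeholders.

```python
from datetime import datetime

READ_PREFIXES = ("Get", "List", "Describe", "Head")  # fallback when readOnly is absent


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def principal_of(identity):
    """Role session name for AssumedRole, user name for IAMUser."""
    if identity.get("type") == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<RoleSessionName>
        _, role, session_name = identity["arn"].rsplit("/", 2)
        return f"{role}/{session_name}"
    return identity.get("userName") or identity["arn"].rsplit("/", 1)[-1]


def is_mutating(record):
    if "readOnly" in record:  # CloudTrail sets this on most records
        return not record["readOnly"]
    return not record["eventName"].startswith(READ_PREFIXES)


def reconstruct_sessions(records):
    """Group CloudTrail events into sessions keyed by (principal ARN, access key)."""
    sessions = {}
    for record in sorted(records, key=lambda r: r["eventTime"]):
        ident = record["userIdentity"]
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        s = sessions.setdefault((ident["arn"], ident.get("accessKeyId")), {
            "principal": principal_of(ident),
            "type": ident.get("type"),
            "mfa": attrs.get("mfaAuthenticated") == "true",
            # AssumedRole sessions carry their real start; otherwise use the first event
            "start": parse_ts(attrs["creationDate"]) if "creationDate" in attrs
                     else parse_ts(record["eventTime"]),
            "end": parse_ts(record["eventTime"]),
            "source_ips": set(),
            "events": [],
        })
        s["end"] = max(s["end"], parse_ts(record["eventTime"]))
        s["source_ips"].add(record["sourceIPAddress"])
        s["events"].append((record["eventTime"], record["eventSource"].split(".")[0],
                            record["eventName"], is_mutating(record)))
    for s in sessions.values():
        s["duration_s"] = int((s["end"] - s["start"]).total_seconds())
        s["mutating"] = sum(1 for e in s["events"] if e[3])
    return sessions


def review_flags(session):
    """Findings a PSM monitor would raise on a reconstructed console/API session."""
    flags = []
    if session["type"] == "AssumedRole" and not session["mfa"]:
        flags.append("role assumed without MFA")
    if session["type"] == "IAMUser" and session["mutating"]:
        flags.append("long-lived IAM user key performed mutating calls")
    if len(session["source_ips"]) > 1:
        flags.append(f"session used from {len(session['source_ips'])} source IPs")
    return flags


def make_record(time, source, name, read_only, ip, identity):
    return {"eventTime": time, "eventSource": source, "eventName": name, "readOnly": read_only,
            "sourceIPAddress": ip, "awsRegion": "us-east-1", "userIdentity": identity}


# Constructed identities and events (placeholder account 123456789012).
ALICE = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE111",
         "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/alice",
         "sessionContext": {"attributes": {"creationDate": "2026-06-01T14:01:55Z",
                                           "mfaAuthenticated": "true"}}}
BOB = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE222",
       "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/bob",
       "sessionContext": {"attributes": {"creationDate": "2026-06-01T15:10:00Z",
                                         "mfaAuthenticated": "false"}}}
CI = {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE333", "userName": "ci-deployer",
      "arn": "arn:aws:iam::123456789012:user/ci-deployer"}
SAMPLE_TRAIL = [
    make_record("2026-06-01T14:02:10Z", "iam.amazonaws.com", "GetRole", True, "198.51.100.7", ALICE),
    make_record("2026-06-01T14:05:30Z", "iam.amazonaws.com", "AttachRolePolicy", False, "198.51.100.7", ALICE),
    make_record("2026-06-01T15:10:20Z", "s3.amazonaws.com", "PutBucketPolicy", False, "198.51.100.9", BOB),
    make_record("2026-06-01T15:12:05Z", "s3.amazonaws.com", "ListBuckets", True, "203.0.113.5", BOB),
    make_record("2026-06-01T16:00:00Z", "lambda.amazonaws.com", "UpdateFunctionCode20150331v2", False, "10.0.3.4", CI),
]

if __name__ == "__main__":
    for s in reconstruct_sessions(SAMPLE_TRAIL).values():
        print(s["principal"], f"{s['duration_s']}s", f"{s['mutating']} mutating", review_flags(s))
```

This gives audit-log coverage the shape of a session (who, from where, for how long, which mutating calls) so it can flow into the same review queue as SSH and RDP recordings, but it cannot pause or terminate anything: that still requires a proxy in the path.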


PSM as a data source for access governance

PSM generates the richest privileged activity data in the environment. Most organizations treat it as a compliance archive: recordings stored for regulatory requirements, searched only when an incident occurs. This underutilizes what PSM makes available.

Session recordings are usage evidence. A privileged account holder whose session recordings show zero relevant activity in 90 days is over-provisioned unless there is a documented break-glass or seasonal reason for keeping the privilege. The usage evidence exists. The access certification workflow should surface it.

The integration between PSM and IGA that most organizations are missing:

  • PSM usage data informs access reviews.
    When a certifier reviews a privileged entitlement, they should see whether the underlying session recordings show actual usage, not just whether the account was provisioned. "No sessions in 90 days" is a materially different certification input than "no data."
  • PSM anomaly alerts trigger access reviews.
    When real-time monitoring flags a session for unusual behavior, that signal should flow into the identity governance platform, potentially triggering an emergency access review, a temporary access suspension, or a CISO notification alongside the operational response.
  • Deprovisioning triggers PSM cleanup.
    When an access certification removes a privileged entitlement, the PSM policy that governs that identity's session behavior should be updated simultaneously. Orphaned PSM policies for deprovisioned accounts are a governance gap.
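As an added example of this join (not Identity Confluence's code), the function below produces the certification inputs described above from three inputs: the privileged entitlements under review, the PSM session records, and the PSM policies in force. It distinguishes "no sessions in the window" from "no PSM coverage for this system", flags entitlements whose sessions triggered anomaly alerts, and lists PSM policies with no matching entitlement. The window, identities, and records are assumptions.

```python
from datetime import date, timedelta

REVIEW_WINDOW_DAYS = 90  # assumed certification window


def certification_inputs(entitlements, sessions, psm_policies, psm_covered_systems, as_of):
    """Join entitlement records with PSM usage; return per-entitlement rows plus orphaned policies."""
    cutoff = as_of - timedelta(days=REVIEW_WINDOW_DAYS)
    by_identity = {}
    for s in sessions:
        by_identity.setdefault(s["actor"], []).append(s)

    rows = []
    for e in entitlements:
        history = [s for s in by_identity.get(e["identity"], []) if s["system"] == e["system"]]
        in_window = [s for s in history if s["start"] >= cutoff]
        last = max((s["start"] for s in history), default=None)
        if e["system"] not in psm_covered_systems:
            # Absence of recordings here means absence of data, not absence of use.
            rec, evidence = "review_manually", "no PSM coverage for this system (no data)"
        elif not in_window:
            rec, evidence = "revoke", f"no sessions in {REVIEW_WINDOW_DAYS} days"
        elif any(s["anomaly"] for s in in_window):
            rec, evidence = "investigate", "session flagged by real-time monitoring"
        else:
            rec, evidence = "keep", f"{len(in_window)} sessions in window"
        rows.append({"identity": e["identity"], "system": e["system"],
                     "entitlement": e["entitlement"], "last_session": last,
                     "sessions_in_window": len(in_window),
                     "recommendation": rec, "evidence": evidence})

    # Deprovisioning should remove the PSM policy too; anything left over is a governance gap.
    entitled = {(e["identity"], e["system"]) for e in entitlements}
    orphaned = [p for p in psm_policies if (p["identity"], p["system"]) not in entitled]
    return rows, orphaned


AS_OF = date(2026, 6, 30)
ENTITLEMENTS = [  # constructed privileged entitlements under review
    {"identity": "alice", "system": "db-prod", "entitlement": "svc_admin checkout"},
    {"identity": "bob", "system": "db-prod", "entitlement": "svc_admin checkout"},
    {"identity": "carol", "system": "db-prod", "entitlement": "svc_admin checkout"},
    {"identity": "dave", "system": "salesforce", "entitlement": "System Administrator profile"},
]
SESSIONS = [  # constructed PSM session records
    {"actor": "alice", "system": "db-prod", "start": date(2026, 5, 20), "anomaly": False},
    {"actor": "alice", "system": "db-prod", "start": date(2026, 6, 1), "anomaly": False},
    {"actor": "bob", "system": "db-prod", "start": date(2026, 2, 10), "anomaly": False},
    {"actor": "carol", "system": "db-prod", "start": date(2026, 6, 15), "anomaly": True},
]
POLICIES = [{"identity": i, "system": "db-prod"} for i in ("alice", "bob", "carol", "erin")]
COVERED = {"db-prod"}  # salesforce admin activity is not proxied by PSM

if __name__ == "__main__":
    rows, orphaned = certification_inputs(ENTITLEMENTS, SESSIONS, POLICIES, COVERED, AS_OF)
    for r in rows:
        print(f"{r['identity']:6} {r['system']:10} {r['recommendation']:16} {r['evidence']}")
    print("orphaned PSM policies:", [p["identity"] for p in orphaned])
```

The "review_manually" row is the important one for the cloud and SaaS gap discussed earlier: a certifier who sees "no sessions" for an uncovered system would otherwise revoke access that is in daily use.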

Identity Confluence connects PSM session data to your access certification program

Identity Confluence integrates privileged session usage data alongside entitlement records, surfacing idle privileged accounts in access certification queues, routing PSM anomaly signals to governance workflows, and making sure PSM coverage maps to your certified privileged access estate.


Industry use cases

Financial services: contractor supervision. A global bank grants 40 third-party contractors quarterly access to production database systems for performance tuning and maintenance work. All contractor sessions route through a PSM gateway: credentials are injected (contractors never see the database password), all commands are recorded and searchable, and a bank security analyst monitors high-risk sessions in real time. When a contractor executes an unexpectedly large SELECT against a customer data table, the session is paused, and the contractor is asked to justify the query before it's allowed to complete. The session recording provides the complete audit trail for the bank's quarterly contractor access review.

Healthcare: insider threat detection. A hospital system's PSM platform flags a session from a privileged IT administrator: unusual data export commands, access to patient record tables outside the administrator's normal workflow, and a session duration three times longer than the administrator's historical baseline. The session is terminated automatically based on risk scoring. The session recording is provided to the hospital's security team and, within 24 hours, to HR and legal. The recording establishes the precise sequence of actions taken, the data accessed, and the time of each event: evidence sufficient to support the subsequent investigation.

Technology company: IGA integration. An enterprise SaaS company integrates PSM session activity data with its identity governance platform. Quarterly access reviews for privileged accounts now include a session activity summary: last session date, session count in the review period, and a flag for any sessions that triggered anomaly alerts. Certifiers reviewing 200 privileged accounts discover that 38 have had zero sessions in the review period: accounts that belong to engineers who changed roles, left the company, or simply no longer perform the function that justified the privilege. All 38 are deprovisioned in the same cycle.


PSM vs. PAM: understanding the relationship

PSM is a component of PAM, not an alternative to it. The two address different phases of the privileged access lifecycle.

When it operates
  PAM: Before the session (access approval and credential management)
  PSM: During the session (monitoring, recording, control)
Primary control
  PAM: Who gets access, under what conditions
  PSM: What that access is used for
Key capability
  PAM: Credential vaulting, JIT workflows, MFA enforcement
  PSM: Session recording, real-time monitoring, credential injection
Compliance value
  PAM: Documented approval chain for privileged access
  PSM: Non-repudiable record of privileged actions taken
Without the other
  PAM without PSM: access is controlled but unobserved
  PSM without PAM: sessions are recorded but access isn't governed

The most effective implementations integrate both: PAM makes sure that sessions start only with verified, approved, appropriately scoped credentials. PSM makes sure that everything that happens during the session is visible, attributable, and governable.

Frequently Asked Questions

What is Privileged Session Management?

Privileged Session Management is a security control that monitors, records, and governs what privileged users and automated processes do during active sessions on critical systems. It operates as a proxy between the user and the target system, capturing session activity for forensic and compliance purposes, allowing real-time monitoring and session termination, injecting credentials so users never see them, and optionally controlling which commands can be executed within a session.

What is the difference between PAM and PSM?

PAM (Privileged Access Management) governs who gets privileged access, through credential vaulting, JIT workflows, MFA, and approval processes. PSM (Privileged Session Management) governs what happens after access is granted, through session recording, real-time monitoring, credential injection, and command control. PAM controls entry. PSM controls impact. Both are required for a complete privileged access security program.

How does PAM differ from IAM?

IAM (Identity and Access Management) governs access for all users across all systems, defining who can access what based on roles, attributes, and policies. PAM is a subset of IAM focused specifically on the management of privileged accounts and high-consequence access. PAM adds controls appropriate to the elevated risk of privileged access: credential vaulting, session recording, JIT workflows, and anomaly detection that standard IAM does not require for routine user access.

Why isn't a session recording of a shared account enough for accountability?

A session recording establishes what happened: every command, every file accessed, every change made. It doesn't establish who did it if multiple individuals share the credential used to initiate the session. A shared account session recording is forensic evidence with no subject to attribute it to. Individual identity attribution, requiring each user to authenticate individually to initiate a PSM-managed session, even if the underlying credential is shared, is the prerequisite that gives session recordings both compliance and accountability value.

How does PSM support compliance frameworks such as PCI DSS, SOX, and HIPAA?

Each of these frameworks requires documented controls over access to sensitive systems and evidence that those controls are enforced. PSM addresses these requirements directly: session recordings provide the non-repudiable audit trail that auditors expect as evidence that privileged access was monitored. Real-time monitoring and termination demonstrate active supervision. Credential injection demonstrates that credentials are protected from exposure. Specific requirements such as PCI DSS Requirement 10 (logging and monitoring access), SOX IT general controls (access monitoring), and the HIPAA Security Rule audit-controls standard map to PSM's core capabilities.


Session data should feed your access governance program, not just your archive

Identity Confluence integrates PSM session activity with access certification workflows, surfacing idle privileged accounts, routing anomaly signals to governance decisions, and making sure PSM coverage maps to your certified privileged access estate.