Should a PAM provider be expected to offer a CIEM module (cloud infrastructure entitlement management)?
Gartner now treats CIEM as a “common” feature. It categorizes it as such in its latest Magic Quadrant dedicated to the PAM market.
In the previous edition, CIEM was optional. It isn’t the only element that joined the technical requirements this year. Secrets management for workloads followed the same path. The same goes for lifecycle management of privileged accounts and remote privileged access management.
Likewise, some criteria deemed “common” last year have become mandatory. Specifically, the discovery of privileged accounts, the recording of privileged sessions, and just‑in‑time privileged access management.
12 Providers, 3 “Leaders”
To stand a chance of appearing in Gartner’s PAM Magic Quadrant, providers had to meet seven “mandatory” criteria:
- Centralized management and deployment of privileged access, controlling either access to accounts and credentials, or the execution of commands, or both
- Management and granting of temporary privileged access to authorized users
- Discovery of privileged accounts
- Storage and management of credentials for privileged accounts
- Management, supervision, recording, and auditing of privileged sessions
- Just‑in‑time privileged access management
- Role‑based administration, with centralized management of credential access policies
In addition, at least five of the following eight “common” elements had to be provided:
- Privilege elevation control by agent on Windows, UNIX/Linux, and macOS
- Secrets management for workloads
- Lifecycle management of privileged accounts
- CIEM
- Management of remote privileged access
- Automation of routine privileged operations tasks orchestrated and/or executed across multiple systems
- ZSP (zero standing privileges): no standing elevation to an existing account or role, but the creation of ephemeral roles and permissions
- Analysis of privilege patterns, misconfigurations, access behaviors, and anomalies
The placement within the Magic Quadrant results from evaluations along two axes. One, the “vision” axis, is forward‑looking and focuses on strategies (sector, geography, commercial, marketing, product). The other, the “execution” axis, reflects the ability to meet demand (customer experience, pre‑sales performance, quality of products/services).
On the “execution” axis, the situation is as follows:
| Rank | Provider | Year‑over‑year change |
| --- | --- | --- |
| 1 | BeyondTrust | + 3 |
| 2 | CyberArk | + 1 |
| 3 | ARCON | – 2 |
| 4 | Delinea | – 2 |
| 5 | Saviynt | new entrant |
| 6 | ManageEngine | – 1 |
| 7 | Segura | new entrant |
| 8 | One Identity | – 1 |
| 9 | Keeper Security | new entrant |
| 10 | WALLIX | – 4 |
| 11 | Netwrix | – 2 |
| 12 | StrongDM | new entrant |
On the “vision” axis:
| Rank | Provider | Year‑over‑year change |
| --- | --- | --- |
| 1 | CyberArk | = |
| 2 | BeyondTrust | + 1 |
| 3 | Delinea | – 1 |
| 4 | WALLIX | = |
| 5 | One Identity | = |
| 6 | ARCON | + 1 |
| 7 | ManageEngine | – 1 |
| 8 | Saviynt | new entrant |
| 9 | StrongDM | new entrant |
| 10 | Segura | new entrant |
| 11 | Netwrix | – 3 |
| 12 | Keeper Security | new entrant |
The three “leaders” are the same as in 2024. In alphabetical order: BeyondTrust, CyberArk, and Delinea. The French WALLIX remains among the “visionaries,” all the more so given its decline on the execution axis.
BeyondTrust has room to improve on machine identities
According to Gartner, BeyondTrust remains among the strongest performers in remote PAM and just‑in‑time access. It also distinguishes itself in CIEM. While its pricing stays broadly above market average, the SaaS offering now stands out in several evaluated scenarios thanks to the Pathfinder platform’s Essentials, Plus, and Flex bundles. The company also earns praise for its go‑to‑market strategy (direct and indirect sales network, volume discounts on commitments, effective cross‑selling) and customer support (including customer advisory boards and multiple training levels, including free options).
BeyondTrust’s offering still lacks maturity in workload identity and secrets management (notably the inability to manage third‑party managers). Overall, innovations over the past year were limited to integration/unification. In addition, BeyondTrust lags behind other leaders in leveraging GenAI for session management. Support is also seen as an area for improvement by some customers, as is the initial setup (which can be complex) and the UI/navigation.
CyberArk remains among the most expensive on the market
As a mature provider across its entire portfolio, CyberArk excels in workload identity and secrets management, as well as Windows PEDM. It also benefits from its CORA AI, applied to session summaries, anomaly detection in secrets, and rule recommendations. Another strength cited is the consistent collection of customer feedback via surveys and a customer advisory board. Gartner also appreciates its geographic strategy (local delivery capability) and the sector reach of its offering, especially into financial services and the public sector.
Privilege elevation requires distinct products for UNIX and Linux, and they do not have feature parity. Overall, prices remain among the highest on the market, and CyberArk still does not offer multi‑year discounting. There is room for improvement in support and in initial configuration (which can be complex) as well as in upgrades of its self‑hosted PAM. The evolution of the business following the acquisition by Palo Alto Networks (announced in July) will be watched closely.
Delinea, lagging in remote PAM
Delinea remains one of the best performers for UNIX/Linux PEDM. It also stands out in workload identities and secrets management, as well as in CIEM. Gartner commends the technical support and the strong feedback collection. It notes the solution’s ease of use (unified engines, a single management console, good coverage of integrity reporting). There is also an agent available that leverages context to automate access decisions in cloud environments.
By contrast, Delinea is less mature in remote PAM (limited self‑service enrollment, multiuser collaboration, and on‑demand creation of one‑time tokens for external identities). Depending on the tested scenarios, pricing is uneven: below market for companies with fewer than 1,000 employees, above market for larger ones. It’s also worth noting that managing privileged credentials and discovering accounts may require PowerShell customization. Gartner also notes that Delinea’s revenue growth has slowed, as has investment in sales and marketing.
SaaS adoption struggles at WALLIX
While strong on remote access, WALLIX continues to hold an advantage in PAM for industrial control systems. It benefits from a notable presence in manufacturing—similar to its footprint in financial services and the public sector. Gartner praises its support effectiveness, the user‑friendliness of the solution, and active customer engagement (including a customer advisory board).
Account discovery remains limited (focused on Active Directory) and JIT PAM remains immature (dependent on workflow/ITSM integrations). As with Delinea, pricing tends to favor smaller organizations, less so larger ones. Gartner also observes that among providers with a SaaS offering, WALLIX has signed the fewest contracts (most customers still deploy on‑premises). Additionally, viewed through Gartner’s American lens, WALLIX lacks certifications that are common among its competitors (FedRAMP, FIPS, SOC 2).