Identity security has long been the most troublesome “single point of failure” in modern cybersecurity: as a company automates more, the number of credentials, service accounts, tokens, and agents multiplies… making it increasingly difficult to know who (or what) can do what, when, and from where. In this context, Delinea has announced a definitive agreement to acquire StrongDM with a clear goal: to combine traditional Privileged Access Management (PAM) with a real-time, “just-in-time” authorization model designed for continuous environments, cloud-native infrastructures, and growing populations of non-human identities and AI agents.
A market driven by the rise of non-human identities
The catalyst for this movement isn’t just technological; it’s also statistical. Recent reports indicate that non-human identities (NHIs)—service accounts, integrations, automation, machine identities, and increasingly, AI agents—far surpass human users, with ratios cited around 82 to 1 in certain corporate settings.
This imbalance shifts the rules of engagement: a program or agent doesn’t get tired, doesn’t make typical human errors, but can operate 24/7, escalate actions at machine speed, and if poorly governed, become a magnifier of risk. The result is mounting pressure to transition from controls based on “sessions” or “static roles” to more granular models capable of authorizing each action at the exact moment it occurs.
What exactly is being acquired: PAM + runtime authorization in a single layer
According to the announcement, the combined platform aims to integrate:
- Enterprise PAM (Delinea’s traditional domain: managing privileged credentials, vaulting, rotation, auditing, etc.).
- Just-in-time “runtime” authorization (StrongDM’s specialty: allowing access to infrastructure and data with a focus on engineering/DevOps, with policies applied at the moment of use).
Delinea frames the outcome as an evolution toward a Zero Standing Privilege (ZSP) model: reducing or eliminating permanent privileges, replacing them with ephemeral, traceable permissions. This increasingly industry-favored concept aims to minimize exposure: if there’s no privileged credential that’s “always valid,” the attack surface diminishes, making it harder to steal, reuse, or abuse credentials.
Why now: shifting from “access” to “action governance”
The announcement emphasizes a paradigm shift: it’s no longer enough to simply “grant access” to a resource; now, it’s necessary to govern privilege at the moment of action. Practically, this means:
- Centralized policies that decide whether an identity (human, machine, or agent) can execute a specific privileged operation.
- The ability to apply least privilege dynamically, based on context (environment, risk level, time, device, security posture, etc.).
- Auditing and traceability per operation, not just per session.
According to industry insiders quoted by Delinea, credential theft or loss remains a dominant incident pattern, and the industry is moving identity control to the core of the defense model.
Projected closing and conditions: operation set for Q1 2026
Delinea states that the deal has been signed and is expected to close in the first quarter of 2026, subject to usual conditions, including regulatory review. Financial terms have not been publicly disclosed.
Quick overview: from traditional PAM to ZSP with real-time authorization
| Approach | What it solves | Main advantage | Typical risk if misapplied | Best suited for |
|---|---|---|---|---|
| Classic PAM (controlled persistent credentials) | Centralizes and safeguards privileged accounts | Comprehensive credential auditing and control | “Standing privileges” still exist (even if stored in vaults) | IT operations, regulated environments, system administration |
| JIT (on-demand access) | Grants privileges only when needed | Reduces exposure window | Operational complexity without automation | Support, emergency access, distributed teams |
| Runtime authorization (per action) | Decides and logs permissions in real-time | Granular, contextual control | Poor policy design can block critical operations | DevOps, production systems, databases, Kubernetes, CI/CD |
| ZSP (zero permanent privilege) | Removes “always active” privileges | Minimizes attack surface | Requires disciplined processes and good observability | Highly automated organizations under compliance pressure |
Strategic insight: consolidating “Identity Security” for agent-centric AI
This move aligns with a broader industry trend: identity security is moving beyond traditional IAM/PAM towards Identity Security as a cross-layer control approach—especially with proliferation of agents and automation. Industry analysts have long highlighted the growth of JIT approaches and privilege-less models as pragmatic ways to reduce risk without hindering operations.
In other words: if the near future involves AI agents performing real actions (not just making recommendations), the key question won’t be “who logged in” but what privileged action was authorized and under which policy.
FAQs
What specific problem does Delinea’s acquisition of StrongDM aim to resolve?
Unify PAM with runtime JIT authorization to minimize persistent privileged credentials and enforce policies and audits at a granular level for privileged actions.
What is Zero Standing Privilege (ZSP) and why is it gaining attention?
It’s an approach that seeks to eliminate persistent privileges: access is granted temporarily, on-demand, with contextual controls, reducing the attack window if credentials are compromised.
Why does agent-centric AI complicate identity security so much?
Because it multiplies non-human identities and automates actions; multiple reports warn of much higher ratios of NHIs compared to humans and the direct impact on security risk.
When is the acquisition expected to close?
The company indicates a planned closing in the first quarter of 2026, subject to usual conditions and regulatory review.
via: delinea