Delinea, a provider of a privileged access management (PAM) platform, today revealed it will acquire StrongDM, a provider of a platform for authorizing access to IT infrastructure.

The core technology developed by StrongDM is used mainly by DevOps and engineering teams to programmatically reduce cybersecurity risks by eliminating the need to grant long‑term access to IT infrastructure. Instead, authorization to access IT infrastructure is granted on a just‑in‑time basis to both human administrators and non‑human identities attached to third‑party applications.

Phil Calvin, chief product officer for Delinea, said StrongDM extends the scope of the existing identity security portfolio to IT infrastructure to provide a spectrum of offerings for securing identities across a continuum of scenarios.

Existing Delinea offerings address the need to secure sessions by adding an ability to secure identity access in near real time, which, in addition to being applied to IT infrastructure, can also be extended to non‑human identities such as artificial intelligence (AI) agents, noted Calvin. Managing identities in the age of AI agents will prove to be especially challenging for organizations that will soon be deploying thousands of them running on a wide range of heterogeneous platforms, he added.

Unfortunately, most cybersecurity teams, in the absence of any centralized method for managing identity, are usually unable to see what privileges have been assigned. It’s usually only during the forensics phase of a breach that they discover privileges were over‑provisioned. The Delinea platform makes it possible for cybersecurity teams to instead review privileges to ensure the blast radius of any potential breach is limited, noted Calvin.

Once the deal is formally closed, Delinea will begin working on integrating the two product portfolios, which include a Delinea Iris AI framework that identifies threats and applies guardrails in real time. Collectively, the Delinea portfolio will now support both ephemeral and credential‑based access models while enabling a deliberate transition toward a zero standing privilege (ZSP) model.

For all intents and purposes, identity is now the perimeter that cybersecurity teams are expected to defend. The challenge is that many individuals often have multiple identities associated with different job functions. More challenging still, many of the individuals accessing applications and services are not employees but rather temporary contractors.

Cybercriminals are, of course, trying to steal as many credentials as possible. In many cases, cybercriminals log into applications much like any other normal user for months before starting to exfiltrate data and inject malware. Many organizations might not even realize credentials have been stolen until months after the fact.

It’s not clear what will be needed to encourage more organizations to unify the management of access and authorization in a way that is tied to specific sets of credentials, but the sooner they do, the more likely the overall cybersecurity posture of the organization will improve. In the meantime, cybersecurity teams should assume that most of the credentials being used have been compromised, which, at the very least, means they should be regularly rotated as part of a larger effort to manage the lifecycle of both human and non‑human identities.