Why the Privileged Session Manager caps concurrent sessions at 100 and how that affects security and performance

Learn why the Privileged Session Manager limits concurrent sessions to 100, how this protects performance, and its impact on auditing and security. This overview covers monitoring, policy enforcement, and smoother privileged workflows across sensitive systems without overloading resources for teams.

If you’re navigating the world of privileged access, you’ve probably bumped into a familiar constraint: a limit on how many sessions a Privileged Session Manager (PSM) can handle at once. In CyberArk’s ecosystem, that limit sits at 100 concurrent sessions per PSM. It’s not a random number pulled from the air; it’s a thoughtful cap designed to keep the system reliable, secure, and auditable as organizations juggle sensitive access.

Let me explain why this cap exists and what it means for real-world use.

What does "100 concurrent sessions" actually mean?

  • It’s the maximum number of active privileged sessions a single PSM instance can support at any moment. If ten users each have an elevated RDP or SSH session open, and another ten folks request new privileged access, you’re approaching that 100 mark.

  • The limit is about balance. CyberArk wants to ensure the PSM can perform its core duties—capture and replay sessions, monitor activity, secure credentials, and produce audit trails—without getting bogged down by too many simultaneous requests.

  • It’s not a hard “you’re broken” rule, but a performance guardrail. Cross it, and the system may slow down, or new session requests might be blocked until some sessions end.

Why would a cap exist in the first place?

  • Resource management: Each concurrent session consumes CPU, memory, and I/O. A cap helps avoid runaway usage that could degrade not just the PSM, but adjacent systems.

  • Audit reliability: When you’re recording and indexing countless privileged actions, you want to avoid gaps or degraded logging quality. The cap helps maintain consistent, trustworthy records.

  • Security posture: Predictable behavior makes it easier to enforce policy, trigger alerts, and validate that access controls are doing what they’re supposed to do.

What happens if you hit the limit?

  • Launch delays or failures: If the environment is busy, a new privileged session may be denied or queued until capacity frees up.

  • User experience hit: Operators may experience response lag when requesting new sessions, which can ripple into workflow delays.

  • Potential risk if not managed: In peak times, if new sessions can’t start, teams might be tempted to work around controls. That’s a pitfall you want to avoid; it underscores why capacity planning matters.

A practical way to think about it: imagine you’re running a busy help desk

  • Each privileged session is like a hot ticket in a queue. If the queue is too long, the work slows down, and people get frustrated. The solution isn’t to ignore the queue, but to add more lanes.

Strategies to manage more than 100 concurrent sessions without compromising security

If your organization faces frequent demand for privileged access, there are sensible, safe ways to operate beyond a single PSM’s 100-session boundary:

  • Deploy multiple PSM instances and use load balancing

      • Put several PSM nodes behind a load balancer so requests for privileged sessions can be distributed. This broadens the effective capacity while keeping each node within its 100-session limit.

      • The load balancer acts as the traffic conductor, routing requests to the least-busy PSM, and helping with failover if one node goes offline.

  • Segment access by scope and role

      • Not every user needs access to the same set of systems. By dividing responsibilities—e.g., one PSM handles database servers, another handles network devices—you can allocate sessions more evenly and prevent a single service from becoming a bottleneck.

      • This also reduces the surface area you need to monitor at once, which can simplify auditing.

  • Optimize session routing and policy

      • Smart routing rules can steer requests to the most appropriate PSM instance based on resource availability or the target system type.

      • Fine-tuned policies help ensure that only legitimate, policy-compliant sessions count toward the limit.

  • Plan for peak loads with scheduling and queuing

      • If you know certain windows have higher demand (patch nights, quarterly audits), you can stagger access windows or require approval flows that smooth out usage.

      • Consider a priority scheme where critical systems or users receive shorter wait times or higher priority when the system is near capacity.

  • Build in redundancy and resilience

      • A resilient design isn’t just about one hot spare. It’s about a small fleet of PSMs that can take over gracefully if one node tops out.

      • Regular health checks, simulated failovers, and clear runbooks help keep the service steady when things get busy.

  • Strengthen monitoring and alerting

      • Real-time dashboards showing current session counts per PSM, queued requests, and system load can spot trouble before it becomes a problem.

      • Alerts that trigger when a PSM approaches or hits the 100-session mark help operators take timely action—like redistributing load or scaling out.

  • Align with auditing and compliance needs

      • The cap isn’t just a performance lever; it supports predictable audit trails. With defined capacity, you can design retention policies, ensure complete session histories, and meet regulatory expectations without surprises.
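The least-busy routing and near-cap alerting described in the list above can be sketched as follows. This is an added example, not CyberArk code or a CyberArk API: the node names, the 80% warning threshold and the session counts are assumptions, and only the 100-session cap comes from this page.

```python
from dataclasses import dataclass

PSM_SESSION_CAP = 100   # per-PSM concurrent-session limit stated on this page
WARN_RATIO = 0.8        # assumed alert threshold, not a CyberArk default


@dataclass
class PsmNode:
    name: str            # hypothetical node name
    active: int          # concurrent sessions currently open on this node
    healthy: bool = True # result of the load balancer's health check


def node_status(node):
    """Classify a node as down, full, warn (near the cap) or ok."""
    if not node.healthy:
        return "down"
    if node.active >= PSM_SESSION_CAP:
        return "full"
    if node.active >= WARN_RATIO * PSM_SESSION_CAP:
        return "warn"
    return "ok"


def route_session(nodes):
    """Send a new session to the least-busy healthy node that has headroom.

    Returns the node name, or None when every node is full or down. The
    caller should queue or deny in that case, never skip the PSM.
    """
    candidates = [n for n in nodes if node_status(n) in ("ok", "warn")]
    if not candidates:
        return None
    target = min(candidates, key=lambda n: (n.active, n.name))
    target.active += 1
    return target.name


def fleet_alerts(nodes):
    """Return (alerts, headroom): non-ok nodes and free slots on healthy nodes."""
    alerts = [(n.name, node_status(n), n.active)
              for n in nodes if node_status(n) != "ok"]
    headroom = sum(PSM_SESSION_CAP - n.active for n in nodes if n.healthy)
    return alerts, headroom


if __name__ == "__main__":
    fleet = [PsmNode("psm-a", 99), PsmNode("psm-b", 100),   # constructed data
             PsmNode("psm-c", 42, healthy=False)]
    print(route_session(fleet), route_session(fleet), fleet_alerts(fleet))
```

A `None` result is the signal to queue the request or scale out; fleet headroom reaching zero is the condition worth paging on.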

Common misconceptions worth clearing up

  • “We can never exceed 100.” Not exactly. The limit is per PSM instance. A well-architected environment uses multiple PSM nodes to handle higher demand gracefully.

  • “Increasing capacity means always adding hardware.” Not necessarily. It’s often about smarter distribution, policy tuning, and scalable architecture. Sometimes, modest hardware improvements on a handful of nodes or better load balancing do wonders.

  • “The limit is a hard floor.” It’s a target, a guardrail you plan around. With proper planning, you can keep operations smooth while meeting security and compliance goals.

Why this matters for security teams and auditors

  • Predictability builds trust. Knowing there’s a sensible cap helps security teams model demand, allocate resources, and set expectations with stakeholders.

  • Clear auditing and visibility. When session activity stays within reason, logging and recording stay consistent. That consistency matters in audits and incident investigations.

  • Risk management in a busy environment. A plan to scale across PSMs reduces the chance that staff will try to bypass controls under pressure.

A quick mental model you can use

  • Think of a PSM like a guard at a busy entrance. The guard can handle a certain number of visitors at once, ensuring everyone is checked and recorded. If too many people arrive, some have to wait or be redirected to a different entrance. To keep things smooth, you might add more guards (PSMs) or reorganize how folks queue up so that the line never spirals out of control.

Practical tips you can apply today

  • Map your peak times and current session patterns. Do you routinely hit the ceiling, or is it a rare event? This helps decide whether a minor adjustment or a full-scale architectural refresh is needed.

  • Review user groups and permissions. Sometimes tightening who actually needs privileged access can reduce demand at the gate.

  • Establish clear escalation paths. When the limit is approached, have a documented process to pause nonessential sessions or deploy additional PSM nodes.

  • Regularly test capacity as part of your resilience program. Simulate high-load scenarios to verify that adding PSMs or re-routing requests actually preserves performance and traceability.
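To map peak times from historical session records, a sweep over start and end times gives the highest concurrency and when it occurred, which in turn sizes the PSM fleet. This is an added example, not CyberArk tooling: the session records are constructed, and the 80% target utilization and single spare node are planning assumptions.

```python
import math
from datetime import datetime, timedelta

PSM_SESSION_CAP = 100  # per-PSM concurrent-session limit stated on this page


def peak_concurrency(sessions):
    """Return (peak, time_of_peak) for an iterable of (start, end) datetimes."""
    events = []
    for start, end in sessions:
        events.append((start, 1))
        events.append((end, -1))
    # At equal timestamps -1 sorts before +1, so a session that ends at T
    # frees its slot before one that starts at T is counted.
    events.sort()
    current = peak = 0
    peak_at = None
    for ts, delta in events:
        current += delta
        if current > peak:
            peak, peak_at = current, ts
    return peak, peak_at


def nodes_needed(peak, target_utilization=0.8, spare=1):
    """PSM nodes required to keep the peak under target_utilization of the cap.

    target_utilization and spare (failover nodes) are planning assumptions.
    """
    usable = int(PSM_SESSION_CAP * target_utilization)
    return max(1, math.ceil(peak / usable)) + spare


def constructed_sessions():
    """Constructed sample: 40 daytime sessions plus a 130-session patch night."""
    day = datetime(2024, 1, 10, 9, 0)
    night = datetime(2024, 1, 10, 22, 0)
    daytime = [(day, day + timedelta(hours=1))] * 40
    patch = [(night + timedelta(minutes=i % 10),
              night + timedelta(minutes=60 + i % 10)) for i in range(130)]
    return daytime + patch


if __name__ == "__main__":
    peak, when = peak_concurrency(constructed_sessions())
    print(peak, when, nodes_needed(peak))
```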

A note on the broader landscape

As organizations push toward stronger security posture, Privileged Access Management isn’t a one-and-done checkbox. It’s a living discipline that blends policy, technology, and culture. The 100-session cap is a practical piece of that puzzle, reminding us to design systems that are not just secure, but also usable under pressure. It’s about balancing control with agility, risk with performance, and guardianship with day-to-day operations.

If you’re working with CyberArk Sentry and PSM in a real environment, you’ll come to appreciate how a thoughtful capacity strategy protects both people and data. The limit isn’t a brick wall; it’s a guidepost that helps you plan for reliability, maintain order as you scale, and keep privileged sessions auditable and secure.

In the end, the goal is straightforward: empower teams to get the access they need, when they need it, without compromising security or clarity. A well-sized PSM deployment—backed by proper architecture, monitoring, and governance—does just that. And while 100 concurrent sessions per PSM may look like a modest number on paper, it’s a meaningful anchor for keeping privilege access clean, controlled, and trustworthy in the everyday rhythm of a security-conscious organization.
