CyberArk TSA separation is the work of standing up a dedicated Newco privileged access deployment, rebuilding the vault and safes, onboarding and rotating Newco privileged credentials, reconnecting secrets to the applications that consume them, and exiting the seller vault before Newco admin and service credentials keep living inside the seller privileged access platform. The work sits inside the broader carve-out advisory program because the vault holds the most sensitive credentials in the estate. Treated casually, it leaves the seller holding the keys to Newco systems.
CyberArk separation starts with an inventory of the seller deployment, whether it is the self hosted Privileged Access Manager with a digital vault or the Privilege Cloud service. The buyer needs the safes and which hold Newco credentials, the accounts and which belong to Newco systems, the platforms and rotation policies, the application access through Application Access Manager or Conjur, the session management configuration, and the administrators. The vault is the highest value target in the estate, so the inventory is handled with the controls that sensitivity demands.
The seller runs Newco privileged accounts inside a shared vault alongside the rest of the seller business. The clean end state is a dedicated Newco deployment, often Privilege Cloud for a standalone business, contracted and administered by Newco. A shared seller vault is acceptable only as a bridge during the TSA, because the seller controls the platform that holds, rotates, and can retrieve Newco privileged credentials.
Target deployment strategy favors the cloud platform for most carve-outs because a standalone business rarely wants to operate vault infrastructure and its high availability requirements. Where the seller ran self hosted Privileged Access Manager, the separation is often a move to Privilege Cloud, settled early because it changes the architecture and the migration approach.
A clean inventory drives the sequence: the deployment build, the safe and account onboarding, the credential rotation, the secrets reconnection, and the cutover. Because the vault touches every privileged system, the inventory is also a dependency map of which systems must be ready for their credentials to move.
CyberArk is licensed by managed account or identity across its modules, often inside a broader seller agreement. That agreement does not transfer in a carve-out. Newco signs a direct subscription sized to its real privileged account count and the modules it needs, whether the core vault, session management, secrets management, or endpoint privilege. The risk is that Newco inherits a module set scaled for the seller enterprise.
CyberArk reads a carve-out as a buyer that must secure privileged access for a defined estate. Negotiating leverage comes from the account commitment and from a credible alternative privileged access platform. The buyer scopes the Newco subscription from the inventory before negotiating, and writes implementation support into the contract so the deployment and its rotation policies are validated before cutover.
Where the seller continues to vault Newco credentials through a TSA period, the pricing is cost-plus or fixed-fee with a defined exit ramp, and the TSA defines who administers Newco safes, how credentials are returned, and what the seller retains. This service carries unusual sensitivity because the seller literally holds Newco keys, so the exit ramp and the credential rotation at exit are written precisely.
Implementation, where a partner is engaged, is fixed fee for defined deliverables under disciplined change control. A vault stand up has a finite scope, contracted against named safes, accounts, and platforms rather than open ended consulting time. The engagement model is Fixed Fee plus Portfolio Retainer.
The Newco deployment is built and the safes are recreated, but credentials are not simply copied across. The defensible approach onboards Newco accounts into the Newco vault and rotates every credential so the secret the Newco vault holds is new and the secret the seller vault held is dead. Rotation is the cleanest boundary in any separation: once a credential is rotated into the Newco vault, the seller copy no longer opens the door.
The account inventory drives the onboarding. Domain and local administrator accounts, service accounts, database and infrastructure credentials, and cloud privileged identities are onboarded into the Newco safes in priority order. The platforms that define how each account type rotates are recreated so the Newco vault manages the credential lifecycle rather than holding a static secret.
Rotation order matters because rotating a service account credential breaks every consumer that has not been updated. The buyer sequences rotation with the application owners so the new secret is delivered to every consumer as it rotates, which is why the secrets reconnection runs alongside the rotation rather than after it.
The boundary is documented. The buyer records which accounts were onboarded and rotated, confirms the seller vault no longer holds live Newco credentials, and treats any credential that cannot be rotated, such as a vendor managed secret, as an explicit exception with its own remediation.
Application credentials are the part that breaks. CyberArk does not only store human administrator passwords, it delivers secrets to applications through Application Access Manager and Conjur, so application servers, batch jobs, and pipelines retrieve database and API credentials from the vault at runtime. Every one of those consumers points at the seller vault until it is repointed to the Newco deployment.
The buyer inventories every application that retrieves a secret from the seller vault and repoints it to the Newco deployment as the credential is onboarded and rotated. An application missed in this inventory keeps calling the seller vault, which both breaks at the moment the seller revokes access and leaves a live dependency on the seller platform. This is the discovery that catches buyers who treat CyberArk as a password store rather than a secrets broker.
Session management and access policies are rebuilt so administrators connect to Newco systems through the Newco vault with the same recording and control. The privileged session paths that ran through the seller deployment are recreated, and the connection components for Newco targets are configured. The governance over who may retrieve which credential aligns with the broader SailPoint governance separation so privileged entitlements are certified.
Identity for the vault itself is reconnected to the Newco identity provider so administrators authenticate to the Newco vault through Newco single sign on and multi factor authentication, rather than depending on the seller directory.
Cutover transfers privileged access from the seller vault to the Newco deployment. Because every privileged credential is sensitive, the cutover is sequenced safe by safe with rotation, and the runbook covers the account onboarding, the rotation order, the secrets reconnection, the session paths, and a clear statement of when the Newco vault becomes authoritative for each account type.
Validation confirms privileged access works through the Newco vault. Administrators can retrieve credentials and open privileged sessions, applications retrieve their secrets at runtime, rotation runs on schedule, and the recordings capture sessions. The buyer confirms a real application retrieves a rotated secret and a real administrator opens a recorded session before declaring the move complete.
Stabilization runs while rotation settles and any missed consumers surface. Failed retrievals, broken application credentials, and rotation errors are triaged within agreed service-level commitments and treated with priority because a broken privileged credential can halt a production system. The buyer confirms every Newco consumer points at the Newco vault before certifying privileged access for TSA exit.
The credential boundary is the proof of exit. A clean separation leaves every Newco privileged credential rotated into the Newco vault and dead in the seller vault, with the seller unable to retrieve a working Newco secret. The buyer confirms the seller deployment holds no live Newco credentials before the TSA tail closes.
CyberArk separation cost is driven by the managed account count, the module set, and the effort of onboarding and rotating credentials across the estate. The discipline is to size the subscription and modules to Newco real needs, prioritize the highest risk accounts, and use rotation as the boundary rather than attempting to copy secrets.
The common failure mode is treating CyberArk as a password vault and missing the application consumers. The vault brokers secrets to applications at runtime, so a separation that onboards human accounts but ignores the application secrets leaves production systems calling the seller vault. Buyers that inventory every secret consumer first avoid breaking applications at the moment the seller revokes access.
The common security mistake is copying credentials instead of rotating them. The fix is to rotate every onboarded credential so the seller copy is dead, which is both cleaner and more defensible than a credential that exists in two vaults. A PMO maintains the dependency map across the vault, identity, and every privileged system, escalating blocks inside forty eight hours.
A clean CyberArk separation produces a Newco that holds its own keys, with its own vault, rotated credentials, and a seller that can no longer open Newco systems. The discipline runs through the TSA exit acceleration program under a Fixed Fee plus Portfolio Retainer engagement model.
Yes. The clean end state is a dedicated Newco deployment, often Privilege Cloud, contracted and administered by Newco, holding its own safes and rotated credentials. A shared seller vault is acceptable only as a bridge during the TSA, because the seller otherwise holds, rotates, and can retrieve Newco privileged credentials.
Rotated. Copying a secret leaves it live in two vaults, while rotating a credential into the Newco vault makes the seller copy dead. Rotation is the cleanest and most defensible boundary in a privileged access separation, which is why the work onboards Newco accounts and rotates every credential rather than exporting secrets.
The application secrets. CyberArk delivers credentials to applications at runtime, so every application, batch job, and pipeline that retrieves a secret points at the seller vault until it is repointed. An application missed in the inventory keeps calling the seller vault and breaks the moment the seller revokes access.
Because the vault touches every privileged system, the timeline depends on onboarding and rotating credentials across the estate without breaking consumers. Most buyers plan three to five months so rotation can be sequenced with application owners and the secrets reconnection can keep pace.
Tenant strategy, the connector rebuild, and the certification restart for Newco.
Read the article →Federation strategy, the application reconnect, and the single sign on cutover.
Read the article →Tenant strategy, the identity move, and the conditional access rebuild.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
Stand up a clean identity tenant first — every application cutover and every security control depends on it, and the seller holds the keys until you do.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →