diff --git a/docs/docs.json b/docs/docs.json
index 51c02d2bf4..be76a10c17 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -775,7 +775,23 @@
"group": "Infisical PAM",
"pages": [
"documentation/platform/pam/overview",
- "documentation/platform/pam/session-recording"
+ {
+ "group": "Getting Started",
+ "pages": [
+ "documentation/platform/pam/getting-started/setup",
+ "documentation/platform/pam/getting-started/resources",
+ "documentation/platform/pam/getting-started/accounts"
+ ]
+ },
+ "documentation/platform/pam/architecture"
+ ]
+ },
+ {
+ "group": "Product Reference",
+ "pages": [
+ "documentation/platform/pam/product-reference/auditing",
+ "documentation/platform/pam/product-reference/session-recording",
+ "documentation/platform/pam/product-reference/credential-rotation"
]
}
]
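Review bot: The new "Product Reference" group is added as a sibling of "Infisical PAM", not inside its `pages` array, because the `]` and `},` after `"documentation/platform/pam/architecture"` close the PAM group first. If it is meant to appear under PAM in the sidebar, move the object into the PAM `pages` list next to "Getting Started". If the sibling placement is intended, a name such as "PAM Product Reference" would keep it from reading as a site-wide reference section.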
diff --git a/docs/documentation/platform/pam/architecture.mdx b/docs/documentation/platform/pam/architecture.mdx
new file mode 100644
index 0000000000..5f5a12433a
--- /dev/null
+++ b/docs/documentation/platform/pam/architecture.mdx
@@ -0,0 +1,77 @@
+---
+title: "Architecture"
+sidebarTitle: "Architecture"
+description: "Learn about the architecture, components, and security model of Infisical PAM."
+---
+
+Infisical PAM utilizes a secure, proxy-based architecture designed to provide access to private resources without exposing them directly to the internet. This system relies on a combination of the Infisical CLI, a Relay server, and a self-hosted Gateway. For more information on Gateways, refer to the [Gateway Overview](/documentation/platform/gateways/overview).
+
+## Core Components
+
+The architecture consists of three main components working in unison:
+
+
+
+ The client-side interface used to initiate access requests. It creates a local listener that forwards traffic securely to the Gateway.
+
+
+ A lightweight service deployed within your private network (e.g., VPC, on-prem). It acts as a proxy, intercepting traffic to enforce policies and record sessions before forwarding requests to the target resource.
+
+
+ The actual infrastructure being accessed, such as a PostgreSQL database, a Linux server, or a web application.
+
+
+
+## Access Flow
+
+```mermaid
+graph LR
+ subgraph Client ["User Environment"]
+ CLI["Infisical CLI"]
+ end
+
+ Relay["Relay Server"]
+
+ subgraph Network ["Private Network (VPC)"]
+ Gateway["Infisical Gateway"]
+ DB[("Target Resource (Database/Server)")]
+ end
+
+ CLI <-->|Encrypted Tunnel| Relay
+ Relay <-->|Reverse Tunnel| Gateway
+ Gateway <-->|Native Protocol| DB
+```
+
+When a user accesses a resource (e.g., via `infisical access`), the following workflow occurs:
+
+1. **Connection Initiation**: The Infisical CLI initiates a connection to the Relay server.
+2. **Tunnel Establishment**: The Relay facilitates an end-to-end encrypted tunnel between the CLI and the Gateway.
+3. **Proxy & Credential Injection**: The Gateway authenticates the request and connects to the target resource on the user's behalf. It automatically injects the necessary credentials (e.g., database passwords, SSH keys), ensuring the user never directly handles sensitive secrets.
+4. **Traffic Forwarding**: Traffic flows securely from the user's machine, through the Relay, to the Gateway, and finally to the resource.
+
+## Session Recording & Auditing
+
+
+
+A key feature of the Gateway is its ability to act as a "middleman" for all session traffic.
+
+- **Interception**: Because the Gateway sits between the secure tunnel and the target resource, it intercepts all data flowing through the connection.
+- **Logging**: This traffic is logged as part of [Session Recording](/documentation/platform/pam/product-reference/session-recording). The Gateway temporarily stores encrypted session logs locally.
+- **Upload**: Once the session concludes, the logs are securely uploaded to the Infisical platform for storage and review.
+
+## Security Architecture
+
+The PAM security model allows you to maintain a zero-trust environment while enabling convenient access.
+
+### End-to-End Encryption
+The connection between the Infisical CLI (client) and the Gateway is end-to-end encrypted. The Relay server acts solely as a router for encrypted packets and **cannot decrypt or inspect** the traffic passing through it.
+
+### Network Security
+The Gateway uses **SSH reverse tunnels** to connect to the Relay. This design offers significant security benefits:
+- **No Inbound Ports**: You do not need to open any inbound firewall ports (like 22 or 5432) to the internet.
+- **Outbound-Only**: The Gateway only requires outbound connectivity to the Relay server and Infisical API.
+
+For a deep dive into the underlying cryptography, certificate management, and isolation guarantees, refer to the [Gateway Security Architecture](/documentation/platform/gateways/security).
+
+### Deployment
+For instructions on setting up the necessary infrastructure, see the [Gateway Deployment Guide](/documentation/platform/gateways/gateway-deployment).
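Review bot: Core Components promises "three main components", but the three descriptions cover the CLI, the Gateway and the target resource; the Relay named in the intro and drawn in the diagram is never described. Add a Relay entry stating what it can and cannot see, since the End-to-End Encryption section relies on it being unable to decrypt traffic. The diagram's separate "Encrypted Tunnel" (CLI to Relay) and "Reverse Tunnel" (Relay to Gateway) edges also read as two independently terminated hops; labelling the end-to-end CLI to Gateway layer there would match step 2. In Session Recording & Auditing, say whether the locally stored encrypted logs are deleted from the Gateway after upload.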
diff --git a/docs/documentation/platform/pam/getting-started/accounts.mdx b/docs/documentation/platform/pam/getting-started/accounts.mdx
new file mode 100644
index 0000000000..4ed0616f8f
--- /dev/null
+++ b/docs/documentation/platform/pam/getting-started/accounts.mdx
@@ -0,0 +1,47 @@
+---
+title: "PAM Account"
+sidebarTitle: "Accounts"
+description: "Learn how to create and manage accounts in PAM to control access to resources like databases and servers."
+---
+
+An **Account** contains the credentials (such as a username and password) used to connect to a [Resource](/documentation/platform/pam/getting-started/resources).
+
+## Relationship to Resources
+
+Accounts belong to Resources. A single Resource can have multiple Accounts associated with it, each with different permission levels.
+
+For example, your database would normally have multiple accounts. You might have a superuser account for admins, a standard read/write account for applications, and a read-only account for reporting.
+
+In PAM, these are represented as:
+- **Resource**: `Production Database` (PostgreSQL)
+ - **Account 1**: `postgres` (Superuser)
+ - **Account 2**: `app_user` (Read/Write)
+ - **Account 3**: `analytics` (Read-only)
+
+When a user requests access in PAM, they request access to a specific **Account** on a **Resource**.
+
+## Creating an Account
+
+
+ **Prerequisite**: You must have at least one [Resource](/documentation/platform/pam/getting-started/resources) created before adding accounts.
+
+
+To add an account, navigate to the **Accounts** tab in your PAM project and click **Add Account**.
+
+
+
+Next, select the **Resource** that this account belongs to.
+
+
+
+After selecting a resource, provide the credentials (username, password, etc.) for this account. The required fields vary depending on the resource type. For example, for a Linux server, you would enter the username and the corresponding password or SSH key.
+
+
+
+Clicking **Create Account** will trigger a validation check. Infisical will attempt to connect to the resource using the provided credentials to verify they are valid.
+
+## Automated Credential Rotation
+
+Infisical supports automated credential rotation for some accounts on select resources, allowing you to automatically change passwords at set intervals to enhance security.
+
+To learn more about how to configure this, please refer to the [Credential Rotation guide](/documentation/platform/pam/product-reference/credential-rotation).
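Review bot: In "Creating an Account", the sentence "Infisical will attempt to connect to the resource using the provided credentials" does not say where the connection originates or what happens when it fails. resources.mdx states that its test runs "from the selected Gateway"; say the same here, and state whether a failed validation blocks creation. The example hierarchy also lists the `postgres` superuser as an ordinary requestable account, so a short line steering readers toward the least-privileged account that fits the task would help.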
diff --git a/docs/documentation/platform/pam/getting-started/resources.mdx b/docs/documentation/platform/pam/getting-started/resources.mdx
new file mode 100644
index 0000000000..4eaeebb745
--- /dev/null
+++ b/docs/documentation/platform/pam/getting-started/resources.mdx
@@ -0,0 +1,45 @@
+---
+title: "PAM Resource"
+sidebarTitle: "Resources"
+description: "Learn how to add and configure resources like databases and servers, and set up automated credential rotation."
+---
+
+A resource represents a target system, such as a database, server, or application, that you want to manage access to. Some examples of resources are:
+- PostgreSQL Database
+- MCP Server
+- Linux Server
+- Web Application
+
+## Prerequisites
+
+Before you can create a resource, you must have an **Infisical Gateway** deployed that is able to reach the target resource over the network.
+
+The Gateway acts as a secure bridge, allowing Infisical to reach your private infrastructure without exposing it to the public internet. When creating a resource, you will be asked to specify which Gateway should be used to connect to it.
+
+[Read the Gateway Deployment Guide](/documentation/platform/gateways/gateway-deployment)
+
+## Creating a Resource
+
+To add a resource, navigate to the **Resources** tab in your PAM project and click **Add Resource**.
+
+
+
+Next, select the type of resource you want to add.
+
+
+
+After selecting a resource type, provide the necessary connection details. The required fields vary depending on the resource type.
+
+**Important**: You must select the **Gateway** that has network access to this resource.
+
+In this PostgreSQL example, you provide details such as host, port, gateway, and database name.
+
+
+
+Clicking **Create Resource** will trigger a connection test from the selected Gateway to your target resource. If the connection fails, an error message will be displayed to help you troubleshoot (usually indicating a network firewall issue between the Gateway and the Resource).
+
+## Automated Credential Rotation
+
+Some resources, such as PostgreSQL, support automated credential rotation to enhance your security posture. This feature requires configuring a privileged "Rotation Account" on the resource.
+
+To learn more about how to configure this, please refer to the [Credential Rotation guide](/documentation/platform/pam/product-reference/credential-rotation).
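Review bot: The frontmatter description promises to cover how to "set up automated credential rotation", but the page only links out to the Credential Rotation guide. Trim the description to adding and configuring resources, or say here where on the resource form the Rotation Account is entered. The failure hint "usually indicating a network firewall issue" could also mention a wrong host, port or database name, since those are the fields the user has just filled in.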
diff --git a/docs/documentation/platform/pam/getting-started/setup.mdx b/docs/documentation/platform/pam/getting-started/setup.mdx
new file mode 100644
index 0000000000..8da9237128
--- /dev/null
+++ b/docs/documentation/platform/pam/getting-started/setup.mdx
@@ -0,0 +1,35 @@
+---
+title: "Setup"
+sidebarTitle: "Setup"
+description: "This guide provides a step-by-step walkthrough for configuring Infisical's Privileged Access Management (PAM). Learn how to deploy a gateway, define resources, and grant your team secure, audited access to critical infrastructure."
+---
+
+Infisical's Privileged Access Management (PAM) solution enables you to provide developers with secure, just-in-time access to your critical infrastructure, such as databases, servers, and web applications. Instead of sharing static credentials, your team can request temporary access through Infisical, which is then brokered through a secure gateway with full auditing and session recording.
+
+Getting started involves a few key components:
+- **Gateways:** A lightweight service you deploy in your own infrastructure to act as a secure entry point to your private resources.
+- **Resources:** The specific systems you want to manage access to (e.g., a PostgreSQL database or an SSH server).
+- **Accounts:** The privileged credentials (e.g., a database user or an SSH user) that Infisical uses to connect to a resource on behalf of a user.
+
+The following steps will guide you through the entire setup process, from deploying your first gateway to establishing a secure connection.
+
+
+
+ Before you can manage any resources, you must deploy an **Infisical Gateway** within your infrastructure. This component is responsible for brokering connections to your private resources.
+
+ [Read the Gateway Deployment Guide](/documentation/platform/gateways/gateway-deployment)
+
+
+ Once the Gateway is active, define a **Resource** in Infisical (e.g., "Production Database"). You will link this resource to your deployed Gateway so Infisical knows how to reach it.
+
+ [Learn about Resources](/documentation/platform/pam/getting-started/resources)
+
+
+ Add **Accounts** to your Resource (e.g., `postgres` or `read_only_user`). These represent the actual PAM users or privileged identities that are utilized when a user connects.
+
+ [Learn about Accounts](/documentation/platform/pam/getting-started/accounts)
+
+
+ Users can now use the Infisical CLI to securely connect to the resource using the defined accounts, with full auditing and session recording enabled.
+
+
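Review bot: In the accounts step, "These represent the actual PAM users or privileged identities" conflicts with accounts.mdx, where an Account is the set of credentials on the Resource, not an Infisical user. Drop "PAM users" and keep wording such as "privileged identities on the resource". The last step tells users to connect with the Infisical CLI but shows no command or link; architecture.mdx mentions `infisical access`, so reference it or link to the CLI docs here.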
diff --git a/docs/documentation/platform/pam/overview.mdx b/docs/documentation/platform/pam/overview.mdx
index a6e0094f51..2b311c48c0 100644
--- a/docs/documentation/platform/pam/overview.mdx
+++ b/docs/documentation/platform/pam/overview.mdx
@@ -1,45 +1,67 @@
---
-title: "Infisical PAM"
+title: "Overview"
sidebarTitle: "Overview"
-description: "Learn how to manage access to resources like databases, servers, and accounts with policy-based controls and approvals."
+description: "Manage and secure access to critical infrastructure like databases and servers with policy-based controls and approvals."
---
Infisical Privileged Access Management (PAM) provides a centralized way to manage and secure access to your critical infrastructure. It allows you to enforce fine-grained, policy-based controls over resources like databases, servers, and more, ensuring that only authorized users can access sensitive systems, and only when they need to.
-### How it Works
+## The PAM Workflow
-Infisical PAM employs a resource-based model to organize and manage access. This model is designed to be intuitive and scalable.
+At its core, Infisical PAM is designed to decouple **user identity** from **infrastructure credentials**. Instead of sharing static passwords or SSH keys, users authenticate with their SSO identity, and Infisical handles the rest.
-#### 1. Create a Resource
+Here is how a typical access lifecycle looks:
-The first step is to define a resource you want to manage. A resource represents a target system, such as a PostgreSQL database. When creating a resource, you'll provide the necessary connection details, like the host and port.
+1. **Discovery**: A user logs into Infisical and sees a catalog of resources (databases, servers) and accounts they are allowed to access.
+2. **Connection**: The user selects a resource and an account (e.g., "Production DB" as `read_only`). They initiate the connection via the Infisical CLI.
+3. **Credential Injection**: Infisical validates the request. If allowed, it establishes a secure tunnel and automatically injects the credentials for the target account. **The user never sees the underlying password or key.**
+4. **Monitoring**: The session is established. All traffic is intercepted, logged, and recorded for audit purposes.
-
+## Core Concepts
-#### 2. Add Accounts to the Resource
+To successfully implement Infisical PAM, it is essential to understand the relationship between the following components:
-Once a resource is created, you can add accounts to it. An account represents a specific set of credentials (e.g., a username and password) that can be used to access the resource. This allows you to manage multiple sets of credentials for a single database or server from one place.
+
+
+ A lightweight service deployed in your network that acts as a secure bridge to your private infrastructure.
+
+
+ The specific target you are protecting (e.g., a PostgreSQL database or an Ubuntu server).
+
+
+ The specific identity on the Resource that the user is trying to access. One Resource can have multiple Accounts.
+
+
-
+### Relationship Model
-### Infisical PAM Features
+The hierarchy is structured as follows:
-#### Session Logging and Auditing
+```mermaid
+graph TD
+ GW[Gateway] --> |Provides Access| DB[Resource: Production DB]
+ GW[Gateway] --> |Provides Access| SRV[Resource: Linux Server]
+
+ DB --> A1[Account: admin]
+ DB --> A2[Account: readonly]
+
+ SRV --> A3[Account: ubuntu]
+```
-- **Session Logging**: All user sessions are extensively logged, providing a detailed and searchable record of activities performed during a session.
-- **Audit Logging**: Every significant event, such as a user starting a session or accessing an account's credentials, is recorded in audit logs. This gives you complete visibility over your project.
+1. **Gateway**: Deployed once per network/VPC. It provides connectivity to all resources in that environment.
+2. **Resource**: Configured within Infisical. It points to a specific IP/Host accessible by the Gateway.
+3. **Account**: Defined under a Resource. Users request access to a specific *Account* on a *Resource*.
-
+## Network Architecture
-#### Automated Credential Rotation
+Infisical PAM uses a secure proxy-based architecture to connect users to resources without direct network exposure.
-Infisical PAM can automatically rotate account credentials to enhance your security posture.
+When a user accesses a resource, their connection is routed securely through a Relay to your self-hosted Gateway, which then connects to the target resource. This ensures zero-trust access without exposing your infrastructure to the public internet.
-Here’s how it works:
-1. **Add a Rotation Account**: On the resource level, you configure a "rotation account." This is a master or privileged account that has the necessary permissions to change the passwords of other accounts on that same resource.
-
+For a deep dive into the technical architecture and security model, see [Architecture](/documentation/platform/pam/architecture).
-2. **Configure Rotation on Accounts**: For each individual account you want to rotate, you can simply enable rotation and set a desired interval (e.g., every 30 days).
-
+## Core Capabilities
-Infisical will then use the rotation account on the resource to automatically update the credentials of the target account at the specified interval, eliminating credential staleness.
+- **[Auditing](/documentation/platform/pam/product-reference/auditing)**: Track and review a comprehensive log of all user actions and system events.
+- **[Session Recording](/documentation/platform/pam/product-reference/session-recording)**: Record and playback user sessions for security reviews, compliance, and troubleshooting.
+- **[Automated Credential Rotation](/documentation/platform/pam/product-reference/credential-rotation)**: Automatically rotate credentials for supported resources to minimize the risk of compromised credentials.
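Review bot: Step 3 of the workflow states in bold "The user never sees the underlying password or key", but auditing.mdx in this same change lists "Fetching session credentials" as an audited action. Clarify who or what fetches the credentials (the Gateway, per step 3 in architecture.mdx) so the two pages do not read as contradictory. "users authenticate with their SSO identity" also presents SSO as the only login method; wording such as "their Infisical identity (e.g., via SSO)" would be safer unless SSO is required for PAM.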
diff --git a/docs/documentation/platform/pam/product-reference/auditing.mdx b/docs/documentation/platform/pam/product-reference/auditing.mdx
new file mode 100644
index 0000000000..e716b7f762
--- /dev/null
+++ b/docs/documentation/platform/pam/product-reference/auditing.mdx
@@ -0,0 +1,23 @@
+---
+title: "Auditing"
+sidebarTitle: "Auditing"
+description: "Learn how Infisical audits all actions across your PAM project."
+---
+
+## What's Audited
+
+Infisical logs a wide range of actions to provide a complete audit trail for your PAM project. These actions include:
+
+- Session Start and End
+- Fetching session credentials
+- Creating, updating, or deleting resources, accounts, folders, and sessions
+
+
+ Please note: Audit logs track metadata about sessions (e.g., start/end times), but not the specific commands executed *within* them. For detailed in-session activity, check out [Session Recording](/documentation/platform/pam/product-reference/session-recording).
+
+
+## Viewing Audit Logs
+
+You can view, search, and filter all events from the **Audit Logs** page within your PAM project.
+
+
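Review bot: The "What's Audited" list names "folders", which no other page in this change introduces, and it does not mention denied access requests or credential rotation events. Define folders or link to where they are documented, and state explicitly whether failed or denied access attempts and rotations are logged, since those are the events a reviewer will look for first.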
diff --git a/docs/documentation/platform/pam/product-reference/credential-rotation.mdx b/docs/documentation/platform/pam/product-reference/credential-rotation.mdx
new file mode 100644
index 0000000000..c3204ff565
--- /dev/null
+++ b/docs/documentation/platform/pam/product-reference/credential-rotation.mdx
@@ -0,0 +1,47 @@
+---
+title: "Credential Rotation"
+sidebarTitle: "Credential Rotation"
+description: "Learn how to automate credential rotation for your PAM resources."
+---
+
+Automated Credential Rotation enhances your security posture by automatically changing the passwords of your accounts at set intervals. This minimizes the risk of compromised credentials by ensuring that even if a password is leaked, it remains valid only for a short period.
+
+## How it Works
+
+When rotation is enabled, Infisical's Gateway connects to the target resource using a privileged "Rotation Account". It then executes the necessary commands to change the password for the target user account to a new, cryptographically secure random value.
+
+## Configuration
+
+Setting up automated rotation requires a two-step configuration: first at the Resource level, and then at the individual Account level.
+
+
+
+ A **Rotation Account** is a master or privileged account that has the necessary permissions to change the passwords of other users on the target system.
+
+ When creating or editing a [Resource](/documentation/platform/pam/getting-started/resources), you must provide the credentials for this privileged account.
+
+ *Example: For a PostgreSQL database, this would typically be the `postgres` superuser or another role with `ALTER ROLE` privileges.*
+
+ 
+
+
+
+ Once the resource has a rotation account configured, you can enable rotation for individual [Accounts](/documentation/platform/pam/getting-started/accounts) that belong to that resource.
+
+ In the account settings:
+ 1. Toggle **Enable Rotation**.
+ 2. Set the **Rotation Interval** (e.g., every 7 days, 30 days).
+
+ 
+
+
+
+## Supported Resources
+
+Automated rotation is currently supported for the following resource types:
+
+- **PostgreSQL**: Requires a user with `ALTER ROLE` permissions.
+
+
+ We are constantly adding support for more resource types.
+
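Review bot: Both the example ("the `postgres` superuser or another role with `ALTER ROLE` privileges") and Supported Resources ("Requires a user with `ALTER ROLE` permissions") describe the requirement as a privilege, but `ALTER ROLE` is a PostgreSQL command; the ability to change another role's password comes from the `CREATEROLE` attribute or superuser status. Name the attribute, and recommend a dedicated rotation role instead of presenting the superuser as the typical choice. The page should also say what happens when a rotation attempt fails and whether sessions already open under the old password are affected.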
diff --git a/docs/documentation/platform/pam/product-reference/session-recording.mdx b/docs/documentation/platform/pam/product-reference/session-recording.mdx
new file mode 100644
index 0000000000..954f2f9928
--- /dev/null
+++ b/docs/documentation/platform/pam/product-reference/session-recording.mdx
@@ -0,0 +1,60 @@
+---
+title: "Session Recording"
+sidebarTitle: "Session Recording"
+description: "Learn how Infisical records and stores session activity for auditing and monitoring."
+---
+
+Infisical PAM provides robust session recording capabilities to help you audit and monitor user activity across your infrastructure.
+
+## How It Works
+
+When a user initiates a session by accessing an account, a recording of the session begins. The Gateway securely caches all recording data in temporary encrypted files on its local system.
+
+Once the session concludes, the gateway transmits the complete recording to the Infisical platform for long-term, centralized storage. This asynchronous process ensures that sessions remain operational even if the connection to the Infisical platform is temporarily lost. After the upload is complete, administrators can search and review the session logs on the Infisical platform.
+
+## What's Captured
+
+The content captured during a session depends on the type of resource being accessed.
+
+
+
+ Infisical captures all queries executed and their corresponding responses, including timestamps for each action.
+
+
+ Infisical captures all commands executed and their corresponding responses, including timestamps for each action.
+
+
+
+## Viewing Recordings
+
+To review session recordings:
+
+1. Navigate to the **Sessions** page in your PAM project.
+2. Click on a session from the list to view its details.
+
+
+
+The session details page provides key information, including the complete session logs, connection status, the user who initiated it, and more.
+
+
+
+### Searching Logs
+
+You can use the search bar to quickly find relevant information:
+
+**Sessions page:** Search across all session logs to locate specific queries or outputs.
+
+
+**Individual session page:** Search within that specific session's logs to pinpoint activity.
+
+
+## FAQ
+
+
+
+ Yes. All session recordings are encrypted at rest by default, ensuring your data is always secure.
+
+
+ Currently, Infisical uses an asynchronous approach where the gateway records the entire session locally before uploading it. This design makes your PAM sessions more resilient, as they don't depend on a constant, active connection to the Infisical platform. We may introduce live streaming capabilities in a future release.
+
+
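Review bot: "What's Captured" says recordings hold every query or command together with its response, so they will contain whatever data the session returned, yet the page only covers encryption at rest. Add who is permitted to view and search recordings and how long they are retained. "How It Works" should also state whether the temporary encrypted files are removed from the Gateway after upload, and what happens to a recording if the Gateway restarts before the upload completes.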
diff --git a/docs/documentation/platform/pam/session-recording.mdx b/docs/documentation/platform/pam/session-recording.mdx
deleted file mode 100644
index e9061430c4..0000000000
--- a/docs/documentation/platform/pam/session-recording.mdx
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: "Session Recording"
-sidebarTitle: "Session Recording"
-description: "Learn how Infisical records and stores session activity for auditing and monitoring."
----
-
-Infisical's Privileged Access Management (PAM) provides robust session recording capabilities to help you audit and monitor user activity across your infrastructure.
-
-## How It Works
-
-When a user initiates a session through the Infisical Gateway, a recording of the session begins. The gateway securely caches all recording data in temporary encrypted files on its local system.
-
-Once the session concludes, the gateway transmits the complete recording to the Infisical platform for long-term, centralized storage. This asynchronous process ensures that sessions remain operational even if the connection to the Infisical platform is temporarily lost. After the upload is complete, administrators can search and review the session logs in the Infisical UI.
-
-## What's Captured
-
-The content captured during a session depends on the type of resource being accessed.
-
-### Database Sessions
-
-For database connections, Infisical captures all queries executed and their corresponding responses.
-
-
-Support for additional resource types like SSH, RDP, Kubernetes, and MCP is coming soon.
-
-
-## Viewing Recordings
-
-To review session recordings:
-
-1. Navigate to the **PAM Sessions** page in your project.
-2. Click on a session from the list to view its details.
-
-
-
-The session details page provides key information, including the complete session logs, connection status, the user who initiated it, and more.
-
-
-
-### Searching Logs
-
-You can use the search bar to quickly find relevant information:
-
-- **On the main Sessions page:** Search across all session logs to locate specific queries or outputs.
-- **On an individual session page:** Search within that specific session's logs to pinpoint activity.
-
-
-
-
-
-## FAQ
-
-
-
- Yes. All session recordings are encrypted at rest by default, ensuring your audit data is always secure.
-
-
- Currently, Infisical uses an asynchronous approach where the gateway records the entire session locally before uploading it. This design makes your PAM sessions more resilient, as they don't depend on a constant, active connection to the Infisical platform. We may introduce live streaming capabilities in a future release.
-
-
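Review bot: Deleting this page removes the URL /documentation/platform/pam/session-recording, and the only docs.json hunk in this change swaps the nav entry without adding a redirect to product-reference/session-recording. Add a redirect so existing links keep working. The removed note "Support for additional resource types like SSH, RDP, Kubernetes, and MCP is coming soon." has no replacement in the new page; if server sessions are now recorded, list the supported resource types there explicitly.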
diff --git a/docs/images/pam/architecture/session-logging.png b/docs/images/pam/architecture/session-logging.png
new file mode 100644
index 0000000000..cc64aad4a1
Binary files /dev/null and b/docs/images/pam/architecture/session-logging.png differ
diff --git a/docs/images/pam/getting-started/accounts/add-account-button.png b/docs/images/pam/getting-started/accounts/add-account-button.png
new file mode 100644
index 0000000000..7ff6c459ed
Binary files /dev/null and b/docs/images/pam/getting-started/accounts/add-account-button.png differ
diff --git a/docs/images/pam/getting-started/accounts/create-account.png b/docs/images/pam/getting-started/accounts/create-account.png
new file mode 100644
index 0000000000..af79dc365a
Binary files /dev/null and b/docs/images/pam/getting-started/accounts/create-account.png differ
diff --git a/docs/images/pam/getting-started/accounts/select-resource.png b/docs/images/pam/getting-started/accounts/select-resource.png
new file mode 100644
index 0000000000..cba352726e
Binary files /dev/null and b/docs/images/pam/getting-started/accounts/select-resource.png differ
diff --git a/docs/images/pam/getting-started/resources/add-resource-button.png b/docs/images/pam/getting-started/resources/add-resource-button.png
new file mode 100644
index 0000000000..0769b572c2
Binary files /dev/null and b/docs/images/pam/getting-started/resources/add-resource-button.png differ
diff --git a/docs/images/pam/getting-started/resources/create-resource.png b/docs/images/pam/getting-started/resources/create-resource.png
new file mode 100644
index 0000000000..8477d62971
Binary files /dev/null and b/docs/images/pam/getting-started/resources/create-resource.png differ
diff --git a/docs/images/pam/getting-started/resources/credential-rotation-account.png b/docs/images/pam/getting-started/resources/credential-rotation-account.png
new file mode 100644
index 0000000000..f44e5e6709
Binary files /dev/null and b/docs/images/pam/getting-started/resources/credential-rotation-account.png differ
diff --git a/docs/images/pam/getting-started/resources/rotate-credentials-account.png b/docs/images/pam/getting-started/resources/rotate-credentials-account.png
new file mode 100644
index 0000000000..8c9113b9be
Binary files /dev/null and b/docs/images/pam/getting-started/resources/rotate-credentials-account.png differ
diff --git a/docs/images/pam/getting-started/resources/select-resource-type.png b/docs/images/pam/getting-started/resources/select-resource-type.png
new file mode 100644
index 0000000000..e14b2ab3a8
Binary files /dev/null and b/docs/images/pam/getting-started/resources/select-resource-type.png differ
diff --git a/docs/images/pam/overview/create-account.png b/docs/images/pam/overview/create-account.png
deleted file mode 100644
index 34f1c74346..0000000000
Binary files a/docs/images/pam/overview/create-account.png and /dev/null differ
diff --git a/docs/images/pam/overview/create-resource.png b/docs/images/pam/overview/create-resource.png
deleted file mode 100644
index ac34b9dca8..0000000000
Binary files a/docs/images/pam/overview/create-resource.png and /dev/null differ
diff --git a/docs/images/pam/overview/credential-rotation-account.png b/docs/images/pam/overview/credential-rotation-account.png
deleted file mode 100644
index 5e379eccc8..0000000000
Binary files a/docs/images/pam/overview/credential-rotation-account.png and /dev/null differ
diff --git a/docs/images/pam/overview/rotate-credentials-account.png b/docs/images/pam/overview/rotate-credentials-account.png
deleted file mode 100644
index 3c908cd49c..0000000000
Binary files a/docs/images/pam/overview/rotate-credentials-account.png and /dev/null differ
diff --git a/docs/images/pam/overview/session-page.png b/docs/images/pam/overview/session-page.png
deleted file mode 100644
index 5c2fa41cf5..0000000000
Binary files a/docs/images/pam/overview/session-page.png and /dev/null differ
diff --git a/docs/images/pam/product-reference/auditing/audit-logs.png b/docs/images/pam/product-reference/auditing/audit-logs.png
new file mode 100644
index 0000000000..f8e9d8b3bc
Binary files /dev/null and b/docs/images/pam/product-reference/auditing/audit-logs.png differ
diff --git a/docs/images/pam/product-reference/session-recording/individual-session-page-search.png b/docs/images/pam/product-reference/session-recording/individual-session-page-search.png
new file mode 100644
index 0000000000..d4f31218d3
Binary files /dev/null and b/docs/images/pam/product-reference/session-recording/individual-session-page-search.png differ
diff --git a/docs/images/pam/product-reference/session-recording/individual-session-page.png b/docs/images/pam/product-reference/session-recording/individual-session-page.png
new file mode 100644
index 0000000000..2efd603126
Binary files /dev/null and b/docs/images/pam/product-reference/session-recording/individual-session-page.png differ
diff --git a/docs/images/pam/product-reference/session-recording/sessions-page-search.png b/docs/images/pam/product-reference/session-recording/sessions-page-search.png
new file mode 100644
index 0000000000..eaebbd70a2
Binary files /dev/null and b/docs/images/pam/product-reference/session-recording/sessions-page-search.png differ
diff --git a/docs/images/pam/product-reference/session-recording/sessions-page.png b/docs/images/pam/product-reference/session-recording/sessions-page.png
new file mode 100644
index 0000000000..4be14838a9
Binary files /dev/null and b/docs/images/pam/product-reference/session-recording/sessions-page.png differ
diff --git a/docs/images/pam/session-recording/individual-session-page-search.png b/docs/images/pam/session-recording/individual-session-page-search.png
deleted file mode 100644
index ce369f5156..0000000000
Binary files a/docs/images/pam/session-recording/individual-session-page-search.png and /dev/null differ
diff --git a/docs/images/pam/session-recording/individual-session-page.png b/docs/images/pam/session-recording/individual-session-page.png
deleted file mode 100644
index 2926caf675..0000000000
Binary files a/docs/images/pam/session-recording/individual-session-page.png and /dev/null differ
diff --git a/docs/images/pam/session-recording/sessions-page-search.png b/docs/images/pam/session-recording/sessions-page-search.png
deleted file mode 100644
index a90cda5871..0000000000
Binary files a/docs/images/pam/session-recording/sessions-page-search.png and /dev/null differ
diff --git a/docs/images/pam/session-recording/sessions-page.png b/docs/images/pam/session-recording/sessions-page.png
deleted file mode 100644
index 8faab291db..0000000000
Binary files a/docs/images/pam/session-recording/sessions-page.png and /dev/null differ