Privileged Access Management (PAM)
Admin rights sitting unwatched are the highest-value target in the building. What privileged access management covers, and the minimum that matters.
CrowdStrike (2026): (figure not preserved on this page) of intrusions are malware-free, where attackers log in
Verizon DBIR (2026): 36% of breaches involved stolen credentials
Microsoft (2023): 99.2% of account-compromise attacks are blocked by MFA
An admin account used for daily email carries the blast radius of the whole tenant into every phishing attempt.
what it is
Privileged access refers to any account with permissions that go beyond standard user access. System administrators, cloud platform owners, database administrators, network engineers, and security operators typically hold privileged access. So does anyone with the ability to provision other accounts, modify security configuration, or access the underlying infrastructure.
Privileged access management is the practice of controlling how that access is held and used. At minimum, it means separating privileged accounts from daily-use accounts, enforcing MFA, and maintaining a log of privileged actions. More mature implementations include dedicated PAM tooling with session recording, just-in-time access provisioning, and credential vaulting.
The core principle is that high-privilege credentials should not be the ones in use during ordinary work, because ordinary work is where exposure happens.
why it accumulates
In smaller environments, the people with admin responsibilities often use their admin accounts for everything. Email, Slack, browsing, and occasional admin tasks all run through the same account. This is practical when there are one or two people doing it, and the habit persists as teams grow.
Privilege spreads through convenience and legacy. A developer gets admin access to configure something; the access isn't reviewed afterward. A temporary elevated grant stays because nobody set a timeline. A shared service account holds admin-level credentials because it was easier to configure.
Without a deliberate PAM practice, the number of accounts holding significant privilege tends to grow over time, while the oversight of those accounts doesn't keep pace.
what it costs you
Admin accounts are valuable targets. A compromised admin credential gives an attacker the ability to read data, modify configurations, create new accounts, and cover tracks. Verizon's DBIR 2026 notes that stolen credentials were involved in 36% of breaches. When those credentials are admin-level, the potential damage extends across every system they govern.
An admin account used for daily work is exposed to the same risks as any daily-use account: phishing, malicious browser extensions, clipboard theft, and accidental credential leakage. The difference is the consequence. A compromised standard user account reaches what that user can reach. A compromised admin account reaches everything the admin can reach.
The audit dimension is also relevant. SOC 2 includes specific controls around privileged access. ISO 27001 addresses access control for privileged user accounts. DORA, applying to financial entities, requires a risk-based approach to ICT access management that extends to privileged access. Demonstrating control over admin accounts is part of any serious access review.
what works
Everything downstream depends on knowing where privilege actually sits, so the work begins with an inventory of every elevated account: admins and superadmins in the directory, the cloud platforms, and the major SaaS tools, plus the service accounts holding admin-level rights that human-focused lists skip. The resulting list is almost always longer than anyone guessed.
MFA coverage on that list is the first thing worth checking. MFA blocks more than 99.2% of account-compromise attacks (Microsoft), and an admin account without it is the highest-privilege access in the environment protected by a password alone. No other single gap concentrates as much risk in one place.
Account separation is the structural control. Each person with admin responsibilities holds two accounts: a standard one for email, chat, and browsing, and a separate admin account used only when elevated access is required. The admin credential then never touches the contexts where phishing, malicious browser extensions, and accidental credential leakage live. Alongside separation, the inventory itself gets pruned: admin grants that accumulated over time and no longer match current responsibilities simply come off.
The last layer is evidence. Dedicated PAM tooling with session recording and just-in-time provisioning sits at the mature end of the spectrum, but most platforms already produce audit logs of admin actions, and enabling and retaining them provides the after-the-fact visibility that separates a controlled privileged environment from a merely trusted one.
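The four steps above (inventory, MFA coverage, separation, pruning, with the audit trail as evidence) can be run as one review over an exported account list. The script below is an added example, not code from the original page or from the consultancy behind it; the CSV rows, the column names, the set of roles counted as privileged and the 90-day staleness threshold are all assumptions constructed for illustration. A real review would export this data from the directory, the cloud platforms and each SaaS admin console and then apply the same checks.

```python
"""Privileged-account review over a constructed inventory export.

Added example. The inventory rows, column names, PRIVILEGED_ROLES and
STALE_AFTER are assumptions for illustration, not a real export.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export: one row per account per system.
# A real export would come from the directory, cloud and SaaS consoles.
INVENTORY_CSV = """\
account,system,role,mfa,kind,has_mailbox,last_admin_action
alice,directory,global_admin,true,human,true,2026-01-15
alice.admin,directory,global_admin,true,human,false,2026-01-20
bob,cloud,owner,false,human,true,2025-04-02
ci-deploy,cloud,owner,false,service,false,2026-01-21
carol,saas-crm,member,true,human,true,
dave.admin,saas-crm,admin,true,human,false,2025-10-01
"""

# Assumption: role names that count as elevated in this environment.
PRIVILEGED_ROLES = {"global_admin", "owner", "admin", "superadmin"}
# Assumption: an elevated grant unused for this long is a pruning candidate.
STALE_AFTER = timedelta(days=90)


def parse_inventory(text):
    """Parse the CSV export into dicts with typed mfa/mailbox/date fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["mfa"] = r["mfa"].lower() == "true"
        r["has_mailbox"] = r["has_mailbox"].lower() == "true"
        r["last_admin_action"] = (date.fromisoformat(r["last_admin_action"])
                                  if r["last_admin_action"] else None)
    return rows


def privileged(rows):
    """Step 1: the inventory of elevated accounts, service accounts included."""
    return [r for r in rows if r["role"] in PRIVILEGED_ROLES]


def mfa_coverage(rows):
    """Step 2: fraction of human elevated accounts protected by MFA."""
    humans = [r for r in privileged(rows) if r["kind"] == "human"]
    return sum(r["mfa"] for r in humans) / len(humans) if humans else 1.0


def review(rows, today):
    """Steps 2-4: return (account, system, finding) tuples for elevated accounts."""
    findings = []
    for r in privileged(rows):
        acct, system = r["account"], r["system"]
        # Human admin without MFA: top privilege behind a password alone.
        if r["kind"] == "human" and not r["mfa"]:
            findings.append((acct, system, "no_mfa"))
        # Separation check: an admin identity that also holds a mailbox is
        # being used for daily work, so phishing reaches the admin credential.
        if r["kind"] == "human" and r["has_mailbox"]:
            findings.append((acct, system, "admin_used_for_daily_work"))
        # Service accounts with admin rights need vaulting/rotation, not MFA.
        if r["kind"] == "service":
            findings.append((acct, system, "service_account_with_admin"))
        # Pruning: an elevated grant never used, or not used recently.
        last = r["last_admin_action"]
        if last is None or today - last > STALE_AFTER:
            findings.append((acct, system, "stale_grant"))
    return findings


def run_review(text=INVENTORY_CSV, today_iso="2026-02-01"):
    """Convenience entry point: returns (findings, coverage) for one export."""
    rows = parse_inventory(text)
    return review(rows, date.fromisoformat(today_iso)), mfa_coverage(rows)


if __name__ == "__main__":
    findings, coverage = run_review()
    print(f"human admin MFA coverage: {coverage:.0%}")
    for acct, system, finding in findings:
        print(f"{system:10} {acct:12} {finding}")
```

The output is the review worksheet: every finding is a concrete action (enrol MFA, create a separate admin identity, vault the service credential, or revoke the grant), and the `last_admin_action` column only exists if the platform's admin audit log is enabled and retained, which is why the evidence layer belongs in the same pass.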
let's start with a conversation
Most first conversations start with not quite knowing what you have or where to begin. That's normal, and it's exactly where we're useful.
Tell us what prompted this. An upcoming audit, an incident, a client's security questionnaire, or just a sense that things have gotten messy.
We'll take it from there.

+48 783 762 997
julian@unshadowit.com