Privileged Access Management: The Security Discipline That Catches What Standard IAM Misses

Standarity Editorial Team · PAM Practitioners
7 min read

Standard identity and access management handles ordinary users adequately — directory services, SSO, MFA, role-based access. Privileged access is different. Administrators with broad system permissions, service accounts with persistent credentials, break-glass accounts for emergency access, database administrators with direct query rights, cloud root accounts with no recovery path. Each of these is a concentrated risk that ordinary IAM controls do not adequately address, and the security industry has converged on Privileged Access Management as the dedicated discipline.

Why Privileged Access Is Different

A standard user account compromise typically gives an attacker the user's access — meaningful but bounded. A privileged account compromise typically gives an attacker substantial portions of the environment. The asymmetry in blast radius means privileged accounts need disproportionately strong controls. Standard IAM controls — SSO, MFA, periodic password rotation — are necessary but not sufficient for privileged access. Additional disciplines are needed: credential vaulting, session recording, just-in-time provisioning, additional approval workflows, ongoing monitoring of privileged sessions for anomalous behaviour.

The Core PAM Capabilities

Credential vaulting — privileged credentials stored in a hardened vault rather than in personal password managers or in users' heads, with the vault handling rotation and check-out. Session recording — privileged sessions captured for after-the-fact review and forensics. Just-in-time access — privileged rights granted only when needed and revoked when the task completes or the window expires. Approval workflows — elevation is granted through an explicit, recorded approval rather than standing rights, with break-glass access as the audited exception for genuine emergencies. Discovery — finding privileged accounts that exist outside the PAM programme. Each of these is its own capability; the PAM platforms (CyberArk, BeyondTrust, Delinea, and others) bundle them into integrated products.

Service Accounts: The Underrated Category

Service accounts — non-human accounts used by applications, services, and automation — often hold privileged access with persistent credentials that rarely rotate. They are also the category most consistently underinvested in. Service account credentials hardcoded in scripts. Service accounts with broad permissions because nobody scoped them tighter. Service accounts that were created for a long-gone project and continue to operate. Strong PAM programmes inventory service accounts deliberately, rotate their credentials through the vault, and review their permissions against actual use. Programmes that focus on human privileged users while neglecting service accounts leave material exposure in the underrated category.

A pattern in breach investigations: the entry point was a service account whose credentials had been hardcoded in a script in a repository, the credentials had not rotated in years, and the account had broader permissions than the original use case required. Each of these is addressable individually; together they constitute a class of risk that human-focused PAM does not address. Service account discipline is part of mature PAM, not adjacent to it.
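The three conditions in that breach pattern can each be checked mechanically. The following is an added example, not code from the original article or from any PAM vendor: it scans a constructed set of repository files for hardcoded credentials, flags service accounts whose credentials have not rotated inside a policy window, and reports permissions beyond each account's documented purpose. The inventory schema, the regex heuristics, the file contents and the account names are all assumptions constructed for the example; only the AWS access key ID format (AKIA followed by 16 upper-case alphanumerics) is a published format.

```python
"""Service-account hygiene check over constructed sample data (added example).

Checks the three findings from the breach pattern above:
  1. credentials hardcoded in repository files,
  2. credentials not rotated within the policy window,
  3. permissions broader than the account's documented purpose.
The repository contents, inventory schema and account names are constructed
for this example; the regexes are heuristics, not a vendor's rule set.
"""
import re
from datetime import date, timedelta

# Constructed repository contents: path -> file text.
REPO_FILES = {
    "deploy/backup.sh": 'export DB_PASSWORD="Sup3rS3cret!"\npg_dump -U svc_backup prod\n',
    "ci/push.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "README.md": "Set DB_PASSWORD in the vault, never in code.\n",
}

# Constructed service-account inventory (in practice: discovery output / vault export).
INVENTORY = [
    {"name": "svc_backup", "last_rotated": date(2021, 3, 1),
     "permissions": ["db:read:prod", "db:write:prod", "iam:*"],
     "purpose_permissions": ["db:read:prod"]},
    {"name": "svc_metrics", "last_rotated": date(2024, 5, 20),
     "permissions": ["metrics:read"],
     "purpose_permissions": ["metrics:read"]},
]

# Date the report is run for; fixed so the example is deterministic.
REPORT_DATE = date(2024, 6, 1)

# Hardcoded-credential patterns. The AWS access key ID format is public; the
# assignment pattern is a heuristic for NAME = "value" style secrets.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|token)\s*=\s*[\"'][^\"']{6,}[\"']"),
}


def scan_hardcoded(files):
    """Return (path, line_no, pattern_name) for each hardcoded-credential hit."""
    hits = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path, line_no, name))
    return hits


def stale_credentials(inventory, today, max_age_days=90):
    """Names of accounts whose credential is older than the rotation window."""
    cutoff = today - timedelta(days=max_age_days)
    return [a["name"] for a in inventory if a["last_rotated"] < cutoff]


def overprivileged(inventory):
    """Map account name -> permissions beyond its documented purpose.

    A wildcard permission is always reported, even if it was 'documented'."""
    result = {}
    for a in inventory:
        extra = sorted(p for p in a["permissions"]
                       if p not in a["purpose_permissions"] or "*" in p)
        if extra:
            result[a["name"]] = extra
    return result


def report(files=REPO_FILES, inventory=INVENTORY, today=REPORT_DATE):
    """Combine the three checks into one findings dictionary."""
    return {
        "hardcoded": scan_hardcoded(files),
        "stale": stale_credentials(inventory, today),
        "overprivileged": overprivileged(inventory),
    }


if __name__ == "__main__":
    for section, findings in report().items():
        print(f"{section}: {findings}")
```

The point of running all three together is that the same account (svc_backup here) shows up in every list; that intersection is the account to bring into the vault first. In a real programme the repository scan runs in CI as a pre-commit or pipeline gate, the rotation check reads the vault's last-rotation timestamps, and the permission baseline comes from the access review, not from a hand-written dictionary.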

Cloud Privileged Access

Cloud platforms have introduced new categories of privileged access — the root user on AWS, the Owner role and Global Administrator on Azure, Organization Administrator and Billing Account Administrator on GCP. The blast radius is substantial because cloud privileges can affect billing, infrastructure, identity providers, and downstream services. Root and equivalent accounts belong in the vault with hardware MFA and no long-lived access keys, used only for the handful of tasks that genuinely require them. Below that tier, the problem is the sprawl of roles, policies and assumable identities whose effective permissions are hard to see; Cloud Infrastructure Entitlement Management (CIEM) platforms have emerged specifically for this dimension, often as extensions of PAM or as standalone offerings. For organisations operating significant cloud infrastructure, CIEM is increasingly necessary alongside traditional PAM.

Implementation Pattern That Holds Up

Start with discovery — find the privileged accounts that exist, both known and forgotten. Bring the highest-risk accounts into the vault first — domain administrators, cloud root accounts, database administrators on sensitive systems. Implement session recording on the in-scope accounts. Add just-in-time provisioning for break-glass and routine elevated access, so that standing privileged rights shrink with each account onboarded. Extend coverage progressively to service accounts, application-level privileged access, and cloud entitlements. Each stage produces value; trying to implement everything simultaneously produces an overburdened programme that stalls.

Components of a Programme That Earns Its Cost

  • Inventory of privileged accounts across human and service categories
  • Vault-managed credentials for privileged accounts with rotation enforced
  • Session recording on privileged sessions with retention appropriate to forensic needs
  • Just-in-time provisioning for break-glass and emergency access
  • Approval workflows for elevated privileged actions
  • Discovery process running continuously to find new privileged accounts
  • Integration with security monitoring — privileged actions feed the SIEM with correlation rules
  • Cloud entitlement management for cloud-specific privileged categories
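The just-in-time provisioning step in the implementation pattern and the SIEM integration item in the list above meet in one correlation rule: a privileged logon that no approved grant covers. The following is an added example, not the article's own or any PAM or SIEM product's rule: it issues time-boxed grants that require a named approver, then runs a few constructed authentication log lines against the grant list and alerts on privileged logons outside any active window. The key=value log format, the grant schema, the account and host names and the maximum grant length are assumptions constructed for the example.

```python
"""Correlate privileged logons against just-in-time grants (added example).

Inputs are constructed: a grant list in the shape a PAM platform might export
and a few auth log lines in a simple key=value format. Neither format belongs
to a real vendor. The rule fires when an account in PRIVILEGED_ACCOUNTS logs on
with no approved grant covering that account, host and timestamp.
"""
from datetime import datetime, timedelta

PRIVILEGED_ACCOUNTS = {"da-alice", "brk-glass-01", "svc_backup"}
MAX_GRANT = timedelta(hours=4)  # assumed policy: no elevation longer than this


def issue_grant(account, host, approver, start, duration):
    """Approval-workflow stub: a grant needs an approver and a bounded window."""
    if not approver:
        raise ValueError("elevation requires a named approver")
    if duration > MAX_GRANT:
        raise ValueError("grant exceeds policy maximum")
    return {"account": account, "host": host, "approver": approver,
            "start": start, "end": start + duration}


# Constructed grants: da-alice approved on dc01 from 09:00 to 11:00 only.
GRANTS = [
    issue_grant("da-alice", "dc01", "secops-bob",
                datetime(2024, 6, 1, 9, 0), timedelta(hours=2)),
]

# Constructed auth log lines. A real feed would be Windows 4624/4672 events,
# sshd logs, or the PAM appliance's own session-start events.
LOG_LINES = [
    "ts=2024-06-01T09:15:00 event=logon user=da-alice host=dc01 src=10.1.1.5",
    "ts=2024-06-01T12:30:00 event=logon user=da-alice host=dc01 src=10.1.1.5",
    "ts=2024-06-01T03:02:00 event=logon user=brk-glass-01 host=db07 src=203.0.113.9",
    "ts=2024-06-01T10:00:00 event=logon user=carol host=ws22 src=10.1.2.7",
]


def parse_line(line):
    """Parse one key=value log line; the timestamp becomes a datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def covering_grant(grants, account, host, ts):
    """Return the grant that authorises this logon, or None."""
    for g in grants:
        if (g["account"] == account and g["host"] == host
                and g["start"] <= ts <= g["end"]):
            return g
    return None


def detect_unapproved_privileged_logons(lines, grants=GRANTS,
                                        privileged=PRIVILEGED_ACCOUNTS):
    """Alert on privileged logons that fall outside every approved JIT window."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["event"] != "logon" or ev["user"] not in privileged:
            continue  # ordinary users are out of scope for this rule
        if covering_grant(grants, ev["user"], ev["host"], ev["ts"]) is None:
            alerts.append({"user": ev["user"], "host": ev["host"],
                           "ts": ev["ts"].isoformat(), "src": ev["src"],
                           "reason": "privileged logon with no active JIT grant"})
    return alerts


if __name__ == "__main__":
    for alert in detect_unapproved_privileged_logons(LOG_LINES):
        print(alert)
```

Of the four lines, only the 09:15 logon is authorised: the 12:30 logon by the same administrator is outside the approved window, and the break-glass account has no grant at all. The rule deliberately alerts on the second case rather than suppressing it, because break-glass use without a corresponding ticket or approval is exactly what the session-recording and review controls exist to catch; the grant list is the ground truth the SIEM correlates against, so it must be fed from the PAM platform, not maintained by hand.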
