By NHI Mgmt Group Editorial Team
Published 2026-01-13
Domain: Governance & Risk
Source: Delinea

TL;DR: New York DFS has made PAM mandatory for Class A entities and expanded MFA expectations across nearly all access paths under 23 NYCRR Part 500, with annual certification and auditability now central to compliance, according to Delinea. The policy shift turns privileged access governance into a regulatory baseline, not a discretionary hardening measure.


At a glance

What this is: Delinea argues that 23 NYCRR Part 500 now requires PAM and broader MFA enforcement as enforceable cybersecurity baseline controls.

Why it matters: For IAM, PAM, and identity governance teams, the article reframes privileged access as a regulated control surface that must be monitored, certified, and evidenced.

👉 Read Delinea's guide to PAM and MFA compliance under 23 NYCRR Part 500


Context

23 NYCRR Part 500 is New York DFS's cybersecurity regulation for covered financial entities, and its second amendment (adopted in November 2023) shifts privileged access from a best practice to an enforceable control expectation. In practice, the article is about how PAM, MFA, and audit evidence now sit inside the compliance boundary for identity security.

The regulatory pressure matters because privileged accounts are the access layer most likely to be abused for ransomware, insider misuse, and credential theft. For IAM programmes, the key change is not only stronger authentication but also provable control over elevation, monitoring, and review across privileged and third-party access.


Key questions

Q: How should security teams implement PAM for regulated privileged access?

A: Start by inventorying every privileged path, then classify which accounts, sessions, and elevation events fall under regulatory scope. Enforce least privilege, require MFA at use, record sessions, and produce evidence that shows the control operated in practice, not only on paper.

Q: Why do privileged access controls fail when MFA only covers vault checkout?

A: Because the security decision is made too early. An attacker or insider can still use the credential later, so MFA must follow the session and elevation path. Regulated environments need assurance at the point where privilege is exercised, not just where the secret is stored.

Q: How can organisations prove privileged activity is actually governed?

A: By combining access reviews, session recording, command logging, and exception approval records into one evidence chain. If an auditor cannot reconstruct who used privilege, when it was used, and why it was allowed, the programme is not yet governed enough for regulated review.

Q: Who is accountable when privileged access controls do not meet Part 500 expectations?

A: Accountability sits with the named control owners, the CISO, and the highest-ranking officer responsible for annual certification. The programme must therefore produce defensible evidence, clear exceptions, and measurable control coverage that senior leadership can stand behind.


Technical breakdown

Why Part 500 treats privileged access as a control plane

Part 500's access privilege requirements (§500.7) assume that privileged accounts are the highest-risk path into systems and sensitive data. That is why the amendment ties least privilege, annual access review, central oversight, and MFA together rather than treating them as separate hygiene tasks. In practical terms, the regulation is describing a control plane where identity, elevation, and auditability must be connected. For Class A entities, which must deploy a PAM solution, this is not an architecture preference. It is now the minimum compliance pattern for privileged operations.

Practical implication: map every privileged workflow to a named control owner, an audit trail, and an annual review record.

Why vault-only MFA is not enough for regulated privilege use

The article makes a useful distinction between MFA at the vault, MFA at session start, MFA on the server, and MFA at privilege elevation. That matters because an attacker or internal user can bypass controls that exist only at the point of credential retrieval: once the secret has been checked out, nothing re-verifies the person who later uses it. Regulated privilege use requires the identity to be verified where the privilege is actually exercised, not only where the secret is stored, which is the reading of the MFA requirement (§500.12) the article argues for. In other words, the trust decision must follow the access path, not stop at the vault.

Practical implication: enforce MFA at elevation and session initiation, not just at secret checkout.

How session recording turns PAM into audit evidence

The compliance value of PAM under Part 500 is not limited to blocking access. Session recording, command-level logging, and secure retention create evidence that regulators and internal auditors can use to reconstruct privileged activity. The article also points to anomaly detection and SIEM integration, which turns PAM into a monitoring source rather than a point control. That combination matters because DFS expects not just prevention but demonstrable governance over privileged behaviour.

Practical implication: retain privileged session records in a form that supports investigations, attestations, and board reporting.
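As an added illustration, not code from Delinea's article or from the NHI Mgmt Group, the script below turns the two points above into a check: it reassembles privileged sessions from a PAM or SIEM event export, records at which stages MFA was actually verified (vault, session start, elevation), and flags the gaps a reviewer would ask about, including the "MFA only at checkout" pattern. The event names, field names and the three sample sessions are constructed for this example and do not follow any vendor's schema.

```python
"""Reassemble privileged sessions from PAM/SIEM events and flag the gaps a
Part 500 review would ask about: MFA that stopped at the vault, elevation
without approval, unrecorded sessions, and credential paths the vault never saw."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample export (JSON lines). Event names and fields are assumptions
# for this example, not any PAM product's real schema. Three sessions: one fully
# governed, one vendor session where MFA happened only at vault checkout, and
# one that never touched the vault at all.
SAMPLE_EVENTS = """
{"ts":"2026-01-12T09:00:01Z","session_id":"s-1001","user":"alice","event":"vault_checkout","account":"root@db01","mfa":true}
{"ts":"2026-01-12T09:00:20Z","session_id":"s-1001","user":"alice","event":"session_start","target":"db01","mfa":true,"recorded":true}
{"ts":"2026-01-12T09:01:05Z","session_id":"s-1001","user":"alice","event":"elevation","mfa":true,"approval_ref":"CHG-4412"}
{"ts":"2026-01-12T09:01:07Z","session_id":"s-1001","user":"alice","event":"command","cmd":"systemctl restart postgresql"}
{"ts":"2026-01-12T09:05:00Z","session_id":"s-1001","user":"alice","event":"session_end"}
{"ts":"2026-01-12T14:30:00Z","session_id":"s-1002","user":"vendor-bob","event":"vault_checkout","account":"admin@app07","mfa":true}
{"ts":"2026-01-12T22:10:00Z","session_id":"s-1002","user":"vendor-bob","event":"session_start","target":"app07","mfa":false,"recorded":false}
{"ts":"2026-01-12T22:11:30Z","session_id":"s-1002","user":"vendor-bob","event":"elevation","mfa":false,"approval_ref":null}
{"ts":"2026-01-12T22:11:40Z","session_id":"s-1002","user":"vendor-bob","event":"command","cmd":"useradd -m -G wheel svc-backup2"}
{"ts":"2026-01-12T22:12:00Z","session_id":"s-1002","user":"vendor-bob","event":"session_end"}
{"ts":"2026-01-12T16:00:00Z","session_id":"s-1003","user":"carol","event":"session_start","target":"fw01","mfa":true,"recorded":true}
{"ts":"2026-01-12T16:00:30Z","session_id":"s-1003","user":"carol","event":"command","cmd":"show running-config"}
{"ts":"2026-01-12T16:01:00Z","session_id":"s-1003","user":"carol","event":"session_end"}
"""


@dataclass
class Session:
    session_id: str
    user: str = ""
    account: Optional[str] = None          # credential brokered by the vault, if any
    target: Optional[str] = None
    start: Optional[str] = None
    end: Optional[str] = None
    recorded: bool = False
    mfa_points: Set[str] = field(default_factory=set)   # stages where MFA was verified
    elevations: List[dict] = field(default_factory=list)
    commands: List[tuple] = field(default_factory=list)


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines and order them by session, then by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: (e["session_id"], e["ts"]))


def reconstruct_sessions(events: List[dict]) -> Dict[str, Session]:
    """Fold the event stream into one Session object per session_id."""
    sessions: Dict[str, Session] = {}
    for e in events:
        s = sessions.setdefault(e["session_id"], Session(e["session_id"]))
        s.user = e["user"]
        kind = e["event"]
        if kind == "vault_checkout":
            s.account = e["account"]
            if e.get("mfa"):
                s.mfa_points.add("vault")
        elif kind == "session_start":
            s.target, s.start, s.recorded = e["target"], e["ts"], bool(e.get("recorded"))
            if e.get("mfa"):
                s.mfa_points.add("session")
        elif kind == "elevation":
            s.elevations.append({"ts": e["ts"], "mfa": bool(e.get("mfa")),
                                 "approval_ref": e.get("approval_ref")})
            if e.get("mfa"):
                s.mfa_points.add("elevation")
        elif kind == "command":
            s.commands.append((e["ts"], e["cmd"]))
        elif kind == "session_end":
            s.end = e["ts"]
    return sessions


def check_session(s: Session) -> List[str]:
    """Return the control gaps for one session, sorted and de-duplicated."""
    gaps = set()
    if s.account is None:
        gaps.add("no_vault_checkout")               # standing or shared credential path
    if "session" not in s.mfa_points:
        gaps.add("mfa_missing_at_session_start")     # MFA at checkout is not MFA at use
    if not s.recorded:
        gaps.add("session_not_recorded")             # nothing to reconstruct for the audit trail
    for el in s.elevations:
        if not el["mfa"]:
            gaps.add("elevation_without_mfa")        # privilege exercised without re-verification
        if not el["approval_ref"]:
            gaps.add("elevation_without_approval")   # no exception/change record to tie it to
    return sorted(gaps)


def audit_report(text: str) -> Dict[str, List[str]]:
    """Map each session_id to its gap list (an empty list means fully evidenced)."""
    return {sid: check_session(s) for sid, s in reconstruct_sessions(parse_events(text)).items()}


def evidence_chain(s: Session) -> str:
    """Render the who / which account / when / under what approval line an auditor asks for."""
    approvals = ",".join(el["approval_ref"] or "NONE" for el in s.elevations) or "n/a"
    cmds = "; ".join(c for _, c in s.commands) or "(none)"
    return (f"{s.session_id}: {s.user} -> {s.account or 'unbrokered'} on {s.target} "
            f"[{s.start} .. {s.end}] mfa@{sorted(s.mfa_points) or 'none'} "
            f"approvals={approvals} recorded={s.recorded} commands={cmds}")


if __name__ == "__main__":
    for sid, s in reconstruct_sessions(parse_events(SAMPLE_EVENTS)).items():
        print(evidence_chain(s))
        print("  gaps:", check_session(s) or "none")
```

On the sample data, s-1001 produces no gaps, s-1002 shows the vault-only MFA failure mode (MFA at checkout, none at session start or elevation, no approval, no recording), and s-1003 shows a session the vault never brokered, which is the kind of standing-credential path an inventory of privileged workflows is meant to surface. The same reconstruction that drives the checks also produces the one-line evidence chain, which is the point: the audit artefact and the control check come from the same data.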


Threat narrative

Attacker objective: The objective is to use privileged access to reach critical systems or sensitive data while avoiding timely detection and accountability.

  1. Entry begins when privileged access is obtained through weakly governed credentials, insufficient MFA enforcement, or third-party access paths that are not tightly controlled.
  2. Escalation occurs when standing privileges, incomplete session oversight, or unchecked privilege elevation allow the actor to move from access to administrative action.
  3. Impact follows when privileged misuse leads to ransomware, insider abuse, credential theft, regulatory failure, or inability to reconstruct activity for response and reporting.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Part 500 turns privileged access from an internal policy issue into a regulated identity control surface. The article is right to emphasise that PAM is no longer optional for Class A entities, because DFS has converted privileged access into a baseline expectation for accountability, monitoring, and review. That shifts the programme conversation from tool selection to evidencing control effectiveness. The practitioner conclusion is that privileged access governance now has to stand up in regulatory review, not just security review.

MFA requirements under Part 500 expose a common governance blind spot: verifying the credential is not the same as governing the privilege. The regulation's focus on MFA at access, session, and elevation points shows that a single control point does not satisfy the risk model. This is especially relevant where organisations still treat vault checkout as the main assurance boundary. The practitioner conclusion is that access path design, not only authentication strength, determines compliance credibility.

Identity auditability is now part of the control itself, not a downstream reporting exercise. Section 500.6 and the monitoring provisions make logging, command reconstruction, and secure retention core evidence for cybersecurity due diligence. That means PAM programmes have to produce artefacts that can be consumed by DFS, auditors, and incident responders without manual reconstruction. The practitioner conclusion is that audit trails must be designed as operational evidence from day one.

Third-party privileged access is the governance pressure point most organisations still under-prepare for. The article's mapping of Part 500 to vendor and contractor oversight shows that regulated entities must extend privilege controls beyond internal administrators. That aligns with the wider identity governance problem of inherited trust across service providers. The practitioner conclusion is that offboarding, review, and monitoring of external privileged access need the same discipline as employee access.

Privileged access is now a board and executive accountability issue, not just an IAM implementation detail. The annual certification requirement changes the programme from a technical control set to a governed assurance process with named accountable officers. That increases the importance of defensible metrics, evidence quality, and exception handling. The practitioner conclusion is that IAM leaders need a compliance narrative that senior management can certify without ambiguity.

What this signals

Identity blast radius: as privileged access becomes a regulated control surface, the programme risk is no longer whether MFA exists somewhere in the stack but whether every elevation path is measurable and certifiable. Teams that cannot reconstruct privileged use will struggle to satisfy both auditors and incident responders, especially where third-party access is involved.

The wider signal is that regulatory expectations are converging on evidence-rich identity governance, not just access policy. If privileged session records, access reviews, and exception approvals cannot be tied together, the operating model is too fragmented for modern compliance.

For identity leaders, this is the point to align Part 500 control design with the Ultimate Guide to NHIs, Regulatory and Audit Perspectives, and the NIST Cybersecurity Framework 2.0 so that auditability and operational response are built into the same workflow.


For practitioners

  • Map all privileged workflows to Part 500 control points. Document where access is granted, where elevation occurs, where MFA is enforced, and where the session is recorded. Then confirm each path has an owner and an evidence trail that can support annual certification.
  • Enforce MFA at the point of privilege use. Do not rely on vault checkout alone. Require MFA at session initiation, server login, and privilege elevation so that the assurance follows the access path rather than stopping at the secret repository.
  • Separate internal and third-party privileged oversight. Track contractor and vendor admin access as a distinct review population. Apply the same logging, approval, and offboarding discipline to external privileged sessions that you apply to employee admins.
  • Build audit-ready session evidence. Retain command-level logs, recordings, and exception approvals in a form that allows investigations, DFS notifications, and annual attestations without manual reconstruction.
  • Prepare certification packs for executives. Assemble a recurring evidence set that shows PAM operation, MFA coverage, access review completion, and exception handling so the CISO and highest-ranking officer can certify with confidence.

Key takeaways

  • Part 500 now treats privileged access as a regulated control surface, which moves PAM from best practice into compliance baseline territory.
  • The practical risk is not only weak authentication but weak evidence, because DFS expects organisations to prove how privilege was granted, used, and reviewed.
  • Teams that cannot enforce MFA at the point of privilege use and preserve audit-ready session records will struggle to certify compliance credibly.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 equivalent was PR.AC-4) | Access permissions are managed under least privilege and separation of duties, which is central to Part 500 PAM requirements.
OWASP Non-Human Identity Top 10 | NHI3:2025 (Vulnerable Third-Party NHI) | Third-party identities with privileged reach map to the article's emphasis on vendor and contractor access oversight.
NIST SP 800-63B | AAL2 | MFA expectations under Part 500 align with the multi-factor assurance level defined for authenticated access.

Use phishing-resistant MFA patterns where possible (SP 800-63B requires phishing resistance at AAL3 and permits it at AAL2) and document exceptions tightly for regulated access.


Key terms

  • Privileged Access Management: Privileged Access Management is the set of controls used to restrict, monitor, and evidence high-risk administrative access. In regulated environments it is not just about blocking abuse, but about proving who had elevated access, when it was used, and whether it was approved and reviewed appropriately.
  • Just-in-time privilege: Just-in-time privilege is temporary access granted only when a task requires it and removed when the task is complete. For regulated identity programmes, the value is not only reduced standing exposure, but also clearer evidence that elevation was intentional, scoped, and time-bound.
  • Privileged session recording: Privileged session recording captures administrative activity so it can be reviewed, investigated, and reconstructed later. It becomes an audit and response asset when paired with secure retention, command logging, and identity context that ties the session back to the person or system using it.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Delinea: PAM at the center of 23 NYCRR Part 500 compliance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org