TL;DR: Privileged access management reduces blast radius by limiting standing access, enforcing just-in-time credentials, and adding session monitoring, according to Opal Security and Verizon breach data. The real issue is that privileged identity sprawl outpaces human-scale governance, so access review alone is not enough.
NHIMG editorial — based on content published by Opal Security: Privileged Access Management, Gatekeeping for the Greater Good
By the numbers:
- Some 32% of reported incidents were related to privilege misuse.
Questions worth separating out
Q: How should security teams reduce risk from privileged accounts that never seem to go away?
A: They should treat standing privilege as a temporary exception, not a baseline entitlement.
Q: Why do service accounts create so much governance risk?
A: Service accounts often hold broad permissions, run unattended, and persist long after the integration that created them has changed.
Q: What breaks when privileged access is not monitored at the session level?
A: You lose evidence of what the credential actually did, which makes misuse harder to detect, investigate, and attribute.
Practitioner guidance
- Inventory every privileged identity class: map superuser, domain admin, local admin, application, emergency, service, and vendor accounts so ownership and authority are explicit.
- Replace standing privileged secrets with task-scoped access: use just-in-time credentials for administrative work where operationally possible, with automatic expiry after the approved task completes.
- Remove interactive use from service accounts: prevent service accounts from being used like human admin logins and narrow their network reach to only the systems they truly need.
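The three guidance items above are a procedure, and the part that usually goes wrong is verification: a grant expires on paper but the role stays in the directory, or a service account quietly starts being used from a jump host. The following added example (not Opal Security's code, and not from the source article) models a just-in-time grant ledger with a hard TTL and a revocation sweep, then runs two checks against it: which directory roles no active grant explains (standing privilege), and which logon events show a service account used interactively. Account names, the 4-hour TTL cap, the directory snapshot and the logon events are all constructed for illustration; the interactive logon-type set follows Windows Security event 4624 conventions.

```python
"""Added example: JIT grant ledger plus standing-privilege and
service-account misuse checks. Sample accounts, roles and events below
are constructed, not real data; the 4h TTL cap is an assumed policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility

# Windows 4624 logon types that mean someone sat at a console/RDP session.
# A well-behaved service account should only show type 4 (batch) or 5 (service).
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str   # "human", "service", "emergency", "vendor", ... (the inventory classes)
    owner: str  # a named person or team, never blank


@dataclass
class Grant:
    account: str
    role: str
    reason: str            # ticket or justification supplied at request time
    approved_at: datetime
    ttl: timedelta
    revoked_at: Optional[datetime] = None

    @property
    def expires_at(self) -> datetime:
        return self.approved_at + self.ttl

    def is_active(self, now: datetime) -> bool:
        return self.revoked_at is None and now < self.expires_at


class JitLedger:
    """Every elevation is a Grant with a reason and a hard TTL; nothing is standing."""
    MAX_TTL = timedelta(hours=4)  # assumed policy cap on a single elevation

    def __init__(self) -> None:
        self.grants: list[Grant] = []

    def request(self, account: str, role: str, reason: str,
                now: datetime, ttl: timedelta) -> Grant:
        if not reason.strip():
            raise ValueError("elevation needs a ticket or reason")
        if ttl > self.MAX_TTL:
            raise ValueError(f"ttl {ttl} exceeds policy cap {self.MAX_TTL}")
        grant = Grant(account, role, reason, now, ttl)
        self.grants.append(grant)
        return grant

    def active_roles(self, account: str, now: datetime) -> set[str]:
        return {g.role for g in self.grants if g.account == account and g.is_active(now)}

    def sweep(self, now: datetime) -> int:
        """The revocation job: stamp lapsed grants as revoked, return how many."""
        lapsed = [g for g in self.grants if g.revoked_at is None and now >= g.expires_at]
        for g in lapsed:
            g.revoked_at = now
        return len(lapsed)


def standing_privilege(directory_roles: dict[str, set[str]],
                       ledger: JitLedger, now: datetime) -> dict[str, set[str]]:
    """Privileged roles held in the directory that no active grant explains.
    Anything returned is standing privilege to remove or re-justify."""
    findings: dict[str, set[str]] = {}
    for account, roles in directory_roles.items():
        unexplained = roles - ledger.active_roles(account, now)
        if unexplained:
            findings[account] = unexplained
    return findings


def interactive_service_logons(events: list[dict], accounts: list[Account]) -> list[dict]:
    """Logon events where a service account was used like a human admin login."""
    service_names = {a.name for a in accounts if a.kind == "service"}
    return [e for e in events
            if e["account"] in service_names and e["logon_type"] in INTERACTIVE_LOGON_TYPES]


# ---- constructed sample data ----
ACCOUNTS = [
    Account("alice.admin", "human", "alice"),
    Account("svc-backup", "service", "platform-team"),
    Account("breakglass-01", "emergency", "security-oncall"),
]


def demo() -> dict:
    ledger = JitLedger()
    # Alice elevated 6h ago for a 2h task: the grant has lapsed.
    ledger.request("alice.admin", "Domain Admins", "CHG-1042 schema change",
                   NOW - timedelta(hours=6), timedelta(hours=2))
    # svc-backup got a scoped role 30 min ago with a 1h TTL: still valid.
    ledger.request("svc-backup", "Backup Operators", "nightly job",
                   NOW - timedelta(minutes=30), timedelta(hours=1))
    revoked = ledger.sweep(NOW)

    directory = {                                   # what the directory says today
        "alice.admin": {"Domain Admins"},           # never removed after the task
        "svc-backup": {"Backup Operators", "Domain Admins"},  # drift: broad role added
        "breakglass-01": set(),
    }
    events = [                                      # constructed 4624-style records
        {"account": "svc-backup", "logon_type": 5, "host": "bkp01"},    # expected
        {"account": "svc-backup", "logon_type": 10, "host": "jump02"},  # RDP as a service account
        {"account": "alice.admin", "logon_type": 10, "host": "jump02"},
    ]
    return {
        "revoked": revoked,
        "standing": standing_privilege(directory, ledger, NOW),
        "interactive_service": interactive_service_logons(events, ACCOUNTS),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Running it reports one swept grant, Domain Admins as unexplained standing privilege on both alice.admin and svc-backup, and the single RDP logon by svc-backup. The design point is that the ledger, not the directory, is the source of truth for who should hold privilege right now; the directory diff is the access review, run continuously rather than quarterly, and the logon-type filter is the cheapest session-level signal that a service credential has been picked up by a human.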
What's in the full article
Opal Security's full article covers the operational detail this post intentionally leaves for the source:
- Detailed examples of privileged account categories and where each one tends to create control debt.
- Specific control patterns for just-in-time access, jump boxes, and certificate-based privileged authentication.
- Practical differences between handling superuser, local admin, and service accounts in day-to-day operations.
- The vendor's own implementation framing for logging, monitoring, and encrypted access paths.
👉 Read Opal Security's analysis of privileged access management and least privilege →