Privileged Access Management
Privileged access bounded. The patterns.
The PAM model in 2026
Privileged access is anything that can change production state. Database admin credentials, cloud root access, kubectl admin context, payment processor keys. The blast radius of a compromise here is total.
Standing privilege is the enemy. An admin role that exists permanently is one stolen credential away from full compromise. The modern model is just-in-time: you ask for elevation, you get a time-bounded session, the session expires.
Three core controls: identity verification at request time, time-bounded sessions, and full audit. Each layer is independent; together they define modern PAM.
Just-in-time elevation
Engineer requests elevation through a portal or CLI. The request specifies what (service, resource), why (ticket or incident link), and how long (typically 1-4 hours).
Approval flow varies by sensitivity. Routine prod debugging: peer approval. Database root: manager approval. Payment systems: two-person approval with security review.
Granted elevation creates short-lived credentials, often through AWS IAM session tokens, GCP impersonation, or HashiCorp Vault dynamic secrets. When the session expires, access is gone.
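The request/approve/expire cycle above, as an added illustration that is not part of the original page: a minimal elevation broker in Python. The tier names, the rule table, the 4-hour cap and the `(approver, role)` approval shape are this example's own assumptions; a real broker would mint an STS token or Vault dynamic secret where this one returns a random string.

```python
import secrets
from dataclasses import dataclass

# Assumed rule table for the page's approval tiers (this example's own encoding).
APPROVAL_RULES = {
    "routine":       {"min_approvers": 1, "required_roles": set()},
    "database_root": {"min_approvers": 1, "required_roles": {"manager"}},
    "payment":       {"min_approvers": 2, "required_roles": {"security"}},
}
MAX_TTL_SECONDS = 4 * 3600   # elevation window is typically 1-4 hours

@dataclass(frozen=True)
class ElevationRequest:
    requester: str
    resource: str        # what
    justification: str   # why: ticket or incident link
    ttl_seconds: int     # how long
    tier: str            # key into APPROVAL_RULES

@dataclass(frozen=True)
class Session:
    token: str
    resource: str
    expires_at: int      # unix time; access is gone after this

def validate_request(req):
    # A request without a rationale or with an open-ended window is refused.
    if not req.justification.strip():
        raise ValueError("justification (ticket or incident link) required")
    if not 0 < req.ttl_seconds <= MAX_TTL_SECONDS:
        raise ValueError(f"ttl must be 1..{MAX_TTL_SECONDS} seconds")

def check_approvals(req, approvals):
    # approvals: list of (approver, role); the requester never self-approves.
    rule = APPROVAL_RULES[req.tier]
    names = {name for name, _ in approvals}
    roles = {role for _, role in approvals}
    if req.requester in names:
        raise PermissionError("self-approval rejected")
    if len(names) < rule["min_approvers"]:
        raise PermissionError(f"{req.tier} needs {rule['min_approvers']} distinct approvers")
    if rule["required_roles"] - roles:
        raise PermissionError(f"approver with role {rule['required_roles']} required")

def grant(req, approvals, now):
    validate_request(req)
    check_approvals(req, approvals)
    # Stand-in for a short-lived cloud or Vault credential.
    return Session(secrets.token_urlsafe(16), req.resource, now + req.ttl_seconds)

def is_active(session, now):
    return now < session.expires_at
```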
Session recording and audit
Every privileged session is recorded. Terminal sessions captured by tools like Teleport or AWS Session Manager. Database sessions captured by query logs.
Recordings are reviewable but not always reviewed. Sample 5% for routine quality control; review 100% for high-sensitivity environments and incident investigations.
The audit trail is immutable: append-only storage, signed with company keys, retained per compliance requirements. SOC2 wants 1 year minimum; PCI requires 2.
Break-glass procedures
Real emergencies need fast access. Standing privilege is wrong; no privilege is also wrong. Break-glass accounts solve this: rarely-used, heavily-controlled, fully-audited.
Break-glass usage triggers immediate notification to the security team. Every use is followed by a postmortem regardless of incident severity. The bar is deliberately high so that break-glass use never becomes routine.
Annual drill: invoke break-glass deliberately. Verify the procedure works. Catch broken integrations or stale credentials before a real emergency exposes them.
Operating PAM at scale
Tools: Teleport, BeyondTrust, CyberArk for enterprise. AWS SSO with permission sets for AWS-native. HashiCorp Vault dynamic secrets for credential generation.
Quarterly review: who has standing access that could be JIT? Each conversion eliminates a long-lived credential.
Track elevation request volume and approval times. Slow approvals push engineers toward workarounds; fast approvals without scrutiny defeat the system. The healthy balance is a 5-15 minute median approval time with documented rationale.