Quick take: Standing privileged access is a liability. PIM governs when a role can be activated; PAM protects the credentials used after activation. Together they shrink the attack window and make every privileged action attributable.
FinanceCo discovered that 40 engineers had permanent Global Administrator rights in their identity platform. Some had not used those rights in months, yet the accounts were targets every day. A compromised laptop with standing admin access triggered a security review that changed their identity model: no one gets privileged access by default; everyone must request it, justify it, and lose it automatically when time expires.
The problem it solves
Privileged accounts are high-value targets. If they are always active, attackers only need to steal one credential to own the environment. PIM and PAM solve this by making privilege eligible, time-bound, approved, and monitored. The goal is to eliminate standing access and ensure every privileged session is recorded and attributable.
Core concepts
| Concept | What it means in practice |
|---|---|
| PIM | Privileged Identity Management — governs elevation of directory/cloud roles. |
| PAM | Privileged Access Management — vaults credentials and brokers sessions. |
| Eligible assignment | User can activate a role when needed, but does not hold it permanently. |
| JIT activation | Time-bound elevation, often 1–8 hours. |
| Approval workflow | A second person must approve the activation. |
| Break-glass | Emergency accounts stored offline, audited, and rarely used. |
Architecture
How it works
PIM vs PAM
- PIM is about the right to act: who can become a cloud admin and for how long.
- PAM is about the credential used to act: vaulted passwords, SSH keys, or database credentials, often with session recording.
A complete solution uses both: PIM elevates the user’s role, then PAM provides the credential needed to perform the privileged operation.
Real-world scenario
FinanceCo’s senior SRE needed to investigate a production database issue. They activated the “Production DB Reader” role in PIM, completed MFA, and received approval from their manager. The role lasted two hours. They then checked out a credential from the PAM vault, which recorded their entire SQL session. When the issue was resolved, both the role and the credential automatically expired.
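As an added illustration of the PIM half of that scenario (this is constructed example code, not from the page or any vendor's product), the model below enforces eligibility instead of permanent assignment, MFA plus a justification, second-person approval for production-impacting roles, a capped activation window, automatic expiry, and an out-of-hours review query. The users, role names, 8-hour cap and business-hours window are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_ACTIVATION = timedelta(hours=8)   # page: JIT elevation is usually 1-8 hours
BUSINESS_HOURS = range(8, 18)         # assumption: 08:00-17:59 UTC is "business hours"


@dataclass
class Activation:
    user: str
    role: str
    justification: str
    approver: Optional[str]
    start: datetime
    end: datetime


class Pim:
    """Toy model of eligible assignments and time-bound activation (constructed)."""

    def __init__(self, eligible: dict, needs_approval: set):
        self.eligible = eligible              # user -> roles the user may activate
        self.needs_approval = needs_approval  # roles that need a second person
        self.audit: list = []                 # every activation is recorded

    def activate(self, user, role, justification, mfa_passed, hours, now,
                 approver: Optional[str] = None) -> Activation:
        # Eligibility replaces permanent assignment: nothing is active by default.
        if role not in self.eligible.get(user, set()):
            raise PermissionError(f"{user} is not eligible for {role}")
        if not mfa_passed or not justification.strip():
            raise PermissionError("MFA and a justification are required")
        # Production-impacting roles need approval, and never self-approval.
        if role in self.needs_approval and (approver is None or approver == user):
            raise PermissionError(f"{role} requires approval by a second person")
        window = min(timedelta(hours=hours), MAX_ACTIVATION)  # cap the window
        act = Activation(user, role, justification, approver, now, now + window)
        self.audit.append(act)
        return act

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """Privilege exists only inside an unexpired activation window."""
        return any(a.user == user and a.role == role and a.start <= now < a.end
                   for a in self.audit)

    def out_of_hours(self) -> list:
        """Activations outside business hours, queued for review."""
        return [a for a in self.audit if a.start.hour not in BUSINESS_HOURS]
```

The PAM half (credential checkout and session recording) is not modelled here; the audit list is the equivalent of the activation log that the monitoring best practice reviews.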
Advantages
- Shrinks attack surface: no standing admin access.
- Attributability: every activation and session is logged.
- Compliance friendly: demonstrates least privilege and separation of duties.
- Fast revocation: role and credential access can be pulled instantly.
Disadvantages
- Operational friction: approvals and MFA add steps to incident response.
- Approval bottlenecks: poorly tuned workflows slow down critical fixes.
- Cost and complexity: PAM vaults are sophisticated systems.
- Break-glass risk: emergency accounts must be tightly controlled or they become backdoors.
When to use it (and when not to)
Use PIM/PAM for any role or credential that can alter security settings, access sensitive data, or change production infrastructure.
Do not wrap routine read-only access in PIM; that creates noise and approval fatigue. Also, avoid PAM for ordinary user passwords.
Best practices
- Remove permanent privileged assignments entirely; move to eligible.
- Require approval for all production-impacting roles.
- Scope activations to specific resources, not global rights.
- Record and review privileged sessions regularly.
- Store break-glass credentials offline with dual control.
- Run access reviews quarterly for all privileged roles.
- Monitor for activation outside business hours or from unexpected locations.
When privilege is temporary, approved, and recorded, attackers have very little to steal and even less time to use it.