
Five exposure gaps that can get past PAMs

COMMENTARY: Traditional privileged access management (PAM) tools have long played a critical role in identity security. However, they often lack a threat-led view that connects what the PAM actually covers to the broader cyber risks in the organization, so business-critical exposures can fall through the cracks.

While a PAM can safeguard high-privilege accounts, it remains the organization’s responsibility to identify which accounts are the most critical and which identities present the greatest risk.

That’s not a simple task. Once an attacker gains initial access – whether through a phishing email, a vulnerable public-facing app, or a compromised endpoint – the next move is often privilege escalation. Understanding where those escalations are most likely to succeed requires context: which identities are exposed, how they’re connected, and where those pathways ultimately lead.

That’s why attack path analysis, a core component of a continuous threat exposure management (CTEM) framework, gives security teams that context.

Looking at PAM through an exposure management lens reveals where attackers are likely to pivot once inside. The following gaps are where that pivot most often succeeds; once identified, teams should fix them immediately rather than let them languish in the queue:

  • Shadow accounts with latent admin privileges: Dormant or unmanaged accounts may retain administrative privileges because of old policies or incomplete deprovisioning. They are often excluded from PAM oversight yet still hold access to critical systems.
  • Vaulted credentials with no password rotation policy: Privileged accounts that are vaulted for the first time, or configured for use by automation, are often onboarded without enforcing credential rotation. They tend to get a pass because of productivity concerns or downtime risk, but over time they become static, high-value targets. It’s essential to find the attack paths that exploit these credentials.
  • Disabled privileged session isolation and auditing: PAM tools typically offer session isolation and auditing, but when those features are switched off because of performance concerns or operational pushback, privileged sessions become opaque, which makes lateral movement and credential harvesting harder to detect.
  • PAM systems with excessive standing privileges: A PAM needs elevated access to manage credentials, but if the tool itself holds persistent domain admin or root access without just-in-time controls, it becomes a single point of compromise.
  • Insufficient PAM infrastructure hardening: Attackers increasingly target PAM systems themselves. If any PAM component is exposed, it becomes an attractive entry point or stepping stone in the attack chain.

CTEM offers the operational framework needed to address these risks continuously. Instead of relying on annual audits or static privilege reports, it takes a threat-led approach that lets security teams do the following:

  • Prioritize privileged accounts that are both exposed and reachable from mapped attack paths.
  • Identify the credentials attackers are most likely to abuse for lateral movement, and the privilege escalation points along those paths.
  • Validate whether PAM policies are actively mitigating attacker pathways in real-world conditions.
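As an added illustration (not code from this column or from XM Cyber), the following Python turns the account-level gaps listed above (shadow admins, static vaulted credentials, a PAM account with standing privilege) into checks over a constructed identity inventory, then maps a simple graph of where credentials are exposed and which accounts hold admin rights, and keeps only the flagged accounts that actually sit on a path from an attacker’s foothold to a crown-jewel host. That last step is the "exposed and reachable" prioritization from the CTEM list. The inventory, host names and 90-day thresholds are assumptions, and `admin_on`, `standing_admin` and `CRED_EXPOSURE` are hypothetical field names, not a real PAM or directory API.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Node = Tuple[str, str]  # ("host", name) or ("acct", name)


@dataclass
class Account:
    name: str
    privileged: bool              # member of an admin or root-equivalent group
    enabled: bool
    last_logon_days: int          # days since the account last authenticated
    pam_managed: bool             # account is onboarded to and governed by the PAM
    vaulted: bool                 # credential is stored in the PAM vault
    rotation_days: Optional[int]  # rotation policy in days; None means no policy at all
    password_age_days: int
    standing_admin: bool = False  # holds persistent DA/root with no just-in-time control
    admin_on: List[str] = field(default_factory=list)  # hosts where it has admin rights


# Constructed inventory for illustration only (hypothetical accounts and hosts).
ACCOUNTS = [
    Account("jdoe-admin", True, True, 1, True, True, 30, 10, admin_on=["ws-042"]),
    Account("svc-backup", True, True, 2, True, True, None, 730, admin_on=["app-01"]),
    Account("adm-legacy", True, True, 400, False, False, None, 900, admin_on=["dc-01"]),
    Account("pam-svc", True, True, 0, True, True, 30, 5, standing_admin=True,
            admin_on=["dc-01", "app-01"]),
    Account("old-contractor", True, False, 800, False, False, None, 1200, admin_on=["dc-01"]),
]

# Constructed: where each account's credential material is exposed (logged-on sessions,
# cached secrets, config files). An attacker who owns the host can harvest it.
CRED_EXPOSURE: Dict[str, List[str]] = {
    "ws-042": ["svc-backup"],   # the phished workstation
    "app-01": ["adm-legacy"],
    "pam-vault": ["pam-svc"],
}


def find_exposure_gaps(accounts: List[Account], dormant_after: int = 90,
                       max_password_age: int = 90) -> Dict[str, List[str]]:
    """Flag the account-level gaps. Both day thresholds are assumed values."""
    gaps: Dict[str, List[str]] = {"shadow_admin": [], "static_vaulted": [],
                                  "pam_standing_privilege": []}
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are not a live path (re-enabling is a separate finding)
        if a.privileged and (not a.pam_managed or a.last_logon_days > dormant_after):
            gaps["shadow_admin"].append(a.name)
        if a.vaulted and (a.rotation_days is None or a.password_age_days > max_password_age):
            gaps["static_vaulted"].append(a.name)
        if a.standing_admin:
            gaps["pam_standing_privilege"].append(a.name)
    return gaps


def build_graph(accounts: List[Account], cred_exposure: Dict[str, List[str]]) -> Dict[Node, Set[Node]]:
    """host -> account: credential harvestable there; account -> host: admin rights on it."""
    g: Dict[Node, Set[Node]] = {}
    for host, names in cred_exposure.items():
        g.setdefault(("host", host), set()).update(("acct", n) for n in names)
    for a in accounts:
        if a.enabled:
            g.setdefault(("acct", a.name), set()).update(("host", h) for h in a.admin_on)
    return g


def attack_paths(graph: Dict[Node, Set[Node]], start: Node, target: Node) -> List[List[Node]]:
    """All simple paths from the foothold to the crown-jewel host (depth-first)."""
    paths: List[List[Node]] = []

    def walk(node: Node, path: List[Node]) -> None:
        if node == target:
            paths.append(list(path))
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(start, [start])
    return paths


def prioritize(gaps: Dict[str, List[str]], paths: List[List[Node]]) -> Dict[str, List[str]]:
    """Keep only gap accounts that sit on a mapped path: exposed AND reachable."""
    on_path = {name for p in paths for kind, name in p if kind == "acct"}
    return {gap: sorted(set(names) & on_path) for gap, names in gaps.items()}


if __name__ == "__main__":
    gaps = find_exposure_gaps(ACCOUNTS)
    paths = attack_paths(build_graph(ACCOUNTS, CRED_EXPOSURE), ("host", "ws-042"), ("host", "dc-01"))
    for p in paths:
        print(" -> ".join(f"{k}:{n}" for k, n in p))
    print(prioritize(gaps, paths))
```

Run against the constructed data, the only path from the phished workstation to the domain controller goes through the unrotated vaulted service account and then the unmanaged legacy admin, so those two gaps are flagged as urgent, while the PAM service account with standing domain admin is still a gap but not on any path from this foothold (nothing reaches the vault host), which is exactly the distinction the threat-led approach is meant to surface.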

For CISOs, this offers both strategic clarity and operational leverage. It shifts the conversation from whether a PAM is in place at all to whether the team can tune its PAM to reduce business-critical exposures, and it answers whether the PAM actually reduces risk when an attack occurs.

These are far more meaningful questions when aligning identity controls with business risk.

Ultimately, if identity is the new perimeter, then embedding PAM within a CTEM framework is not about adding another layer to the stack; it turns PAM into a strategic risk control.

PAM can be a vital component of identity security, but in hybrid, cloud-native environments teams must understand it in the context of ongoing threat exposure: Who can reach what? How would they execute the attack? And what is the impact?

One thing's for sure: if the team doesn’t figure it out first, the attackers will.

Yaron Mazor, principal customer advisor, XM Cyber

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
