CISSP · Identity and Access Management · 10 min read · 18 May 2026
Privileged Access Management: Just-In-Time, Least Privilege, and PAM Systems
Privileged access is the greatest single risk factor in enterprise security. Attackers who gain privileged credentials — domain administrator accounts, root access, or service accounts with broad permissions — can access virtually any system and data in the organisation. Privileged Access Management (PAM) is the discipline of identifying, securing, and monitoring privileged accounts to reduce this risk. For the CISSP exam, PAM is tested as a governance and architecture topic in Domain 5, with specific attention to the concepts of least privilege, just-in-time access, and the controls that PAM systems provide.
The Principle of Least Privilege in Access Provisioning
The principle of least privilege states that every subject (user, process, system) should be granted only the minimum access rights required to perform its legitimate function, and nothing more. This applies to both the scope of access (which resources) and the level of access (what operations are permitted on those resources).
Least privilege is both a provisioning principle and an ongoing management obligation. At provisioning time, access should be granted based on the actual requirements of the role, not based on convenience or historical patterns of what previous holders of that role received. Provisioning based on copying another user's permissions ("give them the same access as Bob") is a common violation that leads to privilege creep.
Privilege creep occurs when users accumulate access rights over time as their roles change, without old access being revoked. An employee who moves from Finance to IT may retain all their Finance access while gaining new IT access. Over time, they have access to systems that far exceed what their current role requires. Regular access reviews (recertification) are the control for privilege creep.
For the exam: the principle of least privilege is the foundation of all access control. Provisioning should be role-based and minimal. Privilege creep is addressed through periodic access reviews.
Just-In-Time Access
Just-In-Time (JIT) access is an access provisioning model where privileged access is granted temporarily at the time it is needed and automatically revoked when the task is complete. Rather than maintaining standing privileged accounts that are always available for use (and always available for abuse), JIT access grants elevated permissions only for the duration of a specific task.
The JIT model dramatically reduces the attack surface of privileged accounts. Standing administrator accounts are attractive targets for attackers because they are always available — any time an attacker has access to the credentials, they can authenticate as an administrator. JIT accounts that only exist for minutes or hours cannot be abused outside those windows.
JIT access implementation typically involves a PAM system that: receives a request for elevated access, validates the requester's identity and authorisation for the task, provisions temporary credentials or elevates the account's permissions for a defined duration, logs all activity during the elevated session, and automatically de-provisions the access when the time window expires.
For the exam: JIT provisioning reduces the attack surface by eliminating standing privileges. It is the preferred model over permanent admin accounts because it limits the window during which stolen credentials can be exploited.
PAM Tools: Password Vaulting, Session Recording, and Privilege Elevation
PAM systems are technology platforms that implement privileged access controls. They provide several capabilities.
Password vaulting stores privileged credentials (administrator passwords, root passwords, service account credentials) in an encrypted repository. Users do not know the passwords for privileged accounts — they check them out from the vault for use, and the vault may automatically change the password after each use. This ensures that privileged credentials are never hardcoded in scripts, shared via email, or stored in insecure locations. Password rotation after each use eliminates the risk of credential sharing and limits the window during which a compromised credential can be used.
Session recording captures everything that happens during a privileged session: keystrokes, commands executed, screens viewed, and files accessed. Session recordings provide an immutable audit trail for privileged activity, support incident investigations, and serve as a deterrent against insider abuse.
Privilege elevation (also called just-in-time access or least privilege access) allows users to request temporary elevation to privileged roles for specific tasks. Rather than maintaining permanent administrator accounts, users work with standard accounts and request elevation when needed.
Privileged session management (PSM) proxies privileged sessions through the PAM system, ensuring that all privileged connections are logged, recorded, and subject to policy enforcement. The PAM system acts as a bastion host — administrators cannot connect directly to target systems, only through the PAM proxy.
For the exam: PAM systems provide password vaulting (no standing knowledge of privileged credentials), session recording (full audit trail), and privilege elevation (temporary access for specific tasks).
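The following is an added example, not code from the original article or from any PAM product. It models in about eighty lines of Python the workflow described in the Just-In-Time section and the vaulting, session recording and privilege elevation capabilities described above: an approver (never the requester) opens a time-boxed grant, the credential can be checked out only inside that window and by one holder at a time, every command is logged against the holder, and the password is rotated on check-in or when the window lapses. The approver policy, account names and simulated clock are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    """A JIT elevation: requester may use `account` from start until expires."""
    requester: str
    account: str
    approved_by: str
    start: int      # simulated clock value, in seconds
    expires: int


@dataclass
class Pam:
    approvers: set                                   # assumed policy: who may approve elevation
    now: int = 0                                     # simulated clock; a real system uses wall time
    passwords: dict = field(default_factory=dict)    # account -> current vaulted password
    grants: list = field(default_factory=list)
    checked_out: dict = field(default_factory=dict)  # account -> requester currently holding it
    audit: list = field(default_factory=list)        # (time, event, requester, account, detail)

    def _log(self, event, requester, account, detail=""):
        self.audit.append((self.now, event, requester, account, detail))

    def onboard(self, account):
        """Vault a privileged account: the password is generated, never shown to a person."""
        self.passwords[account] = secrets.token_urlsafe(24)

    def authenticate(self, account, password):
        """What the target system checks; a rotated password fails here."""
        return secrets.compare_digest(self.passwords.get(account, ""), password)

    def request_elevation(self, requester, account, approver, duration):
        """JIT: an authorised approver (never the requester) opens a time-boxed window."""
        if (approver not in self.approvers or approver == requester
                or account not in self.passwords or duration <= 0):
            self._log("elevation_denied", requester, account, approver)
            return None
        grant = Grant(requester, account, approver, self.now, self.now + duration)
        self.grants.append(grant)
        self._log("elevation_granted", requester, account, f"until={grant.expires}")
        return grant

    def _active_grant(self, requester, account):
        return next((g for g in self.grants
                     if g.requester == requester and g.account == account
                     and g.start <= self.now < g.expires), None)

    def checkout(self, requester, account):
        """Release the credential only inside an active grant, to one holder at a time."""
        if self._active_grant(requester, account) is None or account in self.checked_out:
            self._log("checkout_denied", requester, account)
            return None
        self.checked_out[account] = requester
        self._log("checkout", requester, account)
        return self.passwords[account]

    def record(self, requester, account, command):
        """Session recording: activity is accepted and logged only from the current holder."""
        if self.checked_out.get(account) != requester:
            return False
        self._log("command", requester, account, command)
        return True

    def checkin(self, account):
        """Return the credential and rotate it, so the value the user saw is now useless."""
        requester = self.checked_out.pop(account, None)
        if requester is None:
            return False
        self.passwords[account] = secrets.token_urlsafe(24)
        self._log("checkin_rotated", requester, account)
        return True

    def tick(self, seconds):
        """Advance the clock; force check-in (and rotation) wherever the grant has lapsed."""
        self.now += seconds
        for account, requester in list(self.checked_out.items()):
            if self._active_grant(requester, account) is None:
                self._log("grant_expired", requester, account)
                self.checkin(account)


def demo():
    """Constructed walk-through: an approved JIT check-out, then what a stolen copy is worth."""
    pam = Pam(approvers={"alice.manager"})
    pam.onboard("db-root")
    self_approved = pam.request_elevation("bob", "db-root", "bob", 600)   # refused
    pam.request_elevation("bob", "db-root", "alice.manager", 600)        # 10-minute window
    stolen = pam.checkout("bob", "db-root")      # imagine bob pastes this into a chat
    pam.record("bob", "db-root", "SHOW GRANTS FOR app_svc")
    pam.checkin("db-root")                        # rotation happens here
    pam.tick(601)                                 # the window has closed
    return {
        "self_approval_blocked": self_approved is None,
        "stolen_copy_still_works": pam.authenticate("db-root", stolen),
        "checkout_after_expiry": pam.checkout("bob", "db-root"),
        "events": [e[1] for e in pam.audit],
    }
```

The audit list is the session record the exam refers to: each entry names the holder, so a command issued by anyone else is rejected rather than attributed to the wrong person. The `tick` method is the auto-deprovisioning step; a credential still checked out when the grant expires is forcibly returned and rotated, which is what makes the stolen copy in `demo` worthless once the window closes.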
Service Account Management and Overprivilege Risks
Service accounts are non-human accounts used by applications and automated processes to authenticate to other systems. They are among the most dangerous accounts in an enterprise environment because they frequently have broad permissions and are often poorly managed.
Service account risks: they typically have non-expiring passwords (applications cannot handle password expiration), they often have excessive privileges (configured once and never reviewed), they are frequently shared across multiple applications, and they often have no MFA because they authenticate programmatically.
Service account best practices: use the principle of least privilege (service accounts should have only the permissions required for the application's specific functions), use separate accounts for different applications (never share service accounts), rotate credentials regularly and store them in a vault, use managed service accounts or group managed service accounts (gMSA) in Active Directory environments where the platform handles credential management automatically, and use certificate-based or token-based authentication where possible to eliminate long-lived shared secrets.
For the exam: service accounts are high-value targets due to broad permissions and poor management. The correct answers involve vaulting their credentials, rotating passwords, applying least privilege, and avoiding shared service accounts.
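As an added example (not from the original article), the rule-based audit below runs the risk list above over a constructed service-account inventory and reports, per account, which of those risks apply: non-expiring password, over-broad privileges, sharing across applications, credentials outside a vault, and stale rotation. The field names, the 90-day rotation threshold and the set of "broad" privilege names are assumptions; the inventory entries are made up for illustration.

```python
from datetime import date

ROTATION_MAX_DAYS = 90                                   # assumed policy threshold
BROAD_PRIVILEGES = {"Domain Admins", "sysadmin", "*"}    # assumed markers of over-broad rights

# Constructed inventory for illustration, not real accounts.
INVENTORY = [
    {"name": "svc-backup", "auth": "password", "password_never_expires": True,
     "privileges": ["Domain Admins"], "used_by": ["backup-agent", "reporting-etl"],
     "vaulted": False, "last_rotation": "2025-01-10"},
    {"name": "svc-web", "auth": "password", "password_never_expires": False,
     "privileges": ["db:app_reader"], "used_by": ["web-frontend"],
     "vaulted": True, "last_rotation": "2026-04-30"},
    {"name": "svc-ci", "auth": "certificate", "password_never_expires": False,
     "privileges": ["repo:write"], "used_by": ["ci-runner"],
     "vaulted": True, "last_rotation": None},
]


def audit_account(acct, today):
    """Return the list of risk findings for one service account, as of `today` (a date)."""
    findings = []
    if acct["password_never_expires"]:
        findings.append("non_expiring_password")
    if BROAD_PRIVILEGES & set(acct["privileges"]):
        findings.append("excessive_privilege")
    if len(acct["used_by"]) > 1:
        findings.append("shared_across_apps")
    if not acct["vaulted"]:
        findings.append("not_vaulted")
    if acct["auth"] == "password":          # certificate/token auth has no password to rotate
        last = acct["last_rotation"]
        if last is None or (today - date.fromisoformat(last)).days > ROTATION_MAX_DAYS:
            findings.append("stale_credential")
    return findings


def audit(inventory, today_iso):
    """Audit every account; worst offenders first so reviewers start with the riskiest."""
    today = date.fromisoformat(today_iso)
    results = {a["name"]: audit_account(a, today) for a in inventory}
    return dict(sorted(results.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, "2026-05-18").items():
        print(name, findings or "ok")
```

Ordering by number of findings is the triage step: the shared, unvaulted domain-admin service account surfaces first, while the certificate-authenticated CI account is not penalised for having no password rotation date, because it has no password to rotate.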
Account Access Reviews and Recertification
Access recertification (also called access reviews or entitlement reviews) is the periodic review of user access rights to ensure that access is still appropriate and aligned with current job functions. It is the control that addresses privilege creep.
Recertification typically involves generating a report of all access rights for each user (or all users with access to a specific resource) and distributing it to the appropriate resource owners or managers for review. Reviewers confirm that each access right is still needed, flag any access that should be revoked, and certify that the remaining access is appropriate. Identified excess access is then revoked through the normal access management process.
Recertification frequency depends on the sensitivity of the access: privileged accounts may be reviewed quarterly, general user access annually. High-risk access (privileged accounts, access to regulated data) warrants more frequent review.
For the exam: access recertification is the control for privilege creep. It is a periodic review by managers or resource owners, not by security staff.
Identity Lifecycle Management
The complete identity lifecycle encompasses provisioning (creating accounts and granting access when a user joins or changes roles), modification (updating access when roles change), and deprovisioning (removing access when users leave or change roles).
Provisioning should follow a documented, approved process with appropriate authorisation. Access requests should be approved by the manager or resource owner, not self-approved. In large organisations, identity governance and administration (IGA) platforms automate the provisioning lifecycle.
Deprovisioning is especially critical. Orphaned accounts — accounts for employees who have left or contractors whose engagement has ended — represent a persistent access risk. Automated deprovisioning triggered by HR system events (termination records) is the best practice.
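The example below is added here and is not code from the original article or from any IGA product. It serves both the recertification section and the lifecycle section above: a small identity store applies HR joiner, mover and leaver events so that a transfer replaces rather than accumulates access, an ad-hoc "same access as a colleague" grant is kept as the path that causes privilege creep, and a recertification pass produces review items per resource owner, flagging entitlements outside the role baseline and accounts that HR no longer lists as active. The roles, entitlements, owners, users and events are all constructed for illustration.

```python
# Assumed role baselines (what each role is entitled to) and the owners who certify each resource.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:ledger-read", "fileshare:finance"},
    "it-admin": {"ad:helpdesk-admin", "vpn:full"},
}
RESOURCE_OWNER = {"erp:ledger-read": "cfo", "fileshare:finance": "cfo",
                  "ad:helpdesk-admin": "it-lead", "vpn:full": "it-lead"}


class IdentityStore:
    def __init__(self):
        self.accounts = {}   # user -> {"role": str, "entitlements": set, "active": bool}
        self.log = []

    def apply_hr_event(self, event):
        """Joiner / mover / leaver handling driven by the HR record, not by ad-hoc requests."""
        kind, user = event["type"], event["user"]
        if kind == "hire":
            self.accounts[user] = {"role": event["role"],
                                   "entitlements": set(ROLE_ENTITLEMENTS[event["role"]]),
                                   "active": True}
        elif kind == "transfer":
            acct = self.accounts[user]
            acct["role"] = event["role"]
            acct["entitlements"] = set(ROLE_ENTITLEMENTS[event["role"]])  # replaced, not accumulated
        elif kind == "terminate":
            acct = self.accounts[user]
            acct["active"], acct["entitlements"] = False, set()
        else:
            raise ValueError(f"unknown HR event {kind!r}")
        self.log.append((kind, user))

    def grant_adhoc(self, user, entitlement):
        """The 'give them the same access as Bob' path that recertification has to catch."""
        self.accounts[user]["entitlements"].add(entitlement)

    def recertify(self, hr_active_users):
        """Build review items per resource owner; flag creep and orphaned accounts."""
        items = []
        for user, acct in self.accounts.items():
            if acct["active"] and user not in hr_active_users:
                items.append({"owner": "identity-admin", "user": user,
                              "entitlement": "*", "reason": "orphaned_account"})
                continue
            baseline = ROLE_ENTITLEMENTS.get(acct["role"], set())
            for ent in sorted(acct["entitlements"]):
                items.append({"owner": RESOURCE_OWNER[ent], "user": user, "entitlement": ent,
                              "reason": "role_baseline" if ent in baseline else "outside_role_baseline"})
        return items

    def revoke(self, items):
        """Apply the reviewers' decisions: remove excess access, disable orphans."""
        revoked = 0
        for item in items:
            acct = self.accounts[item["user"]]
            if item["reason"] == "orphaned_account":
                acct["active"], acct["entitlements"] = False, set()
                revoked += 1
            elif item["reason"] == "outside_role_baseline":
                acct["entitlements"].discard(item["entitlement"])
                revoked += 1
        return revoked


def demo():
    """Constructed scenario: a transfer, a copied permission, and a departure HR never relayed."""
    store = IdentityStore()
    for event in [{"type": "hire", "user": "dana", "role": "finance-analyst"},
                  {"type": "hire", "user": "erin", "role": "it-admin"},
                  {"type": "hire", "user": "frank", "role": "finance-analyst"},
                  {"type": "transfer", "user": "dana", "role": "it-admin"}]:
        store.apply_hr_event(event)
    store.grant_adhoc("erin", "fileshare:finance")      # copied from a colleague, outside her role
    hr_active = {"dana", "erin"}                         # frank has left; IAM was never told
    items = store.recertify(hr_active)
    flagged = [(i["user"], i["entitlement"], i["reason"]) for i in items if i["reason"] != "role_baseline"]
    revoked = store.revoke(items)
    return {"dana_after_transfer": sorted(store.accounts["dana"]["entitlements"]),
            "flagged": flagged, "revoked": revoked,
            "erin_after_review": sorted(store.accounts["erin"]["entitlements"]),
            "frank_active": store.accounts["frank"]["active"]}
```

Two points the code makes that the prose only states: the mover event rebuilds the entitlement set from the new role's baseline, so Finance access does not survive a move to IT, and the orphan check compares the identity store against the HR active list rather than waiting for a termination event that may never arrive. Review items carry the resource owner, matching the exam point that managers and owners, not security staff, certify access.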
Exam Tip
JIT provisioning reduces the attack surface by eliminating standing privileges — preferred over permanent admin accounts. Password vaulting ensures privileged credentials are never known to end users and are rotated after each use. Access recertification is the control for privilege creep. The exam tests the management process and governance of PAM, not the technical implementation of specific PAM products.