IT KORR Knowledge Center
Privileged Access Governance Guide
A guide for reducing standing administrative privilege through just-in-time activation, break-glass accounts, and periodic review.
Purpose
This guide covers the practical steps for reducing standing privileged access exposure — moving from permanent administrative privilege to time-boxed, justified, and audited activation. See Privileged Identity Management and Privileged Access for the full conceptual background.
Step 1 — Inventory Standing Privileged Access
- List every account holding an administrative or otherwise privileged role.
- Note whether each is a human account or a service account.
- Flag any account whose privileged role has no documented, current business justification.
Step 2 — Move to Just-in-Time Activation
- Enable just-in-time activation (e.g., Microsoft Entra PIM) for eligible administrative roles.
- Require justification for every activation, and approval for the highest-risk roles.
- Set an appropriate maximum activation duration per role — long enough for real work, short enough to limit exposure.
Step 3 — Secure Break-Glass Accounts
- Establish exactly the number of break-glass accounts needed for redundancy (commonly two).
- Exclude break-glass accounts from Conditional Access policy.
- Use strong, unique, fully random credentials stored securely — not in general staff-accessible locations.
- Configure active monitoring so any sign-in activity on a break-glass account triggers immediate review.
- Test break-glass accounts periodically without leaving them in routine use.
Step 4 — Review on a Recurring Schedule
- Review all standing (non-PIM) privileged role assignments at least quarterly.
- Extend the same review to service account privilege scope, not just human accounts.
- Document the review outcome and any access removed.
Related Resources
- Privileged Identity Management and Privileged Access — /knowledge-center/cybersecurity/identity-access-management/privileged-identity-management
- Identity & MFA Readiness Assessment — /tools/identity-mfa-readiness-assessment