Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Identity & Access Management · Download

Privileged Access Governance Guide

A guide for reducing standing administrative privilege through just-in-time activation, break-glass accounts, and periodic review.

IT KORR Knowledge Center

Privileged Access Governance Guide

A guide for reducing standing administrative privilege through just-in-time activation, break-glass accounts, and periodic review.

Purpose

This guide covers the practical steps for reducing standing privileged access exposure — moving from permanent administrative privilege to time-boxed, justified, and audited activation. See Privileged Identity Management and Privileged Access for the full conceptual background.

Step 1 — Inventory Standing Privileged Access

  • List every account holding an administrative or otherwise privileged role.
  • Note whether each is a human account or a service account.
  • Flag any account whose privileged role has no documented, current business justification.

Step 2 — Move to Just-in-Time Activation

  • Enable just-in-time activation (e.g., Microsoft Entra PIM) for eligible administrative roles.
  • Require justification for every activation, and approval for the highest-risk roles.
  • Set an appropriate maximum activation duration per role — long enough for real work, short enough to limit exposure.

Step 3 — Secure Break-Glass Accounts

  • Establish exactly the number of break-glass accounts needed for redundancy (commonly two).
  • Exclude break-glass accounts from Conditional Access policy.
  • Use strong, unique, fully random credentials stored securely — not in general staff-accessible locations.
  • Configure active monitoring so any sign-in activity on a break-glass account triggers immediate review.
  • Test break-glass accounts periodically without leaving them in routine use.

Step 4 — Review on a Recurring Schedule

  • Review all standing (non-PIM) privileged role assignments at least quarterly.
  • Extend the same review to service account privilege scope, not just human accounts.
  • Document the review outcome and any access removed.

Related Resources

  • Privileged Identity Management and Privileged Access — /knowledge-center/cybersecurity/identity-access-management/privileged-identity-management
  • Identity & MFA Readiness Assessment — /tools/identity-mfa-readiness-assessment

This document is a starting-point resource, not legal or compliance advice. Review it against your organization's actual systems before adoption — see the full Identity & Access Management Hub for the reasoning behind each recommendation, or use the Identity & MFA Readiness Assessment to evaluate your current posture.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT