SYSTEM SECURE

The most expensive privileged access failure we triaged in 2026 came down to a single domain administrator account whose password had not been changed since 2019. The account belonged to a former employee. The password was on a credential dump that surfaced six weeks before the breach. The attacker logged in remotely, escalated within minutes, and had the run of the environment for three days before the incident response team noticed. The post-mortem produced one of the most uncomfortable lines we have ever written into an executive briefing: “This was not a sophisticated attack. It was a forgotten account.”

Privileged access management — PAM — has been a discipline for two decades. The reason it remains the highest-leverage control in 2026 is that the failure modes are still mostly the same: too many privileged accounts, too few rotations, no session monitoring, and no clear inventory of who can become whom. The Verizon DBIR has consistently flagged credential abuse as the dominant initial-access vector. The Microsoft Digital Defense Report tracks privileged credential misuse as one of the most frequently exploited paths to lateral movement. CISA has issued repeated advisories urging organizations to inventory and rotate privileged credentials — advice most have not yet operationalized.

This brief is written for security leaders, identity architects, and CTOs whose privileged access program has aged in place. We will walk through three engagements, the patterns that connect them, and the disciplined PAM architecture that closes the gap.

Why Privileged Access Failures Keep Producing Breaches in 2026

The structural reason privileged access remains the dominant lateral-movement vector is that most environments have privilege sprawl no human has fully inventoried. Domain admins from a 2018 migration. Service accounts created during a hackathon. Local administrator passwords reused across hundreds of endpoints. Cloud IAM roles with wildcard permissions installed during a Terraform refactor. Each of these is a key. The attacker only has to find one. Mandiant’s M-Trends consistently highlights privileged credential abuse as the path from initial access to ransomware deployment.

“Privileged access is the discipline most organizations think they have solved and most attackers know they have not. The gap between the two perceptions is where ransomware lives.”

Senior identity architect, iSECTECH engagement notes

Three Engagements That Defined Our Privileged Access Playbook

Engagement One: The Domain Admin Account That Outlived the Employee by Three Years

The anchor engagement involved a manufacturer whose Active Directory contained 47 domain admin accounts, of which 19 had not been used in over a year. One belonged to a former IT director who had departed in 2019. The credential surfaced on a dump of a third-party service that had reused passwords. The attacker tested the credential, found it still active in the manufacturer’s environment, and used it to deploy ransomware across the production network. The remediation took six weeks. The audit findings filled forty pages. The lesson, in the CTO’s words: “We had a privileged access program. We just did not have anyone who actually ran it.”

Engagement Two: The Service Account With the Same Password as the Web Server

The second engagement involved a healthcare organization whose backup service account shared a password with the public-facing web server’s local administrator account. An attacker who compromised the web server through a known CVE was, three commands later, executing as a backup operator on the domain controller. The compromise was discovered eight days later when backup snapshots began failing in unusual patterns. The forensic analysis showed the attacker had been planning a wiper deployment that the backup-failure alert interrupted. The remediation included a complete password vault rollout, mandatory rotation, and a session-recording requirement for any interactive use of a privileged account.

Engagement Three: The Cloud IAM Role That Anyone on the Internet Could Assume

The third engagement is the cloud-native variant of the same problem. A SaaS company’s AWS environment contained an IAM role with a trust policy that allowed any principal in the world to assume it. The role had read access to a production S3 bucket containing customer billing data. The trust policy had been pasted from a sample answer during a hackathon eighteen months earlier. CloudTrail showed the role had not been assumed externally — a near miss — but the discovery rewrote the company’s view of cloud-side privileged access. The remediation included an organization-wide service control policy denying wildcard principals, a complete IAM trust-graph audit, and quarterly review cycles for every privileged role.
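The trust-graph audit from that remediation reduces, per role, to one question: does any Allow statement in the trust policy grant an AssumeRole action to a wildcard principal, and if so, is it gated by a Condition? The following Python is an added example, not iSECTECH's or the affected company's code. The three policy documents are constructed to mirror the engagement (the open policy, a corrected policy scoped to one caller, and a wildcard gated by an organization-id condition); the account id, role names and the external-id value are placeholders.

```python
"""Check IAM role trust policies for wildcard principals.

Added example, not iSECTECH's or the affected company's code. The policy
documents below are constructed; account ids, role names and the external-id
value are placeholders.
"""
import json

# Constructed: the shape of the trust policy the engagement found.
OPEN_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed: the corrected form, one named caller plus an external-id condition.
SCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/billing-reader"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID"}},
    }],
})

# Constructed: a wildcard principal gated by an organization-id condition.
ORG_GATED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}},
    }],
})


def _as_list(value):
    """IAM policy JSON allows a scalar or a list in most positions."""
    return value if isinstance(value, list) else [value]


def statement_allows_any_principal(statement):
    """True when an Allow statement grants an AssumeRole-family action to '*'."""
    if statement.get("Effect") != "Allow":
        return False
    actions = _as_list(statement.get("Action", []))
    if not any(a in ("*", "sts:*") or a.startswith("sts:AssumeRole") for a in actions):
        return False
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(entry == "*" for value in principal.values() for entry in _as_list(value))
    return False


def audit_trust_policy(policy_json):
    """Classify a trust policy document.

    'open'        wildcard principal with no Condition: anyone may assume the role
    'conditional' wildcard principal gated by a Condition: review the condition
    'scoped'      every Allow statement names specific principals
    """
    policy = json.loads(policy_json)
    verdict = "scoped"
    for statement in _as_list(policy.get("Statement", [])):
        if not statement_allows_any_principal(statement):
            continue
        if statement.get("Condition"):
            verdict = "conditional"
        else:
            return "open"          # worst case, no need to look further
    return verdict


if __name__ == "__main__":
    for name, doc in [("open", OPEN_TRUST_POLICY), ("scoped", SCOPED_TRUST_POLICY),
                      ("org-gated", ORG_GATED_TRUST_POLICY)]:
        print(f"{name:10s} -> {audit_trust_policy(doc)}")
```

Feed it the AssumeRolePolicyDocument that `aws iam get-role` returns for each role in each account; an "open" verdict is the engagement's finding, a "conditional" verdict means the gating condition itself needs review, and the quarterly review cycle the brief describes is simply re-running this over the full role list.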

The Six Privileged Access Failure Modes We See Most Often

After hundreds of engagements, the failure modes are recurring. The first is privilege sprawl — too many accounts with too much access, accumulated over years of org changes. The second is unrotated credentials — service accounts whose passwords have not changed in years. The third is shared interactive sessions — multiple humans using a single privileged account, with no individual accountability. The fourth is missing session monitoring — privileged sessions that produce no recording, no logs, and no auditable trail. The fifth is helpdesk reset weakness — privileged accounts whose recovery process can be social-engineered. The sixth is cloud-IAM neglect — the assumption that cloud IAM is a separate problem when it is, in fact, the same discipline applied to a new perimeter.

“The PAM programs that work are the ones that treat privileged access as inventory. You cannot defend what you cannot count.”

iSECTECH privileged access review summary

What a Disciplined Privileged Access Architecture Looks Like

The architectures that hold share four properties. They centralize privileged credentials in a vault that no human reads directly. They issue just-in-time access for interactive use, with mandatory session recording. They rotate credentials automatically on a defined cadence. And they produce a single, queryable inventory of every privileged identity — human, service account, machine, OAuth grant — across every environment the organization runs. NIST’s privileged-access guidance and the Forrester PAM landscape both reinforce this pattern. The vendors that sell the tooling are competent; the discipline that makes the tooling work is the customer’s responsibility.

“PAM is one of the rare cybersecurity disciplines where the tooling is mature, the playbooks are public, and the failure mode is almost always organizational rather than technical.”

Sean Metcalf, Active Directory security architect, public conference commentary

What Boards Should Demand This Quarter

The most useful question a board can ask the CISO this quarter: “How many privileged accounts exist in our environment, when was each last used, and when was each last rotated?” If the CISO cannot produce the answer in under a week, the privileged access program is operating on faith. A second high-leverage question: “What is our process for revoking privileged access when an employee or contractor departs, and how quickly does it complete?” If the answer is not “within hours, with audit-quality evidence,” the company is one departure away from a forgotten-account incident.

How This Connects to the Rest of Your Security Program

Privileged access touches every other discipline. The Kerberoasting findings we documented in our Kerberoasting field notes are downstream of weak service-account hygiene. The cloud misconfiguration patterns we covered in our 2026 cloud misconfiguration brief are largely IAM problems wearing a different label. And the MFA fatigue compromises we discussed in our MFA fatigue brief usually only become catastrophic when the compromised account also held privileged access.

What to Do This Week

Three actions before Friday. First, ask your identity team to produce a complete inventory of privileged accounts — human, service, and cloud — and the last-used and last-rotated date for each. Second, identify any privileged account that has not been used in 90 days and disable it. Third, confirm that every privileged interactive session produces a recording or, at minimum, an auditable log. Authoritative external references include the CISA privileged access advisories, the Verizon DBIR, and NIST identity guidance.
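The board question above (how many privileged accounts, last used, last rotated) and the first two actions here (inventory, then disable anything unused in 90 days) are the same computation over one dataset. The following Python is an added example, not iSECTECH's code: it triages a constructed CSV inventory of the kind an identity team could assemble from Active Directory, the password vault and cloud IAM. The column names and the 365-day rotation threshold are assumptions; the 90-day disable threshold is the one the brief states.

```python
"""Triage a privileged-account inventory: what to disable, what to rotate, what to report.

Added example, not iSECTECH's code. INVENTORY is a constructed CSV export; the
column layout and the 365-day rotation default are assumptions.
"""
import csv
import io
from datetime import date

# Constructed inventory, loosely mirroring the engagements in the brief.
INVENTORY = """\
account,type,environment,enabled,last_used,last_rotated
da-jsmith,human,ad,true,2019-06-14,2019-02-01
svc-backup,service,ad,true,2026-03-02,2021-11-30
da-oncall,human,ad,true,2026-03-05,2026-01-15
svc-build,service,ad,false,2024-01-10,2022-05-01
billing-reader,cloud,aws,true,never,2025-12-01
"""


def _parse_date(text):
    """'never' or blank means no record; callers treat that as infinitely old."""
    text = text.strip().lower()
    if text in ("", "never"):
        return None
    return date.fromisoformat(text)


def parse_inventory(csv_text):
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "account": row["account"],
            "type": row["type"],
            "environment": row["environment"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_used": _parse_date(row["last_used"]),
            "last_rotated": _parse_date(row["last_rotated"]),
        })
    return rows


def _age_days(when, today):
    return None if when is None else (today - when).days


def triage(accounts, today, stale_days=90, rotation_days=365):
    """Return the disable list, the rotate list and the counts a board would ask for."""
    disable, rotate, by_type = [], [], {}
    for acct in accounts:
        by_type[acct["type"]] = by_type.get(acct["type"], 0) + 1
        if not acct["enabled"]:
            continue                      # already disabled: counted, but no work item
        used = _age_days(acct["last_used"], today)
        if used is None or used > stale_days:
            disable.append(acct["account"])      # never used, or unused past the threshold
        rotated = _age_days(acct["last_rotated"], today)
        if rotated is None or rotated > rotation_days:
            rotate.append(acct["account"])       # credential older than the cadence allows
    return {
        "disable": disable,
        "rotate": rotate,
        "summary": {
            "total": len(accounts),
            "enabled": sum(1 for a in accounts if a["enabled"]),
            "by_type": by_type,
        },
    }


def run_report(today_iso="2026-03-09"):
    """Constructed 'today' so the example is deterministic."""
    return triage(parse_inventory(INVENTORY), date.fromisoformat(today_iso))


if __name__ == "__main__":
    report = run_report()
    print("summary:", report["summary"])
    print("disable:", report["disable"])
    print("rotate: ", report["rotate"])
```

Two design points matter in practice: an account with no last-used record is treated as stale rather than skipped, because "never used" is exactly the forgotten-account case, and accounts that are already disabled stay in the count so the board's "how many exist" question is answered honestly rather than only for live accounts.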

Talk to a Senior Privileged Access Practitioner

If your privileged access program has aged in place, that gap is worth closing this quarter. iSECTECH’s senior practitioners run privileged access audits that produce a defensible inventory and a sequenced remediation plan. Book a confidential privileged access review with our senior team.

Why Just-in-Time Access Is the Single Highest-Leverage PAM Investment

If a security leader could only invest in one privileged access change in 2026, the highest-leverage choice is just-in-time access. The principle is simple: no human carries standing privileged credentials. When privileged access is needed, the human requests it, the system grants it for a bounded time window, and the access is revoked automatically when the window closes. Just-in-time access collapses the dwell-time advantage attackers depend on. A compromised credential is rarely useful when the credential only exists for thirty minutes at a time. The implementation effort is non-trivial, but the security return is among the highest in any privileged access program. Forrester research on identity maturity has consistently placed just-in-time access among the top three indicators of a mature PAM program.
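The mechanics described above (request, bounded grant, automatic revocation, no standing membership consulted at use time) fit in a small broker. The following Python is an added example, not iSECTECH's code and not any PAM vendor's API: an in-memory just-in-time grant store that takes the clock as an argument so the expiry behaviour is deterministic. The 30-minute default window and the 4-hour cap are assumptions.

```python
"""A minimal just-in-time access broker: grants exist only for a bounded window.

Added example, not iSECTECH's code and not a vendor API. In-memory only; the
clock is passed in so expiry can be exercised without waiting. The default
window and the cap are assumed policy values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_WINDOW = timedelta(hours=4)   # assumed policy cap on any single grant


@dataclass
class Grant:
    principal: str
    role: str
    justification: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def active(self, now):
        return self.revoked_at is None and self.granted_at <= now < self.expires_at


class JitBroker:
    def __init__(self):
        self.grants = []
        self.audit = []   # (event, principal, role, timestamp): the auditable trail

    def request(self, principal, role, justification, now, minutes=30):
        """Issue a time-boxed grant; the requested window is clamped to MAX_WINDOW."""
        if not justification.strip():
            raise ValueError("a justification (ticket or change id) is required")
        window = min(timedelta(minutes=minutes), MAX_WINDOW)
        grant = Grant(principal, role, justification, now, now + window)
        self.grants.append(grant)
        self.audit.append(("grant", principal, role, now.isoformat()))
        return grant

    def expire(self, now):
        """Revoke every grant whose window has closed; returns how many were closed."""
        closed = [g for g in self.grants if g.revoked_at is None and now >= g.expires_at]
        for g in closed:
            g.revoked_at = now
            self.audit.append(("expire", g.principal, g.role, now.isoformat()))
        return len(closed)

    def can_act(self, principal, role, now):
        """Use-time check: only a live grant authorizes, never standing membership."""
        self.expire(now)
        return any(g.principal == principal and g.role == role and g.active(now)
                   for g in self.grants)


def demo():
    """Constructed scenario: a 30-minute grant checked during and after its window."""
    broker = JitBroker()
    t0 = datetime(2026, 3, 9, 9, 0, tzinfo=timezone.utc)
    broker.request("alice", "DomainAdmin", "CHG-0421 patch DC", t0, minutes=30)
    during = broker.can_act("alice", "DomainAdmin", t0 + timedelta(minutes=10))
    after = broker.can_act("alice", "DomainAdmin", t0 + timedelta(minutes=31))
    never_granted = broker.can_act("bob", "DomainAdmin", t0 + timedelta(minutes=10))
    capped = broker.request("carol", "DomainAdmin", "CHG-0422 long migration", t0, minutes=600)
    return during, after, never_granted, len(broker.audit), capped.expires_at - t0


if __name__ == "__main__":
    print(demo())
```

The point a real deployment must preserve is in `can_act`: every authorization decision goes through the grant store, so a credential harvested outside a window has nothing to authenticate to, and every grant and expiry lands in the audit trail that the session-recording requirement builds on.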

The Tier Zero Discipline That Most Organizations Never Implement

The most consequential PAM concept that most organizations never operationalize is Tier Zero — the small, defined set of identities and systems that, if compromised, give an attacker the entire environment. Domain controllers, identity providers, root keys, the privileged access management system itself. Tier Zero requires its own administrative path, its own credentials, its own monitoring, and its own access reviews. The organizations that maintain a clean Tier Zero are rare. The organizations that have suffered the most damaging breaches in the past five years almost universally had Tier Zero contamination — a backup operator account that could become a domain admin, a SaaS administrator account that could pivot into the identity provider. The discipline of Tier Zero is unglamorous and expensive. It is also the single most important architectural choice in privileged access management.
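Tier Zero contamination is a reachability question: starting from any identity or group outside Tier Zero, is there a chain of "can become" or "can control" relationships that ends on a Tier Zero asset? The following Python is an added example, not iSECTECH's code: a breadth-first search over a constructed edge list that mirrors the two contamination cases named above (a backup operator that reaches a domain controller, a SaaS administrator that reaches the identity provider). All node names are placeholders.

```python
"""Find Tier Zero contamination: non-Tier-Zero nodes with a path into Tier Zero.

Added example, not iSECTECH's code. EDGES is a constructed privilege graph;
each edge means 'subject can act as, or take control of, object'. Names are
placeholders.
"""
from collections import deque

# Constructed Tier Zero set: the assets that hand over the whole environment.
TIER_ZERO = {"Domain Admins", "DC01", "IdP-Tenant-Admin", "PAM-Vault"}

# Constructed privilege edges: (subject, object, relationship).
EDGES = [
    ("svc-backup", "Backup Operators", "member-of"),
    ("Backup Operators", "DC01", "logon-and-restore-on"),
    ("sales-saas-admin", "IdP-Tenant-Admin", "owns-app-role-in"),
    ("helpdesk-tier1", "Workstation Admins", "member-of"),
    ("Workstation Admins", "WS-0042", "local-admin-on"),
    ("Domain Admins", "DC01", "admin-on"),
    ("Domain Admins", "PAM-Vault", "admin-on"),
]


def build_graph(edges):
    """Adjacency map: subject -> list of (object, relationship)."""
    graph = {}
    for subject, obj, how in edges:
        graph.setdefault(subject, []).append((obj, how))
        graph.setdefault(obj, [])        # make sinks visible as nodes too
    return graph


def path_into_tier_zero(graph, start, tier_zero):
    """Shortest chain from start to any Tier Zero node, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        for nxt, how in graph[path[-1]]:
            if nxt in seen:
                continue
            new_path = path + [how, nxt]
            if nxt in tier_zero:
                return new_path
            seen.add(nxt)
            queue.append(new_path)
    return None


def tier_zero_contamination(edges=EDGES, tier_zero=TIER_ZERO):
    """Every non-Tier-Zero node that can reach Tier Zero, with the path that proves it."""
    graph = build_graph(edges)
    findings = {}
    for node in graph:
        if node in tier_zero:
            continue
        path = path_into_tier_zero(graph, node, tier_zero)
        if path:
            findings[node] = path
    return findings


if __name__ == "__main__":
    for node, path in tier_zero_contamination().items():
        print(f"{node}: " + " ".join(path))
```

Clearing a finding means cutting the edge (removing the membership or the app-role ownership) or moving the subject into Tier Zero, with its own credentials, admin path and monitoring, which is the discipline the section describes; the search makes the choice explicit for every path rather than leaving it to memory.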

Continue Reading: Week 4 Field Notes

Our Week 4 briefs extend the identity-and-architecture conversation: why most zero trust implementations quietly stall, why the most damaging insider cases are rarely malicious, and why most OT compromises begin in the IT environment.