You cannot protect what you cannot see. This module teaches you how to conduct a complete privileged account discovery across your estate, classify every account by risk tier, identify orphaned and over-privileged accounts, and produce a PAM maturity assessment that becomes your programme roadmap.
The first step in any PAM programme is a complete inventory of privileged accounts. Most organisations are shocked to discover they have 3–5x more privileged accounts than they thought. Discovery must cover: Active Directory (domain admins, service accounts, built-in admin accounts), local administrator accounts on every endpoint, database accounts (sa, sysdba, root), cloud IAM roles with admin permissions, application service accounts, and third-party vendor accounts.
Manual discovery is insufficient — it misses service accounts, shared accounts, and accounts created outside standard provisioning processes. Automated discovery tools scan Active Directory, LDAP, databases, and cloud environments to produce a complete privileged account inventory within hours.
Once discovered, every privileged account must be classified by risk tier. Tier 0 accounts can compromise the entire organisation if breached. Tier 1 accounts can compromise critical business systems. Tier 2 accounts have elevated but limited blast radius. Risk classification drives prioritisation — Tier 0 accounts must be vaulted first, with the strictest controls.
Orphaned accounts are privileged accounts that are no longer associated with an active employee or business function. They are created by departing employees, forgotten service accounts, test accounts never decommissioned, and vendor accounts left active after project completion. Over-privileged accounts have more access than their role requires — accumulated through role creep, emergency access never revoked, and 'just in case' permissions granted by well-meaning admins.
A PAM maturity assessment measures your organisation's current PAM capabilities against a defined maturity model. It identifies gaps, prioritises remediation, and produces a roadmap that justifies investment. The PAM Best Practice maturity model has five levels: Ad Hoc (Level 1), Defined (Level 2), Managed (Level 3), Optimised (Level 4), and Adaptive (Level 5).
The gap analysis translates maturity assessment findings into a prioritised remediation roadmap. Each gap is scored by risk (likelihood × impact), mapped to a compliance requirement, and assigned to a remediation phase with a cost estimate and timeline. This document becomes the business case for PAM investment.