PAM Academy › Module 3 — Discovery & Assessment

Module 3: Discovery & Assessment

You cannot protect what you cannot see. This module teaches you how to conduct a complete privileged account discovery across your estate, classify every account by risk tier, identify orphaned and over-privileged accounts, and produce a PAM maturity assessment that becomes your programme roadmap.

Self-study reference material
90–120 minutes
Security Engineers, IT Architects, PAM Leads
★★★★★ 4.9 · Security Engineers, IT Architects, PAM Leads
Account DiscoveryRisk ClassificationOrphaned AccountsPAM MaturityGap Analysis
Included
Part of the PAM Best Practice Academy curriculum
Start Module 3 → ← Back to Module 2
  • 5 in-depth content sections
  • Real-world case studies and industry statistics
  • Practical frameworks and templates
  • Compliance alignment guidance
  • 4-question knowledge check
Overview
Curriculum
Instructors
3
Module Number
5
Content Sections
90+
Minutes
4
Quiz Questions
Module 3 — Discovery & Assessment
90–120 min
COMING SOON
What you will learn
Master privileged account discovery and apply it to real-world PAM challenges
Master risk classification & tiering and apply it to real-world PAM challenges
Master orphaned & over-privileged accounts and apply it to real-world PAM challenges
Master pam maturity assessment and apply it to real-world PAM challenges
Master gap analysis & remediation roadmap and apply it to real-world PAM challenges
Module curriculum
1
Section 1: Privileged Account Discovery
Reading
2
Section 2: Risk Classification & Tiering
Reading
3
Section 3: Orphaned & Over-Privileged Accounts
Reading
4
Section 4: PAM Maturity Assessment
Reading
5
Section 5: Gap Analysis & Remediation Roadmap
Reading
6
Knowledge CheckTest your understanding
Quiz
Section: Privileged Account Discovery
You cannot protect what you cannot see

The first step in any PAM programme is a complete inventory of privileged accounts. Most organisations are shocked to discover they have 3–5x more privileged accounts than they thought. Discovery must cover: Active Directory (domain admins, service accounts, built-in admin accounts), local administrator accounts on every endpoint, database accounts (sa, sysdba, root), cloud IAM roles with admin permissions, application service accounts, and third-party vendor accounts.

Manual discovery is insufficient — it misses service accounts, shared accounts, and accounts created outside standard provisioning processes. Automated discovery tools scan Active Directory, LDAP, databases, and cloud environments to produce a complete privileged account inventory within hours.

Industry data: Industry benchmark: The average enterprise has 3–5 privileged accounts per employee. A 500-person company typically has 1,500–2,500 privileged accounts — most of which are unmanaged, unmonitored, and unknown to the security team.
Active Directory Scan
Enumerate all accounts in privileged groups: Domain Admins, Enterprise Admins, Schema Admins, Backup Operators, Account Operators. Export to CSV for risk classification.
Local Admin Discovery
Scan all endpoints for local administrator accounts. Identify shared local admin passwords (the #1 lateral movement vector). Flag accounts not in PAM scope.
Database Account Scan
Identify all database superuser accounts (sa, sysdba, postgres, root). Check for default passwords. Identify accounts with DBA role that are not in the vault.
Cloud IAM Audit
Export all IAM roles and policies from AWS, Azure, GCP. Identify roles with AdministratorAccess or Owner permissions. Flag service principals with excessive permissions.
Section: Risk Classification & Tiering
Not all privileged accounts are equal

Once discovered, every privileged account must be classified by risk tier. Tier 0 accounts can compromise the entire organisation if breached. Tier 1 accounts can compromise critical business systems. Tier 2 accounts have elevated but limited blast radius. Risk classification drives prioritisation — Tier 0 accounts must be vaulted first, with the strictest controls.

Industry data: Risk reality: 85% of breaches that result in regulatory fines involve Tier 0 or Tier 1 accounts. Yet in most organisations, Tier 0 accounts receive the same controls as standard user accounts.
Tier 0 — Critical
Domain controllers, credential vaults, backup systems, root CAs, HSMs
Immediate vaulting required. JIT access only. Two-person integrity for all changes. Session recording mandatory.
Tier 1 — High
Production databases, payment systems, email servers, web application servers
Vault within 30 days. Session recording required. Quarterly access reviews. MFA mandatory.
Tier 2 — Medium
Development servers, test environments, internal applications, monitoring tools
Vault within 90 days. Password rotation required. Annual access reviews. MFA recommended.
Tier 3 — Low
Read-only accounts, reporting tools, non-critical SaaS applications
Vault within 12 months. Standard password policy. Bi-annual access reviews.
Section: Orphaned & Over-Privileged Accounts
The silent insider threat

Orphaned accounts are privileged accounts that are no longer associated with an active employee or business function. They are created by departing employees, forgotten service accounts, test accounts never decommissioned, and vendor accounts left active after project completion. Over-privileged accounts have more access than their role requires — accumulated through role creep, emergency access never revoked, and 'just in case' permissions granted by well-meaning admins.

The Tesla insider threat (2023) involved a former employee who retained admin access for 40 days after termination. The Colonial Pipeline breach exploited a VPN account that had not been used in months but was never deprovisioned. Both were preventable with a formal orphaned account remediation process.
Orphaned Account Detection
Accounts with no login in 90+ days. Accounts associated with disabled AD users. Service accounts with no associated application. Vendor accounts past contract end date.
Over-Privilege Detection
Accounts with admin rights but no admin job function. Service accounts with interactive login enabled. Accounts in multiple high-privilege groups. Accounts with more permissions than their manager.
Remediation Workflow
Identify → Confirm with business owner → Disable (not delete) → Monitor for 30 days → Delete if no business objection. Never delete without confirmation.
Continuous Monitoring
Automated weekly scans for new orphaned accounts. Alerts when accounts go 30 days without login. Quarterly access certification reviews for all Tier 0/1 accounts.
Section: PAM Maturity Assessment
Where are you on the maturity curve?

A PAM maturity assessment measures your organisation's current PAM capabilities against a defined maturity model. It identifies gaps, prioritises remediation, and produces a roadmap that justifies investment. The PAM Best Practice maturity model has five levels: Ad Hoc (Level 1), Defined (Level 2), Managed (Level 3), Optimised (Level 4), and Adaptive (Level 5).

Industry data: Industry data: 73% of organisations self-assess at Level 1 or Level 2 PAM maturity. Only 8% have reached Level 4 or above. The gap between Level 2 and Level 3 is where most breaches occur.
Level 1 — Ad Hoc
No formal PAM programme. Shared passwords common. No session recording. No access reviews. Reactive only.
Level 2 — Defined
Basic vaulting in place. Some accounts discovered. Password rotation partially automated. Limited session recording.
Level 3 — Managed
Full account discovery. All Tier 0/1 accounts vaulted. JIT access for critical systems. Regular access reviews. Compliance reporting available.
Level 4 — Optimised
Zero standing privilege for all Tier 0/1. Automated JML process. Continuous monitoring. SIEM integration. Threat analytics active.
Level 5 — Adaptive
AI-driven anomaly detection. Predictive risk scoring. Automated response to suspicious sessions. Continuous compliance. PAM as a business enabler.
Section: Gap Analysis & Remediation Roadmap
Turning findings into a funded programme

The gap analysis translates maturity assessment findings into a prioritised remediation roadmap. Each gap is scored by risk (likelihood × impact), mapped to a compliance requirement, and assigned to a remediation phase with a cost estimate and timeline. This document becomes the business case for PAM investment.

The gap analysis is the most important deliverable in the discovery phase. It is the document that gets PAM funded. It speaks the language of risk, compliance, and ROI — not technology.
Gap: No Account Discovery
Risk: CRITICAL — Unknown accounts = unknown attack surface
Remediation: Automated discovery tool deployment. Timeline: 2 weeks. Cost: Low.
Gap: No Credential Vaulting
Risk: HIGH — Shared/static passwords enable lateral movement
Remediation: PAM tool deployment, Tier 0 vaulting first. Timeline: 8 weeks. Cost: Medium.
Gap: No Session Recording
Risk: HIGH — No forensic evidence for incident response
Remediation: Session recording enabled for all Tier 0/1 accounts. Timeline: 4 weeks. Cost: Low.
Gap: No Access Reviews
Risk: MEDIUM — Privilege creep accumulates over time
Remediation: Quarterly access certification process. Timeline: 6 weeks. Cost: Low.
Knowledge Check
Q1: What is the primary risk of orphaned privileged accounts?
They slow down the network
They provide an unmonitored entry point for attackers or disgruntled ex-employees ✓
They increase licensing costs
They cause compliance reports to fail
Q2: Which tier should be vaulted FIRST in a PAM programme?
Tier 3 — lowest risk, easiest to start
Tier 2 — development systems
Tier 0 — domain controllers, credential vaults, root CAs ✓
All tiers simultaneously
Q3: What does a PAM maturity assessment produce?
A list of vendors to evaluate
A gap analysis and prioritised remediation roadmap ✓
A complete list of all passwords
A penetration test report
Q4: True or False: Manual discovery is sufficient to find all privileged accounts in a large enterprise.
True
False — automated discovery is required to find service accounts, cloud IAM roles, and non-standard accounts ✓
Requirements
Completion of Module 2 (recommended)
Basic understanding of IT administration or security concepts
Target audience: Security Engineers, IT Architects, PAM Leads
No vendor-specific tool knowledge required — this is methodology-first
Your instructors
NK
Nabeel Khaliq
IAM & Privileged Access Management SME · Founder, PAM Best Practice Ltd
Practitioner with deep hands-on experience implementing PAM across enterprise environments. Founder of PAM Best Practice Academy, a UK-registered education and community hub for PAM professionals. Arsenal and Middlesbrough fan.
AR
Adrian Russo
IAM & Privileged Access Management Architect
Senior PAM architect with extensive experience designing and deploying large-scale CyberArk and BeyondTrust implementations across enterprise environments globally. Keen cyclist.
ID
Iftikar Din
Manufacturing-focused Cyber Security Engineer
Cyber security engineer specialising in industrial and manufacturing environments. Brings real-world operational technology (OT) security perspective to PAM implementation. Middlesbrough fan who loves gardening.
Your progress
Module 3 — Discovery & Assessment
Not started0%
Module breakdown
Section 1: Privileged Account DiscoveryReading
Section 2: Risk Classification & TieringReading
Section 3: Orphaned & Over-Privileged AccountsReading
Section 4: PAM Maturity AssessmentReading
Section 5: Gap Analysis & Remediation RoadmapReading
Knowledge Check5 questions
Up next
Module 4 — Protecting Digital Assets
Credential vaulting, session management, and endpoint privilege control
PAM Community
Join our network of PAM practitioners, mentors and industry partners across the UK.