Skip to content

What is Privileged Access Management (PAM) and what problem does it solve?

Short answer

PAM controls and monitors the accounts that can do the most damage — domain admins, root, service accounts. It vaults and rotates their credentials so secrets aren't shared or hardcoded, brokers sessions so admins never see the raw password, records what privileged users do, and ideally grants elevation just-in-time rather than standing access. The goal is to shrink the blast radius of the accounts attackers most want.

Privileged accounts — domain admins, root, cloud org admins, service accounts — are the keys to the kingdom. Compromise one and an attacker often owns the environment. Privileged Access Management (PAM) is the discipline and tooling for keeping those accounts under tight control.

What PAM actually does

  • Credential vaulting and rotation. Privileged passwords and keys live in a vault, not in scripts, spreadsheets, or admins' heads. They're rotated automatically and after each use, so a leaked secret has a short life.
  • Session brokering. When an admin needs access, the PAM tool injects the credential into the session without revealing it. The human never knows the actual password, so it can't be reused or phished out of them.
  • Session recording and monitoring. Privileged sessions are logged and often video-recorded, giving an auditable trail of who did what — invaluable during incident response and for compliance.
  • Just-in-time elevation. Rather than standing admin rights, users request elevation for a window with approval, and the privilege expires automatically.

Why standing privilege is the core problem

The biggest risk isn't malicious admins — it's that every account with permanent high privilege is a permanent target. Phishing, token theft, or a compromised endpoint turns a trusted admin into an attacker's foothold. PAM attacks this by minimizing how many privileges exist, for how long, and how recoverable the underlying secrets are.

PAM vs secrets management

A secrets manager stores machine-to-machine secrets (API keys, DB passwords) for applications. PAM overlaps but centers on human privileged access — interactive sessions, approvals, and recording — though modern platforms blur the line.

What interviewers look for: you connect PAM to reducing blast radius and standing privilege, and you mention vaulting, session brokering/recording, and JIT — not just "it's a password vault for admins."

Likely follow-ups

  • Why are standing admin privileges dangerous even for trusted staff?
  • How does session recording help during incident response?
  • What's the difference between PAM and a secrets manager?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.