Case Study · PAM Implementation

Privileged Access Without Privilege Sprawl

PAM implementation at a Fortune 50 retail enterprise: 32,000+ users, a hybrid on-premises and Azure environment, and a target of zero standing administrative access.

Industry: Fortune 50 Retail
Users in Scope: 32,000+
Engagement: ~15 Months
Compliance: HIPAA · NIST 800-53

A licensed PAM tool isn't a PAM program.

The organization had OneIdentity Safeguard and TPAM already licensed. What they didn't have was a working privilege model. Developers held standing admin rights from day one. Service accounts hadn't rotated credentials in years. 32,000+ users across U.S. and U.K. operations were operating in an environment where privileged access was effectively permanent — granted once, never reviewed.

The primary risk was not an external breach. It was lateral-movement opportunity accumulating silently inside the perimeter: every onboarding shortcut, missed offboarding, and role change left privileges behind, and any single compromised account inherited all of them.

Architecture first. Tool configuration second.

The implementation began with a question most PAM deployments skip: what does least privilege actually look like for how this organization operates, as opposed to how policy says it should? The distinction matters because a just-in-time (JIT) model that ignores how engineers escalate during real incidents creates friction, and friction gets bypassed under pressure.

OneIdentity Safeguard was configured for session recording and privilege elevation and integrated with ServiceNow, so that an approved change ticket triggered time-bound elevated access scoped to that change: contextual, auditable, and expiring on its own. Standing admin access was retired not through mandate, but by making the JIT path faster than the old one.
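The ticket-to-elevation link described above comes down to a policy gate: given a change record, who may be elevated, on what, and until when. The following is an added example, not code from the case study or from OneIdentity or ServiceNow. It assumes the change record has already been fetched as a dict (the field names loosely mirror ServiceNow change_request columns but are assumptions here), and it returns a decision with an expiry that a PAM request would carry; the calls to the ServiceNow and Safeguard APIs are not part of the example. The constants MAX_ELEVATION and MAX_WINDOW are assumed policy values, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy constants (not from the case study): a hard cap on any single
# elevation, and a ceiling on the change window itself so that a ticket left
# open for weeks cannot be used as de facto standing access.
MAX_ELEVATION = timedelta(hours=4)
MAX_WINDOW = timedelta(days=2)


@dataclass
class Decision:
    granted: bool
    reason: str
    expires_at: Optional[datetime] = None


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are treated as UTC."""
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def evaluate(change: dict, requester: str, target_ci: str, now: datetime) -> Decision:
    """Decide whether a change record justifies elevating requester on target_ci.

    Every deny path carries a reason the PAM side can log; every grant carries an
    expiry bounded by both the change window and MAX_ELEVATION.
    """
    num = change.get("number", "<unknown>")
    if change.get("approval") != "approved":
        return Decision(False, f"{num}: change is not approved")
    if change.get("state") != "implement":
        return Decision(False, f"{num}: change is not in the implement state")
    if change.get("assigned_to") != requester:
        return Decision(False, f"{num}: {requester} is not the assigned implementer")
    if target_ci not in change.get("affected_cis", []):
        return Decision(False, f"{num}: {target_ci} is not in the change's scope")
    start, end = _ts(change["start_date"]), _ts(change["end_date"])
    if end <= start or end - start > MAX_WINDOW:
        return Decision(False, f"{num}: change window is invalid or long enough to be standing access")
    if not (start <= now < end):
        return Decision(False, f"{num}: current time is outside the change window")
    expires_at = min(end, now + MAX_ELEVATION)
    return Decision(True, f"{num}: elevate on {target_ci} until {expires_at.isoformat()}", expires_at)


# Constructed sample record and evaluation time (not real data).
NOW = datetime(2024, 3, 12, 14, 0, tzinfo=timezone.utc)
BASE = {
    "number": "CHG0012345",
    "approval": "approved",
    "state": "implement",
    "assigned_to": "jdoe",
    "affected_cis": ["prod-sql-01", "prod-sql-02"],
    "start_date": "2024-03-12T13:00:00+00:00",
    "end_date": "2024-03-12T22:00:00+00:00",
}


def run_cases() -> dict:
    """Evaluate the constructed cases; returns {case name: Decision}."""
    return {
        "approved_in_window": evaluate(BASE, "jdoe", "prod-sql-01", NOW),
        "short_window_caps_expiry": evaluate({**BASE, "end_date": "2024-03-12T16:00:00+00:00"}, "jdoe", "prod-sql-01", NOW),
        "not_approved": evaluate({**BASE, "approval": "requested"}, "jdoe", "prod-sql-01", NOW),
        "wrong_implementer": evaluate(BASE, "msmith", "prod-sql-01", NOW),
        "ci_out_of_scope": evaluate(BASE, "jdoe", "prod-web-07", NOW),
        "standing_window": evaluate({**BASE, "end_date": "2024-03-26T22:00:00+00:00"}, "jdoe", "prod-sql-01", NOW),
        "before_window": evaluate(BASE, "jdoe", "prod-sql-01", NOW - timedelta(hours=2)),
    }


if __name__ == "__main__":
    for name, d in run_cases().items():
        print(f"{name:26} {'GRANT' if d.granted else 'DENY '} {d.reason}")
```

The two window checks are the part worth copying: a ticket that is approved but whose window spans weeks is standing access with a change number attached, and an expiry that is the minimum of the window end and a fixed cap keeps a long legitimate window from turning into an all-day session.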

Containerized environments presented a separate problem: static credentials embedded in AKS applications. Workload identity federation replaced them: a pod obtains an Entra ID token by exchanging its projected Kubernetes service account token, so there is no client secret to store, leak, or rotate. That removes an entire class of exposure most PAM programs don't even scope for. MITRE ATT&CK mapping ran in parallel to validate controls against real adversary techniques, not just compliance checkboxes.
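The migration from embedded credentials to workload identity is easy to get half right: the secret is removed but the pod is never labeled, or the service account lacks the client-id annotation, or the federated credential's subject does not match the namespace and service account name. The following is an added example, not code from the case study. It audits pod specs, represented as dicts in the shape kubectl's JSON output would give, for both halves of the migration and emits the issuer, subject, and audience the managed identity's federated credential must carry. The label, annotation, subject format, and audience are the ones Azure Workload Identity documents; the manifests, client ID, and issuer URL are constructed placeholders.

```python
# Identifiers documented by Azure Workload Identity.
WI_USE_LABEL = "azure.workload.identity/use"
WI_CLIENT_ID_ANNOTATION = "azure.workload.identity/client-id"
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
# Environment variables that carry a long-lived credential a pod should no longer hold.
STATIC_CREDENTIAL_ENV = {"AZURE_CLIENT_SECRET", "AZURE_CLIENT_CERTIFICATE_PATH"}


def federated_subject(namespace: str, service_account: str) -> str:
    """Subject claim of the projected SA token; the federated credential must match it exactly."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def audit_pod(pod: dict, service_accounts: dict) -> list:
    """Return findings for one pod: static credentials still present, or workload identity wiring missing."""
    meta, spec = pod["metadata"], pod["spec"]
    ns = meta.get("namespace", "default")
    findings = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for env in container.get("env", []):
            if env.get("name") in STATIC_CREDENTIAL_ENV:
                source = "inline value" if "value" in env else "secretKeyRef"
                findings.append(f"{container['name']}: static credential {env['name']} from {source}")
    if meta.get("labels", {}).get(WI_USE_LABEL) != "true":
        findings.append(f"pod lacks label {WI_USE_LABEL}=true; the webhook will not project a token")
    sa_name = spec.get("serviceAccountName", "default")
    sa = service_accounts.get((ns, sa_name))
    if sa is None:
        findings.append(f"service account {ns}/{sa_name} not found")
    elif WI_CLIENT_ID_ANNOTATION not in sa["metadata"].get("annotations", {}):
        findings.append(f"service account {ns}/{sa_name} lacks {WI_CLIENT_ID_ANNOTATION}")
    return findings


def federated_credential_spec(pod: dict, service_accounts: dict, oidc_issuer: str) -> dict:
    """The issuer/subject/audience triple the managed identity's federated credential must carry."""
    ns = pod["metadata"].get("namespace", "default")
    sa_name = pod["spec"].get("serviceAccountName", "default")
    sa = service_accounts[(ns, sa_name)]
    return {
        "client_id": sa["metadata"]["annotations"][WI_CLIENT_ID_ANNOTATION],
        "issuer": oidc_issuer,
        "subject": federated_subject(ns, sa_name),
        "audience": TOKEN_EXCHANGE_AUDIENCE,
    }


# Constructed "before" pod: a service principal secret pulled from a Secret into the environment.
BEFORE_POD = {
    "metadata": {"name": "inventory-api", "namespace": "retail-prod", "labels": {"app": "inventory-api"}},
    "spec": {"containers": [{"name": "api", "image": "inventory-api:1.4", "env": [
        {"name": "AZURE_CLIENT_ID", "value": "11111111-1111-1111-1111-111111111111"},
        {"name": "AZURE_CLIENT_SECRET", "valueFrom": {"secretKeyRef": {"name": "sp-creds", "key": "secret"}}},
    ]}]},
}
# Constructed "after" pod: labeled for workload identity, bound to an annotated service account, no secret.
AFTER_POD = {
    "metadata": {"name": "inventory-api", "namespace": "retail-prod",
                 "labels": {"app": "inventory-api", WI_USE_LABEL: "true"}},
    "spec": {"serviceAccountName": "inventory-api",
             "containers": [{"name": "api", "image": "inventory-api:1.5", "env": []}]},
}
SERVICE_ACCOUNTS = {
    ("retail-prod", "inventory-api"): {"metadata": {
        "name": "inventory-api", "namespace": "retail-prod",
        "annotations": {WI_CLIENT_ID_ANNOTATION: "11111111-1111-1111-1111-111111111111"}}},
}
# Placeholder; the real value is the cluster's OIDC issuer URL (az aks show, oidcIssuerProfile.issuerUrl).
ISSUER = "https://oidc.example/aks-issuer/"

if __name__ == "__main__":
    for label, pod in (("before", BEFORE_POD), ("after", AFTER_POD)):
        print(label, audit_pod(pod, SERVICE_ACCOUNTS) or "clean")
    print(federated_credential_spec(AFTER_POD, SERVICE_ACCOUNTS, ISSUER))
```

Run this across `kubectl get pods -A -o json` output during the migration and the first list is the residual static-credential inventory; the second function is the check to run against the federated credential before declaring a workload done, because a subject that names the wrong namespace fails only at runtime, as a token-exchange error.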

Privileged access became a designed behavior, not an inherited one.

Standing privileged access was substantially reduced across the environment. Privilege elevation became tied to documented change intent rather than informal requests. Service account sprawl was catalogued with governance workflows preventing re-accumulation. The security model shifted from reactive to proactive — and stayed there.

Tools & Frameworks

OneIdentity Safeguard · TPAM · Microsoft Entra ID · Azure Kubernetes Service · ServiceNow ITSM · Workload Identity Federation · MITRE ATT&CK · NIST 800-53 · PowerShell · HIPAA
Want the full technical breakdown?

Download the expanded case study with deeper implementation detail, decision rationale, and framework mapping.
