Information Security 6 min read

IAM and PAM: Stopping Privilege Creep and Ensuring Secure Off-boarding

How to build a controlled identity lifecycle, implement regular access reviews, and eliminate "orphaned" access vulnerabilities to protect against cyber threats.

In the modern era of hybrid work and distributed cloud infrastructures, the concept of a traditional network perimeter has finally lost its effectiveness. User identity has become the only real line of defense. In the Zero Trust paradigm, every access request must be authenticated, authorized, and verified. It is important to understand that implementing Identity and Access Management (IAM) and Privileged Access Management (PAM) tools does not eliminate cyberattack risks by one hundred percent. However, it is a critical architectural layer of protection that limits the blast radius and complicates lateral movement for attackers in the event of a compromise.

Identity as the new security perimeter: why classic network protection no longer works

According to the ENISA Threat Landscape 2025 report, phishing remains the leading vector for initial access to corporate systems. The statistics highlight the criticality of the issue: 53.7% of all affected organizations belong to the category of essential entities. After gaining access through a compromised account of a regular employee, attackers attempt to escalate their privileges and establish a foothold in the system.

This is why controlling the identity lifecycle is a fundamental component of cyber resilience. The updated NIST CSF 2.0 framework introduces a separate Govern function, which emphasizes that managing cyber risks, including access risks, must be an integral part of overall corporate governance rather than a purely technical task for the IT department.

Anatomy of privilege creep: how "orphaned" access occurs

Most successful attacks exploit organizational gaps in access rights management rather than complex zero-day technical vulnerabilities. The most common problem is privilege creep—the gradual and unnoticed accumulation of excessive rights.

This happens due to the accumulation of redundant access rights by a user who has changed positions or departments. During each personnel transition, the IT department grants new rights necessary for the current role but forgets to revoke the old ones. Eventually, such an employee concentrates access to client databases, financial reports, and infrastructure settings simultaneously.

Another critical risk is orphaned accounts. These are profiles that remain active after an employee is dismissed. The lack of regular access rights audits leads to uncontrolled privilege expansion, and abandoned accounts become an ideal target, as their compromise can go unnoticed for a long time.

IAM vs. PAM: defining boundaries and interaction

To effectively manage access, two classes of systems are implemented: IAM (Identity and Access Management) and PAM (Privileged Access Management). They solve different tasks and cannot replace each other.

IAM manages identity and basic access for all employees. The task of IAM is to verify the user (e.g., via MFA) and provide access to standard business applications. PAM, in turn, isolates and protects highly privileged accounts (administrators, DevOps engineers) and controls access to critical infrastructure.

Security requires the integration of these systems. For example, if IAM detects a user account lockout or a status change, PAM must automatically terminate active sessions and revoke privileged access.

Access review as a regular process: methodology for access rights verification

Access Review is a systematic, documented process of verifying that actual user rights correspond to their job responsibilities, which is a prerequisite for compliance with ISO/IEC 27001 standards and the NIS2 directive. The process covers several stages:

  1. Defining resource criticality. Systems of different levels require different frequencies of checks. Access to development infrastructure via PAM is reviewed monthly or granted only for the duration of a task, while basic IAM access can be reviewed quarterly.
  2. Delegating responsibility to data owners. Access should be confirmed or revoked not by an IT administrator, but by the head of the relevant business unit, who clearly understands the employee's need for information.
  3. Automating the audit. Modern solutions independently consolidate data on user rights and generate approval tasks, eliminating manual work with spreadsheets.
  4. Recording results. Decisions to revoke access must be executed technically and recorded permanently in the audit trail.

Identity lifecycle per NIST SP 800-63: from onboarding to secure off-boarding

The NIST SP 800-63 Digital Identity Guidelines view identity as a process that includes provisioning, maintenance, and off-boarding phases.

Most incidents are related to errors at the final stage. Secure off-boarding of a privileged user necessarily involves:

  • Immediate account blocking in the Identity Provider (IdP).
  • Revoking active sessions in all systems.
  • Revoking access in PAM, rotating passwords, deleting personal SSH keys, and revoking API tokens.
  • Reassigning owners of critical data (transferring administrative rights to another engineer).

Architectural compliance: implementing access control without hindering business processes

To ensure access control rules do not block daily operations, security must be embedded at the architectural level (Security by Design). Designing and developing security solutions by Softengi based on the UnityBase platform allows for the creation of corporate systems with a controlled access lifecycle that meets regulatory requirements.

By using built-in platform mechanisms such as Row-Level Security (RLS), Access Control Lists (ACL), and detailed audit trails, the system automatically separates rights at the level of individual database records. For corporate clients with high security requirements, the platform's official page recommends Enterprise or Defence editions. These provide support for commercial authentication methods, hardware tokens, and certificates, making it easy to integrate a system developed on UnityBase into a corporate IAM/PAM landscape and automate the off-boarding process. Intecracy Group, an alliance of independent companies linked by partner agreements and share exchanges, ensures that these solutions are implemented with the highest standards of professional expertise.

Matrix of separation and control: IAM vs PAM in Access Review processes
ParameterIAM (Identity & Access Management)PAM (Privileged Access Management)
Target audienceAll employees, contractors, clientsAdministrators, DevOps, superusers
Access typeStandard access to business applications (Email, CRM, ERP)Access to critical infrastructure, databases, servers
Access Review frequencyQuarterly or upon role changeContinuous or monthly (Just-in-Time principle)
Off-boarding mechanismAutomatic account blocking in IdPImmediate revocation of API keys, password and certificate rotation

FAQ

How often should access reviews be conducted for standard and privileged users?

For standard users, basic access (IAM) reviews are typically conducted quarterly or during personnel changes (role transfers). For privileged accounts (PAM), the audit should be continuous or monthly, and rights are best granted using the Just-in-Time principle.

What is the difference between IAM and PAM systems, and can they replace each other?

IAM manages identity and basic access for all employees to the organization's business applications. PAM is designed to isolate and protect highly privileged accounts (administrators) and critical infrastructure. They do not replace, but rather complement each other.

What steps are critical for the off-boarding of a privileged administrator?

Critical steps include immediate profile blocking in the IdP, terminating active sessions in all systems, revoking access in PAM, rotating shared passwords, deleting SSH keys and API tokens, and reassigning ownership of critical processes.

Data sources

Sources & materials

Materials and sources used in this article.

  1. Microsoft: Zero Trust identity and access management — learn.microsoft.com
  2. NIST SP 800-63 Digital Identity Guidelines — pages.nist.gov
  3. NIST Cybersecurity Framework (CSF) 2.0 — nist.gov
  4. ENISA Threat Landscape 2025 — enisa.europa.eu