29. March 2026

Privileged Access Management: Why Admin Accounts Are the Biggest Gateway for Attackers

8 min Reading Time

80 percent of all data breaches begin with stolen or compromised credentials. 40 percent of these involve privileged accounts: domain admins, service accounts, database superusers. A single compromised admin account is enough to jump from one workstation to the next, harvest further credentials, and move laterally across the entire network. Privileged Access Management isn’t an optional security measure: under NIS2, controlling privileged access is part of a legal obligation.

TL;DR

  • 80 percent of all breaches start with compromised credentials (CrowdStrike). Admin and service accounts are prime targets because they offer the broadest access.
  • 40 percent of data breaches involve privileged accounts. Average cost: $4.5 million per breach (Verizon DBIR / IBM).
  • 30 percent of all security incidents are identity-based (IBM X-Force 2025). Attackers take over accounts and abuse their legitimate permissions instead of exploiting software.
  • 40 percent of breaches involve insiders, not just external attackers. Employees, contractors, and former staff with lingering admin rights pose a massive risk (Verizon DBIR 2024).
  • NIS2 mandates access control: The directive explicitly requires access control policies and multi-factor authentication for essential and important entities across the EU.

Why privileged accounts are the holy grail for attackers

A standard user account has access to their own mailbox, a few network drives, and the applications needed for daily work. A domain admin account has access to every server, every system, and every database in the network. For an attacker, the difference is between a door key and a master key.

The attack sequence is almost always the same: A phishing email to a regular employee. Credential theft via the compromised workstation. Lateral movement to a system where an admin account is active. Privilege escalation. From there, the entire network is exposed. CrowdStrike documents that, on average, an attacker moves from the first compromised endpoint to the next in 62 minutes. If an admin account is compromised, it takes minutes – not hours – to gain full network access.

The problem is exacerbated by technical debt. Many companies have service accounts set up years ago with static passwords that are never rotated. These accounts often have excessive permissions because they’ve accumulated access over time that was never cleaned up. They’re the perfect target: broadly privileged, rarely monitored, and protected by passwords unchanged for three years.

80 %
of all data breaches begin with compromised credentials
Source: CrowdStrike, 2025

What Privileged Access Management actually means

PAM is a security concept and technology category that controls, monitors, and logs access to privileged accounts. At its core, it revolves around four capabilities:

1. Credential Vaulting: Privileged passwords are stored in an encrypted vault, not in Excel spreadsheets or on Post-it notes. No administrator knows the password of a service account. The PAM system automatically issues it when needed and rotates it after use.

2. Just-in-Time Access: Admin rights aren’t granted permanently but only for the period they’re required. A database administrator gets superuser access for two hours to resolve an issue. Afterward, access is automatically revoked. Zero standing privileges is the goal: No one has permanent admin rights.

3. Session Recording: Every admin session is recorded: commands, screen content, and database access. Not for employee surveillance, but for forensics. If a breach occurs, the recording shows exactly which commands were executed with which account.

4. Privilege Elevation: Instead of granting a user permanent admin rights, only the specific permissions needed for a task are elevated. A developer can install an application without being able to administer the entire server.

“Nearly 40 percent of data breaches involve privileged accounts. The average cost of these breaches is $4.5 million. PAM isn’t a convenience feature – it’s an existential protective measure.”
Anomalix, The Role of PAM in Preventing Data Breaches, 2025

NIS2 and PAM: Why it’s now a regulatory obligation

The NIS2 directive lists access control policies and asset management, and the use of multi-factor authentication, among the minimum cybersecurity risk-management measures in Article 21(2). For essential and important entities in the EU (which affects thousands of companies in the DACH region), controlling privileged access is no longer a best practice but a regulatory requirement.

Specifically, NIS2 demands access control and identity management, security in the acquisition, development and maintenance of network and information systems, and incident reporting on a fixed clock: an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident. A compromised admin account that went unmonitored because privileged access was never controlled is very hard to defend against these requirements in an audit or after an incident.

For managing directors in Germany, the stakes are personal: NIS2 makes management bodies responsible for approving and overseeing the cybersecurity measures, and they can be held liable if that duty is neglected. A ransomware attack that escalates through an unmanaged admin account is exactly the scenario in which that liability is tested. Expect auditors to ask how privileged access is inventoried, time-limited, logged and protected by MFA.

PAM in the DACH SME sector: A reality check

The reality in many DACH companies: Admin passwords are shared in KeePass databases stored on network drives. Service accounts have passwords unchanged since their creation. And half of all IT administrators have permanent domain admin rights because it’s more convenient.

The barriers to PAM adoption in SMEs are real: Costs (enterprise PAM solutions range from €30,000 to €200,000 annually), complexity (integration into existing IT landscapes takes months), and cultural resistance (admins perceive PAM as a vote of no confidence in their work).

But there are pragmatic entry points. Windows LAPS (Local Administrator Password Solution) is built into current Windows versions at no extra cost and rotates local administrator passwords. Microsoft Entra Privileged Identity Management (PIM, formerly Azure AD PIM) is included in Microsoft 365 E5 via the Entra ID P2 entitlement. CyberArk, BeyondTrust, and Delinea provide scalable PAM solutions for SMEs.

Five immediate actions for IT security teams

1. Create an inventory of all privileged accounts. How many domain admin accounts exist? How many service accounts? Which have access to what? Most companies don’t know the answer. An audit of privileged accounts is the first step, and it must resolve nested group membership: an account that is an admin through three levels of group nesting is still an admin. Tools like BloodHound (open-source Community Edition) visualize Active Directory attack paths and uncover overprivileged accounts.

2. Implement password rotation for service accounts. Every service account password older than 90 days must be rotated. Be precise about what each tool covers: LAPS rotates local administrator passwords, not domain service accounts. For Windows services, scheduled tasks and IIS application pools, convert to group Managed Service Accounts (gMSA), whose passwords Active Directory rotates automatically (every 30 days by default); put the remainder into a vault with scheduled rotation, and use Entra PIM for cloud privileges. Static service account passwords are low-hanging fruit for attackers, especially on accounts with a service principal name (SPN): any domain user can request a Kerberos service ticket for that SPN and crack the password offline (Kerberoasting).

3. Implement just-in-time access. No IT administrator needs 24/7 domain admin rights. Entra PIM or CyberArk Endpoint Privilege Manager enable time-limited privilege elevation. By default, every admin works with a standard user account. Admin rights are only activated when needed, with an approval or justification and a defined expiry.

4. Enforce multi-factor authentication (MFA) for all admin access. MFA for privileged accounts isn’t optional. Every RDP connection, SSH session, and database access with admin rights must be protected by a second factor. Prefer phishing-resistant factors (FIDO2 security keys or certificate-based authentication) for admins; a push notification can be approved by a tired administrator at 2 a.m. Adaptive MFA additionally checks location, device, and risk level.

5. Set up monitoring and alerting for admin activities. Every admin logon outside business hours, every access from an unknown device, and every bulk operation (e.g., a mass database export) must trigger an alert. On Windows, Security event 4672 (special privileges assigned to a new logon) is the simplest hook for the first rule. SIEM rules for privileged activities can be configured in most tools within an hour; tuning them against the noise of legitimate admin work takes longer, so start with a small set of high-confidence rules.
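A minimal starting point for actions 1, 2 and 5, as an added example that is not part of the article and not a vendor tool: a PowerShell script that reviews a list of accounts for standing admin rights, admin-privileged service accounts, stale service-account passwords and enabled-but-unused accounts, plus a second function that flags privileged logons (Windows Security event 4672) outside business hours. It runs on constructed sample data so it works without a domain; the comments show the Get-ADUser and Get-WinEvent calls that would supply real input. The account names, dates, the privileged-group list and the 07:00 to 19:00 working window are assumptions to adapt to your environment.

```powershell
# Added example, not from the article. Runs on constructed sample data.
# Real input in a domain (ActiveDirectory module required):
#   $Accounts = Get-ADUser -Filter * -Properties PasswordLastSet,ServicePrincipalName,Enabled,LastLogonDate
#   (map group membership with Get-ADGroupMember 'Domain Admins' -Recursive, nesting included)
#   $Events   = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} -MaxEvents 5000
#   (in real 4672 events the account name is $e.Properties[1].Value)

$AsOf = [datetime]'2026-03-29 09:00'   # fixed "now" so the sample is reproducible

# Constructed sample accounts (hypothetical names, groups and dates).
$Accounts = @(
    [pscustomobject]@{ SamAccountName='j.mueller';      Groups=@('Domain Admins');    ServicePrincipalName=@();                     PasswordLastSet=$AsOf.AddDays(-20);   Enabled=$true; LastLogonDate=$AsOf.AddDays(-1)   }
    [pscustomobject]@{ SamAccountName='svc-sql';        Groups=@('Domain Admins');    ServicePrincipalName=@('MSSQLSvc/db01:1433'); PasswordLastSet=$AsOf.AddDays(-1100); Enabled=$true; LastLogonDate=$AsOf.AddDays(-2)   }
    [pscustomobject]@{ SamAccountName='svc-backup';     Groups=@('Backup Operators'); ServicePrincipalName=@('backup/bk01');        PasswordLastSet=$AsOf.AddDays(-400);  Enabled=$true; LastLogonDate=$AsOf.AddDays(-300) }
    [pscustomobject]@{ SamAccountName='ext-contractor'; Groups=@('Administrators');   ServicePrincipalName=@();                     PasswordLastSet=$AsOf.AddDays(-30);   Enabled=$true; LastLogonDate=$AsOf.AddDays(-250) }
    [pscustomobject]@{ SamAccountName='a.schmidt';      Groups=@('Domain Users');     ServicePrincipalName=@();                     PasswordLastSet=$AsOf.AddDays(-10);   Enabled=$true; LastLogonDate=$AsOf               }
)

function Find-PrivilegedAccountRisks {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [datetime] $AsOf = (Get-Date),
        [int] $MaxServicePasswordAgeDays = 90,   # action 2 threshold
        [int] $StaleLogonDays = 180              # enabled but unused for this long
    )
    # Membership in any of these groups counts as standing admin rights (assumed list; extend per tiering model).
    $PrivilegedGroups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators','Backup Operators'
    foreach ($a in $Accounts) {
        $isService    = @($a.ServicePrincipalName).Count -gt 0            # an SPN marks a service account (Kerberoastable)
        $isPrivileged = @($a.Groups | Where-Object { $PrivilegedGroups -contains $_ }).Count -gt 0
        $pwAgeDays    = [int]($AsOf - $a.PasswordLastSet).TotalDays
        $findings = @()
        if ($isPrivileged)                     { $findings += 'standing-admin' }
        if ($isService -and $isPrivileged)     { $findings += 'service-account-with-admin' }
        if ($isService -and $pwAgeDays -gt $MaxServicePasswordAgeDays) { $findings += "password-${pwAgeDays}d-old" }
        if ($a.Enabled -and $a.LastLogonDate -lt $AsOf.AddDays(-$StaleLogonDays)) { $findings += 'enabled-but-unused' }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Account = $a.SamAccountName; Service = $isService; Findings = ($findings -join ', ') }
        }
    }
}

function Find-AfterHoursPrivilegedLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WorkStartHour = 7,    # assumed working window, Mon-Fri 07:00-19:00
        [int] $WorkEndHour   = 19
    )
    # 4672 = "Special privileges assigned to new logon": an admin-equivalent token was issued.
    foreach ($e in $Events) {
        if ($e.Id -ne 4672) { continue }
        $t = $e.TimeCreated
        $weekend  = $t.DayOfWeek -in @([DayOfWeek]::Saturday, [DayOfWeek]::Sunday)
        $offHours = ($t.Hour -lt $WorkStartHour) -or ($t.Hour -ge $WorkEndHour)
        if ($weekend -or $offHours) {
            [pscustomobject]@{ Time = $t; Account = $e.Account; Host = $e.Host; Reason = $(if ($weekend) { 'weekend' } else { 'after-hours' }) }
        }
    }
}

# Constructed sample events (2026-03-27 is a Friday, 2026-03-29 a Sunday). The account
# name is already extracted here; see the comment at the top for real event objects.
$Events = @(
    [pscustomobject]@{ Id=4672; TimeCreated=[datetime]'2026-03-27 10:30'; Account='j.mueller';      Host='DC01'  }
    [pscustomobject]@{ Id=4624; TimeCreated=[datetime]'2026-03-27 23:15'; Account='a.schmidt';      Host='WS042' }
    [pscustomobject]@{ Id=4672; TimeCreated=[datetime]'2026-03-27 23:15'; Account='svc-sql';        Host='DB01'  }
    [pscustomobject]@{ Id=4672; TimeCreated=[datetime]'2026-03-29 03:05'; Account='ext-contractor'; Host='FS01'  }
)

'== Privileged account review (actions 1 and 2) =='
Find-PrivilegedAccountRisks -Accounts $Accounts -AsOf $AsOf | Format-Table -AutoSize
'== Privileged logons outside working hours (action 5) =='
Find-AfterHoursPrivilegedLogons -Events $Events | Format-Table -AutoSize
```

The review function deliberately reports several findings per account rather than a single score: a service account that is both a Domain Admin and has a three-year-old password is the first thing to fix, while a stale-but-enabled contractor account is a clean-up item. The 4672 rule is a starting point, not a finished detection; in production you would exclude known maintenance windows and automation accounts, and pair it with the 4624 logon event to see the source workstation and logon type.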

Conclusion

Privileged accounts are the master key to the corporate network. 80 percent of breaches start with compromised credentials, and 40 percent directly involve admin accounts. Under NIS2, controlling privileged access becomes a regulatory obligation with personal executive liability. The good news: Getting started doesn’t have to be expensive. LAPS, Entra PIM, and BloodHound audits are free or included in existing licenses. Five immediate measures that don’t require a large budget can close the biggest gaps. The question isn’t if an admin account will be compromised but whether the security team detects it in time and contains the damage.

Frequently Asked Questions

What’s the difference between IAM and PAM?

IAM (Identity and Access Management) manages access for all users to systems and applications. PAM (Privileged Access Management) is a subset of IAM that specifically focuses on privileged accounts: admin accounts, service accounts, and root access. PAM provides additional controls like credential vaulting, session recording, and just-in-time access, which aren’t necessary for standard user accounts.

How much does a PAM solution cost for SMEs?

Enterprise PAM solutions (CyberArk, BeyondTrust, Delinea) cost between €30,000 and €200,000 annually, depending on the number of managed accounts and desired features. For starters: Windows LAPS (free, for local admin passwords), Entra PIM (included in M365 E5), and BloodHound (open source, for AD audits) offer substantial protection without additional licensing costs.

Can’t service accounts just be eliminated?

Not entirely. Many applications and automations require service accounts for communication between systems. However, their number can be drastically reduced: Group Managed Service Accounts (gMSA) in Active Directory rotate their own passwords automatically (every 30 days by default) and never expose them to a human. Managed identities, certificates, or short-lived API tokens replace password-based service accounts where the application supports them. And any service account not actively in use should be disabled, then deleted after a grace period.

Isn’t MFA for admin accounts enough?

MFA is necessary but not sufficient. MFA protects the login moment. It doesn’t guard against session hijacking (an attacker taking over an already authenticated session), compromised service accounts (which can’t use MFA), or insider threats (an admin with legitimate MFA access abusing their rights). PAM complements MFA with credential rotation, session monitoring, and time-limited privileges.

How long does PAM implementation take?

Basic implementation (LAPS + Entra PIM + monitoring rules) can be completed in 2 to 4 weeks. A full enterprise PAM solution (CyberArk or BeyondTrust) with integration into all systems, service accounts, and legacy applications takes 3 to 6 months. The pragmatic approach: Quick wins first (LAPS, MFA, monitoring), then gradual expansion.

Further Reading

Identity Attacks 2026: Why Hackers No Longer Need to Break In

NIS2 in Germany: What Companies Need to Know Now

Shadow AI: When Employees Use ChatGPT and IT Doesn’t Know



About the author: Benedikt Langer
A magazine by Evernine Media GmbH