Privileged Access as Regulated Infrastructure
Privileged access accounts represent the most consequential risk vector in enterprise computing, yet they are typically governed as IT operational tools rather than the critical infrastructure they represent. This paper argues for a fundamental reframing: privileged access must be treated as regulated infrastructure subject to the same governance rigour as power grids, telecommunications networks, and financial market systems. Under emerging regulatory frameworks — NIS2's essential entity requirements, DORA's ICT risk management provisions, and sector-specific guidance from financial regulators — organisations that fail to govern privileged access as infrastructure face enforcement action, personal liability for directors, and potential designation as systemically non-resilient.
The paper provides a comprehensive governance framework that elevates PAM from a technical control to a board-level governance responsibility.
- 01 The Case for Infrastructure-Grade PAM
- 02 Privileged Access as Attack Vector
- 03 Regulatory Requirements Mapping
- 04 Infrastructure Governance Model for PAM
- 05 Just-in-Time and Zero Standing Privileges
- 06 Session Recording and Audit Requirements
- 07 Board-Level PAM Governance
- 08 Implementation and Maturity Assessment