
What is Privileged Access Governance (PAG)?

The term ‘privileged access’ or ‘privileged account’ is a hot topic lately. It seems that nearly every day there is news of another data breach that is inevitably tied to the misuse of poorly protected privileged account credentials. Exploiting privileged access makes it relatively easy for bad actors to gain access to or steal sensitive data. Unfortunately, it often takes months, or even years, to detect and investigate these incidents, by which time the thief and data are long gone.

The issue many organizations face when attempting to protect privileged accounts is that it’s challenging to determine which accounts have privileged access, and even trickier to track who has access to those accounts. Access control for these privileged accounts has long been handled by Privileged Account Management (PAM) technologies. However, traditional PAM solutions are often standalone and lack integration with identity governance and administration (IGA) technologies. As a result, they significantly hinder the control, visibility and governance of users and their access to privileged resources.

The meaning of Privileged Access Governance (PAG)

Privileged Access Governance (PAG) extends the governance, risk and compliance capabilities of an Identity Governance and Administration (IGA) solution over the Privileged Access Management (PAM) system. While PAM systems excel at securing known privileges, they don’t provide the same governance capabilities as an IGA solution. Integrating PAM with the IGA platform allows you to leverage the capabilities (provisioning, workflows, roles, policies and risk) across the entire PAM environment.

Benefits of Privileged Access Governance

The following are the benefits from extending your cybersecurity capabilities with Privileged Access Governance (PAG):

  • Unifying identity lifecycle management and provisioning processes
  • Eliminating silos and increasing security
  • Centralizing and simplifying compliance and policy administration
  • Creating consistent access to governance processes for all identities
  • Correcting redundant, improper, and excessive access to privileged accounts
  • Enforcing SoD policies
  • Streamlining user experience

How Privileged Access Governance works and key functionalities

When deploying an IGA solution, you aim to address your identity lifecycle management and governance challenges for the entire organization, including certification, attestation and segregation of duties. IGA solutions excel at fulfilling these requirements, while privileged account governance extends the governance, risk, and compliance capabilities of an IGA solution to encompass the PAM system. While most IGA platforms primarily assess risk based on user accounts and their roles and group memberships, Privileged Access Governance also takes into account the "root" credential obtained from the PAM environment, using this vital piece of information when implementing identity governance rules and determining risk across the entire organization.

Many organizations treat their IGA and PAM environments separately, thus managing access in silos in two different systems. The IGA system contains information about identity and its organizational context (such as department, role, position, location and cost center), along with the accounts held by that identity in various systems and applications throughout the organization (such as the AD domain account, email, SharePoint, SAP, Salesforce and other business applications).

The PAM system is different. Although the identity still exists in the PAM system, it lacks the level of organizational and contextual data possessed by the IGA systems. The PAM system grants access to systems or applications by providing the necessary keys or credentials for the target platform's account. The IGA and PAM systems differ in how they store identities, manage identity lifecycles, and facilitate access to systems and applications. However, both systems play a crucial role in combating cyber threats and risks, including insider threats. They contribute to enforcing least-privilege access from an IGA perspective and securing credentials while recording sessions on systems and applications.

Privileged Access Governance key functionalities include:

  • Granting privileges to users
  • Managing one-off privileged access needed to complete a specific task
  • Controlling access to privileged passwords
  • Tracking all privileged activity for reporting and audits of privileged access


It’s essential to have a complete view of all your identities and their rights, from standard users to privileged users. Privileged Access Governance bridges the gap between security and management. Organizations that still operate Privileged Access Management (PAM) and IGA technologies as separate silos miss out on several critical functions that significantly impact their security stance, including:

  • Applying identity provisioning processes to privileged accounts
  • Enforcing cohesive access policies across target systems and platforms
  • Benefitting from modern governance practices

Operating these systems independently prevents organizations from obtaining a 360-degree view of all identities and their associated user accounts, entitlements and activity.
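The combined view described above, as an added example (not code from One Identity or any product's API): it joins constructed IGA identity records with constructed PAM grants to flag orphaned, leaver, SoD-violating and excessive privileged access. All field names, role names, hosts and policy tables are assumptions made for illustration.

```python
# Constructed sample data; field names are assumptions, not a real IGA or PAM schema.
IGA_IDENTITIES = {
    "asmith": {"status": "active", "department": "Finance", "roles": {"ap-clerk"}},
    "bjones": {"status": "active", "department": "IT Ops", "roles": {"linux-admin"}},
    "cdoe": {"status": "terminated", "department": "IT Ops", "roles": set()},
    "dlee": {"status": "active", "department": "Helpdesk", "roles": {"helpdesk"}},
}
# PAM side: who may check out which privileged account on which system.
PAM_GRANTS = [
    ("asmith", "root", "erp-db01"),
    ("bjones", "root", "web01"),
    ("cdoe", "root", "web01"),
    ("dlee", "root", "web01"),
    ("svc-old", "Administrator", "dc01"),
]
# Hypothetical policy: privileged accounts each IGA role justifies.
ROLE_ALLOWED = {"linux-admin": {("root", "web01")}}
# Hypothetical SoD rule: this business role must not hold this privileged account.
SOD_RULES = [("ap-clerk", ("root", "erp-db01"))]


def review_privileged_access(identities, grants, allowed, sod_rules):
    """Join PAM grants to IGA identities and return (user, target, finding) tuples."""
    findings = []
    for user, account, system in grants:
        target = (account, system)
        ident = identities.get(user)
        if ident is None:
            # PAM knows the user, IGA does not: no owner, no lifecycle.
            findings.append((user, target, "orphaned"))
        elif ident["status"] != "active":
            # Identity left the organization but the PAM grant survived.
            findings.append((user, target, "leaver"))
        elif any(r in ident["roles"] and t == target for r, t in sod_rules):
            findings.append((user, target, "sod-violation"))
        elif not any(target in allowed.get(r, ()) for r in ident["roles"]):
            # Active identity, but no role justifies this privileged account.
            findings.append((user, target, "excessive"))
    return findings


if __name__ == "__main__":
    for user, target, finding in review_privileged_access(
        IGA_IDENTITIES, PAM_GRANTS, ROLE_ALLOWED, SOD_RULES
    ):
        print(f"{finding:14} {user:8} {target[0]}@{target[1]}")
```

None of these findings is visible from either system alone: the PAM grant list has no identity status or role context, and the IGA records have no view of who can obtain the "root" credential.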

Privileged Access Governance with One Identity

Close the gap between privileged access and standard user identities across the enterprise.