More Accounts Than People

In an earlier post, we walked through what identity security covers and why orphaned accounts are such a reliable entry point for attackers. The advice there was process-focused: build an inventory, run access reviews, connect HR to IT. That advice holds. But at some point, the numbers outgrow the spreadsheet. A small company with 500 employees can easily have several thousand identities once you count SaaS accounts, cloud roles, service accounts, API keys, and the automation and AI agents that now act on the company's behalf, and large companies are well beyond that. Nobody reviews that by hand on a quarterly basis and keeps it accurate. This is the problem IAM and PAM tools were built to solve.

Why the Math Broke

Start with the human side. A typical employee touches a dozen or more systems: email, the HR platform, the CRM, a project tool, a file sharing service, maybe a cloud console. Each of those is an account that needs to be created, adjusted when the person changes roles, and removed when they leave. Multiply that across the workforce and you have thousands of account events per year, each one a chance for something to be missed.

Now add the non-human side, which is growing faster. Service accounts run scheduled jobs and integrations. API keys connect applications to each other. Cloud workloads assume roles to reach databases and storage. AI agents increasingly hold their own credentials so they can read mailboxes, query systems, and take actions without a person in the loop. In many environments, these machine identities outnumber human ones several times over, and they rarely have an obvious owner or an offboarding date. When an integration gets decommissioned, the credential behind it tends to live on. The risk profile follows the sprawl. An attacker does not need to find your weakest firewall rule. They need one forgotten credential with more access than anyone remembers granting.

What IAM Tools Actually Do

Identity and access management platforms address the volume problem. The core capabilities look like this.

Single sign-on puts one authentication layer in front of your applications. Instead of separate passwords for the CRM, the file share, and the HR system, users authenticate once through a central identity provider. The security benefit is concentration: one place to enforce MFA, one place to spot suspicious logins, and one switch to flip when someone leaves. Disabling the SSO identity cuts access to connected applications in a single action. The operative word is connected: an application that still accepts a local password, or that issued an API token or long-lived session the identity provider does not revoke, stays reachable after the switch is flipped. Retiring those local logins is part of the SSO rollout, and it is what makes the one switch really one.

Lifecycle automation connects HR events to account actions. When HR marks a new hire in the system of record, the IAM platform creates the accounts that person's role requires. When they transfer departments, access adjusts: entitlements tied to the old role are removed, not just new ones added. When they leave, deprovisioning kicks off automatically rather than depending on someone remembering a checklist. This is where the orphaned account problem gets solved structurally instead of heroically.

Access governance handles the review side. Instead of exporting user lists into spreadsheets, the platform presents managers with a periodic certification: here is what your team can access, confirm or revoke each item. The reviews still require human judgment, but the tooling makes them feasible at scale and produces audit evidence as a byproduct.

The pattern across these features is the same. The tool does not make access decisions for you. It makes your decisions enforceable across hundreds of systems at once.
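The joiner, mover, leaver and unowned-service-account cases that lifecycle automation has to cover, as an added example that is not code from the original post or from any IAM product. It reconciles a constructed HR roster against a constructed identity-provider export; the field names (status, role, kind, owner) and the role-to-group mapping are assumptions standing in for whatever the real systems export.

```python
"""Reconcile an HR system of record against an identity provider's accounts.

Added example, not code from the original post or from any IAM vendor.
The HR roster, the IdP export and the role-to-group mapping are constructed
sample data; the field names are assumptions, not any vendor's schema.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Entitlements each job role should carry (assumed mapping, one set per role).
ROLE_GROUPS = {
    "engineer": {"email", "file-share", "cloud-console", "ci"},
    "sales": {"email", "file-share", "crm-users"},
    "finance": {"email", "file-share", "erp"},
}


@dataclass
class HRRecord:
    user_id: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class IdPAccount:
    user_id: str
    kind: str  # "human" or "service"
    enabled: bool
    groups: Set[str] = field(default_factory=set)
    owner: Optional[str] = None  # service accounts: user_id of the responsible human


Action = Tuple[str, str, Optional[Set[str]]]


def reconcile(hr: List[HRRecord], idp: List[IdPAccount]) -> List[Action]:
    """Return the account actions that bring the IdP in line with HR.

    Joiners get created, movers get their groups corrected in both directions,
    leavers get disabled, and service accounts with no active owner get flagged.
    """
    hr_by_id = {r.user_id: r for r in hr}
    idp_by_id = {a.user_id: a for a in idp}
    actions: List[Action] = []

    # Joiners: active in HR with no IdP account yet.
    for rec in hr:
        if rec.status == "active" and rec.user_id not in idp_by_id:
            actions.append(("create", rec.user_id, set(ROLE_GROUPS[rec.role])))

    for acct in idp:
        if acct.kind == "human":
            rec = hr_by_id.get(acct.user_id)
            if rec is None or rec.status != "active":
                # Leaver, or an account HR has never heard of: orphaned.
                if acct.enabled:
                    actions.append(("disable", acct.user_id, None))
                continue
            # Mover: drift between current groups and the role's entitlement.
            wanted = ROLE_GROUPS[rec.role]
            extra, missing = acct.groups - wanted, wanted - acct.groups
            if extra:
                actions.append(("revoke", acct.user_id, extra))
            if missing:
                actions.append(("grant", acct.user_id, missing))
        else:
            # Machine identity: it needs a recorded owner who is still active.
            owner = hr_by_id.get(acct.owner) if acct.owner else None
            if owner is None or owner.status != "active":
                actions.append(("flag_unowned", acct.user_id, None))
    return actions


# Constructed sample data: a four-person roster and a slightly stale IdP export.
HR_ROSTER = [
    HRRecord("alice", "engineer", "active"),
    HRRecord("bob", "sales", "active"),        # moved from engineering last month
    HRRecord("carol", "finance", "terminated"),
    HRRecord("dave", "sales", "active"),       # starts Monday, no account yet
]
IDP_EXPORT = [
    IdPAccount("alice", "human", True, {"email", "file-share", "cloud-console", "ci"}),
    IdPAccount("bob", "human", True, {"email", "file-share", "cloud-console", "ci"}),
    IdPAccount("carol", "human", True, {"email", "file-share", "erp"}),
    IdPAccount("svc-backup", "service", True, owner="carol"),
    IdPAccount("svc-ci", "service", True, owner="alice"),
    IdPAccount("svc-legacy", "service", True),  # nobody ever recorded an owner
]


def run_example() -> List[Action]:
    return reconcile(HR_ROSTER, IDP_EXPORT)


if __name__ == "__main__":
    for verb, who, groups in run_example():
        print(f"{verb:12} {who:12} {sorted(groups) if groups else ''}")
```

Two details carry the security point. Bob's transfer produces a revoke as well as a grant, because a mover who only ever gains groups ends up with the union of every role they have held. And the service account owned by Carol is flagged the moment Carol is terminated, which is exactly the credential that would otherwise live on after the person who understood it has left.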

Where PAM Fits In

Privileged access management addresses a different problem: the small set of accounts where a compromise is catastrophic. Domain admins, cloud root accounts, database administrators, and the super-admin roles in your most sensitive SaaS tools. IAM manages the many; PAM protects the few that matter most.

Credential vaulting moves privileged passwords out of spreadsheets, sticky notes, and shared documents into a controlled vault. Admins check credentials out when they need them, and the action gets logged. The shared AWS console password from our last post, the one three people knew and nobody rotated, is exactly what vaulting eliminates.

Automatic rotation changes privileged passwords on a schedule or after each use. A credential that changes daily is far less useful to an attacker than one that has been static for three years.

Session monitoring records what happens during privileged sessions. If an admin account does something unexpected at 2 a.m., you have a recording, not a mystery.

Just-in-time access may be the most important shift. Instead of standing admin rights that exist around the clock, privileges get granted for a specific task and a limited window, then revoked. An account that holds admin rights for forty minutes a week presents a much smaller target than one that holds them permanently.

PAM also extends naturally to machine identities. The same vaulting and rotation that protect a human admin's credentials can manage service account passwords and API keys, which solves the problem of secrets hardcoded into scripts and left untouched for years.
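The vaulting, rotate-after-use and just-in-time mechanics from the paragraphs above, combined in one added example that is not code from the original post or from any PAM product. Secrets live in memory and "rotation" simply generates a new random value where a real product would push it to the target system; the class and method names (JitBroker, Vault, request_elevation, checkout) and the timestamps are assumptions.

```python
"""Just-in-time elevation plus a check-out/rotate vault for one privileged credential.

Added example, not code from the original post or any PAM product. Secrets live
in memory and "rotation" just generates a new random value; a real deployment
pushes that value to the target system. Class and method names are assumptions.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    principal: str
    role: str
    reason: str
    expires_at: datetime  # every grant expires; there is no standing variant


class JitBroker:
    """Issues time-boxed privilege grants and expires them."""
    MAX_WINDOW = timedelta(hours=1)  # policy ceiling for one elevation

    def __init__(self):
        self.grants, self.audit = [], []

    def request_elevation(self, principal, role, reason, minutes, now):
        if not reason.strip():
            raise ValueError("a justification is required")
        window = timedelta(minutes=minutes)
        if window <= timedelta(0) or window > self.MAX_WINDOW:
            raise ValueError("requested window is outside policy limits")
        grant = Grant(principal, role, reason, now + window)
        self.grants.append(grant)
        self.audit.append((now, "grant", principal, role, reason))
        return grant

    def is_authorized(self, principal, role, now):
        return any(g.principal == principal and g.role == role and now < g.expires_at
                   for g in self.grants)

    def revoke_expired(self, now):
        expired = [g for g in self.grants if now >= g.expires_at]
        self.grants = [g for g in self.grants if now < g.expires_at]
        self.audit.extend((now, "expire", g.principal, g.role, None) for g in expired)
        return len(expired)


class Vault:
    """Check-out / check-in vault; the credential is rotated every time it is returned."""

    def __init__(self, broker):
        self.broker = broker
        self._secrets = {}      # name -> (required role, current value)
        self._checked_out = {}  # name -> principal currently holding it
        self.audit = []

    def enroll(self, name, role):
        self._secrets[name] = (role, secrets.token_urlsafe(24))

    def verify(self, name, value):
        """Stand-in for the target system checking a presented credential."""
        return secrets.compare_digest(self._secrets[name][1], value)

    def checkout(self, name, principal, now):
        role, value = self._secrets[name]
        if not self.broker.is_authorized(principal, role, now):
            self.audit.append((now, "denied", principal, name))
            raise PermissionError(f"{principal} has no live grant for {role}")
        if name in self._checked_out:
            raise RuntimeError(f"{name} already checked out by {self._checked_out[name]}")
        self._checked_out[name] = principal
        self.audit.append((now, "checkout", principal, name))
        return value

    def checkin(self, name, principal, now):
        if self._checked_out.get(name) != principal:
            raise RuntimeError(f"{name} is not checked out by {principal}")
        role, _ = self._secrets[name]
        self._secrets[name] = (role, secrets.token_urlsafe(24))  # rotate on return
        del self._checked_out[name]
        self.audit.append((now, "checkin+rotate", principal, name))


def run_example():
    """One admin's 2 a.m. change, with constructed timestamps."""
    t0 = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    vault = Vault(broker)
    vault.enroll("aws-root", "cloud-admin")
    try:  # no grant yet: the vault must refuse
        vault.checkout("aws-root", "alice", t0)
        denied_before_grant = False
    except PermissionError:
        denied_before_grant = True
    try:  # eight hours is standing access in disguise: policy rejects it
        broker.request_elevation("alice", "cloud-admin", "INC-1234", 8 * 60, t0)
        rejected_long_window = False
    except ValueError:
        rejected_long_window = True
    broker.request_elevation("alice", "cloud-admin", "INC-1234 rotate KMS key", 40, t0)
    pw = vault.checkout("aws-root", "alice", t0 + timedelta(minutes=5))
    valid_while_out = vault.verify("aws-root", pw)
    vault.checkin("aws-root", "alice", t0 + timedelta(minutes=20))
    valid_after_checkin = vault.verify("aws-root", pw)  # rotated: old value is dead
    t1 = t0 + timedelta(minutes=40)
    return {
        "denied_before_grant": denied_before_grant,
        "rejected_long_window": rejected_long_window,
        "valid_while_out": valid_while_out,
        "valid_after_checkin": valid_after_checkin,
        "expired": broker.revoke_expired(t1),
        "still_authorized": broker.is_authorized("alice", "cloud-admin", t1),
        "audit_events": len(broker.audit) + len(vault.audit),
    }


if __name__ == "__main__":
    for key, val in run_example().items():
        print(f"{key:22} {val}")
```

The design choice worth copying is that Grant has no way to express "forever": a ceiling on the window is enforced at request time, and the password the admin saw during the forty-minute window stops working the moment it is checked back in, so a screenshot, a terminal scrollback, or a copied sticky note buys an attacker nothing after the change is done.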

Tools Do Not Replace the Program

A caution before you start evaluating vendors: these platforms automate your processes, including the bad ones. If your role definitions are vague and over-permissioned, lifecycle automation will provision vague and over-permissioned access at high speed. If nobody owns the service account inventory, the PAM vault will protect credentials nobody can explain.

The process work from part one of this series is not a phase you skip once you buy tools. It is what makes the tools worth their license cost. Sequencing matters too. For most organizations, the practical order is SSO with MFA first, since it delivers the broadest risk reduction for the effort. Lifecycle automation comes next, because it stops the orphaned account problem from regenerating. PAM follows, starting with your most critical admin accounts rather than attempting to vault everything at once. Buying the full suite on day one usually means shelfware.

The Goal Is Boring Reliability

The point of this tooling is not sophistication. It is making the right thing happen by default, thousands of times a year, without depending on anyone's memory. When offboarding runs automatically, when admin credentials rotate themselves, and when access reviews take hours instead of weeks, identity risk stops being a standing item on the audit findings list.

Groman Cyber helps organizations assess their identity environment, sequence IAM and PAM investments, and build the processes that make those tools effective. If you are weighing where to start, or you have tools in place that are not delivering, we can help. Contact us to get started.
