PAM on a budget: what to lock down before you buy anything

Most advice about privileged access management assumes you've already signed a six-figure contract. For a startup or a small IT team, that's not where you are — and it's not where you need to be to get materially safer.

Here's the honest version: the accounts that can end your business are the same whether you have 12 employees or 12,000. The domain admin, the cloud global admin, the service account wired into everything. An attacker who lands one of those owns you regardless of company size. The good news is that most of the damage comes from a short list of fixable conditions — and you can close the worst of them with what you already own, before buying a single tool.

This is the list I'd work through with a small team first.

Start with the accounts that can't be undone

You can't protect what you haven't found. Before anything else, build a plain inventory of your most dangerous accounts:

• Global / domain admins — who actually has top-tier access, and do they all still need it?
• Service accounts — the non-human accounts running automation, often with high privilege and a password set once in 2019.
• Shared accounts — anything where multiple people know one password.
• Break-glass accounts — the emergency access nobody monitors.

Half the value of an enterprise engagement is just this: a clear, current picture. You can produce a rough version yourself in a spreadsheet. The exercise alone usually surfaces accounts people forgot existed.

Kill standing privilege you don't need

The single most common finding in any review, at any company size: permanent admin access that's used a few times a year. Every one of those is a standing target.

Two moves, both free:

• Remove admin rights that aren't justified. Most "admins" need elevated access occasionally, not permanently. Pull the rights you can't justify, and watch what breaks (usually nothing).
• Turn on just-in-time elevation where your platform already offers it. If you're on Microsoft Entra ID, PIM (Privileged Identity Management) lets admins request elevation when they need it instead of holding it 24/7. It's included in the licensing many small orgs already have — and it's one of the highest-impact controls you can switch on for free.

Fix the service accounts before an attacker finds them

Service accounts are where small environments quietly bleed risk. They're privileged, they rarely have MFA, their passwords almost never rotate, and nobody's watching them. That's the perfect target.

You don't need a vault to start:

• Inventory them, then disable the ones that turn out to be unused (there are always some).
• Rotate the passwords on the ones that matter, and set a calendar reminder to do it on a schedule until you have something automating it.
• Cut their privilege to what the job actually requires — most are over-permissioned because it was easier at setup.

Close the MFA gaps that make everything else pointless

A perfect password policy means nothing if there's a side door without MFA. The usual culprits in small environments:

• Legacy authentication protocols that bypass modern MFA entirely — disable them.
• Conditional Access gaps where some apps or users slip through without a second factor.
• Admin accounts without MFA — these should be the most protected, and surprisingly often aren't.

Most of this is configuration in tools you already pay for, not a new purchase.

When a tool actually makes sense

I'm not going to pretend the free path scales forever. Here's the honest line: buy a PAM platform when manual discipline stops being realistic — when you have too many privileged accounts to rotate by hand, when you need recorded sessions for compliance, when an auditor requires evidence you can't produce manually, or when the cost of a breach clearly outweighs the license.

For a growing company, that day comes. When it does, a platform like CyberArk (now Idira, part of Palo Alto Networks) earns its cost by automating exactly the work you've been doing by hand. But buying it before you've done the free groundwork above just means you're paying to automate a mess. Clean up first; the tool works better on a tidy environment, and you'll scope it correctly because you'll actually know what you have.

The short version

If you do nothing else this month:

1. Inventory your privileged, service, and shared accounts.

2. Remove standing admin rights you can't justify; turn on just-in-time elevation where it's free.

3. Rotate and right-size your service accounts.

4. Close every MFA gap, starting with legacy auth and admin accounts.

None of that requires a purchase. All of it closes real attack paths. And when you do reach the point of buying a platform, you'll do it from a position of knowing your environment — which is the difference between a tool that pays for itself and one that sits half-configured.

If you want an outside read on where your environment actually stands — at any size, on any budget — that's exactly what a health check is for.