How administrative access is separated and controlled.
If everyday users hold admin rights, one phishing click becomes a full-network compromise.
What strong practice looks like
Separate admin accounts, a password vault / PAM, and no standing local-admin rights.
What this area covers
Do administrators use separate accounts for admin work vs. day-to-day use?
Privileged access is about your most powerful accounts — the “administrator” accounts that can install software, change settings, add or remove users, or reach sensitive systems. These are the IT / system-administrator accounts that run the computers and network, not everyday user logins.
A familiar cousin is a personal password manager (like the saved passwords in your browser or Google account), which stores and protects logins. PAM (Privileged Access Management) is the stronger, business version aimed specifically at those high-power admin accounts — it limits who can use them, tracks what they do, and keeps them from being a single easy target.
Carriers ask because admin accounts are what attackers hunt for — one compromised admin account can unlock everything.
Also covered in this area
- Is a password vault or PAM solution in use?
- Are standard users prevented from having local admin rights?
- Are local admin accounts unique and complex (not shared)?
This library is general education, not advice about your specific organization. It describes what each control is and what strong practice looks like; whether and how any of it applies to you is your decision, in consultation with your carrier, broker, or counsel.