Five pillars

The Privileged Path Framework is structured around five pillars. Each builds on the last, and none is optional.

Organisations often focus heavily on Control (PIM, MFA, Conditional Access) while neglecting Isolation and Validation entirely. This creates a false sense of security.

1. Foundation

Identity, governance, and baseline hygiene.

Before any privileged access controls can be effective, the foundations must be solid. This means:

  • Clean identity lifecycle management
  • Consistent naming and account separation
  • Role definitions that reflect real administrative boundaries
  • Governance processes that actually function

Without a solid foundation, everything built on top is unstable.

2. Control

Just-in-time access, approval workflows, and policy enforcement.

Control is where most organisations focus. PIM, Conditional Access, MFA — these are essential, but they are not sufficient on their own.

  • Privileged Identity Management for just-in-time role activation
  • Conditional Access policies scoped to admin scenarios
  • Authentication strength requirements
  • Approval and justification workflows

Control reduces standing access. But it doesn’t prevent lateral movement from a compromised endpoint.

3. Isolation

PAWs, tiering, network segmentation, and boundary enforcement.

This is the most commonly missing pillar. Isolation ensures that privileged activity happens in a protected context — separate from day-to-day computing, browsing, email, and user workloads.

  • Privileged Access Workstations (physical, virtual, cloud-hosted)
  • Administrative tiering (Tier 0, Tier 1, Tier 2)
  • Network segmentation for management traffic
  • Conditional Access device filters for admin portals

If your admins access Entra ID from the same device they use for email, you have a gap.

4. Operations

Secure admin processes, break glass, and operational discipline.

Even with strong controls and isolation, poor operational processes create risk. This pillar covers:

  • Break glass account design, storage, and testing
  • Privileged account lifecycle and rotation
  • Secure onboarding and offboarding of admins
  • Incident response procedures for privileged access compromise
  • Change management for identity and access infrastructure

5. Validation

Continuous monitoring, audit, and evidence-based assurance.

You cannot trust what you do not verify. Validation closes the loop:

  • Continuous access reviews
  • Sign-in and audit log monitoring
  • Privileged session recording where appropriate
  • Compliance evidence generation
  • Regular maturity assessments against this framework
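A check that ties the Isolation gap in pillar 3 to the sign-in log monitoring in pillar 5, as an added example that is not part of the framework's own material: it runs over a few constructed sign-in events and flags privileged accounts reaching admin portals from anything other than a compliant PAW. The field names, account list and device inventory are assumptions made for this example.

```python
import json

# Constructed sample sign-in events. The field names follow the general shape of
# Entra ID sign-in logs but are simplified here; they are assumptions for this example.
SAMPLE_SIGNINS = "\n".join([
    '{"user":"adm-alice@contoso.example","app":"Azure Portal","deviceId":"paw-001","isCompliant":true}',
    '{"user":"adm-alice@contoso.example","app":"Microsoft Entra admin center","deviceId":"lt-4471","isCompliant":true}',
    '{"user":"adm-bob@contoso.example","app":"Azure Portal","deviceId":null,"isCompliant":false}',
    '{"user":"alice@contoso.example","app":"Outlook","deviceId":"lt-4471","isCompliant":true}',
    '{"user":"adm-bob@contoso.example","app":"Azure Portal","deviceId":"paw-002","isCompliant":false}',
])

# Constructed inventories: which accounts are privileged and which devices are PAWs.
PRIVILEGED_USERS = {"adm-alice@contoso.example", "adm-bob@contoso.example"}
PAW_DEVICES = {"paw-001", "paw-002"}
ADMIN_APPS = {"Azure Portal", "Microsoft Entra admin center"}


def parse_signins(text):
    """Parse one JSON object per line into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event, privileged_users, paw_devices, admin_apps):
    """Return a reason string if this event breaks the PAW rule, else None."""
    if event["user"] not in privileged_users or event["app"] not in admin_apps:
        return None  # not a privileged sign-in to an admin portal; out of scope
    device = event.get("deviceId")
    if not device:
        return "unregistered device"  # no device identity at all
    if device not in paw_devices:
        return "non-PAW device"  # the Isolation gap: admin portal from a daily-use device
    if not event.get("isCompliant", False):
        return "PAW out of compliance"  # a PAW exists but currently fails its baseline
    return None


def find_gaps(text, privileged_users=PRIVILEGED_USERS, paw_devices=PAW_DEVICES,
              admin_apps=ADMIN_APPS):
    """Return (user, app, deviceId, reason) tuples for every event that breaks the rule."""
    findings = []
    for event in parse_signins(text):
        reason = classify(event, privileged_users, paw_devices, admin_apps)
        if reason:
            findings.append((event["user"], event["app"], event.get("deviceId"), reason))
    return findings


if __name__ == "__main__":
    for user, app, device, reason in find_gaps(SAMPLE_SIGNINS):
        print(f"{user} -> {app} from {device!r}: {reason}")
```

Each finding is evidence for an access review: the user, the portal reached, and why the device failed the PAW rule.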

How the pillars relate

Each pillar is necessary. Organisations that invest heavily in Control but ignore Isolation are exposed. Those with strong Isolation but weak Operations will eventually fail. Validation ensures the whole system remains trustworthy over time.

The Privileged Path Framework treats these pillars as a connected system, not a checklist.