Intragen | Practical PAM Guide | Whitepaper

What Audit-Ready PAM Looks Like

The Target State: What Organisations Should Actually Be Aiming For

Most organisations believe their privileged access is under control. Auditors often disagree. This guide sets out the eleven capabilities that define audit-ready PAM, the gaps regulators are now testing for, and how to benchmark your own programme against them.

A look inside

What you’ll find in the guide

A diagnostic, a benchmark, and what regulators are now testing for - in three substantive sections, written to be used as a working reference for your next PAM review.

Where most PAM programmes fall short

An eight-point self-assessment of the findings auditors flag most frequently. Strong foundation, targeted exposure, or significant exposure - the guide tells you which band you’re in and what it means.

Over-privileged accounts: privilege creep unchecked across role changes and project completions.
Orphaned accounts: credentials tied to former employees, decommissioned services, or completed projects still active.
Manual or absent credential rotation: service account passwords unchanged for months or years.

The eleven capabilities benchmark

Each capability area has a clear operational benchmark reflecting what auditors actually expect to see - not aspirational targets. Use it as a framework to score your current programme.

01 Credential Vaulting
02 Session Isolation & Monitoring
03 Just-in-Time Access
04 Least Privilege Enforcement
05 Automated Credential Rotation
06 Complete Audit Trails
07 SIEM/SOAR Integration
08 Privileged Access Governance
09 Non-Human Identity Management
10 Cloud & Hybrid Coverage
11 Auditor-Facing Reporting

Why this is urgent: NIS2 & DORA in 2026

Two European regulations are elevating these capabilities from best practice to regulatory expectation. The guide unpacks the specific articles your privileged access programme is now being tested against.

NIS2

Article 21 risk-management measures - access control, MFA, credential management, incident detection. Fines up to €10m or 2% of global turnover.

DORA

Enforceable since January 2025. Periodic access reviews and robust identity controls for ICT systems, with financial penalties at organisational level.

Inside the guide: how DORA supersedes NIS2 on overlapping requirements, and which capabilities answer to which articles.

Not sure how you'd actually operate this?

Getting PAM right isn't just a technology question; it's an operating model question. Many organisations have the tools in place but struggle to sustain coverage as environments grow, people leave, and audit expectations increase. This page walks through what day-to-day PAM operations actually involve, where internal models typically run into difficulty, and what changes when you bring in dedicated support.

If you identified three or more gaps, your privileged access programme is unlikely to meet audit expectations today. That is not a criticism; it is the reality for most organisations we assess. But it does mean the distance between where you are and where you need to be is measurable, and closeable.

What comes next

A 3-part execution roadmap delivered to your inbox

Download the guide and you’ll receive a phased roadmap aligned with the Palo Alto Blueprint maturity framework, sent directly to your inbox in three parts.

Part 1

Reduce Risk Fast

Define scope, set control standards, and reduce immediate exposure across your highest-risk privileged access paths from Tier-0 credential vaulting to session recording and break-glass procedures.

Part 2

Expand and Embed

Onboard non-human identities, automate credential rotation, and embed governance into operations, integrating PAM with SIEM, ITSM, and identity lifecycle processes.

Part 3

Operationalise

Move from managed compliance to continuous security operations: just-in-time access, cloud and hybrid coverage, secrets management in CI/CD, and behavioural analytics for privileged misuse.

The organisations that achieve audit readiness prioritise risk, embed governance into daily operations, and treat PAM as a continuously maturing discipline, not a one-off deployment.

Who it’s for

Built for the people who get the audit findings

Written for security and compliance leadership at mid-to-large enterprises across Europe. Practical, operational, and grounded in hands-on implementation experience.

CISOs & IT Security Directors

Building or replacing a PAM programme, defending the strategy at board level, and benchmarking against what regulators now expect.

IT Operations Leads

Owning PAM implementation work, integrating with SIEM and identity systems, and translating policy into day-to-day controls.

Compliance Officers

Preparing for NIS2 and DORA examinations, mapping privileged access controls to regulatory articles, and producing audit-grade evidence.

200+

Organisations across Europe trust Intragen to protect their most critical privileged access infrastructure.

20+ years

Experience in identity security, and now a part of the Nomios Group.

Get The Rest Of The Guide

The full eleven-capability benchmark and gaps regulators test for, all in one PDF.