Solving the Top Five PAM Challenges of Identity Teams

PAM Challenge #1: You Can’t Secure What You Can’t See

Invisible service accounts and shadow admins

To place PAM protection on an administrative account, you first need to know that the account exists. While it’s relatively easy to locate the accounts of your official admin users, two types of accounts pose a severe challenge:

Service accounts, which are used for machine-to-machine access, are often created independently and without proper documentation. Additionally, there is no built-in utility that can pick out all service accounts within a given AD environment. Because they cannot be located and discovered, these accounts are typically not onboarded to the PAM and don’t get the protection that their privilege level requires.

Shadow admins, which are standard users inadvertently assigned high access privileges, also end up outside PAM protection. As their name implies, the identity team is unaware of their existence and hence won’t onboard them to the PAM.
