Access and Privilege Use Cases
Access and privilege use cases involve legitimate access, excessive access, retained access, delegated access, or privileged access that creates exposure to sensitive systems, data, cloud resources, business applications, or operational processes.
Many insider incidents do not begin with account compromise. They begin with access that exists for a valid reason but is no longer appropriate, is too broad for the role, is retained after a change in status, or is used outside approved purpose.
A mature insider-risk program treats access and privilege as exposure conditions that require lifecycle governance, monitoring, review, escalation, and executive visibility.
Aligned ITM Objects Board
These core Insider Threat Matrix™ objects are frequently observed in connection with this threat domain. Aligning monitoring controls to these objects ensures targeted coverage of preparation and infringement pathways. For complete framework definitions, refer to the Insider Threat Matrix™.
| ITM ID | Object Name | Tactical Context |
|---|---|---|
| ME007 | Privileged Access | Misuse of administrator credentials to execute configuration modifications, bypass access controls, or disable audits. |
| ME021 | Unrevoked Access | Retention of active credentials from contractors, movers, or terminated staff, exploited to maintain silent ongoing access. |
| ME027 | Credential Access and Exposure | Harvesting shared keys, accessing credential vaults, or using session-hijacking tools to compromise high-clearance accounts. |
| ME028 | Delegated Access via Managed Service Providers | Leveraging trusted third-party service accounts or active VPN tunnels established for external MSP vendors to operate unnoticed. |
| ME026 | Ability to Modify Cloud Resources | Using administrative cloud roles to spin up shadow virtual instances, alter virtual networks, or delete backups. |
| PR030 | Authorization Token Staging | Staging or harvesting JWTs, OAuth tokens, or long-lived cookies to establish persistent connection channels. |
| PR024 | Increase Privileges | Exploiting software vulnerabilities or executing privilege-escalation scripts to gain root or domain-level administrative access. |
| IF014 | Unauthorized Changes to IT Systems | Disabling endpoint detection tools, editing firewall rules, or creating rogue admin accounts to secure permanent backdoors. |
| IF011 | Providing Access to an Unauthorized Third Party | Intentionally sharing active VPN profiles, system credentials, or hardware access tokens with external threat actors. |
Priority Use Cases in this Category (4)
Contractor Access Abuse
A contractor with time-bound or project-specific access uses that access outside scope, after contract transition, or for a third party.
MSP Delegated-Access Risk
Delegated provider access is used to reach customer systems, change cloud resources, or perform actions whose accountability is unclear across organizational boundaries.
Privileged User Misuse
A privileged user uses elevated rights to change systems, access sensitive environments, weaken controls, alter logs, or enable another person or process to act.
Unrevoked Access
A former or transferred user retains account, API, MFA, physical, or device access and uses it after their legitimate need has ended.