Threat Domain / Category Index

Access and Privilege Use Cases

Access and privilege use cases involve legitimate access, excessive access, retained access, delegated access, or privileged access that creates exposure to sensitive systems, data, cloud resources, business applications, or operational processes.

Many insider incidents do not begin with account compromise. They begin with access that exists for a valid reason but is no longer appropriate, is too broad for the role, is retained after a change in status, or is used outside approved purpose.

A mature insider-risk program treats access and privilege as exposure conditions that require lifecycle governance, monitoring, review, escalation, and executive visibility.

Aligned ITM Objects Board

These core Insider Threat Matrix™ objects are frequently observed in connection with this threat domain. Aligning monitoring controls to these objects ensures targeted coverage of preparation and infringement pathways. For complete framework definitions, refer to the Insider Threat Matrix™.

ITM IDObject NameTactical Context
ME007Privileged AccessMisuse of administrator credentials to execute configuration modifications, bypass access controls, or disable audits.
ME021Unrevoked AccessRetention of active credentials from contractors, movers, or terminated staff, exploited to maintain silent ongoing access.
ME027Credential Access and ExposureHarvesting shared keys, accessing credential vaults, or using session-hijacking tools to compromise high-clearance accounts.
ME028Delegated Access via Managed Service ProvidersLeveraging trusted third-party service accounts or active VPN tunnels established for external MSP vendors to operate unnoticed.
ME026Ability to Modify Cloud ResourcesUsing administrative cloud roles to spin up shadow virtual instances, alter virtual networks, or delete backups.
PR030Authorization Token StagingStaging or harvesting JWTs, OAuth tokens, or long-lived cookies to establish persistent connection channels.
PR024Increase PrivilegesExploiting software vulnerabilities or executing privilege-escalation scripts to gain root or domain-level administrative access.
IF014Unauthorized Changes to IT SystemsDisabling endpoint detection tools, editing firewall rules, or creating rogue admin accounts to secure permanent backdoors.
IF011Providing Access to an Unauthorized Third PartyIntentionally sharing active VPN profiles, system credentials, or hardware access tokens with external threat actors.

Priority Use Cases in this Category (4)

Contractor Access Abuse

A contractor with time-bound or project-specific access uses that access outside scope, after contract transition, or for a third party.

/contractor-access-abuse/Explore use case detail

MSP Delegated-Access Risk

Delegated provider access is used to reach customer systems, change cloud resources, or perform actions whose accountability is unclear across organizational boundaries.

/msp-delegated-access-risk/Explore use case detail

Privileged User Misuse

A privileged user uses elevated rights to change systems, access sensitive environments, weaken controls, alter logs, or enable another person or process to act.

/privileged-user-misuse/Explore use case detail

Unrevoked Access

A former or transferred user retains account, API, MFA, physical, or device access and uses it after their legitimate need has ended.

/unrevoked-access/Explore use case detail
Educational Reference NoteThis category index page is part of the ITMG® Insider Risk Body of Knowledge™. The Insider Threat Matrix™ is an open framework maintained by Forscie Limited. All rights reserved. For program implementation frameworks, metrics baselines, or proprietary assessment algorithms, please consult the Insider Risk Capability Framework™ (IRCF™) or schedule a Guided Exposure Assessment with ITMG®.