Why a maturity model

Privileged access is not a single project — it’s a continuous capability. Organisations need a way to assess where they are today and plan a realistic path forward.

The Privileged Path Maturity Model provides a structured way to evaluate posture across all five pillars and identify the gaps that matter most.

Maturity levels

Level 1 — Ad hoc

Privileged access exists but is not managed strategically. Admin accounts may have standing permissions. Shared credentials or undocumented break glass processes are common. No dedicated admin workstations.

Typical signs:

  • Global admins with permanent role assignments
  • Admin access from personal or shared devices
  • No formal break glass process
  • Minimal logging or review

Level 2 — Developing

Basic controls are in place. PIM may be deployed for some roles. MFA is enforced for admins. Some Conditional Access policies exist. But isolation is incomplete or absent, and operational processes are informal.

Typical signs:

  • PIM deployed for Entra ID roles
  • MFA required for admin accounts
  • No dedicated admin workstations
  • Break glass accounts exist but are untested

Level 3 — Defined

A coherent strategy is documented and partially implemented. Isolation mechanisms are being deployed — PAWs, device compliance, or network segmentation. Operational processes are formalised. Validation is periodic.

Typical signs:

  • Privileged access strategy documented
  • PAW deployment in progress
  • Admin tiering defined
  • Quarterly access reviews

Level 4 — Managed

Controls, isolation, and operations are consistently applied. Validation is regular and produces evidence. Gaps are tracked and remediated. The environment is resilient to most common attack paths.

Typical signs:

  • PAWs enforced for Tier 0 access
  • Automated access reviews
  • Break glass tested regularly
  • Compliance evidence generated on demand

Level 5 — Optimising

Privileged access is treated as a continuously improving capability. Advanced monitoring, automated response, and proactive threat hunting are in place. The organisation can demonstrate assurance to regulators and auditors with confidence.

Typical signs:

  • Full PAW coverage across tiers
  • Real-time alerting on privileged access anomalies
  • Automated compliance reporting
  • Regular red team or purple team validation

Using the maturity model

The maturity model is designed to be used alongside the framework pillars. Assess each pillar independently — most organisations will find they are at different levels across Foundation, Control, Isolation, Operations, and Validation.

This is expected. The goal is to identify the weakest areas and prioritise investment where the risk is greatest.

Most organisations are strong in Control (Level 3–4) but significantly weaker in Isolation (Level 1–2). This imbalance is where many breaches originate.
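The assessment procedure above, carried out in code, as an added example that is not tooling from the framework itself. It assumes evidence is gathered as a dict of sign name to boolean, that levels are cumulative (Level N is reached only when its signs and every lower level's signs all hold), and that the caller decides which signs belong to which pillar, since the page lists signs per level rather than per pillar; the signs themselves are the page's Level 2 to 5 "typical signs", with Level 1 as the floor.

```python
"""Score assessment evidence against the Privileged Path maturity levels."""

# Positive signs per level, taken from the page's "Typical signs" lists.
# Level 1 has no positive signs: it is where you are when Level 2 fails.
LEVEL_SIGNS = {
    2: ("pim_for_entra_roles", "mfa_for_admins", "break_glass_exists"),
    3: ("strategy_documented", "paw_rollout_started",
        "tiering_defined", "quarterly_access_reviews"),
    4: ("paw_enforced_tier0", "automated_access_reviews",
        "break_glass_tested_regularly", "evidence_on_demand"),
    5: ("paw_all_tiers", "realtime_anomaly_alerting",
        "automated_compliance_reporting", "red_or_purple_team_validation"),
}


def assess(evidence):
    """Return (level reached, signs still missing for the next level).

    Assumed cumulative rule: a level counts only if its signs and all
    lower levels' signs hold. An absent sign counts as not met, so an
    incomplete assessment can only under-state maturity, never inflate it.
    """
    reached = 1
    for level in sorted(LEVEL_SIGNS):
        missing = [s for s in LEVEL_SIGNS[level] if not evidence.get(s)]
        if missing:
            return reached, missing
        reached = level
    return reached, []


def rank_assessments(evidence_by_pillar):
    """Rank assessed areas weakest first as (name, level, missing) tuples.

    The keys are whatever the assessor scored independently, e.g. the
    five pillars; the lowest level is where investment should go first.
    """
    ranked = [(name, *assess(ev)) for name, ev in evidence_by_pillar.items()]
    return sorted(ranked, key=lambda r: (r[1], r[0]))


# Constructed sample showing the imbalance the page describes:
# Control well ahead of Isolation.
SAMPLE = {
    "Control": {"pim_for_entra_roles": True, "mfa_for_admins": True,
                "break_glass_exists": True, "strategy_documented": True,
                "paw_rollout_started": True, "tiering_defined": True,
                "quarterly_access_reviews": True, "paw_enforced_tier0": False},
    "Isolation": {"pim_for_entra_roles": True, "mfa_for_admins": True,
                  "break_glass_exists": False},
}

if __name__ == "__main__":
    for name, level, missing in rank_assessments(SAMPLE):
        print(f"{name}: Level {level}; to advance: {', '.join(missing)}")
```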