A break glass account is a special emergency access account with high privileges, held in reserve for crisis situations where normal access methods are unavailable — named after the emergency fire alarm glass you break only in genuine emergencies.
⚙️ How Does It Work?
Break glass accounts are stored in PAM vaults with strict controls: dual-person integrity (two people required to access), full session recording, automatic alerts on use, time-limited checkout, and mandatory post-use review.
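The controls listed above can be checked mechanically against the vault's audit trail. The Python below is an added example, not part of the original page and not any PAM vendor's code: it audits constructed checkout events for dual-person approval, session recording, the checkout time limit and the post-use review. The event field names, the one-hour limit and the 24-hour review window are assumptions.

```python
from datetime import datetime, timedelta

MAX_CHECKOUT = timedelta(hours=1)      # assumed checkout time limit
REVIEW_DEADLINE = timedelta(hours=24)  # assumed window for post-use review

# Constructed vault audit events; the field names are hypothetical.
EVENTS = [
    {"id": "co-1", "type": "checkout", "time": "2024-05-01T02:00:00",
     "requester": "alice", "approver": "bob", "recorded": True},
    {"id": "co-1", "type": "checkin", "time": "2024-05-01T02:40:00"},
    {"id": "co-1", "type": "review", "time": "2024-05-01T09:00:00"},
    {"id": "co-2", "type": "checkout", "time": "2024-05-03T11:00:00",
     "requester": "carol", "approver": "carol", "recorded": False},
    {"id": "co-2", "type": "checkin", "time": "2024-05-03T14:30:00"},
]

def audit(events, now):
    """Return {checkout id: [violated controls]} for every checkout seen."""
    sessions = {}
    for ev in events:
        sessions.setdefault(ev["id"], {})[ev["type"]] = ev
    findings = {}
    for sid, s in sessions.items():
        out = findings.setdefault(sid, [])
        co = s.get("checkout")
        if co is None:
            out.append("activity without a checkout record")
            continue
        start = datetime.fromisoformat(co["time"])
        # Dual-person integrity: a second, different person must approve.
        if not co.get("approver") or co["approver"] == co["requester"]:
            out.append("no independent approver")
        if not co.get("recorded"):
            out.append("session not recorded")
        # Time-limited checkout: an open or a late check-in both count.
        ci = s.get("checkin")
        end = datetime.fromisoformat(ci["time"]) if ci else now
        if end - start > MAX_CHECKOUT:
            out.append("checkout exceeded time limit")
        # Mandatory post-use review, due within REVIEW_DEADLINE of the end.
        rv = s.get("review")
        done = datetime.fromisoformat(rv["time"]) if rv else now
        if done - end > REVIEW_DEADLINE:
            out.append("post-use review missing or late")
    return findings

if __name__ == "__main__":
    for sid, problems in audit(EVENTS, datetime(2024, 5, 6)).items():
        print(sid, problems or "compliant")
```

A checkout with an empty findings list met all four checked controls; alerting on use is not covered here because it happens at checkout time rather than in after-the-fact review.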
📍 Where Is It Used?
Every enterprise environment — required for scenarios like IdP outage (can't SSO in), ransomware recovery (AD is down), or locked-out admin accounts.
💡 Real-World Example
During a ransomware attack, a company's Active Directory goes down. The incident response team uses the break glass account — stored in CyberArk and requiring two-person access — to log into critical systems and begin recovery. Every action is recorded for the post-incident audit.