HomeIdentity Security Encyclopedia › Break Glass Account

Break Glass Account

A break glass account is a special emergency access account with high privileges, held in reserve for crisis situations where normal access methods are unavailable — named after the emergency fire alarm glass you break only in genuine emergencies.

PAM Emergency Access Privileged Account

❓ What is Break Glass Account?

A break glass account is a special emergency access account with high privileges, held in reserve for crisis situations where normal access methods are unavailable — named after the emergency fire alarm glass you break only in genuine emergencies.

⚙️ How Does It Work?

Break glass accounts are stored in PAM vaults with strict controls: dual-person integrity (two people required to access), full session recording, automatic alerts on use, time-limited checkout, and mandatory post-use review.

📍 Where Is It Used?

Every enterprise environment — required for scenarios like IdP outage (can't SSO in), ransomware recovery (AD is down), or locked-out admin accounts.

💡 Real-World Example

During a ransomware attack, a company's Active Directory goes down. The incident response team uses the break glass account — stored in CyberArk and requiring two-person access — to log into critical systems and begin recovery. Every action is recorded for the post-incident audit.

🔗 Related Terms

PAM Privileged Account CyberArk Vault Least Privilege JIT
← AWS IAMCertificate →

Stay Ahead in Identity Security

Get weekly IAM, PAM & IGA insights delivered to your inbox via Identity Pulse.

Subscribe to Identity Pulse →
Scroll to top