Essential Eight · Control 5
5.Restrict Administrative Privileges
Last reviewed:
Limit administrative access to only what is necessary, with governance over privileged accounts.
Why this mattersPrivileged-account compromise enables lateral movement and data exfiltration. The Jan 2026 IRAP QA Framework makes privilege governance evidence a top scrutiny area.
Maturity-level breakdown
Maturity Level 1
Privileged users use separate privileged and unprivileged operating environments. Privileged accounts are prevented from accessing the internet, email, and web services. Privileged accounts explicitly authorised to access online services are strictly limited.
Maturity Level 2
Requests for privileged access to systems, applications, and data repositories are validated when first requested. Privileged access disabled after 12 months unless revalidated. Just-in-time administration with privileged access workstations (PAWs) for privileged users.
Maturity Level 3
Privileged access events are centrally logged and reviewed. Memory integrity functionality (Credential Guard, HVCI) is enabled. Local Security Authority protection is enabled. Privileged access is granted just-in-time and is broker-mediated.
Common gaps we see at ML2 assessments
- Service accounts running with excessive admin rights
- No formal validation process for data-repository access requests
- Privileged accounts not reviewed against the 12-month rule