From Firefighting to Frameworks: Why I Built Smart Access PAM

  • Pravin Raghvani MSc
  • Jul 29
  • 4 min read

Updated: Jul 30

🗨️ Interview Format

This article is based on a candid conversation with ChatGPT, where I shared the real story behind the Smart Access PAM Framework—complete with hard-learned lessons, strategic pivots, and a few superhero metaphors. What follows is an adapted narrative of that journey: the personal journey of Pravin Raghvani MSc, PAM Strategy and PAM Transformation Leader, from breach response to building a modern PAM strategy rooted in Zero Trust and NIST CSF 2.0.


ChatGPT conducts an engaging interview with the creator of the Smart Access PAM Framework, depicted heroically as "Zero Trust PAM."

⚠️ A Monday Morning That Changed Everything

Many years ago, I was a seasoned Project Manager working on high-profile digital transformation programmes at a large, mature organisation. I was known for turning around failing projects, so being called into an urgent Monday morning meeting wasn’t new.

But this time, it was different.


The organisation had suffered a major cyber breach. As I joined the Cyber Incident Response Team, I quickly realised how serious it was. A web admin account had been compromised.


From there, the attacker launched a sophisticated lateral movement campaign, harvesting credentials and setting up long-term exfiltration paths.


It was an Advanced Persistent Threat (APT)—the kind of scenario that keeps CISOs up at night. And it had gone undetected for longer than anyone was comfortable admitting.


My primary role was to resurrect a stalled Privileged Access Management (PAM) project, but I stayed close to the forensics and response process. What struck me wasn’t just the technical complexity of the attack, but how human, procedural, and organisational the weaknesses were.

And that’s when something clicked.


🧠 From Project Recovery to Strategic Realisation

I’d worked with identity systems before. I knew Active Directory well. But this was different.

I had to immerse myself in:

  • PAM discovery and inventory

  • Service account mapping

  • Business impact and access dependencies

  • Process and tooling design

  • Risk analysis (Cyber and Operational Risk)

  • Stakeholder engagement

That’s when I saw the bigger picture: PAM wasn’t just a tooling problem—it was a risk, behaviour, and business alignment problem.

I formalised my learning by starting the CISSP, and soon after, I was leading multi-year PAM transformations. Some succeeded. Others stalled. And a pattern emerged.


⚙️ Vault and Stall: The PAM Pattern No One Talks About

Fast forward to 2022-2024. I was leading a robust PAM programme:

✅ Good stakeholder support

✅ Skilled team

✅ Solid technology foundation

But still, we hit resistance.


Business teams simply couldn’t work under rigid "Vault and Manage" models. It was slowing them down, affecting application performance, and disrupting workflows. And in an era of digital pressure, resource shortages, and "do more with less", the response was predictable:

Risk Exceptions. Lots of them.

That’s when it hit me:

Risk exceptions aren’t just a compliance issue—they’re a signal. The strategy wasn’t fit for the modern business.

📚 The Zero Trust Awakening

While authoring a PAM Technical Standard (well outside my comfort zone at the time), I dove deep into authorisation models. That’s when I stumbled across the Cloud Security Alliance’s work on Zero Trust.

And then I read Project Zero Trust by George Finney.


That book changed my entire approach (it is also a very good read; someone should create a Netflix series).


I consumed everything I could on:

  • Zero Trust from an identity perspective

  • Access control models beyond the vault

  • Continuous authorisation

  • Real-time contextual risk

  • Cloud-native identity and session design


I revisited all those resistance conversations from earlier, and suddenly they made sense. The issue wasn’t laziness or noncompliance—it was that the model was too rigid for dynamic environments.

The realisation?

Vault and Manage is an access control model, not a PAM strategy.

✋ Midlife Break. Strategic Rebuild.

In late 2024, I hit a milestone—I turned 50. I was wrapping up a major programme, and I had worked back-to-back for many years on complex programmes. I promised myself a long break.


I focused on:

  • Fitness (Push-Pull-Legs-Arms (Progressive Overload), Cardio Day, then Push-Pull-Legs (intensity), if you are wondering) and personal health

  • Tackling neglected projects at home (three bedrooms refreshed, two living rooms... 80% done)

  • Travelling (First time in Cambodia, an amazing country) and reflecting

  • Reading, researching, and… rebuilding PAM from scratch


Through virtual conferences—particularly those covering the US Government's Zero Trust mandates—I started to piece together a new structure.


I went back to first principles, grounding everything in:

  • NIST CSF 2.0

  • Real-world PAM delivery experience

  • Change management and organisational design

  • Business-aligned risk prioritisation

  • Modern access models


🧱 Introducing the Smart Access PAM Framework

What emerged was a modular, open framework that aligns strategy, control design, maturity, and transformation.

It isn’t a vault configuration playbook. It isn’t another identity matrix.

It’s a practical, structured approach for:

  • CISOs who don’t have time to rethink PAM while firefighting

  • Programme Managers looking to build credibility and momentum

  • Architects seeking to map Zero Trust principles into real-world access control

  • Security teams tired of fragmented or tool-led PAM implementations

Key design pillars include:

✅ Alignment to NIST CSF 2.0

✅ Modular maturity model

✅ Risk-based prioritisation

✅ Visibility-first thinking

✅ Behavioural and business change as core elements

✅ Technology-agnostic execution


💡 Why This Matters Now

Today, many organisations are realising that their PAM strategies are lagging. They’re still optimising around static vaults, approval workflows, and break-glass processes. Meanwhile:

  • Cloud and SaaS adoption continues

  • Developer velocity increases

  • Third-party risk is growing

  • Cyber threats are adapting faster than ever


In this world, smart, adaptive, and strategic PAM is no longer optional—it's foundational.


And that’s why I wrote the eBook and released the Smart Access PAM Framework. To give the industry the field manual I wish I had years ago.


🚀 What’s Next?

I’ve made the framework open and accessible. Take what works. Modify what you need.

Whether you're an enterprise CISO, a programme lead, or an independent architect, this is for you.

Because PAM doesn't need to stall.

Risk exceptions don’t need to win.

And security doesn’t need to be the enemy of agility.


Let’s build something better. Thank you for accompanying me on my journey so far, a journey that is now evolving to tackle modern challenges.


PAM Strategy and PAM Transformation Leader