A biotech discovered 23 domain admins in a 60-person company. Here's how they cleaned up access sprawl before it became an incident.

Over the years, admin privileges had accumulated like barnacles. When someone needed to fix something fast, they got admin. When they changed roles, no one removed it.
An internal review found 23 accounts with domain admin rights, in a 60-person company. Shared service accounts were logging into production systems. Three former employees still had active credentials in AWS. No one was reviewing access, and privileged actions were not being logged anywhere.
There hadn't been an incident. But the exposure was obvious.

We started with an inventory. Pulled every admin account from Azure AD, AWS IAM, and the on-premises Active Directory domain. Created a spreadsheet and went person by person: "Do you actually need this?"
Most people didn't. Some had admin from three years ago when they helped with a migration. Others had it "just in case." We removed 14 accounts from domain admin in the first week.
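The reconciliation behind that spreadsheet, as an added example that is not the company's own script: it takes the three exports (in practice from `Get-ADGroupMember -Identity "Domain Admins" -Recursive`, `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess`, and the HR system's active-employee list), normalizes the account names, and sorts every privileged account into one of three buckets: former employees (disable now, no question needed), shared service accounts (need an owner and a rotation plan), and everything else (goes on the "Do you actually need this?" list). All account names and the `svc-` prefix are constructed sample data.

```python
"""Cross-reference privileged-account exports against the HR roster.

Added example; the exports below are constructed sample data, not real
company data. Real inputs would be the AD group export, the AWS IAM
export and the HR active-employee list.
"""
from dataclasses import dataclass, field

# Constructed sample exports (hypothetical account names). Note the mixed
# case and whitespace: AD and AWS rarely agree on naming, so normalize first.
DOMAIN_ADMINS = ["Alice", "bob", "svc-backup", "carol ", "Dave", "svc-deploy", "erin"]
AWS_ADMINS = ["alice", "dave", "frank", "SVC-DEPLOY", "grace"]
HR_ACTIVE = {"alice", "bob", "carol", "erin", "grace", "heidi"}
SERVICE_PREFIX = "svc-"  # assumed naming convention for shared service accounts


@dataclass
class Finding:
    account: str
    systems: list = field(default_factory=list)
    # one of: "former_employee", "shared_service", "needs_justification"
    category: str = ""


def _normalize(name: str) -> str:
    """Lower-case and strip so the same person matches across exports."""
    return name.strip().lower()


def classify(domain_admins, aws_admins, hr_active, service_prefix=SERVICE_PREFIX):
    """Merge the exports per account and assign each one a review category."""
    hr = {_normalize(n) for n in hr_active}
    systems_by_account = {}
    for acct in domain_admins:
        systems_by_account.setdefault(_normalize(acct), []).append("domain")
    for acct in aws_admins:
        systems_by_account.setdefault(_normalize(acct), []).append("aws")

    findings = []
    for acct, systems in sorted(systems_by_account.items()):
        if acct.startswith(service_prefix):
            category = "shared_service"      # no single owner; rotate carefully
        elif acct not in hr:
            category = "former_employee"     # nobody active owns it: disable now
        else:
            category = "needs_justification"  # ask the person whether they need it
        findings.append(Finding(acct, systems, category))
    return findings


def immediate_removals(findings):
    """Accounts that can be disabled without asking anyone."""
    return [f.account for f in findings if f.category == "former_employee"]


def review_queue(findings):
    """(account, systems) pairs to walk through person by person."""
    return [(f.account, f.systems) for f in findings if f.category == "needs_justification"]


def summarize(findings):
    """Counts per category, the headline numbers for the write-up."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = classify(DOMAIN_ADMINS, AWS_ADMINS, HR_ACTIVE)
    for f in results:
        print(f"{f.account:12} {','.join(f.systems):12} {f.category}")
    print("disable now:", immediate_removals(results))
    print("summary:", summarize(results))
```

The normalization step matters more than it looks: without it, "Dave" in AD and "dave" in AWS would show up as two accounts and the cross-system view (who is admin everywhere) would be wrong. Anyone in the "former_employee" bucket who is actually a contractor or a mis-named current employee will surface when the disable is announced, which is a far cheaper failure than leaving the account live.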
The shared service accounts were trickier: two of them had their passwords hardcoded in scripts that would break the moment the password changed. We had to work with the dev team to refactor those scripts before we could rotate the credentials.
MFA got added to every elevated role. We set up quarterly access reviews with actual calendar reminders. IT logs privileged actions now; not perfect, but better than nothing.
