ITP-PCCE Checks
General Checks (across multiple apps)
Limit Number of Administrators
Limit the number of administrative accounts to reduce the potential impact of credential compromise and ease audit efforts.
You can set a threshold to define the expected number of admins so the check won't fail.
Remove Disabled Users with Admin privileges
Detects disabled users who still have administrative rights. Such accounts are vulnerable to reactivation or abuse.
Remove Suspended Accounts with Admin Privileges
Detects accounts that are suspended. A suspended user is a potential risk to the organization because attackers can take advantage of unmonitored accounts, and Delinea recommends removing these accounts.
Remove Empty Groups with Entitlements
Tracks empty groups that still have entitlements, meaning any member that joins those groups will be able to gain those privileges. Empty groups with entitlements can lead to undesired access to assets the group is entitled to.
Remove Inactive Admin Users
Flags admin users who haven’t logged in for more than 30 days. These inactive accounts should be reviewed and potentially removed to reduce risk.
You can configure the number of allowable inactivity days under Alerts Settings.
Remove Inactive Users
Detects user accounts that haven’t logged in for more than 90 days. These inactive accounts should be reviewed and potentially removed to reduce risk.
You can configure the number of allowable inactivity days under Alerts Settings.
Remove Partially Off‑Boarded Accounts
Detects user identities that were terminated in Workday but are still enabled in the application.
Workday must be connected for this check to return results.
Remove Partially Suspended/Disabled Users
Flags user accounts that are suspended or disabled in one identity provider (e.g., Okta) but still enabled in the application.
An IdP must be connected for this check to return results.
Disable Weak MFA Authentication Factors for All Users
Make sure weak MFA authentication factors are disabled for each user account. By ensuring that only robust MFA authentication mechanisms are enabled, you can significantly reduce the risk of unauthorized access and enhance overall security.
Enable MFA for All Admins
Detects admin user accounts that do not have multi-factor authentication enabled. Accounts without multi-factor authentication are vulnerable to credential and token theft.
Delinea searches for any user account with the MFA property set to false. To ensure that the user has a chance to set up MFA before being detected, Delinea ignores any account that was never activated (staged) and any account that never performed an initial login (with a login date that is empty or set to 1970).
Enable MFA for All Users
Detects user accounts that do not have multi-factor authentication enabled. Accounts without multi-factor authentication are vulnerable to credential and token theft.
Delinea searches for any user account with the MFA property set to false. To ensure that the user has a chance to set up MFA before being detected, Delinea ignores any account that was never activated (staged) and any account that never performed an initial login (with a login date that is empty or set to 1970).
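The MFA checks above (for admins and for all users) and the inactivity checks earlier on this page share the same account-filtering logic: ignore staged accounts and accounts that never completed an initial login (empty login date or a 1970 placeholder), then flag what remains. The following is an added illustration written for this page, not Delinea's code; the Account fields, the status values and the sample records are constructed assumptions rather than any provider's real schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed account record for illustration. The field names are assumptions,
# not the schema of any particular identity provider.
@dataclass
class Account:
    login: str
    is_admin: bool
    mfa_enabled: bool
    status: str                     # e.g. "ACTIVE", "STAGED", "SUSPENDED"
    last_login: Optional[datetime]  # None when the provider reports no login date

def has_never_logged_in(acct: Account) -> bool:
    # An empty login date, or a placeholder date in 1970, both mean the user
    # never completed an initial login.
    return acct.last_login is None or acct.last_login.year == 1970

def accounts_missing_mfa(accounts: List[Account], admins_only: bool = False) -> List[str]:
    """Accounts with MFA disabled, skipping staged and never-logged-in users."""
    findings = []
    for a in accounts:
        if admins_only and not a.is_admin:
            continue
        if a.mfa_enabled:
            continue
        if a.status == "STAGED" or has_never_logged_in(a):
            continue  # the user has not yet had a chance to enrol in MFA
        findings.append(a.login)
    return findings

def inactive_accounts(accounts: List[Account], now: datetime, max_days: int,
                      admins_only: bool = False) -> List[str]:
    """Accounts whose last login is older than max_days (30 for admins, 90 for users)."""
    cutoff = now - timedelta(days=max_days)
    findings = []
    for a in accounts:
        if admins_only and not a.is_admin:
            continue
        if has_never_logged_in(a):
            continue  # assumption: never-activated accounts are left to other checks
        if a.last_login < cutoff:
            findings.append(a.login)
    return findings

# Constructed sample data
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Account("alice", True, True, "ACTIVE", NOW - timedelta(days=2)),
    Account("bob", True, False, "ACTIVE", NOW - timedelta(days=45)),      # admin, no MFA, 45 days idle
    Account("carol", False, False, "STAGED", None),                        # never activated: ignored
    Account("dave", False, False, "ACTIVE", datetime(1970, 1, 1, tzinfo=timezone.utc)),  # placeholder date: ignored
    Account("erin", False, False, "ACTIVE", NOW - timedelta(days=100)),    # no MFA, 100 days idle
]

if __name__ == "__main__":
    print("no MFA (all users):", accounts_missing_mfa(SAMPLE))
    print("no MFA (admins):", accounts_missing_mfa(SAMPLE, admins_only=True))
    print("inactive admins >30d:", inactive_accounts(SAMPLE, NOW, 30, admins_only=True))
    print("inactive users >90d:", inactive_accounts(SAMPLE, NOW, 90))
```

The two exclusions matter in practice: without them a newly provisioned user would be reported before they could possibly enrol, and the 1970 placeholder that some providers emit for "never" would otherwise look like an account idle for decades.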
Limit Number of Administrators [Federated Access]
Detects federated admin accounts, as a new administrative account might be an indication of persistence or lateral movement achieved by an attacker. Validate that the user should be an admin; otherwise remove admin privileges.
Supported for apps that are not IdPs.
You can set a threshold to define the expected number of admins so the check won't fail.
Limit Number of External Administrators
Detects external admin accounts, as a new administrative account might be an indication of persistence or lateral movement achieved by an attacker. Validate that the user should be an admin; otherwise remove admin privileges.
You can configure external accounts on the Collections page.
Remove Shadow Admins
Detects accounts with shadow admin entitlements. A shadow admin is a user that does not have full administrative privileges but has sensitive privileges that grant them control over other users or sensitive administrative tasks. The policy logic tracks both local and federated accounts. The full list of shadow admin permissions that are evaluated and their combinations can be found here.
Supported for Active Directory, AWS, Azure, GCP.
Remove Unused Custom Roles
Identifies external entities with access to the application. External entity definitions are based on the system collection for external accounts. Delinea highly recommends reviewing every external entity and manually approving them.
The inactivity threshold defaults to 90 days.
Remove Active Users without Login Activity
Detects active users who haven't logged in for 180 days. To improve security posture and prevent stolen credentials from being used, require these users to log in to their accounts again.
Avoid NHI with Super Admin Permissions
Flag and investigate service accounts (non-human identities) with excessive or unnecessary super admin permissions. These accounts often operate without sufficient oversight, making them high-risk if compromised.
Supported for Active Directory, AWS, Azure, GCP.
Remove Inactive Access Key
Identifies service account access keys that have been inactive, so that unused keys can be revoked; this also helps meet compliance standards.
Active Directory (unique checks for Active Directory)
Limit Number of Domain Admins
The Domain Admins group should contain only the minimum number of necessary users. Domain admin is the most privileged role in Active Directory. Excessive membership increases risk and management complexity.
You can set a threshold to define the expected number of admins so the check won't fail.
Ensure Domain Admin Redundancy
Ensure that at least one additional trusted domain administrator exists. Lack of redundancy may prevent necessary administrative operations during emergencies. Domain admin is the most privileged role in Active Directory.
Built‑In Administrator Account Usage
Detects any recent usage of the default built-in Administrator account, which bypasses typical auditing mechanisms.
Built‑In Administrator account with password older than 90 days
The password for the built-in administrator account must be changed at least every 90 days.
Built‑In Guest Account is Enabled
Detects whether the guest account is enabled in Active Directory. This account is commonly targeted by attackers.
Disable Non‑Expiring Password for AD accounts
Detects AD user accounts with passwords that never expire, which could lead to credential compromise.
Disable Users' Right to Add Computers to the Domain
Finds where the default permission “Add workstations to domain” is enabled for Authenticated Users. This permission can be exploited by attackers.
Do Not Require Kerberos Pre‑Authentication
Detects accounts that do not require Kerberos pre-authentication, exposing them to AS-REP roasting attacks.
Privileged Account with Unprivileged Owner
Flags privileged Active Directory accounts whose owner does not have equivalent or appropriate permissions.
Remove adminCount Flag from Non‑Privileged Accounts
Detects accounts with an unnecessary adminCount=1 value that could unintentionally inherit elevated permissions.
Remove Delegation Trust from Privileged Accounts
Detects accounts configured for delegation (especially unconstrained) that also have privileged roles. These accounts pose high impersonation risks.
Users with Password Not Required
Detects user accounts that have the “Password Not Required” flag set.
Users with Unconstrained Delegation
Flags users with unconstrained delegation rights in Active Directory. These accounts can impersonate others and should be carefully reviewed.
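Several of the Active Directory checks above (non-expiring password, Kerberos pre-authentication not required, stale adminCount, delegation on privileged accounts, password not required, unconstrained delegation) come down to testing bits of the userAccountControl attribute and the adminCount attribute against group membership. The following is an added example written for this page, not Delinea's detection code; the flag values are Microsoft's documented userAccountControl bits, while the privileged-group list, the record layout and the sample accounts are constructed assumptions.

```python
from typing import Dict, List

# userAccountControl bit flags as documented by Microsoft for Active Directory.
PASSWD_NOTREQD         = 0x0020    # "Password Not Required"
DONT_EXPIRE_PASSWORD   = 0x10000   # password never expires
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained Kerberos delegation
DONT_REQ_PREAUTH       = 0x400000  # Kerberos pre-authentication not required
NORMAL_ACCOUNT         = 0x0200

# Assumption: a short list of groups treated as privileged for this example.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def is_privileged(acct: Dict) -> bool:
    return bool(PRIVILEGED_GROUPS & set(acct.get("memberOf", [])))

def evaluate(acct: Dict) -> List[str]:
    """Return the names of the checks an account fails (empty list if clean)."""
    uac = acct["userAccountControl"]
    findings = []
    if uac & PASSWD_NOTREQD:
        findings.append("password_not_required")
    if uac & DONT_EXPIRE_PASSWORD:
        findings.append("non_expiring_password")
    if uac & DONT_REQ_PREAUTH:
        findings.append("kerberos_preauth_not_required")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained_delegation")
        if is_privileged(acct):
            findings.append("privileged_account_with_delegation")
    # adminCount=1 is set by AdminSDHolder protection and is not cleared when the
    # account later leaves a protected group, so it lingers on ordinary accounts.
    if acct.get("adminCount") == 1 and not is_privileged(acct):
        findings.append("stale_adminCount_flag")
    return findings

def report(accounts: List[Dict]) -> Dict[str, List[str]]:
    """Map sAMAccountName -> failed checks, omitting accounts with no findings."""
    out: Dict[str, List[str]] = {}
    for a in accounts:
        findings = evaluate(a)
        if findings:
            out[a["sAMAccountName"]] = findings
    return out

# Constructed sample records; the attribute names mirror the AD schema, the values are made up.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-backup", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "adminCount": 0, "memberOf": []},
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
     "adminCount": 1, "memberOf": ["Sales"]},
    {"sAMAccountName": "da-ops", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "adminCount": 1, "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "kiosk", "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD,
     "adminCount": 0, "memberOf": []},
    {"sAMAccountName": "clean", "userAccountControl": NORMAL_ACCOUNT,
     "adminCount": 0, "memberOf": ["Sales"]},
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

In a real directory the records would come from an LDAP query returning userAccountControl, adminCount and memberOf; the check logic stays the same, and the adminCount finding is the one most often missed because the attribute survives long after the account has been removed from a protected group.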
Rotate Entra Connect Password
Detects whether the password used for Entra Connect sync has not been rotated in 180 days.
Service accounts with stale password
Detects AD service accounts that haven't rotated their password in 90 days.
Azure (unique checks for Azure)
Refactor Azure Role
Detects Azure Roles that can be refactored with a narrower scope, based on activity during the last specified number of days.
Reducing excessive privileges on a role helps mitigate the blast radius of a breach, and keeps the organization secure by ensuring least privileges.
To calculate this check, Delinea looks at the role permissions, analyzes the associated account and group permissions, and suggests keeping only those that are in use.
You can configure the number of allowable inactivity days under Alerts Settings.
Reduce User Privileges to Read-Only
Identifies users with control plane privileges who have NOT used those privileges for a specified period of time. Once found, Delinea recommends reducing the privileges to read-only. This policy will generate a new, JSON-formatted role to help reduce the permissions to read-only. By understanding which users are not using this access, you can remove the more privileged permissions.
Remove Azure Privileged Roles
Tracks the creation of new sensitive Azure roles granting privileged or administrative permissions.
Privileged roles grant your identities (either users or service accounts) sensitive access to your IaaS environment. Delinea recommends managing privileges based on the default roles in Azure.
For custom roles only.
AI Agents with Potential Access to Sensitive Assets
Limiting AI agent access to sensitive or production assets reduces the risk of data leakage, abuse, or unintended actions. Granting only necessary access ensures better control, auditability, and compliance with security best practices.
Delinea performs this calculation by leveraging our own LLM to read and analyze AI agent metadata, to understand what it can potentially access.
Avoid Using AI models with High Liability Risks
Based on publicly available information (e.g., system cards or model cards), Delinea identifies AI models with high liability risks. Liability risk refers to the potential for a large language model (LLM) to produce inaccurate, harmful, or misleading outputs that could result in legal or regulatory consequences. LLMs with high liability risk can expose organizations to claims of negligence, failure to comply with data protection laws, or violation of industry standards. These risks include hallucinations (factually incorrect responses), bias or unfair treatment in outputs, unsafe or non-compliant behavior (e.g., generating toxic, discriminatory, or confidential content), unauthorized actions or recommendations, poor model reputation, and lack of transparency or traceability in decision-making.
Avoid using AI models with High Security Risks
Based on publicly available information (e.g., system cards or model cards), Delinea identifies AI models with high security risks such as prompt injection, jailbreaks, data leakage, and adversarial manipulation. Using these models can lead to unauthorized access, harmful outputs, or exposure of sensitive data.
Avoid Using AI Models with Privacy Risks
Based on publicly available information (e.g., system cards or model cards), Delinea identifies AI models with privacy risks, including unintended data memorization, leakage of sensitive information, and lack of control over how user data is stored or processed. Using such models can expose confidential assets, violate data protection regulations, and lead to compliance breaches.
Enable Audit for all AI Services and Agents
Without audit logs, you lose visibility into who accessed, modified, or invoked the AI agent or service, which creates blind spots in incident response, accountability, and the detection of misuse or data exfiltration.
Remove AI Agents/Services exposed to the Public Internet
Public network access allows access to a resource through the internet using a public IP address. Enabling public network access exposes the resource to the internet, increasing the attack surface and raising the risk of unauthorized access, data exfiltration, and abuse by compromised identities.
Remove AI Agents/Services Owned/Created by External Accounts
Allowing external users to create or control AI services/agents can introduce data leakage, shadow AI usage, and model abuse risks, which undermines governance, exposes sensitive data, and increases the likelihood of unmonitored or malicious model behavior.
Ping (unique checks for Ping)
Ensure Organization Admin Redundancy
In the event of a system failure, personnel unavailability, or unexpected circumstances, having redundant super admins ensures continuous access and management capabilities. In Ping, Organization Admin is the most privileged type of role.
Limit Number of Organization Admins
Application-level admin roles grant users the highest scope of permission in the application, and increase the blast radius in the organization. Delinea recommends keeping their number as low as possible. In Ping, Organization Admin is the most privileged type of role.
You can set a threshold to define the expected number of admins so the check won't fail.
Okta (unique checks for Okta)
Deactivate SCIM Applications
Tracks SCIM applications with enabled provisioning settings, meaning apps that sync users and groups to another system.
Enforce Password Policy
Establish strong defense against unauthorized access by reducing the risk of brute force attacks, credential-based exploits, and unauthorized entry. This significantly enhances the overall security posture of the identity and access management system.
Ensure Super Admin Redundancy
In the event of a system failure, personnel unavailability, or unexpected circumstances, having redundant super admins ensures continuous access and management capabilities.
Limit Number of Super Admins
Application-level admin roles grant users the highest scope of permissions in the application, and increase the blast radius in the organization. Delinea recommends keeping their number as low as possible. In Okta, Super admin is the most privileged type of role.
You can set a threshold to define the expected number of admins so the check won't fail.
Remove Risky Application Configuration
An application with a username template configuration that enables user impersonation could enable a malicious actor to escalate their privileges in your environment or to obfuscate their actions.
Require MFA on Every Sign-in for All Users
Requiring MFA for every sign-in makes it significantly more challenging for attackers to compromise user accounts.
Set Idle Time for All Users
Automatically log out users who have been inactive for an extended period. This reduces the risk of unauthorized access when a user forgets to log out or leaves their session unattended.
Set session lifetime for all users
Shorter session durations mitigate the impact of potential security threats such as session hijacking or unauthorized use of active sessions. Minimizing the risk of prolonged access to sensitive information enhances security.
Entra (unique checks for Entra)
Limit Number of Global Admins
Application-level admin roles grant users the highest scope of permission in the application, and increase the blast radius in the organization. Delinea recommends keeping their number as low as possible. In Entra, Global admin is the most privileged role.
You can set a threshold to define the expected number of admins so the check won't fail.
Remove Public Groups that Allow Privilege Escalation
Detects public groups. Anyone in the organization can join any public group, which grants them access to all of the assets in the group.
GCP (unique checks for GCP)
Refactor GCP Role
Detects roles that can be refactored with a narrower scope, based on activity during the last 90 days. Reducing excessive privileges on a role helps mitigate the blast radius of a breach, and keeps the organization secure by ensuring least privileges.
You can configure the number of allowable inactivity days under Alerts Settings.
To calculate this check, Delinea looks at role permissions, analyzes the associated account and group permissions, and recommends keeping only those that are in use.
Rotate Access Keys Every 90 Days
This check verifies that all external (user-managed) Service Account keys in Google Cloud Platform (GCP) are rotated every 90 days or fewer, to ensure compliance with security best practices.
You can configure the number of allowable inactivity days under Alerts Settings.
AWS (unique checks for AWS)
Avoid AWS Role Chaining
Helps to detect chaining of AWS roles, which can facilitate lateral movement and privilege escalation. You can configure which destination roles should be included. For example, you can configure it to track any role that can assume an administrative role.
To calculate this check, Delinea analyzes the trust policies and checks whether one role can assume another.
Avoid AWS Privileged/Shadow/Admin Role Chaining
Helps to detect chaining of AWS roles, which can facilitate lateral movement and privilege escalation. You can configure which destination roles should be included. For example, you can configure it to track any role that can assume an administrative role.
To calculate this check, Delinea analyzes the trust policies and checks whether one role can assume another.
Refactor AWS Permissions
Detects IAM policies that can be refactored with a narrower scope, based on activity during the last specified number of days. Reducing excessive privileges on a policy helps mitigate the blast radius of a breach, and keeps the organization secure by ensuring least privileges. Use the policy definition to define the number of days this detection should look back to identify unused permissions.
You can configure the number of allowable inactivity days under Alerts Settings.
To calculate this check, Delinea analyzes the associated role/group/user assignments and their activities.
Remove AWS Roles with Cross-Account Access
Detects IAM roles that can be assumed from another account, either inside your organization or by external identities, based on the trust policy of each role. Monitoring AWS roles with cross-account access is crucial to detect potential misuse or unauthorized actions, ensure security and compliance, prevent data breaches, and promptly mitigate risks.
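The two role-chaining checks and the cross-account check above all start from the same input: each role's trust policy, parsed for Allow statements that grant sts:AssumeRole to AWS principals. From that you can build a graph of which role can assume which, walk it to find chains that end in an administrative role, and separately flag any role whose trusting principals belong to another account. The following is an added example written for this page, not Delinea's analysis code; the account ids, role names and trust policies are constructed placeholders, and the inventory is passed in as a dict rather than fetched from the IAM API.

```python
import json
import re
from collections import deque
from typing import Dict, List, Optional, Set

# Matches an IAM role ARN or an account-root principal ("...:root").
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(?:role/([^/]+)|root)$")

def parse_arn(arn: str):
    """(account_id, role_name) for a role ARN, (account_id, None) for an account root, else None."""
    m = ARN_RE.match(arn)
    return (m.group(1), m.group(2)) if m else None

def role_name(arn: str) -> str:
    parsed = parse_arn(arn)
    return parsed[1] if parsed and parsed[1] else arn

def allowed_assumers(trust_policy_json: str) -> Set[str]:
    """Principals named by Allow statements granting sts:AssumeRole in a trust policy."""
    stmts = json.loads(trust_policy_json)["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    principals: Set[str] = set()
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        p = s.get("Principal", {})
        if p == "*":                  # anonymous trust: anyone may assume
            principals.add("*")
            continue
        aws = p.get("AWS", [])        # Service/Federated principals are not role-to-role edges
        principals.update([aws] if isinstance(aws, str) else aws)
    return principals

def build_assume_graph(roles: Dict[str, str]) -> Dict[str, Set[str]]:
    """Edge source -> target wherever target's trust policy names source (a role we know)."""
    graph: Dict[str, Set[str]] = {arn: set() for arn in roles}
    for target, policy in roles.items():
        for principal in allowed_assumers(policy):
            if principal in graph:
                graph[principal].add(target)
    return graph

def chains_to_admin(roles: Dict[str, str], admin_roles: Set[str]) -> Dict[str, List[str]]:
    """For each non-admin role, the shortest assume-role path reaching an admin role, if any."""
    graph = build_assume_graph(roles)
    result: Dict[str, List[str]] = {}
    for start in roles:
        if start in admin_roles:
            continue
        parent: Dict[str, Optional[str]] = {start: None}   # BFS predecessor map
        queue, hit = deque([start]), None
        while queue and hit is None:
            cur = queue.popleft()
            for nxt in sorted(graph[cur]):
                if nxt in parent:
                    continue
                parent[nxt] = cur
                if nxt in admin_roles:
                    hit = nxt
                    break
                queue.append(nxt)
        if hit is not None:
            path, node = [], hit
            while node is not None:
                path.append(role_name(node))
                node = parent[node]
            result[role_name(start)] = path[::-1]
    return result

def cross_account_trusts(roles: Dict[str, str]) -> Dict[str, Set[str]]:
    """Roles whose trust policy admits principals from another account (or from anyone)."""
    out: Dict[str, Set[str]] = {}
    for target, policy in roles.items():
        own = parse_arn(target)
        own_account = own[0] if own else None
        foreign = set()
        for principal in allowed_assumers(policy):
            parsed = parse_arn(principal)
            if principal == "*":
                foreign.add("*")
            elif parsed and parsed[0] != own_account:
                foreign.add(parsed[0])
        if foreign:
            out[role_name(target)] = foreign
    return out

# Constructed sample inventory: four roles in placeholder account 111111111111.
ACCT = "arn:aws:iam::111111111111:"
def _trust(principal) -> str:
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]})

SAMPLE_ROLES = {
    ACCT + "role/Admin":    _trust({"AWS": ACCT + "role/CI"}),                    # CI -> Admin
    ACCT + "role/CI":       _trust({"AWS": [ACCT + "role/Dev"]}),                 # Dev -> CI
    ACCT + "role/Dev":      _trust({"AWS": "arn:aws:iam::222222222222:root"}),    # trusted by another account
    ACCT + "role/ReadOnly": _trust({"Service": "ec2.amazonaws.com"}),             # service principal only
}
ADMIN_ROLES = {ACCT + "role/Admin"}

if __name__ == "__main__":
    print("chains to admin:", chains_to_admin(SAMPLE_ROLES, ADMIN_ROLES))
    print("cross-account trusts:", cross_account_trusts(SAMPLE_ROLES))
```

Reading the sample output together is the point: Dev is only two hops from Admin and is itself assumable from a foreign account, so the destination-role filter described above (track anything that can reach an administrative role) and the cross-account finding reinforce each other. The parser deliberately ignores Condition blocks, so a real implementation should treat its edges as "possible" and check conditions such as ExternalId before acting.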
Remove Policies Not Attached to Any Identity
Detects AWS policies that are not attached to any identities, meaning they can be deleted. Policies define the permissions for IaaS identities or resources, and removing unused policies can reduce the scope of available permissions and help reduce risk.
Remove Stale IAAS Policy Attachments to Role
Detects AWS policies attached to IAM users or roles that have not used them during the last specified number of days. Delinea recommends removing unused policies from identities to reduce insider and attack risk.
Remove Unmanaged AWS IAM Users
Detects native IAM users in IaaS environments, in line with the IaaS best practice of avoiding IAM user accounts. IAM users should be used only where federated access is not available and there is no option to grant access through an assumed role.
Remove Unused AWS Policy Attachments
Detects 'AWS policies' attached to IAM users or roles that have not used them during the last specified number of days. Delinea recommends removing unused policies from identities to reduce insider and attack risk.
Remove Unused AWS Roles
Detects IaaS roles that have not been used in the last specified number of days, which can be deleted due to inactivity. Best practice calls for IaaS environments to adhere to Least Privilege. Removing unused roles can mitigate an attacker's impact on your production environments.
Custom roles only.
Remove Unused Policies
Detects 'IaaS policies' that no one in the account has been using during the last specified number of days. These policies define permissions for IaaS identities or resources, and removing unused policies can reduce the scope of available permissions and help to reduce risk.
Rotate Access Keys
Identifies AWS users with non-rotated access keys, which are static credentials that pose a compliance and security risk. Use the policy definition step to define the number of days before a key must be rotated according to your organizational key rotation policy.
You can configure the number of allowable inactivity days under Alerts Settings.