It seems that for Privileged Identity Management (PIM) to be effective you would always need to "require approval" for each role. Is there any security benefit to PIM without using this feature? It would seem that if an account is compromised the bad actor could simply activate the role themself if no approval is required.
Two advantages IMO: - One access is JIT. Sure an attacker can activate the role, but it's an extra step to make the life of an attacker harder - Auditing. With PIM you have an audit trail when and why a role was activated
I agree with William Oettmeier. At least PIM should be complemented with a robust audit applied to the roles' activation and the activities privileges role are performing. A kind of Privileged Access Management.
