Break Glass Accounts: Essential Security or a Cyber Risk?
Enterprises need to apply a zero trust mindset to emergency access: least privilege, continuous monitoring and no implicit trust, even in a crisis. Break glass accounts should be treated as exceptions, not shortcuts, and governed accordingly.
Posted: Friday, Apr 17


In office buildings around the world, the instruction is clear and universally understood: in case of fire, break glass.

The act is deliberate, visible and reserved for emergencies only. In cybersecurity, however, the equivalent mechanism, the so-called “break glass account”, is far more controversial.

Designed to provide emergency access when normal systems fail, break glass accounts sit at the intersection of resilience and risk. For chief information security officers, they represent a necessary safeguard in theory, yet a potential liability in practice.

As cyber threats grow more sophisticated and identity systems become more complex, organisations are being forced to confront an uncomfortable question: are break glass accounts a requirement, a security risk, or both?

What break glass accounts are, and why they exist

Break glass accounts are privileged credentials created specifically for rare, high-stakes scenarios when standard administrative access paths are unavailable.

These situations may include identity system outages, multi-factor authentication failures, or major cyber incidents such as ransomware attacks that disable automation and recovery tools. In effect, they are the last line of defence.

Their existence reflects a basic truth of modern IT environments: no system is immune to failure. Even the most robust cloud or on-premises identity platforms can experience outages, misconfigurations or cascading failures.

From an operational standpoint, eliminating break glass access entirely is unrealistic. When identity providers go offline or privileged administrators are locked out, the ability to regain control quickly can determine whether an outage lasts minutes or days.

The paradox at the heart of emergency access

Despite their purpose, break glass accounts are inherently paradoxical. They are built to bypass normal controls such as MFA, conditional access policies and automated approvals – the very protections organisations rely on to secure privileged access.

That exemption is precisely what makes them dangerous. A poorly secured break glass account is effectively a legitimate back door into an environment, offering attackers the “keys to the kingdom” without the need for lateral movement or privilege escalation.

At a time when removing standing privileges, and the risks that come with them, has become a priority, the risk is not theoretical. Threat actors actively seek high-privilege accounts with limited oversight. Insider threats are another concern, particularly where emergency credentials are poorly governed or shared informally.

The danger, therefore, lies not in the concept of break glass accounts, but in how they are implemented and managed.

Guardrails that separate resilience from exposure

To deliver value without amplifying risk, break glass accounts must be treated as critical assets, subject to the highest standards of governance. Leading organisations typically enforce several foundational controls.

First, access must be strictly limited. Only a small number of break glass accounts should exist, and only for the most essential platforms, such as directory services or cloud control planes. Proliferation undermines oversight and increases exposure.

Second, authentication hygiene is non-negotiable. Passwords should be long, complex and stored in encrypted, tamper-proof vaults. Where physical documentation is unavoidable, it must be secured with the same rigour as other sensitive corporate assets.

Third, true isolation is essential. Break glass accounts must not depend on the same identity provider they are intended to replace. If emergency access relies on a failing system, it ceases to be an effective failsafe.

Finally, usage must be exceptional, not habitual. These accounts should never be used for routine administrative tasks. Any use – successful or attempted – should trigger real-time alerts, be logged exhaustively, and prompt immediate credential rotation.

Testing, monitoring and the compliance lens

Like fire extinguishers, emergency accounts must be tested regularly. Credentials that go stale or access paths that no longer function defeat the purpose of having them in the first place. Yet testing itself must be controlled to avoid normalising their use.

Continuous monitoring is equally critical. Every access attempt should be treated as a potential incident until proven otherwise. This level of scrutiny not only reduces risk but also supports compliance with frameworks such as PCI DSS and ISO 27001, which demand demonstrable control over all privileged access.

Organisations that fail to apply these standards risk turning a resilience mechanism into a compliance liability.
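
The alert-on-any-use and controlled-testing guardrails described above can be expressed as a small detection rule. This is an added example, not code from the original article; the account names, log field names, test window and sample events are all constructed assumptions.

```python
import json
from datetime import datetime

# Hypothetical inventory and field names; adapt to your own log schema.
BREAK_GLASS = {"bg-admin-01", "bg-admin-02"}
# Approved, controlled test windows: account -> list of (start, end).
TEST_WINDOWS = {
    "bg-admin-01": [("2025-03-01T02:00:00+00:00", "2025-03-01T03:00:00+00:00")],
}

# Constructed sample sign-in events, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2025-03-01T01:10:00+00:00", "user": "alice", "result": "success", "src": "10.0.0.5"}
{"ts": "2025-03-01T02:15:00+00:00", "user": "bg-admin-01", "result": "success", "src": "10.0.0.9"}
{"ts": "2025-03-04T23:41:00+00:00", "user": "BG-Admin-02", "result": "failure", "src": "203.0.113.7"}
{"ts": "2025-03-05T00:02:00+00:00", "user": "bg-admin-01", "result": "success", "src": "203.0.113.7"}
"""


def in_test_window(user, ts):
    """True if ts falls inside an approved test window for this account."""
    return any(
        datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end)
        for start, end in TEST_WINDOWS.get(user, [])
    )


def detect(log_text):
    """Return one alert per break glass sign-in attempt, successful or failed."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        user = event["user"].lower()  # match regardless of case
        if user not in BREAK_GLASS:
            continue
        planned = in_test_window(user, datetime.fromisoformat(event["ts"]))
        alerts.append({
            "ts": event["ts"], "user": user, "src": event["src"],
            "result": event["result"],
            # Outside an approved window, treat as an incident until proven otherwise.
            "severity": "planned-test" if planned else "critical",
            # Any use, including a test or a failed attempt, prompts rotation.
            "rotate_credential": True,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Even the planned test produces an alert and a rotation flag, so testing stays visible rather than becoming routine.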

A zero trust approach to emergency access

Ultimately, the debate over break glass accounts has a pragmatic conclusion. They are neither purely a risk nor purely a requirement – they are both.

In an era of distributed systems, cloud dependency and escalating cyber threats, organisations cannot afford to operate without an emergency override. At the same time, leaving such powerful accounts loosely governed is equivalent to propping open a back door and hoping no one notices.

The solution lies in applying a zero trust mindset to emergency access: least privilege, continuous monitoring and no implicit trust, even in a crisis. Break glass accounts should be treated as exceptions, not shortcuts, and governed accordingly.

Scott Hesford
Scott Hesford is Director of Solutions Engineering for Asia Pacific and Japan at BeyondTrust. He has over a decade of experience in IT security. Before joining BeyondTrust in 2019, he worked as Principal Consultant across APJ for CA Technologies, where he specialised in technologies within Identity Governance and Administration, Advanced Authentication, Privileged Access Management, Web Access Management and API management. A trusted cyber security advisor to enterprise and mid-market customers alike, his experience spans several industries including finance, utilities and manufacturing, in addition to state and federal governments.