I'm an integrator and we identify and provide performance discovery, and we select the best product for our clients.
We have users that are administrators in the environment, and we convert them into a shared account model. Many of the organizations have two accounts. One is a regular user account and the other gives them administrative rights.
CyberArk allows for a higher degree of segregation of duties, although CyberArk itself doesn't do that. You have to have knowledge of role-based access control and least privilege principles. It supports it, but you have to implement it.
There is also service recording, service accounts on Windows Systems, and Linux systems, to rotate their passwords.
You will find service accounts with passwords that are 5,000 to 8,000 days old, but not with CyberArk. It creates a very strong service to prevent attacks.
When passwords don't change it makes them very vulnerable and allows attackers significant lateral mobility within an organization. It gives them the necessary time to scout the environment and choose what their attack will be, whether it's going to be a ransomware attack or a data exfiltration attack or if it's going to go in to cause defamation to the company like creating a denial of service to clients. Also, hacking their Facebook page or their Twitter page are common attacks.