The basic premise of a Privileged Account Management system is to have different admin passwords on all resources that are rotated often and randomly.  Having access to the passwords by protecting them with two-factor authentication and storing those random passwords securely.

Data at rest is extremely important pertaining to PAM, SSH keys, API keys, FTP/SFTP/SCP account, shared vendor website credentials and any other information that needs to be securely stored.  We store information with AES-256 encryption, separate software password keys for each entry and a long salted hash.