PIM vs Service Accounts: When Privileged Identity Management is the Right Answer
Three things get called "service account" in Microsoft Entra ID. Most incidents involve only one of them. This article gives security architects and CISOs a framework for picking the right control: PIM-eligible roles for human admins, managed identities and service principals for workloads. Two diagnostic questions, four patterns, and a 5-step checklist for converting a tenant from standing privilege to a controlled model.

Derek Morgan
May 19 · 7 min read