Microsoft's PAM deployment considerations are well documented and can be found at http://bit.ly/PAMDeploymentConsiderations. We will highlight the key points.

As already mentioned, PAM helps mitigate attacks on accounts that have permanent membership in elevated groups. PAM is not an all-inclusive component that will mitigate every security-related issue. Consider one security situation in which end users have administrative access to their own workstations. It may seem harmless enough, but security software such as antivirus, antimalware, and firewall can be turned off or removed, and new (potentially malicious) software can be installed. Once malicious software is installed on a workstation, an attacker only needs to find a way ...