T-of-N quorum approval
A single privileged account that one person can unlock is a single point of compromise and a single point of audit failure. Auditors want separation of duties on the most dangerous credentials, not a shared password.
Break-glass secrets are split T-of-N, with T ≥ 2 enforced by a database CHECK constraint — not just application logic. An approver decrypts their share locally and re-encrypts it for the requester; the platform never holds a usable key. No individual, including a Glassbreak operator with full database access, can unlock content alone.