
secureToken

Joshua D. Miller edited this page Dec 27, 2021 · 2 revisions

Introduction

In macOS 10.13, Apple switched their filesystem from HFS+ to APFS. With this change, every user that is either FileVault enabled or able to modify the disk in Recovery is supplied with what is called a secureToken. This token is vital: only an account that holds it can modify, add and remove FileVault users or authorized users in the Recovery partition.

What this means for your LAPS Admin

Because of this change, your administrator account most likely has a secureToken. To account for this with macOSLAPS, the FirstPass key was introduced. This key allows the administrator to specify the first password of the newly created administrator account. macOSLAPS will use this password one time and then store all new passwords in the System keychain for future password changes. When a user has a secureToken, the old password MUST be known to macOSLAPS or the password change will fail.

10.15 and beyond

If you are managing your device with an MDM then you are most likely aware of the bootstrap token. What this token does is grant Active Directory users (10.15) or any users (11+) the ability to unlock the disk or Recovery via a secureToken. If you are running this binary on these newer OS versions, it is HIGHLY encouraged to specify the FirstPass key to ensure proper rotation.

Workflow

First Run

This rough chart shows how the first run works:

Local Admin → Has secureToken?
    Yes → Use FirstPass Key → Store new password in System Keychain
    No  → Change Password  → Store new password in System Keychain

Subsequent Runs

This rough chart shows how routine runs of macOSLAPS work:

Local Admin → Load Password from System Keychain → Change Password → Store new password in System Keychain
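The following pre-flight script is an added example, not macOSLAPS code: it walks the "First Run" decision above for one local admin account and also reports whether the MDM bootstrap token from the 10.15 section is escrowed. It assumes it runs as root on macOS 10.15 or later, that the account name is passed as the first argument, and that Apple's sysadminctl and profiles tools print their stock status strings.

```shell
#!/bin/sh
# Added example (not part of macOSLAPS). Assumption: run as root on macOS
# 10.15+, with the local admin account name as $1.

# Classify the line "sysadminctl -secureTokenStatus <user>" prints:
# echoes "enabled", "disabled" or "unknown".
token_state_from_output() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Classify the escrow line of "profiles status -type bootstraptoken":
# echoes "yes", "no" or "unknown".
bootstrap_escrowed_from_output() {
    case "$1" in
        *"Bootstrap Token escrowed to server: YES"*) echo yes ;;
        *"Bootstrap Token escrowed to server: NO"*)  echo no ;;
        *)                                           echo unknown ;;
    esac
}

# Map the token state onto the First Run chart. "firstpass" means the old
# password must be known (set the FirstPass key); "change" means a plain
# password change is enough; "stop" means do not rotate until the state is known.
first_run_path() {
    case "$1" in
        enabled)  echo firstpass ;;
        disabled) echo change ;;
        *)        echo stop ;;
    esac
}

# Live check; only meaningful on macOS, so the tests never call it.
laps_preflight() {
    user="$1"
    # sysadminctl writes its status line to stderr, so merge it into stdout.
    state=$(token_state_from_output "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
    escrow=$(bootstrap_escrowed_from_output "$(profiles status -type bootstraptoken 2>&1)")
    echo "secureToken for $user: $state"
    echo "bootstrap token escrowed to MDM: $escrow"
    echo "first-run path: $(first_run_path "$state")"
}

if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then
    laps_preflight "$1"
fi
```

A result of "firstpass" with escrow "no" is the case the page warns about: the admin holds a secureToken, so rotation fails unless macOSLAPS knows the current password.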