An emergency credential used when normal access paths fail or become unavailable. These accounts are essential for recovery, but they are also high risk because they often bypass standard workflows, so they need tight vaulting, strong authentication, dual control, and continuous monitoring.
Expanded Definition
A break-glass account is an emergency NHI credential reserved for exceptional recovery scenarios such as identity provider outages, lockout events, or critical incident response. In mature IAM programs, it sits outside normal user workflows but still follows a defined governance chain: vaulting, strong authentication, dual control, and logging. Definitions vary across vendors on whether these accounts are purely human-admin fallback or also include machine recovery identities, so the operational scope should be documented explicitly.
In practice, the account is not meant to be “always available” in the everyday sense. It is deliberately hard to use, because its purpose is to restore access when standard paths fail. That makes it closely related to PAM, ZSP, and emergency access design, but it is not the same as a routine privileged admin account. NIST cybersecurity guidance on access control and recovery planning helps frame the discipline, while the NHI lifecycle issues described in the Ultimate Guide to NHIs show why emergency credentials need stronger scrutiny than ordinary service identities.
The most common misapplication is treating a break-glass account as a permanent backdoor, which occurs when teams fail to separate emergency access from day-to-day administration.
Examples and Use Cases
Implementing break-glass access rigorously often introduces response friction, requiring organisations to weigh rapid recovery against the operational cost of tighter approval, monitoring, and key management.
- An identity platform outage prevents standard sign-in, and a security operator uses a vault-held emergency account to restore federation services.
- A privileged tenant lockout blocks incident containment, so a dual-approved break-glass credential is used to disable a malicious integration and rotate exposed secrets.
- An automation platform loses access to a critical API after a certificate failure, and a recovery identity is used to reissue trust material under audit.
- A cloud control plane is misconfigured during a change window, and emergency access is invoked to reverse the change before service impact spreads.
- A post-compromise investigation requires isolated administrative access, and a break-glass path is used only after the event is logged and time-bound approval is recorded.
The NIST Cybersecurity Framework 2.0 is useful here because it reinforces recovery, governance, and auditability as operational outcomes, not just policy statements. The same logic appears in the Ultimate Guide to NHIs, where excessive privilege and poor visibility are recurring failure patterns.
Why It Matters in NHI Security
Break-glass accounts are high-value control points because they can override normal access boundaries, which makes them attractive targets for attackers and dangerous when left unmonitored. They should be protected as sensitive NHIs, with unique secrets, vault access controls, session recording, and immediate post-use review. This matters even more in environments with agents, service account, and API keys, because emergency access can become the fastest path from containment to compromise if it is not tightly governed.
NHIMG research shows that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, which is exactly why emergency credentials cannot be managed casually. The NIST Cybersecurity Framework 2.0 supports this by emphasizing protective controls, monitoring, and recovery discipline, while the Ultimate Guide to NHIs highlights how privilege sprawl and weak visibility amplify real-world identity risk.
Organisations typically encounter the true cost of a break-glass account only after a lockout, breach, or failed recovery event, at which point emergency access becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Emergency credentials are high-risk secrets and fit controls for secret lifecycle and exposure. |
| NIST CSF 2.0 | PR.AC-1 | Break-glass access is an exception to normal access provisioning and must remain tightly governed. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires continuous verification even for exceptional recovery access paths. |
Vault, rotate, and monitor break-glass secrets with strict approvals and post-use revocation.
