JIT access is a timing pattern that grants access when needed. ZSP is a stricter privilege model that removes standing entitlement entirely until access is explicitly requested and approved. In practice, JIT can still leave broader roles in place, while ZSP aims to prevent dormant privilege from existing between tasks.
Why This Matters for Security Teams
The difference between zero standing privilege and just-in-time access is not academic when an environment includes service accounts, API keys, bots, or agentic workloads. JIT access reduces exposure by delaying access until a task is approved, but it can still leave broad roles and dormant permissions in place between uses. ZSP goes further by removing entitlement until a request is made, shrinking the window for misuse and lateral movement. That distinction matters because Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, which makes unused access a real attack surface, not a theoretical one.
Security teams often frame this as a scheduling problem, but it is really an entitlement design problem. OWASP’s OWASP Non-Human Identity Top 10 treats overprivileged non-human access as a recurring failure mode because secrets, roles, and machine identities are frequently treated like static assets instead of temporary capabilities. Current guidance suggests that the best control choice depends on whether the workload can tolerate pre-approved role scope or needs task-specific access with revocation on completion. In practice, many security teams encounter privilege sprawl only after a secret leak or service-account compromise has already exposed the gap between “temporarily enabled” and truly “non-standing” access.
How It Works in Practice
JIT and ZSP are both about reducing always-on access, but they operate at different points in the control plane. JIT usually means a user, workload, or administrator receives elevated access for a defined period, then the access expires. ZSP is stricter: the identity has no standing entitlement at rest, so privilege exists only when policy evaluates and grants it for a specific request. For non-human identities, that often means binding access to workload identity, short-lived credentials, and explicit approval paths rather than persistent roles.
A practical implementation usually combines policy-as-code, short TTLs, and strong identity proofing. The identity primitive should be the workload itself, not a reusable secret. If an agent or automation must act, the system should issue ephemeral credentials only for the approved task, then revoke or let them expire. That is why organisations often pair ZSP with PAM for human admin actions and with workload identity controls for services and agents. The NHI lifecycle guidance in 52 NHI Breaches Analysis and the rotation guidance in Guide to NHI Rotation Challenges both reinforce the same operational point: standing secrets and long-lived entitlements create avoidable exposure.
- Use JIT when access is broad but time-bound and approval-driven.
- Use ZSP when the default state must be no entitlement until runtime approval.
- Prefer short-lived workload tokens over reusable API keys or embedded secrets.
- Log approval context, task scope, and revocation time for auditability.
These controls tend to break down in legacy systems that cannot issue short-lived tokens or enforce request-time policy checks because the access model was built around persistent service accounts.
Common Variations and Edge Cases
Tighter privilege control often increases operational overhead, requiring organisations to balance reduced exposure against approval latency, tool compatibility, and support burden. That tradeoff is most visible in CI/CD pipelines, batch jobs, and legacy integrations, where teams may be tempted to keep standing access just to keep delivery moving. Best practice is evolving here: some environments can support true ZSP for production workloads, while others can only approximate it with aggressively short-lived JIT access and rapid revocation. There is no universal standard for this yet.
Another common edge case is autonomous software. An agent may chain tools, change its next action based on context, or escalate its own needs mid-task, which makes static RBAC brittle. In those environments, current guidance increasingly favors intent-based authorisation, real-time policy evaluation, and task-scoped credentials over role assignment alone. The Ultimate Guide to NHIs — Key Challenges and Risks and Ultimate Guide to NHIs — What are Non-Human Identities are useful reminders that machine identity risk is usually created by persistence, not by legitimate use. Where agents need bursty access, JIT can be sufficient; where dormant privilege must never exist, ZSP is the stronger model. In practice, the wrong choice usually shows up only after access review has already missed a stale entitlement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses excessive standing privilege in non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | Maps directly to managing access permissions for identities and workloads. |
| NIST AI RMF | Supports governance for autonomous AI decisions that need runtime access control. |
Apply least-privilege access reviews and remove dormant entitlements from machine identities.
Related resources from NHI Mgmt Group
- What is the difference between JIT access and true zero standing privilege?
- What is the difference between JIT access and Zero Trust for NHIs?
- What is the difference between zero standing privilege and just-in-time access?
- What is the difference between just-in-time access and zero standing privilege?
