What breaks when JIT provisioning is used without organisation controls?

Users can be created in the wrong tenant, duplicate accounts can appear, and access can become detached from the customer’s real domain structure. JIT works only when the product also verifies domains, applies tenant policy at creation time, and prevents unmanaged account sprawl from forming across organisations.

Why This Matters for Security Teams

Just-in-time provisioning is often introduced as a way to reduce standing access, but without organisation controls it can create a cleaner path to chaos. The system may still issue an account instantly, yet fail to confirm whether the request belongs to the right tenant, whether the domain is trusted, or whether the identity should exist at all. That turns a lifecycle control into a sprawl engine. NHI Management Group’s Ultimate Guide to NHIs shows how weak lifecycle governance and poor offboarding are common failure points, and the NIST Cybersecurity Framework 2.0 reinforces that identity governance has to be tied to monitored, policy-driven operations rather than one-time provisioning. In practice, many security teams encounter cross-tenant account drift only after duplicate access and misrouted data already exist.

How It Works in Practice

JIT provisioning only works when creation is coupled to controls that validate who the request is for, where the account belongs, and what policy applies at the moment of creation. In a mature setup, the product checks the customer domain, maps the request to an approved tenant, enforces role or entitlement boundaries, and issues only the minimum access needed for a short window. That is the difference between ephemeral access and unmanaged account creation.

Operationally, the flow should include:

  • Domain verification before account creation, so external or typo-squatted domains cannot seed orphaned identities.
  • Tenant policy evaluation at creation time, not after the account exists.
  • Deduplication logic to prevent the same person or workload from being provisioned multiple times across organisations.
  • Expiry and revocation tied to task completion, session end, or contract status.
  • Audit logging that records the tenant, requester, policy decision, and revocation event.
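The five controls above, combined into one creation gate as an added Python example (written for this article, not a product's own implementation); the tenant policies, domains, requester names and fixed clock are constructed test data:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed tenant policies (example data, not real tenants): verified domains, JIT roles, TTL.
TENANT_POLICY = {
    "acme": {"domains": {"acme.example"}, "roles": {"viewer", "editor"}, "ttl_hours": 8},
    "globex": {"domains": {"globex.example"}, "roles": {"viewer"}, "ttl_hours": 4},
}
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so runs are deterministic

@dataclass
class Decision:
    allowed: bool
    reason: str
    tenant: Optional[str] = None
    expires_at: Optional[datetime] = None

@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)  # (tenant, email) -> expiry
    audit: list = field(default_factory=list)     # one record per decision

def _record(directory, requester, email, tenant, allowed, reason, expires_at=None):
    # Audit logging: tenant, requester, subject and policy decision on every path.
    directory.audit.append({"tenant": tenant, "requester": requester, "subject": email,
                            "allowed": allowed, "reason": reason})
    return Decision(allowed, reason, tenant, expires_at)

def provision_jit(directory, requester, email, role, now=T0):
    """Gate one JIT request: verify domain -> map tenant -> apply policy -> dedupe -> TTL."""
    domain = email.rsplit("@", 1)[-1].lower()
    # Domain verification binds the request to one approved tenant; look-alike domains never seed an account.
    tenant = next((t for t, p in TENANT_POLICY.items() if domain in p["domains"]), None)
    if tenant is None:
        return _record(directory, requester, email, None, False, "unverified domain")
    policy = TENANT_POLICY[tenant]
    if role not in policy["roles"]:  # tenant policy is evaluated before creation, not after
        return _record(directory, requester, email, tenant, False, f"role {role!r} not permitted")
    if (tenant, email) in directory.accounts:  # deduplication within the tenant
        return _record(directory, requester, email, tenant, False, "duplicate account")
    expires_at = now + timedelta(hours=policy["ttl_hours"])  # expiry fixed at creation time
    directory.accounts[(tenant, email)] = expires_at
    return _record(directory, requester, email, tenant, True, "created", expires_at)

def revoke_expired(directory, now):
    # Revocation: remove accounts whose TTL has elapsed and log each revocation event.
    expired = [k for k, exp in directory.accounts.items() if exp <= now]
    for tenant, email in expired:
        del directory.accounts[(tenant, email)]
        _record(directory, "system", email, tenant, False, "expired")
    return expired
```

A denied request still produces an audit record, so a look-alike domain or a cross-tenant role request is visible to detection even though no account was created.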

This is why NHI governance cannot stop at “create on demand.” The NHI Lifecycle Management Guide emphasises that provisioning, rotation, offboarding, and visibility are a single control plane, not separate chores. Current guidance from NIST CSF 2.0 also supports continuous identity governance rather than trust in a one-time onboarding event. JIT without those controls tends to break down in multi-tenant SaaS and partner-integrated environments because identity state becomes detached from real organisational ownership.

Common Variations and Edge Cases

Tighter JIT controls often increase setup complexity, requiring organisations to balance fast access with tenant integrity and auditability. That tradeoff is real, especially when legacy products were built for single-tenant assumptions or when customers expect self-service onboarding.

Best practice is evolving, but current guidance suggests treating these cases differently:

  • Single-tenant deployments may accept simpler logic, but still need domain validation and revocation.
  • Multi-tenant platforms need stronger policy gates because a single provisioning mistake can duplicate access across organisations.
  • Partner and reseller ecosystems often need delegated administration, which increases the risk of accounts being created outside the intended customer domain.
  • Human-facing JIT flows and workload JIT flows should not be treated the same way, because workload identities may need stricter automation and shorter TTLs.

The Top 10 NHI Issues and the Ultimate Guide to NHIs — Standards both point to the same practical issue: provisioning is only safe when it is governed end to end. Without that, JIT can accelerate access creation faster than security teams can detect that an account was placed in the wrong organisational boundary.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | JIT without controls creates unmanaged NHI sprawl and weak lifecycle governance.
NIST CSF 2.0                     | PR.AA-01            | Identity proofing and access governance are central when provisioning on demand.
NIST AI RMF                      | AI RMF              | AI RMF helps manage governance and accountability for dynamic automated provisioning decisions.

Apply governance and monitoring so automated provisioning decisions remain attributable, auditable, and bounded.