Start with measurable behaviour, not role names. Look for accounts that access privileged systems infrequently, stay active for short periods, and have broad entitlements they rarely use. Those patterns usually indicate convenience-based standing privilege rather than real operational need. The best candidates are easy to explain to auditors and low-risk to convert first.
Why This Matters for Security Teams
Just-in-time access works best when teams select the right privileged accounts to convert first. The real risk is not the access model itself, but choosing accounts that are heavily embedded in business-critical workflows, where downtime, manual approvals, or brittle integrations create more friction than security value. Current guidance suggests starting with accounts whose privilege is broad but rarely exercised, because those are often convenience-driven standing entitlements rather than true operational requirements.
This is especially important in NHI and service-account estates, where privilege often accumulates faster than ownership clarity. NHIMG’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which makes selection discipline a practical control, not just an optimization. For teams aligning with OWASP Non-Human Identity Top 10, candidate selection is part of reducing over-privilege before enforcement.
In practice, many security teams discover the best JIT candidates only after an audit finds dormant privilege sitting in production for months.
How It Works in Practice
Good candidates are identified through behaviour, not job titles. Start by inventorying privileged accounts and reviewing how often each one authenticates, which systems it touches, how long sessions last, and whether the account’s broad entitlements are actually used. The accounts most suitable for JIT usually show infrequent use, short-lived activity bursts, and a narrow pattern of recurring tasks. That profile makes them easier to gate behind approval, policy checks, and automated expiry.
A practical screening process often looks like this:
- Flag accounts with long-lived standing access but low monthly activity.
- Prioritise accounts with repeatable tasks that can tolerate brief activation windows.
- Exclude break-glass, emergency recovery, and always-on automation paths until controls are mature.
- Validate that the business owner can describe when access is needed and why it must remain standing.
- Confirm that logging is sufficient to prove activation, use, and revocation.
That last point matters because the control is only as strong as the evidence trail. The NIST Cybersecurity Framework 2.0 emphasises access governance and continuous monitoring, while NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks highlights how excessive privilege and weak rotation combine to increase exposure. For the first wave, teams should prefer accounts with clear owners, low operational coupling, and low blast radius if the JIT workflow fails.
These controls tend to break down when the account is embedded in legacy batch jobs or shared admin tooling because activation and revocation are difficult to separate from normal operations.
Common Variations and Edge Cases
Tighter JIT selection often increases operational overhead, requiring organisations to balance the reduction in standing privilege against the cost of workflow redesign. That tradeoff is real, especially where access is inherited through admin group membership, third-party support accounts, or scripts that assume always-on credentials. Current guidance suggests treating these as separate remediation tracks rather than forcing them into the first JIT wave.
There is no universal standard for candidate scoring yet, but best practice is evolving toward a simple triage model: convert low-frequency human-admin accounts first, then semi-automated operational accounts, and leave high-availability or emergency access paths for later. The 52 NHI Breaches Analysis shows how over-privilege and poor lifecycle control repeatedly appear in incidents, which is why low-risk candidates should be those with easy rollback, clear approval ownership, and minimal dependency on manual intervention.
One useful rule is to avoid accounts where the privilege is broad because the process is poorly designed rather than because the role truly requires it. Those cases usually need entitlement redesign, not just JIT wrapping. In practice, many teams learn that the safest JIT candidates are the least glamorous ones: accounts that are easy to explain, easy to revoke, and difficult for anyone to notice until they are gone.
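The screening steps above (flag long-lived but low-activity access, prioritise repeatable short tasks, exclude break-glass and always-on automation, require an accountable owner and a provable log trail) and the triage order (human-admin first, semi-automated second, emergency and high-availability paths later) can be run mechanically over an inventory export. The script below is an added example written for this page, not NHI Mgmt Group's tooling; every account record is constructed sample data, and the field names, thresholds and bucket labels are assumptions about what such an export might carry. The judgment call about whether breadth comes from a poorly designed process or a genuine role requirement stays manual; the script only surfaces the behavioural profile that makes an account worth looking at.

```python
"""Screening privileged accounts for a first just-in-time (JIT) wave.

Added example; not NHI Mgmt Group's tooling. Every account record below is
constructed sample data, and the field names and thresholds are assumptions
about what a privileged-account inventory export might carry.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Assumed thresholds; tune them to your own activity baselines.
LOW_ACTIVITY_PER_MONTH = 10   # authentications per month at or below this count as "low"
SHORT_SESSION_MINUTES = 60    # median session length at or below this counts as a short burst
UNUSED_RATIO = 0.5            # at least this share of standing entitlements went unused
NARROW_USE = 2                # at most this many distinct entitlements exercised


@dataclass
class PrivilegedAccount:
    name: str
    kind: str                          # "human-admin", "semi-automated" or "automation"
    owner: Optional[str]               # None when nobody can explain when access is needed
    entitlements: frozenset            # granted standing entitlements
    used_90d: frozenset                # entitlements actually exercised in the last 90 days
    auth_per_month: float              # authentication events per month
    session_minutes: tuple             # durations of recent privileged sessions
    break_glass: bool = False          # emergency / recovery path
    logging_ok: bool = False           # logs can prove activation, use and revocation
    legacy_coupling: bool = False      # embedded in batch jobs or shared admin tooling


def unused_ratio(acct: PrivilegedAccount) -> float:
    """Share of granted entitlements that were never exercised in the window."""
    if not acct.entitlements:
        return 0.0
    used = len(acct.used_90d & acct.entitlements)
    return 1.0 - used / len(acct.entitlements)


def jit_signals(acct: PrivilegedAccount) -> dict:
    """Behavioural signals that mark convenience-based standing privilege."""
    return {
        "low_activity": acct.auth_per_month <= LOW_ACTIVITY_PER_MONTH,
        "short_sessions": bool(acct.session_minutes)
        and median(acct.session_minutes) <= SHORT_SESSION_MINUTES,
        "mostly_unused": unused_ratio(acct) >= UNUSED_RATIO,
        "narrow_use": len(acct.used_90d) <= NARROW_USE,
    }


def triage(acct: PrivilegedAccount) -> tuple:
    """Return (bucket, reasons). Buckets: exclude, defer, wave-1, wave-2, later."""
    # Hard exclusions until controls are mature.
    if acct.break_glass:
        return "exclude", ["break-glass / emergency recovery path"]
    if acct.kind == "automation":
        return "exclude", ["always-on automation; handle as a separate remediation track"]
    # Prerequisites: evidence trail, accountable owner, low operational coupling.
    blockers = []
    if not acct.logging_ok:
        blockers.append("logging cannot prove activation, use and revocation")
    if acct.owner is None:
        blockers.append("no owner can describe when access is needed")
    if acct.legacy_coupling:
        blockers.append("coupled to legacy batch jobs or shared admin tooling")
    if blockers:
        return "defer", blockers
    # Behavioural profile: infrequent, short-lived, narrow, broad-but-unused.
    signals = jit_signals(acct)
    hits = [k for k, v in signals.items() if v]
    if len(hits) >= 3:
        bucket = "wave-1" if acct.kind == "human-admin" else "wave-2"
        return bucket, hits
    return "later", hits or ["privilege is exercised regularly; likely genuine need"]


def rank_candidates(accounts) -> list:
    """Order accounts for conversion: wave-1 first, then wave-2, then the rest."""
    order = {"wave-1": 0, "wave-2": 1, "later": 2, "defer": 3, "exclude": 4}
    rows = [(a.name, *triage(a)) for a in accounts]
    return sorted(rows, key=lambda r: (order[r[1]], -len(r[2]), r[0]))


# Constructed sample inventory (not real accounts).
SAMPLE = [
    PrivilegedAccount("dba-admin-alice", "human-admin", "db-team",
                      frozenset({"db.admin", "db.backup", "db.read", "host.sudo"}),
                      frozenset({"db.backup"}), 3, (20, 15, 30), logging_ok=True),
    PrivilegedAccount("ci-deploy-svc", "semi-automated", "platform-team",
                      frozenset({"k8s.cluster-admin", "registry.push"}),
                      frozenset({"registry.push"}), 8, (5, 4, 6), logging_ok=True),
    PrivilegedAccount("breakglass-root", "human-admin", "security",
                      frozenset({"host.root"}), frozenset(), 0, (),
                      break_glass=True, logging_ok=True),
    PrivilegedAccount("nightly-etl-svc", "automation", "data-team",
                      frozenset({"db.admin", "storage.write"}),
                      frozenset({"db.admin", "storage.write"}), 30, (45, 50),
                      logging_ok=True, legacy_coupling=True),
    PrivilegedAccount("vendor-support", "human-admin", None,
                      frozenset({"app.admin", "host.sudo"}), frozenset(), 1, (10,),
                      logging_ok=True),
    PrivilegedAccount("netops-bob", "human-admin", "netops",
                      frozenset({"net.admin", "fw.admin", "host.sudo", "dns.admin"}),
                      frozenset({"net.admin", "fw.admin", "host.sudo", "dns.admin"}),
                      40, (200, 180, 240), logging_ok=True),
]

if __name__ == "__main__":
    for name, bucket, reasons in rank_candidates(SAMPLE):
        print(f"{bucket:8} {name:18} {'; '.join(reasons)}")
```

On the sample data the DBA account lands in wave 1 (infrequent, short, narrow use of a broad grant), the deploy service in wave 2, the busy network admin in "later" because its privilege is exercised regularly, the vendor account is deferred until someone owns it, and the break-glass and automation accounts are excluded outright. The prerequisite checks run before any behavioural scoring on purpose: an account with a perfect JIT profile but no provable activation and revocation log is not a first-wave candidate, because the control would have no evidence trail.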
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Over-privileged accounts are prime JIT candidates and require tighter entitlement control. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions should be managed by least privilege and reviewed continuously. |
| NIST AI RMF | GOVERN | Candidate selection needs accountable policy, ownership, and documented decision criteria. |
Use activity data to identify standing privilege that can be replaced with time-bound approval.
Related resources from NHI Mgmt Group
- How should security teams handle privileged accounts they cannot fully inventory?
- How should security teams validate privileged accounts in a vault-based PAM programme?
- What do security teams get wrong about using chat for privileged access?
- How should security teams run access reviews for non-human identities?