Use admin time authorization for baseline roles and groups, then apply runtime policy for context-sensitive decisions such as device trust, location, and sensitive resources. That hybrid model keeps access understandable for auditors while preventing static roles from over-granting access in high-risk moments. It is the practical way to preserve governance without turning every exception into a new role.
Why This Matters for Security Teams
Admin time authorization gives security teams a governable baseline, but it is not enough on its own when access is exercised by systems that can act quickly, chain tools, and change intent at runtime. That is why current guidance increasingly pairs pre-approved roles with runtime policy checks tied to device trust, data sensitivity, and request context. NIST’s NIST Cybersecurity Framework 2.0 reinforces that access decisions must be managed as an ongoing risk activity, not a one-time assignment.
For NHI programs, the risk is that role design looks clean on paper while real access paths remain too broad in production. The Top 10 NHI Issues research shows why this matters: 97% of NHIs carry excessive privileges, which means static authorization alone often leaves standing access far beyond what is needed for a specific task. Admin time policy sets the ceiling; runtime policy keeps the system honest when conditions change.
In practice, many security teams discover over-granting only after a service account or agent has already reached sensitive data, rather than through intentional least-privilege design.
How It Works in Practice
The practical model is layered. First, define admin time authorization for durable, auditable entitlements such as baseline roles, group membership, approved scopes, and allowed resource families. This is the part auditors can review and change control can manage. Then add runtime policy that evaluates the live request before access is granted or a token is minted. Runtime policy should consider device posture, source network, time, workload type, resource sensitivity, and whether the request matches the declared purpose.
This is especially important for non-human identities because access is often exercised through automation rather than a person clicking through a predictable workflow. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs emphasizes lifecycle control, and the lifecycle is where the hybrid model becomes operational: provision narrowly at approval time, then continuously re-check at execution time. For the policy layer, organisations commonly use policy-as-code approaches such as OPA or Cedar, while identity proofs come from workload identity mechanisms like SPIFFE or OIDC-based service tokens.
- Use admin time authorization to define who or what may ever request access.
- Use runtime policy to decide whether the current request should succeed right now.
- Prefer short-lived credentials for sensitive paths so a granted permission does not become a long-lived standing exception.
- Log both the original approval and the runtime decision so auditors can reconstruct intent and enforcement.
NIST’s Cybersecurity Framework 2.0 aligns well with this split because it separates governance from enforcement without confusing the two. These controls tend to break down when legacy applications cannot evaluate context at request time because the application only understands static allowlists and long-lived credentials.
Common Variations and Edge Cases
Tighter runtime policy often increases operational overhead, requiring organisations to balance better risk reduction against slower approvals, more telemetry, and more policy tuning. That tradeoff becomes visible in high-change environments where teams need rapid deployment but still have to protect crown-jewel systems. There is no universal standard for how much context is enough, so current guidance suggests starting with a small set of high-signal attributes rather than trying to model every possible variable.
One common edge case is emergency access. Admin time authorization may pre-approve a break-glass path, but runtime policy should still verify who is using it, from where, and against what resource. Another is third-party automation, where the baseline role may be legitimate but the execution context is not trusted. NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives is useful here because auditors will usually accept layered controls if the organisation can show clear approval logic, runtime checks, and revocation evidence.
Best practice is evolving for agentic and autonomous workloads, but the direction is consistent: keep admin authorization simple, make runtime decisions context-aware, and avoid translating every exception into a permanent role. The main failure mode appears when policy owners try to enforce all nuance in the role model, because role explosion quickly turns governance into a maintenance problem instead of a control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Addresses excessive standing privilege across non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | Covers access control governance and least-privilege enforcement. |
| NIST AI RMF | Supports runtime risk decisions for autonomous or adaptive systems. |
Apply AI RMF governance to define when dynamic policy must override baseline authorization.
Related resources from NHI Mgmt Group
- How do organisations reduce the dwell time of exposed credentials at scale?
- Why do verified agent identities still need runtime policy checks?
- How can organisations tell whether runtime identity controls are actually working?
- When should organisations move from periodic review to runtime access control?
