The period for which a permission remains valid before it is reviewed, revoked, or renewed. Access duration is a critical governance control because long-lived access increases the chance that unnecessary privileges survive after the original business need has passed.
Expanded Definition
Access duration is the enforced lifetime of a permission, token, role grant, or service-account entitlement before review, renewal, or revocation. In Non-Human Identity governance, it is a control boundary, not just an administrative schedule, because every extra hour of validity extends the window for misuse, drift, and forgotten access. The concept is closely related to credential expiry, lease length, and JIT access, but it is broader because it also applies to standing entitlements that should exist only for a defined business interval. Guidance across vendors is still evolving on how tightly access duration should map to task completion, incident response windows, or machine-to-machine trust relationships. For a practical baseline, NHI programs often align duration with the shortest operational need and pair it with review and offboarding workflows described in the OWASP Non-Human Identity Top 10. The most common misapplication is treating access duration as a ticket expiry only, which occurs when the approval record closes but the underlying entitlement remains active.
Examples and Use Cases
Implementing access duration rigorously often introduces operational friction, requiring organisations to weigh tighter exposure windows against automation overhead and renewal failures.
- A CI/CD deployment token is issued for 15 minutes during a release job and expires immediately after the pipeline finishes.
- A break-glass API key is granted for a single incident window, then automatically revoked and audited once the incident closes.
- A vendor integration uses a short-lived service-account lease so third-party access ends when the contract or support task ends.
- A privileged maintenance role is time-boxed to a scheduled change window and re-approved before any extension, consistent with patterns discussed in the Ultimate Guide to NHIs.
- An ephemeral cloud credential is renewed only if telemetry confirms the workload still exists and still needs the permission, reducing residual access risk highlighted in the Ultimate Guide to NHIs.
These patterns fit the short-lived trust model recommended by the OWASP Non-Human Identity Top 10 and are most effective when duration is enforced by automation rather than manual reminders.
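The following is an added illustration, not code from the original page or from any NHI vendor tool. It models the controls described above in a small in-memory entitlement registry: every grant carries an enforced expiry, renewal succeeds only while the grant is still valid and a telemetry callback confirms the workload still exists, extensions are anchored to the current time so they cannot stack, and a sweep both revokes expired grants and reports the misapplication named in the expanded definition (an approval ticket closed while the entitlement stays active). The identity names, permissions and the `T0` anchor time are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed anchor time for the sample scenario below (not a real grant).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

@dataclass
class Grant:
    identity: str                 # the NHI, e.g. a CI token or service account
    permission: str
    expires_at: datetime          # enforced lifetime, not just an approval date
    ticket_closed: bool = False   # state of the approval record, tracked separately
    revoked: bool = False

class EntitlementRegistry:
    def __init__(self) -> None:
        self.grants: dict[tuple[str, str], Grant] = {}

    def grant(self, identity: str, permission: str, duration: timedelta, now: datetime) -> Grant:
        g = Grant(identity, permission, now + duration)
        self.grants[(identity, permission)] = g
        return g

    def is_valid(self, identity: str, permission: str, now: datetime) -> bool:
        g = self.grants.get((identity, permission))
        return g is not None and not g.revoked and now < g.expires_at

    def renew(self, identity: str, permission: str, extension: timedelta,
              now: datetime, workload_alive) -> bool:
        """Extend a still-valid grant only if telemetry (workload_alive) confirms the need.
        Expired or revoked grants are never quietly resurrected; they need a new approval."""
        if not self.is_valid(identity, permission, now) or not workload_alive(identity):
            return False
        g = self.grants[(identity, permission)]
        g.expires_at = now + extension   # anchored to now, so extensions cannot stack
        return True

    def sweep(self, now: datetime) -> list[Grant]:
        """Revoke expired grants; return active grants whose ticket already closed
        (the ticket-expiry-only misapplication described in the text)."""
        orphaned = []
        for g in self.grants.values():
            if g.revoked:
                continue
            if now >= g.expires_at:
                g.revoked = True
            elif g.ticket_closed:
                orphaned.append(g)
        return orphaned
```

Run `sweep` on a schedule rather than from a reminder: the list it returns is the review queue for entitlements that outlived their approval.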
Why It Matters in NHI Security
Access duration matters because stale validity turns temporary trust into durable exposure. In NHI environments, long-lived permissions are especially dangerous: service accounts, API keys, and workload tokens often outlive the job, deployment, or business relationship they were created for. NHIMG research shows that only 20% of organisations have formal processes for offboarding and revoking API keys, and 71% of NHIs are not rotated within recommended time frames, which makes unmanaged duration a direct contributor to secret persistence and privilege creep. Shorter access windows also support Zero Trust by reducing the amount of time any single identity can be abused if compromised. The operational problem is not just security posture but recovery speed, because expired access is easier to contain than access that has been silently extended across systems. The same lifecycle discipline is reinforced in the broader NHI governance guidance from Ultimate Guide to NHIs and its risk discussion in 52 NHI Breaches Analysis. Organisations typically encounter the consequences only after a leaked token or forgotten service account is found still valid, at which point addressing access duration becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Short-lived NHI permissions are central to limiting overexposure and stale access. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust relies on continuously limiting trust duration and re-evaluating access. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access management depends on limiting how long permissions stay active. |
Time-box every non-human entitlement and revoke it automatically when the need ends.