Humans should approve them every time. Break-glass actions and admin role assignments carry outsized operational risk, so they should be excluded from autonomous policy shipment even if the underlying model is highly accurate.
Why This Matters for Security Teams
Break-glass and privileged access changes are the exact place where policy automation should slow down, not speed up. Even if policy engines evaluate requests correctly, the operational blast radius of a mistaken admin grant, emergency elevation, or emergency secret exposure is disproportionate. Current guidance suggests that autonomous approval is too risky here because it removes the human judgment needed to assess urgency, compensating controls, and whether the exception is truly justified.
This is especially important in NHI programs, where privileged service accounts and emergency access paths often outlive the incident they were created for. The Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which helps explain why exception handling becomes a recurring control gap rather than a one-time event. OWASP’s Non-Human Identity Top 10 also treats over-privilege and credential misuse as systemic risks, not edge cases.
In practice, many security teams encounter privilege sprawl only after a break-glass account has already been used outside its intended window.
How It Works in Practice
The workable model is human approval plus automated enforcement. Policy automation can prepare the decision record, validate prerequisites, and apply the approved change, but a person should still authorise the elevation. That means the system can check whether the request has a ticket, incident number, business justification, expiry time, and compensating control plan before presenting it for approval. The human then decides whether the exception is acceptable, and the platform enforces that decision with tight scope and short duration.
For privileged access, the approval chain should be separated from execution. A responder, manager, or security approver confirms the need, while the automation handles grant time, TTL, logging, and revocation. This is consistent with the control logic described in the Lifecycle Processes for Managing NHIs, where approval, provisioning, rotation, and offboarding are treated as distinct governance steps rather than one combined action. The NIST Cybersecurity Framework 2.0 supports this separation by reinforcing governance, access control, and monitoring as linked but different functions.
- Require named human approval for every break-glass or admin role change.
- Use policy automation to pre-check justification, time limits, and scope.
- Issue the smallest possible privilege set for the shortest possible window.
- Revoke automatically when the incident closes or the TTL expires.
- Log the approver, requester, reason, and exact permissions granted.
This guidance tends to break down in highly distributed environments where local teams bypass central workflow controls because the approval path is slower than the operational pressure they face.
Common Variations and Edge Cases
Tighter approval requirements often increase response time, so organisations have to balance incident speed against the risk of unauthorised elevation. That tradeoff is real, and current guidance suggests it should be managed with pre-authorised emergency paths rather than autonomous approval. In other words, the answer is not to remove humans, but to make human approval faster, better evidenced, and harder to misuse.
One common exception is a true outage where the normal approver is unavailable. Best practice is evolving, but the safer pattern is delegated human approval with a recorded fallback chain, not machine-only sign-off. Another edge case is where policy automation triggers from a trusted workflow system; even then, the workflow should only prepare the change and enforce guardrails, not authorise it. The Top 10 NHI Issues and the Regulatory and Audit Perspectives section both reinforce that exceptions need traceable accountability, especially when auditors later ask why an elevated path existed at all.
For organisations that use just-in-time access, the safest design is still the same: humans approve the exception, automation limits the duration, and monitoring verifies that the privilege was actually needed. There is no universal standard for fully automated break-glass approval yet, and for high-risk admin changes, that lack of consensus is itself a signal to keep a human in the loop.
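The approval-plus-enforcement model from How It Works in Practice, together with the delegated-approver and workflow-system edge cases above, as an added Python illustration that is not from the original guidance or any named product; the request fields, scopes, approver chain and timestamps are constructed assumptions:

```python
import time

# Added illustration, not any product's API: field names, scopes and the approver
# chain are assumptions chosen for this example. Times are Unix seconds.
REQUIRED = ("requester", "ticket", "incident", "justification", "expiry_minutes", "compensating_control")
MAX_TTL_MINUTES = 60                                   # ceiling on any emergency window
EMERGENCY_SCOPES = {"prod-db:promote-replica", "prod-iam:rotate-signing-key"}  # pre-authorised paths
APPROVER_CHAIN = ["oncall-security-lead", "security-manager", "ciso-delegate"]  # recorded fallback order
AUDIT_LOG = []                                         # append-only decision record

def precheck(req):
    """Automation validates prerequisites but never decides. Returns a list of defects."""
    errors = [f"missing {f}" for f in REQUIRED if not req.get(f)]
    if req.get("expiry_minutes", 0) > MAX_TTL_MINUTES:
        errors.append("ttl exceeds maximum")
    if req.get("scope") not in EMERGENCY_SCOPES:
        errors.append("scope not on a pre-authorised emergency path")
    return errors

def approve(req, approver, unavailable, now=None):
    """Grant only when a named human from the chain signs off. Returns the grant or None."""
    now = time.time() if now is None else now
    errors = precheck(req)
    if not errors and approver not in APPROVER_CHAIN:
        errors.append("approver is not a named human in the fallback chain")  # workflow/service ids fail here
    if not errors:
        # Delegated approval is valid only when every earlier approver is recorded as unavailable.
        skipped = APPROVER_CHAIN[:APPROVER_CHAIN.index(approver)]
        errors += [f"{a} was available but bypassed" for a in skipped if a not in unavailable]
    if errors:
        AUDIT_LOG.append({"event": "rejected", "requester": req.get("requester"), "reasons": errors})
        return None
    grant = {"requester": req["requester"], "approver": approver, "scope": req["scope"],
             "reason": req["justification"], "ticket": req["ticket"], "incident": req["incident"],
             "granted_at": now, "expires_at": now + req["expiry_minutes"] * 60, "revoked": False}
    AUDIT_LOG.append({"event": "granted", **grant})
    return grant

def revoke_if_due(grant, now=None, incident_closed=False):
    """Automatic revocation on incident close or TTL expiry. Returns True if revoked by this call."""
    now = time.time() if now is None else now
    if grant["revoked"]:
        return False
    if incident_closed or now >= grant["expires_at"]:
        grant["revoked"] = True
        AUDIT_LOG.append({"event": "revoked", "scope": grant["scope"], "approver": grant["approver"],
                          "cause": "incident closed" if incident_closed else "ttl expired", "at": now})
        return True
    return False
```

A service or workflow identity passed as `approver` is rejected even when every prerequisite is met, and a lower-ranked approver is accepted only when the approvers ahead of them are recorded as unavailable.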
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers overprivilege and credential misuse in privileged NHI paths. |
| NIST CSF 2.0 | PR.AC-4 | Access management controls fit approval and enforcement for privilege changes. |
| NIST AI RMF | | Governance and accountability are essential when automation influences security decisions. |
Require human sign-off for admin elevation and enforce least privilege with automatic revocation.