TL;DR: APT29’s use of hijacked legitimate accounts, OAuth traversal, and standing access shows why one-time session checks and legacy PAM are weak against modern intrusion patterns, according to StrongDM’s analysis. Continuous authorization, zero standing privilege, and just-in-time access become the control model that matters when attackers operate inside trusted accounts.
At a glance
What this is: This analysis argues that APT29-style intrusions exploit standing access and one-time authorization, making continuous authorization the decisive control pattern.
Why it matters: It matters because the same access assumptions that fail under compromised accounts also break down for NHI, autonomous, and human identity programmes that still rely on static entitlements.
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 5.7% of organisations have full visibility into their service accounts.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
👉 Read StrongDM's analysis of APT29, continuous authorization, and zero trust
Context
APT29, also known as Cozy Bear, is a state-linked threat actor that has repeatedly used hijacked legitimate accounts, OAuth abuse, and lateral movement through cloud infrastructure to stay hidden inside target environments. In identity terms, the problem is not only intrusion, but the way standing access keeps a compromised identity looking normal after entry.
Continuous authorization is the answer to a specific governance failure: access is checked once and then assumed to remain safe. For modern IAM programmes, that assumption no longer holds for human sessions, service accounts, or any non-human identity that can carry privilege across tools and environments.
The source article frames this through zero standing privilege and just-in-time access, but the deeper lesson is about trust scope. Once an attacker inherits a valid account, the control question becomes whether the session can be continuously re-evaluated before privilege is used for escalation or exfiltration.
Key questions
Q: How should security teams handle trusted accounts after an intrusion starts?
A: They should assume the account can no longer be trusted just because it authenticated successfully. The right response is to narrow session scope, re-evaluate privileges continuously, and revoke any access that is not needed for the next approved action. That reduces the chance that a legitimate identity becomes a covert movement channel.
Q: Why do standing credentials increase the risk of lateral movement in cloud environments?
A: Standing credentials remain usable long after the original business need has changed, so an attacker who inherits them can move across systems without re-authenticating. In cloud environments, where one identity can touch many tools, that persistence turns a single compromise into a broad access path. Short-lived authority limits that effect.
Q: What do teams get wrong about continuous authorization?
A: Many teams think continuous authorization is just a stronger login check, but it is actually a runtime decision model. It evaluates whether the current session still deserves access before sensitive actions occur. If organisations only check at sign-in, they miss the point and leave the session open to abuse.
Q: Who is accountable when an attacker reuses valid access to move through systems?
A: Accountability sits with the organisation that allowed access to persist without effective monitoring, revocation, or contextual re-checks. The attacker is responsible for the abuse, but the governance failure is allowing an identity to keep broad authority after the trust conditions have changed.
Technical breakdown
Why standing access fails after legitimate account compromise
Standing access means a credential or session remains usable after the initial authentication event. In the Cozy Bear pattern, that matters because the attacker does not need to break authentication repeatedly. The attacker inherits the normal-looking account state and can move within the environment as if they belong there. Legacy PAM often focuses on entry control, but once a session is approved it may stop watching the session itself. That leaves OAuth tokens, active logins, and overprivileged accounts available for abuse across cloud systems and internal services.
Practical implication: enforce session-scoped authorization checks, not just login-time approval.
Continuous authorization versus one-time access decisions
Continuous authorization is a real-time re-evaluation model. Instead of asking only whether the user or workload was valid at sign-in, it keeps checking whether the current session still matches device, location, role, and risk signals before each sensitive action. That matters in cloud environments where privileges are distributed and a single approved identity can touch many systems. The article’s point is that authorization must become dynamic because attacker behavior can change after the gate opens, while the environment still treats the session as trusted.
Practical implication: tie access decisions to ongoing context, not a single approval moment.
Zero standing privilege, JIT access, and ephemeral credentials
Zero standing privilege removes persistent access by provisioning permission only when needed and revoking it when the task ends. Just-in-time access and ephemeral credentials shrink the window in which a hijacked account can be reused. That is especially relevant when attackers exploit valid credentials, tokens, or OAuth proxies, because the strongest defense is not merely stronger authentication, but shorter-lived authority. In practice, the control objective is to ensure there is no durable privilege left for an attacker to inherit after initial compromise.
Practical implication: convert durable access paths into task-scoped access with automatic expiry.
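The two control patterns described above, re-checking a session before each sensitive action and issuing privilege only as a just-in-time grant with automatic expiry, fit together in one small decision model. The following is an added illustrative example, not code from StrongDM, NHIMG or any product the article discusses; the signal names (device posture, country, roles, risk score), the policy table, the grant store and the sample session are all constructed for the demonstration.

```python
"""Continuous authorization with just-in-time grants.

Added illustrative example, not code from StrongDM or NHIMG. The signal names,
policy rules, grant store and sample session are all constructed for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Actions that trigger a fresh authorization decision before they execute,
# mapped to the role they require. Constructed policy table.
SENSITIVE_ACTIONS = {
    "read_mailbox": "mail-ops",
    "export_data": "data-steward",
    "assume_role": "platform-admin",
}


@dataclass
class Context:
    """Signals gathered at the moment of use, not at login."""
    device_managed: bool
    country: str
    roles: set
    risk_score: int  # 0..100 from a risk engine; higher is riskier


@dataclass
class Grant:
    """A just-in-time privilege with an explicit expiry: no standing access."""
    action: str
    expires_at: datetime
    approved_by: str


@dataclass
class Session:
    principal: str
    login_country: str
    grants: list = field(default_factory=list)


class ContinuousAuthorizer:
    def __init__(self, allowed_countries, max_risk=60):
        self.allowed_countries = set(allowed_countries)
        self.max_risk = max_risk

    def issue_jit(self, session, action, approver, ttl_minutes, now):
        """Grant a task-scoped privilege that expires on its own."""
        grant = Grant(action, now + timedelta(minutes=ttl_minutes), approver)
        session.grants.append(grant)
        return grant

    def authorize(self, session, action, ctx, now):
        """Decide whether THIS action may proceed now. Returns (allowed, reason)."""
        required_role = SENSITIVE_ACTIONS.get(action)
        if required_role is None:
            return True, "non-sensitive"
        # Expired grants are dropped first so nothing durable outlives its task window.
        session.grants = [g for g in session.grants if g.expires_at > now]
        if not ctx.device_managed:
            return False, "unmanaged device"
        if ctx.country not in self.allowed_countries or ctx.country != session.login_country:
            return False, "location changed since login"
        if ctx.risk_score > self.max_risk:
            return False, "risk score above threshold"
        if required_role not in ctx.roles:
            return False, "role no longer held"
        if not any(g.action == action for g in session.grants):
            return False, "no active just-in-time grant"
        return True, "ok"


def demo():
    """Walk one session through approval, a changed location, and grant expiry."""
    now = datetime(2025, 8, 22, 9, 0, tzinfo=timezone.utc)
    authz = ContinuousAuthorizer(allowed_countries={"GB"})
    session = Session(principal="svc-mail-sync", login_country="GB")
    authz.issue_jit(session, "read_mailbox", approver="oncall", ttl_minutes=15, now=now)

    normal = Context(device_managed=True, country="GB", roles={"mail-ops"}, risk_score=10)
    moved = Context(device_managed=True, country="US", roles={"mail-ops"}, risk_score=10)
    return [
        authz.authorize(session, "read_mailbox", normal, now),                          # approved
        authz.authorize(session, "read_mailbox", moved, now + timedelta(minutes=5)),    # same session, new location
        authz.authorize(session, "read_mailbox", normal, now + timedelta(minutes=20)),  # grant expired
        authz.authorize(session, "export_data", normal, now),                           # role never held
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY", reason)
```

The point of the design is that a successful login produces nothing durable: the session object carries only grants with an expiry, and every sensitive action is re-decided against live context. A hijacked session that changes location, loses its device posture, or simply outlives its grant is denied without any authentication failure ever occurring.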
Threat narrative
Attacker objective: The objective is prolonged, stealthy access to sensitive internal information while maintaining the appearance of legitimate activity.
- Entry occurs through hijacked legitimate accounts and abused OAuth applications, which lets the attacker enter the environment with valid access instead of noisy brute force.
- Credential access and scope expansion follow as tokens, sessions, and overprivileged accounts are reused to traverse cloud infrastructure and query internal systems.
- Impact emerges when the attacker uses that trusted access to move laterally, escalate privilege, and collect sensitive information such as internal email content.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Continuous authorization exposes the failure of one-time trust decisions. The access model assumed by many IAM and PAM programmes was designed for sessions that could be trusted after login. That assumption fails when an attacker can hijack a valid account and continue operating inside the approved boundary. The implication is that security teams must stop treating authorization as a front-door event and start treating it as a runtime condition.
Standing access is the named failure mode this intrusion pattern keeps exploiting. The article shows that a legitimate account with persistent privilege can be reused for lateral movement, token abuse, and internal discovery. That is not a policy gap in the abstract, but a governance failure where privilege outlives intent. Practitioners should read this as evidence that durability of access is now a liability, not a convenience.
Zero standing privilege is no longer just an NHI control pattern; it is a general identity assumption reset. The same weakness that lets a compromised service account roam through infrastructure also affects human sessions that remain trusted after initial verification. When identity behavior becomes session-dynamic, the programme has to govern use, not just grant. That means the control boundary shifts from issuance to continuous enforcement.
OAuth abuse illustrates that identity sprawl and access sprawl are now inseparable. Attackers do not need a new identity when they can turn an existing one into a transport layer for movement across cloud services. This connects NHI governance, application authorization, and privileged access into one control problem. The practical conclusion is that access reviews must include the paths a credential can open, not only the owner of the credential.
Continuous authorization is the control logic behind modern zero trust, not a bolt-on feature. The article’s strongest lesson is that trust must be recalculated as conditions change. That matters for every programme that still assumes a session can be safely evaluated once and then left alone. The practitioner takeaway is to align access enforcement with runtime risk, especially where valid credentials can be repurposed without triggering authentication failure.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to The Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why hidden privilege paths keep reappearing in incident response.
- That visibility gap is why the 52 NHI breaches Report remains useful for tracing how standing access turns into persistence and lateral movement.
What this signals
Continuous authorization is becoming a baseline control expectation, not a specialist design choice. The next phase of identity governance will be judged by whether it can re-check trust after the login event, especially for sessions that can reach multiple systems. For teams managing human, NHI, and autonomous access, the hard part is no longer issuing privilege, but proving it should still exist at the moment of use.
Identity programmes should treat OAuth, tokens, and active sessions as first-class governance objects. That means inventorying where they live, what they can reach, and how quickly they can be revoked when risk changes. The practical shift is from static entitlement review to path-based control of how an identity can move through the environment.
Standing privilege creates the kind of access debt that teams only notice after an incident. With 79% of organisations reporting secrets leaks and 77% of those incidents causing tangible damage, the governance lesson is that durability of access is itself a risk signal. Teams should prioritise runtime enforcement where access can be inherited, reused, or silently expanded.
For practitioners
- Move from session approval to session re-evaluation: Require continuous checks on device posture, location, role, and action sensitivity before privileged commands can proceed. A single successful login should never guarantee unrestricted movement across the environment.
- Eliminate standing access on high-value accounts: Review accounts that can reach databases, clusters, cloud consoles, and internal applications, then convert durable access into just-in-time access with automatic expiry and logged approvals.
- Harden OAuth and token governance: Treat OAuth apps, tokens, and sessions as active privilege carriers. Track where they are used, what they can reach, and whether they can be revoked quickly when behavior changes.
- Expand access reviews beyond ownership: Check not only who owns an account, but what lateral movement paths it can open and whether the account can be used across systems without fresh authorization.
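The review practice described above (inventory tokens and sessions, trace what they can reach, and check that expired ones are actually revoked) can be expressed as a small graph walk. The following is an added illustrative example, not code from StrongDM, NHIMG or any product; the credential inventory, the resource names, the "credential stored inside a resource" edges and the blast-radius threshold are all constructed for the demonstration.

```python
"""Path-based access review for tokens, keys and sessions.

Added illustrative example, not code from StrongDM or NHIMG. The inventory,
resource names and thresholds below are constructed for the demonstration.
"""
from collections import deque
from datetime import datetime, timezone

# Constructed inventory: each credential lists the resources it reaches directly.
# expires_at=None marks standing access (no automatic expiry).
CREDENTIALS = {
    "oauth:crm-integration": {"owner": "integration-svc", "reaches": ["crm"], "expires_at": None},
    "oauth:support-tool":    {"owner": "support-app", "reaches": ["ticketing", "mailbox"], "expires_at": None},
    "key:ci-deployer":       {"owner": "ci", "reaches": ["ci"], "expires_at": None},
    "key:cloud-admin":       {"owner": "platform", "reaches": ["cloud-console", "db"], "expires_at": None},
    "session:alice":         {"owner": "alice", "reaches": ["mailbox"],
                              "expires_at": "2025-08-22T10:00:00+00:00"},
}

# Constructed: credentials that are stored in (and therefore obtainable from) a resource.
# This is the edge that turns one credential into a transport layer for the next.
STORED_IN = {
    "crm": ["oauth:support-tool"],
    "ci": ["key:cloud-admin"],
}


def reachable_from(cred_id, creds=CREDENTIALS, stored_in=STORED_IN):
    """Breadth-first walk over credential -> resource -> stored-credential edges.

    Returns (resources reachable, credentials inherited along the way).
    """
    seen = {cred_id}
    resources = set()
    queue = deque([cred_id])
    while queue:
        current = queue.popleft()
        for resource in creds[current]["reaches"]:
            resources.add(resource)
            for inherited in stored_in.get(resource, []):
                if inherited not in seen:
                    seen.add(inherited)
                    queue.append(inherited)
    return resources, seen - {cred_id}


def review(now, creds=CREDENTIALS, stored_in=STORED_IN, max_radius=2):
    """Produce findings: broad standing reach, transitive paths, unrevoked expiries."""
    findings = []
    for cred_id, meta in creds.items():
        resources, _inherited = reachable_from(cred_id, creds, stored_in)
        direct = set(meta["reaches"])
        transitive = resources - direct
        if meta["expires_at"] is None and len(resources) > max_radius:
            findings.append((cred_id, "standing credential with broad reach", sorted(resources)))
        if transitive:
            findings.append((cred_id, "opens transitive path", sorted(transitive)))
        if meta["expires_at"] and datetime.fromisoformat(meta["expires_at"]) <= now:
            # Still present in inventory after its expiry: confirm it was really revoked.
            findings.append((cred_id, "expired but still in inventory; confirm revocation", []))
    return findings


if __name__ == "__main__":
    for cred_id, issue, detail in review(datetime(2025, 8, 22, 12, 0, tzinfo=timezone.utc)):
        print(f"{cred_id:24} {issue:50} {detail}")
```

Run as-is, the review flags the CRM integration token and the CI deployer key because each opens a path to credentials it never directly owned, and flags alice's session because it sits in inventory past its expiry. The ownership-only view would have rated the CI key as low risk; the path-based view shows it reaches the cloud console and the database.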
Key takeaways
- This intrusion pattern shows that authentication alone does not stop post-entry abuse when sessions remain trusted after login.
- The evidence points to standing access, OAuth reuse, and overprivileged identities as the conditions that let attackers move quietly inside cloud environments.
- Continuous authorization and zero standing privilege are the controls that meaningfully reduce the blast radius of valid-account compromise.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Standing access and token reuse are central to this attack pattern. |
| NIST CSF 2.0 | PR.AC-4 | Continuous re-checking of access aligns with least-privilege authorization. |
| NIST Zero Trust (SP 800-207) | | The article is built around continuous verification and zero standing privilege. |
Apply zero trust principles so access is continuously validated, not granted once and assumed safe.
Key terms
- Continuous Authorization: Continuous authorization is a model in which access is re-evaluated during the session, not only at login. It uses live signals such as device posture, context, and action sensitivity to decide whether the identity should keep access at the moment of use.
- Zero Standing Privilege: Zero standing privilege means an identity has no persistent access by default. Privileges are granted only when needed, for a specific task, and then revoked, which limits how far a hijacked account or token can be reused.
- OAuth Application Abuse: OAuth application abuse is the use of delegated application trust to move through systems or access data without re-authenticating as a new user. In practice, it turns a legitimate integration into a credential carrier if governance and monitoring are weak.
- Session Trust Scope: Session trust scope is the set of actions, systems, and data paths an approved identity can reach before authorization is checked again. Narrowing that scope reduces the damage an attacker can do after taking over a valid account or token.
Deepen your knowledge
Continuous authorization, zero standing privilege, and just-in-time access are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building an identity programme around cloud sessions and privileged access, it is worth exploring.
This post draws on content published by StrongDM: Unmasking Cozy Bear (APT29) and the urgent need for continuous authorization. Read the original.
Published by the NHIMG editorial team on 2025-08-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org