Continuous identity exposes the gap between policy and runtime access

At a glance

What this is: This article argues that continuous identity turns static IGA and PAM data into real-time access decisions, closing the gap between policy intent and runtime conditions.

Why it matters: It matters because IAM and NHI practitioners increasingly need task-scoped, context-aware control over access that can change after issuance, not just at review time.

👉 Read SGNL's analysis of continuous identity and runtime access control

Context

Continuous identity is a response to a familiar governance failure: access is approved once, then treated as trustworthy long after the business context changes. In IAM and NHI environments, that creates standing access, stale entitlements, and missed revocation points that traditional workflows do not catch in time. For background on the underlying identity model, see the Ultimate Guide to NHIs.

The core issue is not whether IGA or PAM are useful. It is that both are built primarily around administrative workflows, while modern access risk is runtime risk. That distinction matters for service accounts, API-driven workflows, and agentic systems alike, because the security question is increasingly whether access should exist right now under current conditions, not whether it was once approved.

Key questions

Q: How should security teams implement continuous identity without replacing IAM and PAM?

A: Start by treating continuous identity as an authorization layer that consumes data from existing IAM, PAM, IdP, and security tools. Focus first on the highest-risk paths where standing access creates the most exposure. The practical aim is to make access decisions change with context, not to rip out mature identity systems.

Q: When does JIT access create more risk than it reduces?

A: JIT access becomes risky when the approval flow is slow, manual, or disconnected from current security context. If access is granted but not continuously reevaluated, the environment can keep authorizing a session after the original need has passed. In that case, JIT shortens issuance time but does not meaningfully reduce blast radius.

Q: What is the difference between standing access and continuously evaluated access?

A: Standing access remains valid until someone manually removes it or a scheduled review catches it. Continuously evaluated access is rechecked against live signals such as risk, ticket status, device posture, and business need. The second model is better for high-risk workflows because it can react while the session is still active.

Q: Why do NHIs make runtime authorization harder to govern?

A: NHIs often run at machine speed, across many systems, with credentials that are easy to reuse and hard to monitor manually. That means entitlement drift and over-retention can become widespread before anyone notices. Runtime authorization gives defenders a way to narrow exposure windows for service accounts, tokens, and agents.

Technical breakdown

Design-time identity controls vs runtime access decisions

IGA and PAM generally establish policy, record entitlement, and broker privileged activity, but they do not continuously reevaluate access once the session begins. That leaves a gap between the entitlement state in one system and the real-world state of the user, device, ticket, or business condition. Continuous identity tries to close that gap by treating context as an input to authorization, not a side note. In practice, this means a policy can combine role, group membership, device posture, risk score, and business state before granting or revoking access. The architectural shift is from periodic certification to event-driven enforcement.

Practical implication: Map your highest-risk access paths to conditions that can be evaluated continuously, not just during review cycles.

Why Zero Standing Privilege depends on contextual signals

Zero Standing Privilege means no persistent access is left in place when it is not actively needed. That sounds simple, but it only works if the authorization layer can react to changing conditions quickly enough to revoke or constrain access in real time. Signals from IdP, ITSM, SIEM, EDR, MDM, and ticketing systems become part of the decision because they indicate whether the current session still meets policy. Without those signals, JIT access becomes a manual process with shorter leases, not a true control model. The mechanism is therefore policy evaluation plus continuous reassessment, not just credential issuance.

Practical implication: Use event-driven revocation for privileged sessions and service workflows that can tolerate only limited time-bound access.

Orchestration as the control plane for policy enforcement

A control plane for continuous identity sits between policy sources and enforcement points. It does not replace IGA, PAM, or the IdP. Instead, it translates identity context into runtime decisions and pushes those decisions into apps, APIs, infrastructure, and session controls. That matters because authorization logic scattered across many systems is hard to audit, hard to test, and easy to drift. A central orchestration layer reduces policy duplication, but it also increases the importance of clear inputs, deterministic policy logic, and logging that can explain why access was granted or removed.

Practical implication: Inventory where authorization is currently enforced and consolidate the highest-risk decisions into a smaller number of observable policy paths.

Breaches seen in the wild

• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
• DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Continuous identity is a control model, not a product category. The important shift is not another identity dashboard. It is the move from static entitlement governance to policy decisions that can be re-evaluated as business and risk context changes. That aligns with the way both NHIs and human identities behave in real environments: access is temporary, contextual, and often over-retained unless something actively constrains it. Practitioners should treat continuous identity as an operating model for runtime authorization.

Zero Standing Privilege becomes practical only when revocation is event-driven. A lease that expires on paper is not enough if the environment can still use the credential or session after the risk changes. Real ZSP requires inputs from ticketing, device posture, and security telemetry so the system can close access when the reason for access disappears. The lesson for IAM teams is to replace trust in review cadence with trust in live signals.

Policy sprawl is a hidden operational debt in modern identity stacks. When entitlement logic lives in IGA, session control lives in PAM, and exception handling lives in tickets or scripts, no one owns the full authorization picture. That fragmentation makes it harder to prove who had access, why they had it, and when it should have ended. Practitioners should consolidate decision logic where they can audit it and measure its effect.

Identity blast radius is the right concept for prioritizing runtime controls. The issue is not only how many accounts exist, but how far one compromised identity can move before the environment notices. Continuous identity reduces the time window for misuse, which matters as much for service accounts and workloads as it does for human users. The practitioner takeaway is to target the access paths that can do the most damage in the shortest time.

From our research:

• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• For a practical lifecycle lens: the Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs shows how provisioning, rotation, and offboarding should be tied to business context.

What this signals

Continuous identity will push IAM teams toward event-driven governance. The operating model shifts when access is no longer treated as a one-time approval but as a condition that must keep proving itself. For practitioners, that means access policy, logging, and revocation logic need to be observable as a single control path, not scattered across tools.

With 97% of NHIs carrying excessive privileges, the case for runtime authorization is structural, not optional. Access review alone cannot keep pace with machine-speed entitlements, especially when sessions, tokens, and service accounts may outlive the business need that created them. Teams should prepare for tighter integration between policy engines, security telemetry, and lifecycle controls.

Identity programmes should expect greater pressure to prove why access existed at a specific moment. That requires better decision evidence, not just better entitlement inventories. Practitioners should think in terms of auditable access narratives that connect context, policy, and enforcement to a single moment in time.

For practitioners

• Identify access paths that require runtime decisions Start with production, admin, API, and third-party access paths where a one-time approval no longer reflects current risk. Prioritise systems where device posture, active ticket status, contract status, or incident state should change the authorization outcome.
• Bind policies to live context signals Pull in signals from IdP, SIEM, MDM, ITSM, and EDR so authorization can change when business or security state changes. The goal is to revoke or constrain access automatically when the original justification disappears.
• Reduce standing access before expanding JIT scope Remove persistent entitlements that do not need to exist between tasks, then use short-lived access only where the operational process can support it. This is the fastest way to reduce review burden and lower the cost of over-broad PAM use.
• Centralise policy logging and decision evidence Keep a clear record of which context inputs drove each access decision, especially for privileged workflows and exceptions. That evidence is what audit, incident response, and access reviews will depend on later.

Key takeaways

• Continuous identity addresses the gap between approved access and current access, which is where most runtime risk accumulates.
• The operational value comes from tying authorization to live signals, so revocation can happen when the business justification disappears.
• Identity teams should prioritise high-risk paths first, because standing privilege creates more exposure than many periodic reviews can see.

Key terms

• Continuous Identity: A governance model that turns identity data into live access decisions. Instead of relying on static approvals and periodic reviews, continuous identity reevaluates whether access should still exist based on current context such as risk, device state, ticket status, or business need.
• Zero Standing Privilege: A control approach in which access is not kept permanently available between tasks. Permissions are granted only when needed and withdrawn when the justification ends, reducing the time window in which compromised credentials or over-retained access can be abused.
• Runtime Authorization: Authorization performed at the moment a request is made, using current signals rather than historical entitlement alone. It is the practical bridge between policy intent and actual enforcement, especially in environments where access conditions can change quickly.
• Identity Blast Radius: The amount of damage a single identity can cause before controls detect and stop misuse. It reflects privilege scope, session duration, and revocation speed, and it is especially important for service accounts, tokens, and other non-human identities.

Deepen your knowledge

Continuous identity and Zero Standing Privilege are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to govern runtime access with the identity stack you already have, it is worth exploring.

This post draws on content published by SGNL: Continuous identity, identity security guides, and Zero Standing Privilege. Read the original.