By NHI Mgmt Group Editorial Team
Published 2025-11-18
Domain: Best Practices
Source: ConductorOne

TL;DR: Instacart reports eliminating standing AWS access, extending just-in-time controls to sensitive apps like Stripe, and completing nearly 70,000 automated IAM tasks while reducing access-review effort, according to ConductorOne. The real shift is not speed alone: access governance now assumes entitlement windows are ephemeral, auditable, and policy-driven rather than persistently granted.


At a glance

What this is: Instacart’s access programme replaces standing access with policy-driven just-in-time entitlements, micro-reviews, and automation across engineering and business apps.

Why it matters: IAM teams now need controls that work for humans and non-human identities in short-lived access windows, not just periodic review cycles.

By the numbers:

👉 Read ConductorOne's blog on Instacart’s just-in-time access playbook


Context

Just-in-time access is a governance model that grants entitlement only when a task requires it, then lets the access expire instead of lingering as standing privilege. In practice, it changes identity security from periodic certification to event-based approval, which is more aligned to how engineering, finance, and support teams actually work.

For IAM programmes, the central issue is not whether access can be provisioned faster. The question is whether the programme can prove who had access, why they had it, and when it should disappear, both for human users today and for non-human identities as their access patterns become shorter-lived and more automated.

The same shift is already visible in broader NHI governance, where visibility gaps, over-privilege, and offboarding failures remain common. For background, see the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10.


Key questions

Q: How should security teams replace standing access without slowing down work?

A: Start by identifying which entitlements are truly task-bound and which are simply inherited habit. Then attach expiry, renewal, and policy ownership to the access itself so users must re-earn it when the task changes. The aim is to preserve operational speed while removing persistent privilege that no longer has a business justification.

Q: Why do short-lived access models matter more for NHIs than traditional reviews?

A: NHIs often act faster than human review cycles can observe. When credentials, tokens, or workload identities are short-lived, periodic recertification is too slow to be the main control. Expiry, automatic revocation, and clear ownership matter more because they reduce the period in which a leaked secret or stale entitlement can be abused.

Q: What breaks when access reviews are treated as a quarterly checkbox?

A: Quarterly reviews assume access remains stable long enough to be meaningfully assessed later. That assumption fails when users, service accounts, or agents only need access for a short task window. The result is stale entitlement approval, weak evidence quality, and a false sense of governance because the review happens after the risk has already moved on.

Q: Who is accountable when access is granted through policy-driven automation?

A: Accountability stays with the identity and governance team that owns the policy, not with the automation itself. If a workflow auto-approves or renews access, the team must still be able to explain the rule, the data inputs, and the exception path. That is what makes the control auditable rather than merely efficient.


Technical breakdown

Policy-driven just-in-time access and entitlement expiry

A JIT programme replaces persistent entitlements with time-bounded access requests tied to policy. The important mechanism is not the approval UI, but the enforcement layer: entitlement state changes automatically, and renewal becomes an explicit act rather than an assumption. This is why JIT can reduce privilege creep while preserving operability for engineers and business teams. The control becomes easier to audit because each request is a discrete event with its own owner, context, and expiry. In NHI terms, the same logic matters for service accounts and tokens that should not exist outside a narrow task window.

Practical implication: model every sensitive entitlement with an expiry condition, not just an approval path.
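The enforcement mechanism described above, as an added example rather than code from the ConductorOne post or from Instacart: a small in-memory entitlement store in which every grant carries an owner, a justification and an expiry, access checks succeed only inside an open window, renewal is an explicit call that needs a fresh justification, and every state change is appended to an audit trail. The entitlement labels, identities, owners, the MAX_TTL_HOURS ceiling and the fixed clock are all constructed for the walkthrough.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

T0 = datetime(2025, 11, 18, 9, 0, tzinfo=timezone.utc)   # constructed reference time for the walkthrough


def clock(hours_after_t0: float) -> datetime:
    """Constructed clock; production code would use datetime.now(timezone.utc)."""
    return T0 + timedelta(hours=hours_after_t0)


@dataclass
class Grant:
    grant_id: str
    identity: str                         # human user or service account (constructed names)
    entitlement: str                      # e.g. "aws:prod:deploy" (constructed label)
    owner: str                            # policy owner accountable for this grant
    justification: str                    # task context captured with the request
    granted_at: datetime
    expires_at: datetime
    closed_at: Optional[datetime] = None  # set by revocation or by the expiry sweep
    close_reason: Optional[str] = None

    def is_active(self, now: datetime) -> bool:
        # The enforcement rule: access exists only inside an open, unexpired window.
        return self.closed_at is None and now < self.expires_at


class JITEntitlementStore:
    MAX_TTL_HOURS = 8   # constructed ceiling; a real policy sets this per entitlement

    def __init__(self) -> None:
        self._grants: Dict[str, Grant] = {}
        self.audit_log: List[dict] = []   # one event per state change: the evidence trail
        self._seq = 0

    def _record(self, event: str, g: Grant, now: datetime, **extra) -> None:
        self.audit_log.append({"event": event, "grant_id": g.grant_id, "identity": g.identity,
                               "entitlement": g.entitlement, "owner": g.owner,
                               "expires_at": g.expires_at.isoformat(), "at": now.isoformat(), **extra})

    def _ttl(self, ttl_hours: float) -> timedelta:
        if not 0 < ttl_hours <= self.MAX_TTL_HOURS:
            raise ValueError(f"ttl must be within (0, {self.MAX_TTL_HOURS}] hours")
        return timedelta(hours=ttl_hours)

    def grant(self, identity: str, entitlement: str, owner: str, justification: str,
              ttl_hours: float, now: datetime) -> Grant:
        """Open a time-bounded window; the request itself is the discrete, owned event."""
        ttl = self._ttl(ttl_hours)
        self._seq += 1
        g = Grant(f"grant-{self._seq}", identity, entitlement, owner, justification, now, now + ttl)
        self._grants[g.grant_id] = g
        self._record("granted", g, now, justification=justification)
        return g

    def renew(self, grant_id: str, justification: str, ttl_hours: float, now: datetime) -> Grant:
        """Renewal is an explicit act: only an open window can be extended, with a fresh justification."""
        g = self._grants[grant_id]
        if not g.is_active(now):
            raise PermissionError("expired or revoked grants are not renewable; file a new request")
        g.expires_at = now + self._ttl(ttl_hours)
        g.justification = justification
        self._record("renewed", g, now, justification=justification)
        return g

    def revoke(self, grant_id: str, now: datetime, reason: str) -> Grant:
        g = self._grants[grant_id]
        if g.closed_at is None:
            g.closed_at, g.close_reason = now, reason
            self._record("revoked", g, now, reason=reason)
        return g

    def has_access(self, identity: str, entitlement: str, now: datetime) -> bool:
        """Enforcement check used at access time: is there any open window for this pair?"""
        return any(g.identity == identity and g.entitlement == entitlement and g.is_active(now)
                   for g in self._grants.values())

    def sweep_expired(self, now: datetime) -> List[str]:
        """Close every window that has passed and log the expiry; safe to run repeatedly."""
        closed = []
        for g in self._grants.values():
            if g.closed_at is None and now >= g.expires_at:
                g.closed_at, g.close_reason = g.expires_at, "expired"
                self._record("expired", g, now)
                closed.append(g.grant_id)
        return closed


if __name__ == "__main__":
    store = JITEntitlementStore()
    g = store.grant("svc-deploy", "aws:prod:deploy", "platform-iam", "release 2025.11", 2, clock(0))
    store.renew(g.grant_id, "release overran", 2, clock(1))
    store.sweep_expired(clock(4))
    for event in store.audit_log:
        print(event["at"], event["event"], event["grant_id"], "expires", event["expires_at"])
```

The point of the design is that nothing outside `has_access` and `is_active` decides whether access exists, so an auditor can reconstruct who held what, why, and until when from the audit log alone; a store backed by a real database would keep the same three invariants (windows close on their own, renewal needs a live window and a new justification, every transition is logged).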

Micro-reviews turn access governance into code

Traditional quarterly access reviews assume access is stable long enough to review later. In a coded JIT model, each request becomes a micro-review, and policy logic can reference attributes such as team, geography, job role, and external signals. That changes the evidence model. Auditors no longer rely on a single certification snapshot; they can inspect change history, policy evolution, and approval logic directly in source control. The governance value comes from repeatability and traceability, not from manual effort reduction alone. This is especially relevant when access patterns are high-volume and the programme needs defensible consistency.

Practical implication: store entitlement logic in version control and treat each access request as an auditable control event.

AI-assisted entitlement scoring without surrendering decisions

The article’s AI component is a scoring and recommendation layer, not an autonomous access decider. That distinction matters. Risk scoring can cluster requests by peer adjacency, historical usage, and role similarity, but the final governance decision still needs a clear policy boundary. For practitioners, the architectural question is how much of the entitlement workflow can be automated without turning recommendation into hidden authorisation. As AI agents start requesting and using access in shorter windows, the same separation between advice and decision becomes more important, not less.

Practical implication: use AI to prioritise or score requests, but keep the policy decision boundary explicit and reviewable.
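To show the attribute-driven policy logic and the separation between scoring and decision discussed in the two subsections above, the following added example (not Instacart's or ConductorOne's code) evaluates an access request in two stages: an advisory risk score built from peer adjacency, usage history and requested window, then an explicit policy decision that the score can only make stricter. The policies, team data, usage history, attribute names and the POLICY_VERSION placeholder are all constructed; in a real programme the POLICIES dictionary would be the versioned file in Git and the placeholder its commit hash.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

POLICY_VERSION = "POLICY_COMMIT_PLACEHOLDER"  # would be the Git commit hash of the policy file

# Entitlement policies: constructed examples of the logic the page says belongs in source control.
POLICIES: Dict[str, dict] = {
    "aws:prod:read": {
        "teams": {"platform", "sre", "data"}, "roles": {"engineer", "sre"},
        "regions": {"us", "eu"}, "identity_types": {"human", "service"},
        "max_ttl_hours": 8, "auto_approve": True, "auto_approve_max_score": 40,
    },
    "stripe:payouts:admin": {
        "teams": {"payments"}, "roles": {"engineer"}, "regions": {"us"},
        "identity_types": {"human"}, "max_ttl_hours": 2,
        "auto_approve": False, "auto_approve_max_score": 0,  # the owner always decides
    },
}

# Constructed signals consulted by the scorer: team sizes, which teammates currently hold
# the entitlement (peer adjacency) and who actually used it in the last 90 days.
TEAM_SIZES = {"platform": 8, "data": 6, "payments": 5, "support": 12}
PEERS_HOLDING: Dict[Tuple[str, str], Set[str]] = {
    ("platform", "aws:prod:read"): {"ana", "ben", "cai"},
    ("data", "aws:prod:read"): {"dee"},
}
USAGE_HISTORY: Dict[str, Set[str]] = {
    "aws:prod:read": {"ana", "ben", "cai"},
    "stripe:payouts:admin": {"pat"},
}


@dataclass(frozen=True)
class AccessRequest:
    identity: str
    identity_type: str   # "human" or "service"
    team: str
    role: str
    region: str
    entitlement: str
    ttl_hours: int


@dataclass
class Decision:
    outcome: str    # "auto_approve", "route_to_owner" or "deny"
    rule: str       # the explicit policy rule that produced the outcome
    score: int      # advisory score, recorded for the auditor but never authoritative
    reasons: List[str] = field(default_factory=list)
    policy_version: str = POLICY_VERSION


AUDIT_LOG: List[dict] = []   # one record per evaluated request


def score_request(req: AccessRequest) -> Tuple[int, List[str]]:
    """Advisory risk score in 0..100 with its reasons. It ranks requests; it grants nothing."""
    max_ttl = POLICIES[req.entitlement]["max_ttl_hours"]
    peers = PEERS_HOLDING.get((req.team, req.entitlement), set())
    signals = [
        (len(peers) / TEAM_SIZES.get(req.team, 1) < 0.25, 30, "few team peers hold this entitlement"),
        (req.identity not in USAGE_HISTORY.get(req.entitlement, set()), 20, "no recent usage by requester"),
        (req.identity_type == "service", 10, "non-human identity"),
        (req.ttl_hours / max_ttl >= 0.75, 10, "requested window near the policy maximum"),
    ]
    score = min(sum(points for hit, points, _ in signals if hit), 100)
    return score, [reason for hit, _, reason in signals if hit]


def decide(req: AccessRequest, score: int, reasons: List[str]) -> Decision:
    """Explicit policy decision. Attribute checks are absolute; the score only chooses between
    auto-approval and owner review and can never turn a deny into a grant."""
    policy = POLICIES.get(req.entitlement)
    if policy is None:
        return Decision("deny", "policy:no_policy_for_entitlement", score, reasons)
    checks = {
        "team": req.team in policy["teams"],
        "role": req.role in policy["roles"],
        "region": req.region in policy["regions"],
        "identity_type": req.identity_type in policy["identity_types"],
        "ttl": 0 < req.ttl_hours <= policy["max_ttl_hours"],
    }
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        return Decision("deny", "policy:attribute_check:" + ",".join(failed), score, reasons)
    if policy["auto_approve"] and score <= policy["auto_approve_max_score"]:
        return Decision("auto_approve", "policy:auto_approve_threshold", score, reasons)
    return Decision("route_to_owner", "policy:owner_review_required", score, reasons)


def evaluate(req: AccessRequest) -> Decision:
    """Score, then decide, then record one auditable event that names the policy version."""
    score, reasons = score_request(req) if req.entitlement in POLICIES else (0, ["no policy"])
    decision = decide(req, score, reasons)
    AUDIT_LOG.append({"identity": req.identity, "entitlement": req.entitlement,
                      "outcome": decision.outcome, "rule": decision.rule,
                      "score": decision.score, "policy_version": decision.policy_version})
    return decision


if __name__ == "__main__":
    for req in (AccessRequest("ana", "human", "platform", "engineer", "us", "aws:prod:read", 4),
                AccessRequest("eve", "human", "data", "engineer", "eu", "aws:prod:read", 8),
                AccessRequest("sam", "human", "support", "agent", "us", "stripe:payouts:admin", 1)):
        d = evaluate(req)
        print(f"{req.identity:>4} {req.entitlement:<22} {d.outcome:<15} score={d.score:<3} via {d.rule}")
```

Two properties make the boundary reviewable: `decide` is the only function that produces an outcome, and every outcome names the rule that fired plus the policy version, so an auditor reading the log can tell a threshold-based auto-approval from an owner decision without consulting the scorer's internals.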


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Standing access is now the governance debt that JIT is designed to retire. Instacart’s model shows that the real problem is not slow provisioning, but the accumulation of entitlements that remain active long after the task that justified them has ended. Once access is treated as an event rather than a condition, review cycles stop being the primary control and expiry logic takes over. For practitioners, that reframes least privilege as an operating model, not a periodic cleanup exercise.

Micro-review governance is a stronger evidence model than quarterly recertification for short-lived access. When each entitlement request is its own control point, the programme produces finer-grained evidence, clearer accountability, and less reviewer fatigue. That matters for auditors, but it also changes how IAM teams design policy ownership, because entitlement logic becomes code that can be versioned, tested, and inspected. The practitioner takeaway is that governance quality depends on the durability of the evidence trail, not on the size of the review batch.

Just-in-time access is becoming the bridge between human IAM and NHI governance. The same patterns that reduce standing access for engineers also describe how service accounts, API tokens, and future AI agent identities should be constrained. A named concept here is the ephemeral entitlement window: the narrower the access window, the more the programme depends on automatic expiry, traceability, and policy precision. Teams that still separate human and machine access programmes too early will miss the common control pattern.

AI-assisted access decisions expose a familiar governance boundary: recommendation is not authorisation. Instacart’s scoring bot can accelerate low-risk requests, but it does not remove the need for accountable policy. That distinction will matter even more as autonomous systems begin to request access at machine speed. For identity leaders, the field signal is clear: governance must keep the decision boundary visible even when the workflow is partially automated.

This model validates code-driven access governance, but it also raises the bar for operational discipline. A policy engine is only as defensible as the attributes, exceptions, and renewal paths it encodes. The implication for IAM and IGA teams is not to copy the tool shape, but to adopt the discipline of treating access as ephemeral, testable, and continuously reviewable across identity types.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • For a broader control baseline, see Top 10 NHI Issues for the issues that repeatedly show up in unmanaged identity programmes.

What this signals

Ephemeral entitlement windows are becoming the practical bridge between identity governance and zero standing privilege. As organisations move from periodic certification to event-based access, the programme has to prove expiry, ownership, and traceability in the same control path.

The signal for IAM leaders is that JIT will increasingly be the common pattern across humans, service accounts, and AI-assisted workflows. The organisations that treat access as a revocable event, not a permanent state, will be better positioned for audit, incident response, and autonomous access requests.

The next governance question is no longer whether automation can approve access faster. It is whether the policy model still makes sense when the access window is short enough that the identity may no longer exist by the time a human reviewer looks at it.


For practitioners

  • Replace standing access with expiry-backed entitlements: Inventory privileged AWS and application access, then attach explicit expiration to every sensitive entitlement so renewal becomes the exception rather than the default. Use the same model for service accounts where persistent access is unnecessary.
  • Move access review evidence into source control: Version policy logic, approval rules, and entitlement changes in Git so auditors can inspect the control history instead of reconstructing it from tickets. Treat each access request as a micro-review with a clear policy owner.
  • Use usage data to define personas and renewals: Analyse request patterns by team, role, and entitlement reuse, then adjust policies so frequent, low-risk requests can be handled consistently while unused access naturally falls away. The goal is to remove access nobody truly needs.
  • Separate scoring from decision authority: If you use analytics or AI to rank access requests, keep the final approval rule explicit and reviewable. Do not let recommendation logic become an implicit authorisation layer for high-risk entitlements or machine identities.

Key takeaways

  • Instacart’s model shows that standing access is increasingly an operational liability, not a convenience.
  • The strongest evidence of control maturity is not a larger review queue, but a smaller set of access events with clear expiry and traceability.
  • IAM teams should design for ephemeral access windows now, because the same governance pattern is moving from humans to non-human identities and AI-assisted workflows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on eliminating standing access and controlling credential lifetime.
NIST CSF 2.0 | PR.AC-4 | Policy-driven access approval and revocation align with least-privilege access management.
NIST Zero Trust (SP 800-207) | | The model operationalises continuous verification and least privilege through temporary access.

Map sensitive entitlements to NHI-03 and enforce expiry, renewal, and revocation for every privileged access path.


Key terms

  • Just-in-time access: Just-in-time access is a control model that grants privilege only when a task needs it and removes it when the task ends. In practice, it shifts identity governance away from permanent entitlements and toward time-bounded, auditable access decisions with explicit expiry and renewal.
  • Standing access: Standing access is persistent privilege that remains available whether or not it is actively needed. It creates governance debt because the programme must continuously prove that the access is still justified, rather than letting the entitlement disappear automatically when the task is complete.
  • Micro-review: A micro-review is a small, event-based access control checkpoint attached to a single request or renewal. It replaces large periodic recertifications with narrower, better-scoped evidence points, which makes governance easier to audit and often more accurate for short-lived access.
  • Ephemeral entitlement window: An ephemeral entitlement window is the short period during which an identity is permitted to use a specific privilege. The narrower the window, the more the programme depends on automatic expiry, tight policy logic, and clear accountability across human, NHI, and agentic access patterns.

Deepen your knowledge

JIT access, policy automation, and identity evidence trails are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are moving from standing privilege to expiry-backed access, it is worth exploring.

This post draws on content published by ConductorOne: So Long, Standing Access: Inside Instacart’s Just-In-Time Access Playbook. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org