By NHI Mgmt Group Editorial TeamPublished 2026-06-29Domain: Best PracticesSource: Securden

TL;DR: Most enterprise password managers still solve storage better than access governance, but Securden argues the real gap is deciding, in the moment, who should get a specific credential, for what reason, and for how long. Standing access accumulates into privilege creep, and access that is not time-bound becomes hard to justify, review, or revoke.


At a glance

What this is: This is an analysis of why enterprise password managers are moving from secure storage toward approval-driven access governance, with JIT access used to limit standing privilege and improve auditability.

Why it matters: It matters because IAM teams must govern who can use shared credentials, not just where they are stored, across human, NHI, and lifecycle controls.

👉 Read Securden's article on JIT approval workflows for enterprise password governance


Context

Enterprise password managers often secure credentials well but leave a larger governance problem untouched: access can stay open long after the original need has passed. In practice, that means a credential may be protected in storage while still being widely available to people who no longer need it.

That distinction is central to IAM and PAM programmes because approval, duration, and revocation are governance controls, not storage controls. For teams building tighter credential governance, the relevant question is whether access is still justified at the moment it is used, not whether the secret is encrypted.


Key questions

Q: How should security teams govern shared credentials in enterprise password managers?

A: Treat shared credentials as governed entitlements, not static vault contents. Require a request, approval, defined purpose, and an expiry condition before release. The key control is not encryption alone but whether access is time-bounded, reviewable, and automatically revoked when the approved use case ends.

Q: Why do standing credentials increase IAM risk even when they are encrypted?

A: Encryption protects the secret in storage, but it does not limit who can obtain it or how long they can keep using it. Standing access expands the effective blast radius, creates privilege creep, and makes accountability harder because the original business need is no longer visible at the point of use.

Q: What do organisations get wrong about Just-in-Time access?

A: Many teams treat JIT as a convenience feature instead of a governance control. The real value comes from approval logic, scoped duration, and automatic expiry. Without those pieces, JIT becomes a cosmetic wrapper around the same standing access problem.

Q: Who should be accountable for revoking shared credential access?

A: Accountability should sit with the business owner who requested or approved the access, supported by technical enforcement that expires it automatically. If revocation depends on memory or manual cleanup, access will outlive the project and the governance model will fail.


Technical breakdown

Password storage vs access governance

Password storage protects the secret itself through encryption, vaulting, and access logging. Access governance controls who may obtain the secret, why they may obtain it, how long they may use it, and whether that access is still valid when the request is made. Those are different control layers. A vault can be technically secure while still enabling broad standing access, which is why audit findings often focus on authorisation and lifecycle, not encryption strength alone.

Practical implication: separate vault security reviews from entitlement and approval reviews, because both must be working for credential governance to hold.

Why standing access turns into privilege creep

Privilege creep happens when access expands through project work, temporary exceptions, contractor support, and managerial convenience, then never contracts. In shared credential environments, the longer a password remains available, the less likely its original business reason still exists. The problem compounds because nobody owns the clean-up moment by default. Without explicit expiry and review, access becomes a historical accident that survives long after the operational need has ended.

Practical implication: attach every shared credential to a business owner and an expiry condition so access can be removed when the need disappears.

How JIT approval workflows change the control model

Just-in-time access adds a request, approval, and time-bounded release step before a credential is exposed. That changes the control model from persistent availability to conditional access with an audit trail. It also improves accountability because the request reason, approver, time window, and closure event are all preserved. In practice, JIT works best when approval depth reflects risk, so low-risk access does not get treated like high-risk administrative access.

Practical implication: design approval paths by credential sensitivity and keep revocation automatic when the approved window closes.


NHI Mgmt Group analysis

Approval-driven access is now the real governance boundary, not secret storage. Encrypting a password and logging access are necessary controls, but they do not answer the harder question of whether the right person should receive that credential at that moment. This is why password vaults that stop at storage leave IAM teams with a false sense of control. The practical conclusion is that credential governance must be evaluated by authorisation, duration, and revocation, not by vault hygiene alone.

Privilege creep is a lifecycle failure, not a user mistake. Access that began as temporary work support becomes a standing entitlement when nobody owns the offboarding moment. That makes the issue structural, because project endings, contractor exits, and managerial exceptions are all predictable lifecycle events. The implication is that organisations should treat shared credential access as a governed entitlement with a start condition and an end condition, not an informal convenience.

JIT access turns auditability into a by-product of the workflow. When requests, approvals, access windows, and expiry events are built into the same process, the audit trail exists before an incident or audit query arrives. That matters because many teams still reconstruct approval history after the fact. Practitioners should treat this as a shift from retrospective evidence collection to inherent control evidence.

Standing access creates identity blast radius even when the credential is protected. Once a shared password is broadly available, the effective blast radius is defined by who can reach it, not who can read the vault. That makes approval depth, release timing, and automatic revocation the controls that constrain downstream harm. The takeaway for identity programmes is to reduce exposure windows, not just secure storage locations.

Access governance in password managers is becoming a PAM-adjacent expectation. Enterprise buyers are no longer satisfied with vaults that only hide credentials. They expect workflows that decide access, scope duration, and revoke automatically when the need ends. The implication is that IAM and PAM teams should review whether their password platforms are acting as storage tools or as governance controls, because the market is moving toward the latter.

From our research:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which keeps the access problem tied to everyday behaviour rather than rare exceptions.
  • For a broader control lens, read NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding work together across identity types.

What this signals

Standing access is increasingly the control failure that programmes will be judged on. Security teams that still focus mainly on password encryption will miss the more material question of whether access is justified at the moment it is used. The programme signal is clear: governance maturity now depends on release conditions, expiry, and ownership, not vault completeness alone.

Identity teams should expect JIT-style approval logic to spread beyond privileged admin workflows. Once organisations see access governance as a lifecycle problem, the same pattern will be applied to contractor access, shared operational accounts, and sensitive support credentials. The practical shift is toward access that is requested, approved, and automatically withdrawn rather than left open by default.

Identity blast radius becomes the right planning metric for shared credentials. The more people who can reach a credential and the longer they can keep it, the more likely one compromise becomes many. Teams should use that lens to prioritise which accounts need stricter approval paths, stronger expiry rules, and tighter ownership before the next review cycle.


For practitioners

  • Map shared credentials to explicit owners and expiry conditions Assign a business owner, a technical owner, and a predefined end date or revocation trigger to every shared credential so access does not survive the original request.
  • Require approval before credential release Use a request-based workflow for sensitive accounts so users must state why they need access and approvers can decide whether the request matches the risk.
  • Differentiate approval depth by credential risk Apply stronger approval chains to administrative or high-impact accounts and lighter paths only where the business risk is demonstrably lower.
  • Automate revocation when the window closes Configure the platform to randomize or reset the credential automatically at expiry so access cannot quietly extend beyond the approved period.
  • Review audit logs as governance evidence Treat request, approval, window changes, and expiry events as control evidence for auditors and internal reviewers, not as after-the-fact troubleshooting artifacts.

Key takeaways

  • The real problem is not secret storage, but access that remains available long after its business justification has expired.
  • Privilege creep turns shared credentials into standing exposure, which makes approval, duration, and revocation the controls that matter most.
  • JIT workflows improve both governance and auditability when they are tied to explicit ownership and automatic expiry.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Directly addresses standing credentials and rotation/expiry governance.
NIST CSF 2.0PR.AA-1Access approvals and lifecycle controls support identity and authorisation governance.
NIST Zero Trust (SP 800-207)PR.AC-4JIT access aligns with least-privilege and conditional access principles.

Document approval, expiry, and revocation for shared credentials under your access control process.


Key terms

  • Standing access: Standing access is credential availability that persists without a current business justification. It often begins as a temporary exception and then becomes invisible because nobody owns the removal moment. In identity governance, standing access increases blast radius and weakens accountability because the entitlement outlives the original need.
  • Just-in-time access: Just-in-time access is a release model where credentials are granted only after a request and approval, then removed automatically after a defined window. For shared credentials and privileged accounts, it shifts governance from permanent availability to conditional use, which makes access easier to justify and easier to revoke.
  • Privilege creep: Privilege creep is the gradual accumulation of access beyond what is currently required. It usually happens through project work, exceptions, or unmanaged offboarding, and it is a lifecycle problem rather than a single mistake. The result is more exposed access than the organisation can reasonably defend.
  • Access governance: Access governance is the discipline of deciding who may receive access, why access is justified, how long it should last, and when it must be removed. In practice, it links approvals, time limits, logging, and revocation so access is controlled as an entitlement rather than treated as a static vault item.

What's in the full article

Securden's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step approval workflow configuration for shared credentials and privileged accounts
  • Per-account approval depth options, including multi-level approval paths for higher-risk access
  • Automatic password randomisation at access expiry and session-level controls for active use
  • Accountability logging for request, approval, window changes, session activity, and expiry events

👉 The full Securden article shows how approval timing, access expiry, and audit logging work in practice.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org