TL;DR: Real-time approval, denial, and locking of access requests can help reduce standing privilege and enforce resource limits, according to Teleport. The governance issue is bigger than speed: JIT policy only works when identity, approval, and audit controls are aligned to prevent access sprawl.
At a glance
What this is: Teleport describes a JIT watcher that continuously enforces access policies by auto-approving compliant requests, denying violations, and locking older access when users exceed limits.
Why it matters: This matters because IAM teams need controls that reduce standing privilege without relying on manual review loops that do not scale across NHI, autonomous, and human access programmes.
👉 Read Teleport's blog post on immediate, automated JIT access enforcement
Context
Just-in-time access is a governance pattern for granting access only when it is needed and revoking it when the task ends. In practice, many teams still accumulate standing access because approval workflows are too slow to keep pace with operational work, especially in SRE and DevOps environments.
The core IAM problem is not request volume alone. It is the drift between policy intent and actual privilege state, where access grows across environments and the organisation loses clean boundaries for review, escalation, and audit.
Key questions
Q: How should security teams automate JIT access without creating new governance blind spots?
A: Security teams should automate only the repeatable decision layer, then keep exception handling and policy ownership under human control. The key is to define clear approval, denial, and lock conditions, tie them to explicit role patterns, and maintain decision logs that show why access changed. That keeps JIT fast without turning it into unmanaged privilege.
Q: Why do standing privileges keep reappearing in environments that already use JIT access?
A: Standing privilege reappears when policy is not expressed as a state change. If teams only automate approvals but do not cap resource counts, separate incompatible environments, or close old requests, access naturally accumulates. JIT works best when the system can remove outdated privilege as well as grant new access.
Q: What breaks when access reviews are the main control for JIT governance?
A: Access reviews break down when access changes faster than review cycles can observe. Routine, low-risk requests pile up, reviewers miss drift, and the control becomes a retrospective checklist rather than an enforcement mechanism. Review still matters for exceptions and oversight, but it cannot be the only way privilege is constrained.
Q: How should organisations govern the service that enforces JIT policy?
A: Organisations should govern the watcher as a privileged non-human identity with its own scope, logging, and review requirements. If the enforcement service can approve, deny, and lock requests, then its identity and permissions matter as much as the identities it governs. That control should sit inside NHI lifecycle and audit processes.
Technical breakdown
How a JIT watcher enforces access policy in real time
Teleport’s watcher is a long-lived service that polls access requests on a schedule, evaluates them against policy, and then changes the request state by approving, denying, or locking it. The important design point is that enforcement is not left to human triage after the fact. Instead, the watcher acts as a policy-enforcement layer sitting beside the access request workflow, using Machine ID to authenticate to the API and make changes continuously. That makes the control deterministic, auditable, and operationally consistent, provided the policy rules accurately reflect the intended access boundary.
Practical implication: treat the watcher as an enforcement service with its own identity, access scope, and audit requirements.
Why standing access and environment overlap create governance drift
The article’s policy model is aimed at two common failure modes. First, users accumulate more approved resources than they should, which turns temporary access into de facto standing privilege. Second, access to production and research environments can coexist when role patterns are too broad or poorly separated. That is not simply an approval problem. It is a policy modelling problem, because the control has to understand resource counts, environment boundaries, and request lifecycle state at the same time. If those conditions are not encoded, least privilege becomes an intention rather than an enforceable rule.
Practical implication: validate policy logic against real role patterns and environment boundaries before automating enforcement.
Why auditability changes the value of automated JIT
Automated JIT is not just about speed. Its security value comes from turning access decisions into repeatable events with a clear reason attached to each approve, deny, or lock action. That matters because manual reviews are inconsistent and difficult to evidence at scale, while an always-on watcher can produce a stable trail of enforcement activity. In IAM terms, the control shifts from periodic oversight to continuous policy execution. That is useful only if the logged decision explains which rule fired and what state changed, so auditors can reconstruct why access was granted or removed.
Practical implication: require decision logs that explain the rule applied, the affected request, and the resulting state change.
Breaches seen in the wild
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
JIT automation does not remove the access sprawl problem, it formalises the policy boundary around it. The article shows that organisations still struggle with standing access, environment overlap, and request hoarding even when they adopt JIT. The watcher reduces manual effort, but the underlying governance question remains whether policy can keep pace with how people actually work. Practitioners should treat automation as enforcement of a design choice, not as proof that the design is complete.
Environment separation is the real control objective, not request volume reduction. The most revealing policy in the post is the restriction that blocks simultaneous production and research access. That is a concrete identity governance boundary, because it defines where privilege should not coexist. This aligns with Zero Trust thinking and least privilege discipline, where segmentation matters more than user convenience. The practitioner takeaway is to model mutually exclusive access states explicitly instead of relying on manual memory or after-the-fact review.
Access review cadences are too slow for workflows that change by the hour. The watcher exists because human approval loops cannot consistently keep up with operational access churn. That does not make human oversight obsolete, but it does show that routine entitlement decisions belong in policy automation while exception handling stays human. Teams that still depend on review queues for predictable requests are paying an unnecessary compliance tax and still not preventing access drift.
Machine ID is doing governance work here, not just service authentication. The watcher needs its own non-human identity to reach the API and enforce policy, which means the control plane itself becomes an NHI governance problem. That is where many programmes stop too early: they secure the access request workflow but forget the identity of the thing enforcing the workflow. Practitioners should extend NHI governance to control services, not just the human users requesting access.
Least privilege becomes measurable only when the system can count, compare, and close access states. The article’s resource cap and locking logic turn an abstract principle into an operational rule. That is useful because it gives security teams something testable, auditable, and enforceable. The broader lesson is that identity governance improves when policy is expressed in state changes, not just in documentation. Practitioners should look for controls that can prove privilege reduction in action.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, according to Ultimate Guide to NHIs.
- For the broader NHI control model, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs.
What this signals
Access sprawl becomes a control-plane problem once JIT decisions are automated. Teams that adopt policy watchers still need to prove that the watcher itself has a bounded identity, bounded permissions, and a reviewable decision trail. With only 5.7% of organisations claiming full visibility into their service accounts, per Ultimate Guide to NHIs, the control surface is often less visible than the access problem it is meant to solve.
Watcher-based JIT should trigger a broader lifecycle review of privileged non-human identities. Once a service can approve, deny, or lock access, it belongs in the same governance conversation as the identities it manages. That makes lifecycle controls, offboarding discipline, and audit evidence part of the same operating model rather than separate workstreams.
For practitioners
- Define explicit JIT state rules Map the access states that should auto-approve, auto-deny, or auto-lock, then test them against production, research, and other mutually exclusive role combinations before rollout.
- Treat the enforcement service as an NHI Assign the watcher its own machine identity, scope its API permissions tightly, and review its access as part of NHI lifecycle governance rather than as an application detail.
- Instrument decision logging for every policy action Record the request, rule matched, and state change for each approval, denial, or lock so auditors can reconstruct why access changed without relying on manual explanation.
- Replace routine manual reviews with exception handling Use automation for predictable requests and reserve human review for edge cases, policy conflicts, and access patterns that indicate role drift or misuse.
Key takeaways
- Automated JIT reduces manual friction, but it only works when policy logic is precise enough to enforce real privilege boundaries.
- The practical risk is access accumulation, especially when users can hold multiple approved resources across incompatible environments.
- The control that matters most is not approval speed, but whether the system can continuously close old access and prove why it did so.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The post centers on access sprawl and standing privilege in JIT workflows. |
| NIST CSF 2.0 | PR.AC-4 | Policy-based access enforcement aligns with least-privilege access management. |
| NIST Zero Trust (SP 800-207) | AC-4 | The watcher implements dynamic enforcement of access boundaries under zero trust. |
Align automated JIT controls to AC-4 and ensure access boundaries are enforced continuously, not periodically.
Key terms
- Just-in-Time Access: Just-in-time access is a pattern for granting privilege only for the task at hand and only for as long as the task requires it. In practice, it depends on fast approval, clear scope, and reliable revocation so temporary access does not quietly become standing privilege.
- Access Sprawl: Access sprawl is the gradual accumulation of more privilege than an identity actually needs. It usually happens when approvals are easy to grant but harder to remove, leaving users with overlapping roles, old entitlements, and environment boundaries that are no longer cleanly enforced.
- Machine ID: Machine ID is a non-human identity used by a service to authenticate to another system and perform actions programmatically. In governance terms, it deserves the same attention as any privileged identity because it can approve, deny, lock, or otherwise alter access state.
- Standing Privilege: Standing privilege is access that remains available without requiring a fresh, task-specific decision each time it is used. It is convenient operationally, but it weakens least privilege because access persists beyond the moment when it was needed and becomes harder to justify or revoke.
What's in the full article
Teleport's full blog post covers the operational detail this post intentionally leaves for the source:
- Sample watcher implementation in Go, including the polling and request-handling flow
- Machine ID setup details for authenticating the watcher to Teleport's gRPC API
- The exact resource-count and environment-separation policies used in the proof of concept
- Systemd deployment example for running the watcher as a long-lived service
👉 Teleport's full post covers the watcher implementation, policy logic, and service deployment details
Deepen your knowledge
JIT access enforcement and privileged non-human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are designing policy automation for access requests, it is worth exploring.
Published by the NHIMG editorial team on 2025-08-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
