By NHI Mgmt Group Editorial Team
Published 2025-08-14
Domain: Governance & Risk
Source: StrongDM

TL;DR: Just-in-time access can reduce standing privilege and narrow attack windows, but it still depends on strong identity, approval, and revocation controls, according to StrongDM’s analysis. For NHI-heavy environments, the governance problem is not temporary access itself but whether ephemeral credentials, auditability, and offboarding actually work at machine speed.


At a glance

What this is: This is a StrongDM analysis of just-in-time access as a privileged access pattern, with the core finding that temporary access lowers risk but does not remove governance and operational gaps.

Why it matters: It matters to IAM and NHI practitioners because service accounts, workloads, and AI agents need time-bound access controls that are measurable, revocable, and auditable at scale.

By the numbers:

👉 Read StrongDM's guide to just-in-time access for privileged and NHI workflows


Context

Just-in-time access is a privilege control pattern that grants access only for a specific task and time window. In practice, the question for IAM teams is whether that window is actually enforced across human users, service accounts, and AI agents, or whether standing privilege simply reappears in a different form. That is the governance gap behind many NHI programmes today.

StrongDM’s article frames JIT access as a way to reduce standing access in cloud and hybrid environments, but the broader problem is deeper than access duration. NHI governance has to cover request, approval, session control, credential rotation, and revocation together. When those pieces are disconnected, temporary access becomes a policy statement rather than an operational control.


Key questions

Q: How should security teams implement just-in-time access for non-human identities?

A: Treat non-human identities as a separate access class with their own policy, ownership, and expiration rules. Automate approvals where possible, bind access to a workload or agent context, and ensure the secret or token is invalidated when the task ends. If revocation is not reliable, JIT has not reduced risk.

Q: When does just-in-time access create more risk than it reduces?

A: JIT creates more risk when access is temporary in policy but persistent in practice. That happens when approvals are slow, revocation fails, secrets are not rotated, or exceptions accumulate until they become standing access. The control only helps when expiration is enforced and audited end to end.

Q: What is the difference between just-in-time access and standing privilege?

A: Standing privilege exists continuously, while just-in-time access grants access only for a defined task window. The operational difference is whether the identity can use the resource at any time or only after request, approval, and expiration controls are applied. For NHI governance, that difference determines blast radius.

Q: Should organisations prioritise JIT access before secrets rotation?

A: No, the two controls should be implemented together. JIT reduces the time a credential can be used, while rotation limits the value of any credential that is exposed. If one is present without the other, attackers still have too much room to act. The stronger programme combines both.


Technical breakdown

How just-in-time access works in privileged access flows

Just-in-time access typically brokers access through a request, approval, and time-bound grant workflow. The system can issue ephemeral access, temporary elevation, or one-time accounts, then revoke or disable access after the task window closes. That only works if the policy engine is tied to the identity source, the target resource, and the audit log. In NHI settings, the same pattern must account for non-interactive identities that cannot click a request button, which means automation has to replace manual approval where workloads or agents are involved.

Practical implication: Practitioners should verify that JIT policy enforcement is machine-readable end to end, not just designed for humans.

Ephemeral accounts, credential rotation, and audit trails

Ephemeral accounts reduce reuse by creating short-lived identities for a specific task. That lowers the value of stolen credentials, but only if the account is actually destroyed or invalidated and the underlying secrets are rotated. Audit trails matter because they connect the requestor, the justification, the action, and the expiration event. For NHIs, those audit records also need to show which workload or agent used the access, because otherwise delegation and accountability remain unclear.

Practical implication: Teams should make revocation and rotation part of the same workflow, not separate hygiene tasks.

Why JIT access is harder for NHIs than for humans

Non-human identities do not behave like employees. They run continuously, call APIs automatically, and often need access from code, pipelines, or orchestration layers. That means the real challenge is not whether access is temporary, but whether the system can bind short-lived privilege to a workload, token, certificate, or agent action without creating brittle exceptions. If the controls cannot scale across machine identities, administrators end up granting standing access in the name of uptime.

Practical implication: Security teams should model NHI JIT as an orchestration problem, not a helpdesk workflow.
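The three subsections above describe one workflow: a request that is approved by a human or, for a workload or agent, by policy; a grant bound to a task window and a workload context; revocation that invalidates the ephemeral token and rotates the underlying secret in the same step; and an audit record that ties requester, workload, justification, resource and expiry together. The following is an added illustration written for this page, not StrongDM's product code: a small in-memory broker with a hypothetical per-class policy table, a hash-only token store, lazy expiry on use and a scheduled sweep. All identity classes, TTL ceilings and resource names are assumptions.

```python
"""Minimal just-in-time access broker (illustrative; not StrongDM's code)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy: approval path and TTL ceiling per identity class.
# Non-human classes are auto-approved by policy because they cannot click a button.
POLICY = {
    "human":    {"auto_approve": False, "max_ttl": 3600},
    "workload": {"auto_approve": True,  "max_ttl": 900},
    "agent":    {"auto_approve": True,  "max_ttl": 300},
}

def _h(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class Grant:
    grant_id: str
    requester: str
    identity_class: str
    workload: Optional[str]          # workload or agent context the grant is bound to
    resource: str
    justification: str
    ttl: int
    expires_at: float = 0.0
    token_hash: Optional[str] = None  # broker keeps only a hash of the issued secret
    revoked: bool = False

class JitBroker:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending: dict = {}          # human requests awaiting approval
        self.active: dict = {}           # issued, unexpired grants
        self.secret_version: dict = {}   # rotation counter per target resource (assumed)
        self.audit: list = []

    def _log(self, event: str, g: Grant, **extra) -> None:
        # Every record binds requester, workload, justification, resource and expiry.
        self.audit.append({"event": event, "at": self.clock(), "grant_id": g.grant_id,
                           "requester": g.requester, "workload": g.workload,
                           "resource": g.resource, "justification": g.justification,
                           "expires_at": g.expires_at, **extra})

    def request(self, requester, identity_class, resource, justification, ttl, workload=None):
        rule = POLICY[identity_class]
        if identity_class != "human" and not workload:
            raise ValueError("non-human requests must be bound to a workload or agent context")
        g = Grant(secrets.token_hex(8), requester, identity_class, workload,
                  resource, justification, min(ttl, rule["max_ttl"]))  # clamp to ceiling
        if rule["auto_approve"]:
            return g.grant_id, self._issue(g, approver="policy")
        self.pending[g.grant_id] = g
        self._log("pending", g)
        return g.grant_id, None

    def approve(self, grant_id, approver):
        g = self.pending.pop(grant_id)
        return grant_id, self._issue(g, approver=approver)

    def _issue(self, g: Grant, approver: str) -> str:
        token = secrets.token_urlsafe(32)
        g.token_hash, g.expires_at = _h(token), self.clock() + g.ttl
        self.active[g.grant_id] = g
        self._log("granted", g, approver=approver)
        return token

    def authorize(self, token: str, resource: str) -> bool:
        """True only for an unexpired, unrevoked grant on exactly the named resource."""
        g = next((x for x in self.active.values() if x.token_hash == _h(token)), None)
        if g is None:
            return False
        if self.clock() >= g.expires_at:
            self.revoke(g.grant_id, reason="expired")  # lazy expiry: enforce on use
            return False
        ok = g.resource == resource
        self._log("used" if ok else "denied", g, target=resource)
        return ok

    def revoke(self, grant_id: str, reason: str) -> None:
        """Revocation and rotation happen in one step, never as separate hygiene tasks."""
        g = self.active.pop(grant_id)
        g.revoked, g.token_hash = True, None                      # invalidate the token
        self.secret_version[g.resource] = self.secret_version.get(g.resource, 0) + 1
        self._log("revoked", g, reason=reason, rotated_to=self.secret_version[g.resource])

    def sweep(self) -> int:
        """Scheduled revocation: close every grant whose window has elapsed."""
        expired = [gid for gid, g in self.active.items() if self.clock() >= g.expires_at]
        for gid in expired:
            self.revoke(gid, reason="expired")
        return len(expired)
```

The broker is deliberately fail-closed: a token that is not in the active set, has passed its window, or targets a different resource is refused, and the only path that turns an approval into a usable credential is `_issue`, which also stamps the expiry into the audit record. Injecting a clock makes the expiry behaviour testable under simulated time rather than only in the happy path.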


Threat narrative

Attacker objective: The attacker aims to turn temporary or overextended privileged access into durable administrative control.

  1. Entry occurs when privileged credentials are shared, reused, or left standing long enough to be harvested.
  2. Escalation follows when the attacker uses that privilege to expand access or modify security posture before revocation occurs.
  3. Impact is the ability to perform unauthorized administrative actions while appearing to operate through legitimate access paths.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Temporary access is not the same as governed access. JIT lowers exposure only when privilege issuance, session control, and revocation are all enforced in the same control plane. If one part is manual or inconsistent, the risk shifts rather than disappears. Practitioners should treat JIT as a governance architecture, not a feature checkbox.

Ephemeral credential trust debt is the hidden problem in most JIT deployments. Temporary credentials still create trust assumptions about who requested them, what they can do, and whether they were fully removed afterward. That debt grows fastest where identity data, vaulting, and audit evidence are fragmented. Practitioners should measure how often temporary privilege survives beyond its intended task window.

NHI programmes cannot rely on human-centric approval models. Service accounts, workloads, and AI agents operate continuously and often need automation to obtain scoped access. A workflow built for employees will either block legitimate machine activity or encourage exceptions that reintroduce standing privilege. Practitioners should design NHI-specific access paths rather than stretching human JIT patterns past their limits.

Least privilege becomes meaningful only when expiration is reliable. JIT access is often discussed as a reduction in attack surface, but the real control is the certainty that access ends when the task ends. That requires synchronization between policy, credential lifecycle, and offboarding. Practitioners should test expiration under failure conditions, not just in the happy path.

JIT is a useful control for PAM, but it does not solve NHI sprawl. Organisations can still accumulate too many machine identities, weak ownership, and incomplete discovery even if every request is time bound. JIT is strongest as a containment pattern inside a broader NHI governance programme. Practitioners should pair it with inventory, ownership, and lifecycle controls.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which makes any time-bound access strategy harder to verify in practice.
  • For the rotation angle, see Guide to NHI Rotation Challenges, which explains why expiration controls fail when lifecycle operations are not automated.

What this signals

Ephemeral access is becoming a baseline expectation, but it will not save programmes that cannot see their machine identities. With only 5.7% of organisations having full visibility into their service accounts, the control gap is often discovery, not policy. Teams should assume that JIT will be bypassed by exceptions unless ownership and lifecycle data are complete.

JIT should now be judged as part of a broader identity blast radius strategy. The practical question is not whether access is time bound, but whether the task window is short enough to contain misuse if the credential leaks. That pushes security teams toward tighter revocation, shorter TTLs, and stronger workload binding.

As AI agents and automation expand, the governance model needs to shift from approvals alone to continuous authorization signals. That means integrating access policy with lifecycle evidence, session telemetry, and offboarding workflows so temporary access does not become a durable exception.


For practitioners

  • Map JIT to every identity class: Document which access paths are for humans, which are for service accounts, and which are for AI agents. Separate approval logic, because one workflow will not fit every identity type.
  • Automate revocation and rotation together: When a temporary grant expires, the associated secret, token, or certificate should be rotated or invalidated immediately. Tie this to the same control that closes the session so access cannot outlive the approval window.
  • Measure privilege duration, not just approval rate: Track how long privileged access remains active, how often it is renewed, and whether it was actually used. A high approval rate with long-lived grants is a warning sign, not a success metric.
  • Require workload-aware audit evidence: Log the requesting identity, the delegated workload, the justification, the target resource, and the exact expiration timestamp. For NHI oversight, the audit trail must show who or what used the privilege and why.
  • Test failure paths for temporary access: Simulate approval delays, vault outages, and revocation failures to see whether access degrades safely. If the fallback is to leave privilege standing, the programme is not ready for production.
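The "measure privilege duration" item above, together with the earlier call to measure how often temporary privilege survives beyond its intended task window, can be answered from the audit trail alone. The following is an added example, not code from StrongDM or NHI Mgmt Group: it reads a constructed JSON-lines audit feed (the event names and fields are assumptions) and reports, per grant, how long privilege stayed active, how many times it was renewed, whether it was ever used, and whether it is overdue, meaning its window has passed with no revocation recorded.

```python
"""Privilege-duration metrics from JIT audit events (illustrative, assumed schema)."""
import json

# Constructed sample audit feed, not real product output. Times are epoch seconds.
SAMPLE_AUDIT = """
{"event":"granted","at":1000,"grant_id":"g1","requester":"ci-runner","workload":"pipeline-42","resource":"prod-db","expires_at":1900}
{"event":"used","at":1100,"grant_id":"g1","resource":"prod-db"}
{"event":"revoked","at":1900,"grant_id":"g1","reason":"expired"}
{"event":"granted","at":1000,"grant_id":"g2","requester":"alice","workload":null,"resource":"bastion","expires_at":4600}
{"event":"renewed","at":4500,"grant_id":"g2","expires_at":8200}
{"event":"renewed","at":8100,"grant_id":"g2","expires_at":11800}
{"event":"used","at":9000,"grant_id":"g2","resource":"bastion"}
{"event":"granted","at":2000,"grant_id":"g3","requester":"agent-7","workload":"agent-7","resource":"vault","expires_at":2300}
{"event":"granted","at":3000,"grant_id":"g4","requester":"etl-job","workload":"etl","resource":"prod-db","expires_at":3900}
{"event":"used","at":3100,"grant_id":"g4","resource":"prod-db"}
{"event":"revoked","at":3900,"grant_id":"g4","reason":"expired"}
"""

def parse_audit(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def privilege_metrics(events: list, now: float, max_active: float = 3600) -> dict:
    """Fold the event stream into one state per grant, then derive the metrics."""
    grants = {}
    for e in sorted(events, key=lambda e: e["at"]):
        g = grants.setdefault(e["grant_id"], {"granted_at": None, "expires_at": None,
                                              "revoked_at": None, "renewals": 0,
                                              "used": False, "requester": None, "workload": None})
        if e["event"] == "granted":
            g.update(granted_at=e["at"], expires_at=e["expires_at"],
                     requester=e["requester"], workload=e.get("workload"))
        elif e["event"] == "renewed":
            g["renewals"] += 1
            g["expires_at"] = e["expires_at"]     # each renewal pushes the window out
        elif e["event"] == "used":
            g["used"] = True
        elif e["event"] == "revoked":
            g["revoked_at"] = e["at"]
    report = {}
    for gid, g in grants.items():
        end = g["revoked_at"] if g["revoked_at"] is not None else now
        active = end - g["granted_at"]
        report[gid] = {
            "requester": g["requester"],
            "workload": g["workload"],
            "active_seconds": active,
            "renewals": g["renewals"],
            "used": g["used"],
            # Window has passed but no revocation was ever recorded: standing privilege in disguise.
            "overdue": g["revoked_at"] is None and now > g["expires_at"],
            "long_lived": active > max_active,
        }
    return report

def flagged(report: dict) -> list:
    """Grant ids that are overdue or long-lived, the warning signs the text describes."""
    return sorted(gid for gid, m in report.items() if m["overdue"] or m["long_lived"])

def standing_privilege_rate(report: dict) -> float:
    """Share of temporary grants that behaved like standing privilege."""
    return len(flagged(report)) / len(report) if report else 0.0

if __name__ == "__main__":
    r = privilege_metrics(parse_audit(SAMPLE_AUDIT), now=10000)
    for gid, m in r.items():
        print(gid, m)
    print("flagged:", flagged(r), "rate:", standing_privilege_rate(r))
```

Two of the four constructed grants are flagged for different reasons: one was renewed twice into a multi-hour session, the other was an agent grant whose window elapsed with no revocation and no recorded use. The second case is the one that matters most for NHI programmes, because nothing in the approval rate would have exposed it.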

Key takeaways

  • Just-in-time access reduces standing privilege, but it only improves security when expiration, revocation, and auditing are enforced together.
  • NHI environments expose the weakest part of many JIT programmes: machine identities need automation, not human-centric approval flows.
  • The practical goal is smaller identity blast radius, which requires JIT, rotation, ownership, and offboarding to operate as one control set.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | JIT depends on safe rotation and expiry of NHI credentials.
NIST CSF 2.0 | PR.AC-4 | Least-privilege access and access management are central to JIT governance.
NIST Zero Trust (SP 800-207) | | JIT supports continuous verification and reduced implicit trust.

Map temporary access grants to PR.AC-4 and review exceptions for standing privilege.


Key terms

  • Just-In-Time Access: A time-bound access pattern that grants privileges only when a specific task needs them. In identity programmes, it is used to reduce standing privilege, shorten exposure windows, and improve auditability by tying access to a request, approval, and expiration lifecycle.
  • Standing Privilege: Persistent access that remains available outside any immediate task requirement. It is risky because it expands the attack surface, weakens accountability, and makes credential misuse easier to exploit across human and non-human identities.
  • Ephemeral Account: A short-lived account created for a specific task and removed or disabled after use. In NHI governance, ephemeral accounts are valuable only when their associated secrets, tokens, or certificates are also invalidated and their activity is fully logged.
  • Zero Standing Privilege: An access model where no account retains permanent elevated rights. Access is issued on demand, scoped to a task, and removed immediately after use, which makes it a strong fit for high-risk infrastructure and machine identity governance.

Deepen your knowledge

Just-in-time access for NHI and privileged account governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building time-bound access controls for service accounts or AI agents, it is worth exploring.

This post draws on content published by StrongDM: What is Just-in-Time Access? Meaning, Benefits & Pains. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org