TL;DR: Just-in-time access can shorten exposure windows, but it still behaves like standing privilege because broad entitlements remain active for the granted session, leaving attackers time to exploit compromised accounts, according to SGNL. The real control gap is continuous context-aware authorisation, not timer-based elevation.
At a glance
What this is: This is an analysis of why just-in-time access still leaves cloud identities exposed when broad privileges stay active for the duration of a session.
Why it matters: It matters because IAM teams may mistake shorter access windows for real privilege reduction, even though NHI, autonomous, and human governance still depend on whether access can adapt when conditions change.
Context
Just-in-time access is a timer-based way of granting elevated privileges, but timer-based controls do not remove the underlying access model. In cloud environments, the question is not whether access is shorter, but whether it still depends on a pre-approved entitlement that remains usable after conditions change. This is a cloud IAM and privileged access problem, and it also touches NHI governance whenever service accounts or workload identities inherit the same static assumptions.
The core weakness is that JIT often reduces duration without changing decision quality. If access is granted once and then left to run, the organisation is still trusting a static window in a dynamic environment. That matters across human accounts, service identities, and AI-driven workflows because the governing assumption is the same: that access remains justified long enough to be useful and safe.
Key questions
Q: What breaks when just-in-time access is used as a substitute for real privilege reduction?
A: What breaks is the assumption that a time limit equals a security boundary. If the elevated session still carries broad permissions, an attacker who compromises the account inside the window gets the same access a permanent admin would have had, just for a shorter period. The control lowers duration, but it does not lower the privilege profile.
Q: Why do time-boxed access grants still create risk in cloud environments?
A: They still create risk because cloud systems change faster than the timer does. Device posture, user intent, and threat context can all drift after approval, but the session often remains valid. That means access can outlive the conditions that justified it, which is a governance gap, not just an inconvenience.
Q: How do security teams know whether JIT is actually reducing risk?
A: Measure the privilege width of each grant, the frequency of repeated elevations, and how often sessions remain active after the task is complete. If users repeatedly request broad access for routine work, or if sessions continue after the business need ends, JIT is acting as a convenience layer rather than a control improvement.
Q: Who is accountable when a time-boxed privileged session is abused?
A: Accountability sits with the identity governance and privileged access owners who approved a model that allowed broad access to persist inside a supposedly temporary session. If the organisation relies on time limits alone, it has accepted a weaker control boundary and should treat that as a governance decision, not an operator mistake.
Technical breakdown
Why timer-based JIT still behaves like standing access
JIT access typically works by issuing a temporary privilege grant after a request passes policy checks. The grant is time-boxed, but during that window the entitlement is still broad and usually static. That means the system is reducing how long access lasts, not changing how access is evaluated once granted. If an account is compromised after elevation, the attacker inherits the same rights until expiry. In cloud environments, this is especially limiting because posture, location, task state, and threat context can change mid-session. Timer logic does not react to those changes, so the access model remains pre-authorised standing privilege with a shorter lease.
Practical implication: Treat JIT as exposure reduction, not as a complete privilege control.
Continuous context changes the authorisation model
Continuous Identity shifts the control point from time to live context. Instead of asking only whether a user was entitled at the moment of request, it keeps checking whether the current task, device posture, network signals, and behaviour still justify access. This matters because cloud work is not static. A patch may finish early, a device may fall out of compliance, or a session may drift away from its original purpose. In that model, access is not a block of time that simply expires. It is a decision that must remain valid as conditions evolve.
Practical implication: Use continuous signals when access decisions need to follow changing operational risk.
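The two evaluation models described above, side by side in code. This is an added illustration, not SGNL's or NHIMG's implementation: the scope names, the context signals (device compliance, task state, a risk score) and the policy thresholds are assumptions constructed for the example. The same grant is replayed through a timer-only decision function and a continuous one; the timer-only path keeps returning the full scope set until expiry no matter what the context does, while the continuous path narrows the grant once the task closes and revokes it when the device falls out of compliance.

```python
"""Timer-only JIT grant vs. continuous re-evaluation of the same grant.

Added illustration, not code from SGNL or NHIMG. Scope names, context signals
and thresholds are assumptions made up for this example.
"""
from dataclasses import dataclass


@dataclass
class Context:
    """Live signals that should keep justifying an elevated session (assumed set)."""
    device_compliant: bool
    task_open: bool        # the change ticket / job the grant was issued for
    risk_score: int        # 0..100 from threat tooling, constructed


@dataclass
class Grant:
    principal: str
    scopes: frozenset
    issued_at: int         # seconds on the example's own clock
    ttl: int
    revoked: bool = False


FULL_ADMIN = frozenset({"vm:write", "db:admin", "iam:write", "kms:decrypt"})
NARROW = frozenset({"vm:write"})      # residual scope allowed once the task is done
RISK_REVOKE_THRESHOLD = 70            # assumed policy value


def timer_only_decision(grant: Grant, now: int, ctx: Context) -> frozenset:
    """Timer-based JIT: scopes stay usable until expiry; live context is ignored."""
    if grant.revoked or now >= grant.issued_at + grant.ttl:
        return frozenset()
    return grant.scopes


def continuous_decision(grant: Grant, now: int, ctx: Context) -> frozenset:
    """Continuous authorisation: every use re-checks the context, not just the clock."""
    if grant.revoked or now >= grant.issued_at + grant.ttl:
        return frozenset()
    if not ctx.device_compliant or ctx.risk_score >= RISK_REVOKE_THRESHOLD:
        grant.revoked = True   # hard stop; a later 'good' context does not reopen it
        return frozenset()
    if not ctx.task_open:
        return grant.scopes & NARROW   # task finished: shrink to the residual scope
    return grant.scopes


def simulate(ttl: int, timeline):
    """Replay one context timeline through both models; returns (t, timer, continuous)."""
    timer_grant = Grant("alice", FULL_ADMIN, issued_at=0, ttl=ttl)
    cont_grant = Grant("alice", FULL_ADMIN, issued_at=0, ttl=ttl)
    results = []
    for now, ctx in timeline:
        results.append((now,
                        timer_only_decision(timer_grant, now, ctx),
                        continuous_decision(cont_grant, now, ctx)))
    return results


# Constructed timeline: two-hour grant; task closes at 5 min, device drifts out of
# compliance at 10 min, recovers at 15 min.
TIMELINE = [
    (0,    Context(device_compliant=True,  task_open=True,  risk_score=10)),
    (300,  Context(device_compliant=True,  task_open=False, risk_score=10)),
    (600,  Context(device_compliant=False, task_open=False, risk_score=10)),
    (900,  Context(device_compliant=True,  task_open=True,  risk_score=10)),
    (7200, Context(device_compliant=True,  task_open=True,  risk_score=10)),
]

if __name__ == "__main__":
    for now, timer, cont in simulate(7200, TIMELINE):
        print(f"t={now:>5}s timer-only={sorted(timer)} continuous={sorted(cont)}")
```

Note that the continuous path treats revocation as sticky: once posture or risk has tripped the threshold, the session does not silently resume when the signal improves, because the grant that was approved no longer matches the session that actually ran. Whether a fresh request should be required at that point is a policy choice the example leaves to the caller.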
Why audit reports can hide JIT risk
JIT often looks cleaner in entitlement reviews because the access is temporary rather than permanent. But that neatness can be misleading. A session that lasts two hours may never appear as standing privilege in a snapshot report, even though the user had full elevation during that period. This creates a visibility gap between what auditors see and what actually happened. Repeated elevation requests can also disappear into routine workflow noise, making risky behaviour harder to spot. The result is a governance illusion: fewer persistent entitlements on paper, but the same or similar exposure in practice.
Practical implication: Track elevation events and session context, not just current entitlement state.
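The measurements the Key questions section asks for (privilege width per grant, frequency of repeated elevation, sessions still active after the task completes) are exactly what a snapshot entitlement report cannot show and an elevation-event log can. The following is an added example, not NHIMG's or SGNL's tooling: it parses a constructed elevation log, correlates each grant with its task-closed and expiry/revocation events, and flags grants that only compressed duration. The log format, field names, the baseline admin scope set and the idle threshold are all assumptions made for the example.

```python
"""Elevation-event telemetry for JIT grants.

Added illustration, not NHIMG's or SGNL's tooling. Log format, field names,
baseline scopes and thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one record per line, "<ts> <kind> key=value ...".
SAMPLE_LOG = """\
2026-01-22T09:00:00Z grant id=g1 principal=alice scopes=vm:write,db:admin,iam:write,kms:decrypt ticket=CHG-101
2026-01-22T09:25:00Z task_closed ticket=CHG-101
2026-01-22T11:00:00Z expired id=g1
2026-01-22T13:00:00Z grant id=g2 principal=alice scopes=vm:write,db:admin,iam:write,kms:decrypt ticket=CHG-102
2026-01-22T13:40:00Z task_closed ticket=CHG-102
2026-01-22T13:45:00Z revoked id=g2
2026-01-22T15:00:00Z grant id=g3 principal=bob scopes=vm:write ticket=CHG-103
2026-01-22T15:20:00Z task_closed ticket=CHG-103
2026-01-22T15:30:00Z expired id=g3
"""

# Assumed "permanent admin" scope set, used to judge whether a grant is really narrower.
ADMIN_BASELINE = frozenset({"vm:write", "db:admin", "iam:write", "kms:decrypt"})
IDLE_THRESHOLD_SECONDS = 900   # tolerated elevated time after task completion (assumed)


def parse(log: str) -> list[dict]:
    """Turn the log lines into event dicts with parsed UTC timestamps."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "kind": kind}
        for pair in pairs:
            key, value = pair.split("=", 1)
            rec[key] = value
        events.append(rec)
    return events


def _max_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of grants one principal received inside any single window."""
    times = sorted(times)
    best, start = 0, 0
    for i, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        best = max(best, i - start + 1)
    return best


def analyse(events: list[dict], window: timedelta = timedelta(hours=24)) -> dict:
    """Correlate grant / task_closed / expired|revoked events per grant id."""
    grants: dict[str, dict] = {}
    grant_for_ticket: dict[str, str] = {}
    for e in events:
        if e["kind"] == "grant":
            grants[e["id"]] = {"principal": e["principal"],
                               "scopes": frozenset(e["scopes"].split(",")),
                               "start": e["ts"], "task_closed": None, "end": None}
            grant_for_ticket[e["ticket"]] = e["id"]
        elif e["kind"] == "task_closed":
            gid = grant_for_ticket.get(e["ticket"])
            if gid:
                grants[gid]["task_closed"] = e["ts"]
        elif e["kind"] in ("expired", "revoked"):
            grants[e["id"]]["end"] = e["ts"]

    report = {"grants": {}, "repeat_elevations": {}}
    starts = defaultdict(list)
    for gid, g in grants.items():
        idle = None   # seconds the session stayed elevated after its task closed
        if g["end"] and g["task_closed"] and g["end"] > g["task_closed"]:
            idle = int((g["end"] - g["task_closed"]).total_seconds())
        report["grants"][gid] = {
            "principal": g["principal"],
            "width": len(g["scopes"]),
            "full_admin": g["scopes"] >= ADMIN_BASELINE,  # no narrower than standing admin
            "idle_elevated_seconds": idle,
        }
        starts[g["principal"]].append(g["start"])
    for principal, times in starts.items():
        report["repeat_elevations"][principal] = _max_in_window(times, window)
    return report


def flag_grants(report: dict) -> list[str]:
    """Grants that only compressed duration: full-admin width, or elevated long after the task."""
    flagged = []
    for gid, g in report["grants"].items():
        idle = g["idle_elevated_seconds"] or 0
        if g["full_admin"] or idle > IDLE_THRESHOLD_SECONDS:
            flagged.append(gid)
    return flagged


if __name__ == "__main__":
    rpt = analyse(parse(SAMPLE_LOG))
    for gid, g in rpt["grants"].items():
        print(gid, g)
    print("repeat elevations per 24h:", rpt["repeat_elevations"])
    print("flagged:", flag_grants(rpt))
```

On the constructed data, g1 and g2 are flagged because their scope set is no narrower than the standing admin baseline, and g1 additionally sat elevated for 95 minutes after its ticket closed; g3 is narrow and idle for only ten minutes. None of that is visible in a point-in-time entitlement snapshot taken outside those sessions.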
Threat narrative
Attacker objective: The attacker wants short-lived but powerful access that is easier to exploit than a permanently protected entitlement.
- Entry begins when an attacker compromises an account that can request elevated access, then waits for a legitimate JIT grant or triggers one through abuse of the approval workflow.
- Escalation occurs inside the time-boxed session because the granted entitlements remain broad and static until expiry, even if the attacker’s context has changed.
- Impact follows when the attacker uses the temporary elevation to reach cloud resources, move through the environment, or change data and controls before the timer ends.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
JIT access is not privilege elimination; it is privilege compression. The model shortens the exposure window without changing the fact that a broad entitlement still exists after the grant is made. That distinction matters because cloud attackers do not need persistent access if they can exploit a short but powerful one. Practitioners should stop describing timer-based elevation as the end state for privileged access governance.
Continuous authorisation is the real control boundary for cloud access. JIT assumes the access decision remains valid for the duration of the session, even though device posture, task state, and threat signals can change immediately. That assumption is built for a slower operational world. In cloud and NHI governance, the meaningful question is whether access can be withdrawn when context changes, not whether it was originally approved.
Standing privilege risk has shifted from duration to decision quality. The failure is no longer only long-lived credentials. It is the persistence of a static access decision inside a dynamic system. That is why timer-based access can satisfy a policy checklist while still leaving the organisation exposed. Teams should reframe privileged access discussions around continuous risk evaluation rather than session length.
Access review cadences do not solve mid-session abuse. Review processes can certify that a grant was justified at issuance, but they do not observe whether the same grant stayed justified ten minutes later. This is especially relevant for NHI-adjacent workflows, where service identities and automation often move faster than human governance cycles. Practitioners need to recognise that review-based governance and runtime governance are solving different problems.
Continuous Identity names the operational gap that JIT leaves open. The concept is useful because it captures the shift from time-boxed entitlement to live context evaluation. It is not a product category claim. It is a governance statement: if access must remain safe as conditions change, the control model must keep reassessing the session instead of trusting the clock.
From our research:
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
- 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge.
- The broader control gap is also visible in Ultimate Guide to NHIs, which helps teams connect lifecycle, secrets, and privilege governance across machine identities.
What this signals
Continuous Identity is the useful concept here because it explains why timer-based elevation will keep underperforming in cloud programmes. If access decisions only exist at grant time, they will always lag behind posture changes, task completion, and threat activity. Teams should assume that any privilege model built only around expiry is already behind the operating environment.
With 35.6% of organisations citing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, the problem is not confined to human admin workflows. The same design weakness shows up wherever access is pre-authorised and then left to run, including service identities and automation paths.
Programmes that still treat JIT as a primary control need to prepare for a shift toward runtime verification and session-level telemetry. That shift will affect IAM, PAM, and workload identity governance together, because the real question becomes whether access remains justified after the original request has already been approved.
For practitioners
- Audit JIT grants for static privilege width: Review whether elevated sessions still expose broad production, database, or cloud permissions even when they are time-boxed. If the privilege set is unchanged from a permanent admin path, the control is only reducing duration, not reducing blast radius.
- Add live context checks to elevation workflows: Require device posture, location, and task-state validation to remain current during the session, not only at approval time. If the context changes materially, revoke or narrow the grant before the session completes.
- Separate entitlement review from session monitoring: Keep access certification for governance records, but pair it with telemetry that shows what happened after the grant was issued. Audit snapshots should not be treated as proof that the access stayed safe throughout its lifetime.
- Use continuous signals for high-risk cloud roles: Prioritise runtime evaluation for production administrators, break-glass accounts, and service identities that can reach sensitive cloud resources. The higher the blast radius, the less acceptable a timer-only control becomes.
Key takeaways
- Just-in-time access reduces duration, but it does not automatically remove standing privilege or broad entitlement risk.
- The evidence points to a governance gap, not a timing gap, because attack opportunities can still appear inside a supposedly temporary session.
- Teams that need real privilege reduction should move from timer-only elevation to continuous, context-aware authorisation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses privilege exposure from time-boxed but still broad access grants. |
| NIST CSF 2.0 | PR.AC-4 | Covers management of access permissions and least privilege in dynamic environments. |
| NIST Zero Trust (SP 800-207) | JIT | Zero Trust requires continuous verification, which timer-only JIT does not provide. |
Map JIT workflows to access governance and verify that permissions narrow when context changes.
Key terms
- Just-in-Time Access: A privilege model that grants elevated access for a limited period after a request is approved. The access is temporary, but the entitlement can still be broad and static during the active session, which means risk is reduced in duration rather than eliminated in substance.
- Standing Privilege: Access that remains available without needing a fresh decision each time it is used. In identity governance, the term usually describes persistent rights, but the same risk pattern can appear in temporary grants if the privileges stay broad while the session is active.
- Continuous Identity: A governance approach that keeps re-evaluating access against live context instead of relying on a single approval event. It matters because device posture, task state, and threat conditions can change after access is granted, and the decision must be able to change with them.
- Exposure Window: The period in which a credential, session, or privilege grant can be exploited before it is revoked or expires. Shorter windows help, but they do not solve the deeper question of whether the access remains justified for the full time it is active.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
This post draws on content published by SGNL: JIT access is still standing access to your cloud. Read the original.
Published by the NHIMG editorial team on 2026-01-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org