By NHI Mgmt Group Editorial Team
Published 2026-02-18
Domain: Governance & Risk
Source: Hydden

TL;DR: Moving from standing privileges to just-in-time access can materially cut exposure, but the real challenge is deciding which accounts qualify and proving the change with identity data, according to Hydden. The transition is not a binary PAM toggle; it is a continuous governance problem that depends on usage signals, access patterns, and operational context.


At a glance

What this is: This is an analysis of how just-in-time access and Zero Standing Privileges change identity governance, with a focus on identifying which privileged accounts should move first.

Why it matters: It matters because IAM, PAM, and IGA teams need a data-driven way to reduce persistent privilege without breaking operational access across human, service, and workload identities.



Context

Just-in-time access is a privilege governance pattern, not a product switch. In practice, it replaces always-on elevation with time-bound access that is granted only when a task justifies it, then removed again after use. For identity programmes, the question is which accounts actually need persistent elevation and which are simply carrying inherited access.

The article frames this as a data problem as much as a control problem. IAM, PAM, and IGA teams cannot govern standing privilege intelligently without reliable signals on access frequency, session duration, entitlement usage, and anomaly patterns. That makes discovery and usage analysis the foundation for any credible Zero Standing Privileges programme.


Key questions

Q: What breaks when organisations keep standing privilege for accounts that are only used occasionally?

A: Standing privilege keeps dormant access alive far longer than the task that justified it. That creates a larger attack window, weaker accountability, and more lateral movement opportunity if credentials are stolen. Occasional-use accounts are often the easiest place to start JIT migration because their operational dependency is lower and the security gain is immediate.

Q: Why do just-in-time access models reduce risk in privileged identity programmes?

A: They reduce risk by shrinking the time an elevated credential exists and by forcing access to be tied to a specific task. That means stolen credentials are less useful, over-privilege becomes easier to spot, and access requests themselves become audit signals. The control works best when usage data, not role labels, drives selection.

Q: How do security teams know if zero standing privilege is actually working?

A: Look for three signals: fewer always-on privileged accounts, shorter average elevation periods, and a lower ratio of assigned entitlements to real usage. If users still hold broad access that is rarely exercised, the programme has only moved the problem around rather than removed standing privilege.

Q: Who should approve privileged access when JIT becomes the default model?

A: Approval should depend on task sensitivity, account risk, and operational urgency. Low-risk repeatable tasks can use pre-approved templates, while high-value or unusual requests need stronger review and a fresh authentication step. The governance goal is not universal delay; it is making privilege grants proportionate to the work being done.


Technical breakdown

Access frequency analysis for privileged identities

Access frequency is the clearest signal for deciding whether an account needs standing privilege. If an identity reaches privileged resources only sporadically, persistent elevation is usually convenience rather than necessity. The technical issue is that traditional entitlement reviews look at assigned rights, while just-in-time models depend on actual session behaviour, business cadence, and task recurrence. That is why weekly, monthly, and emergency-only access patterns matter more than role labels alone. In mature environments, this analysis must span directory data, PAM logs, and target-system activity so the privilege picture is not distorted by partial telemetry.

Practical implication: build migration candidates from usage evidence, not role assumptions.

Session duration and entitlement-to-usage ratio

Session duration shows how long privilege is truly needed, while entitlement-to-usage ratio shows how much access is never exercised. Together they reveal permission creep, where accounts are over-provisioned long after the original task pattern changed. A 24/7 privileged entitlement with only short business-hour sessions is a classic mismatch. The same is true when an account can reach dozens of systems but routinely touches only a small fraction of them. This is where just-in-time access becomes a governance control, not simply a convenience feature: it forces privilege to match actual work.

Practical implication: use session length and unused entitlement ratios to prioritise the first wave of JIT conversion.

Why visibility is the hard part of zero standing privilege

The mechanics of just-in-time access are straightforward once the candidate list is known. The difficult part is discovering every privileged account, understanding where it lives, and linking it to real usage patterns across PAM vaults, directories, cloud platforms, and target systems. Without that visibility, teams tend to automate a small, already-known slice of the estate and miss dormant or shadow privileges elsewhere. The result is a migration that looks complete on paper but leaves the highest-risk accounts untouched. Continuous discovery is what turns ZSP from a policy statement into an operating model.

Practical implication: do not start JIT enforcement until discovery coverage can support environment-wide privilege mapping.


Threat narrative

Attacker objective: The attacker aims to turn one compromised privileged account into sustained access across high-value systems with minimal detection friction.

  1. Entry occurs when stolen or inherited privileged credentials are already active, giving an attacker immediate access to sensitive systems.
  2. Escalation follows when standing privilege lets the attacker reuse the same account across multiple systems without needing a fresh approval or reauthentication step.
  3. Impact is achieved through lateral movement, persistence, and abuse of always-on elevation that extends the blast radius of the compromise.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Just-in-time access works because standing privilege is a governance assumption, not a technical necessity. The article correctly treats access frequency, session duration, and usage patterns as the data that should decide privilege shape. That is the right inversion for mature identity programmes: entitlement should follow observed work, not inherited role drift. For practitioners, the implication is that JIT is best treated as a control model for privilege governance, not as a narrow PAM feature decision.

Ephemeral privilege creates a narrower attack window, but only after identity visibility is complete. Accounts that are discovered late, or only partially mapped, remain outside the model no matter how good the session controls look. This is why the visibility problem is central to any serious ZSP programme. The field should stop describing ephemeral access as the end state and start treating it as the second stage after complete privilege discovery.

Identity blast radius is the right concept for measuring the value of ZSP. The article’s 95% exposure reduction example shows that the meaningful outcome is not merely shorter sessions, but a smaller window in which credential theft and privilege abuse can succeed. That makes blast radius, not access frequency alone, the board-level metric. Practitioners should measure how much persistent privilege remains after each migration wave, because that is what determines compromise impact.

Standing privilege in non-human identities is the same structural problem that appears in human admin accounts. Whether the actor is a person, service account, or workload, persistence creates the same governance debt: access survives longer than the task that justified it. The article’s emphasis on maintenance schedules, periodic reviews, and dormant access fits that broader pattern. The implication is that lifecycle governance should be applied consistently across privileged humans and NHIs, not treated as separate disciplines.

Access request friction becomes acceptable only when it is justified by risk segmentation. The article is right that some accounts should stay persistent because their operational cadence is high and predictable, while others should not. That is a risk-based segmentation problem, not a blanket policy debate. Practitioners should expect to defend each privilege class with evidence, because that is what keeps JIT from becoming either too restrictive or too permissive.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why privilege reduction programmes often start with incomplete inventories rather than control design.
  • Start with 52 NHI Breaches Analysis to see how over-privilege and missing lifecycle controls translate into real compromise patterns.

What this signals

Identity blast radius is becoming a more useful planning metric than raw account counts. When 97% of NHIs carry excessive privileges, the real programme question is how much persistent access remains after each conversion wave, not how many accounts have been catalogued.

The next maturity step is not broader enforcement, but better candidate selection. Teams that can tie access frequency, session duration, and entitlement usage back to the same identity graph will move faster than teams trying to apply JIT uniformly across every account.

For governance teams, the practical shift is to treat access requests as data, not just workflow. That makes pre-approved templates, exception monitoring, and approval latency part of identity control design rather than administrative overhead.


For practitioners

  • Map privileged accounts by real usage frequency: pull access data from PAM, directory services, cloud logs, and target systems to separate daily operational accounts from weekly, monthly, and sporadic ones. Prioritise accounts that touch high-value systems less than once per day for conversion to time-bound access.
  • Use session duration to find persistent privilege drift: compare how long accounts are entitled to remain elevated with how long sessions actually last. Accounts with 24/7 privilege but only a few hours of real activity are strong candidates for JIT because the persistence is operational convenience, not need.
  • Reduce broad entitlements that are never exercised: measure entitlement-to-usage ratios and flag accounts using less than 30% of their assigned access. Those accounts should be moved to request-based elevation with tighter task scoping and stronger review before access is granted.
  • Create approval templates for repeatable privileged tasks: pre-approve common administration patterns for database maintenance, troubleshooting, and security investigations so JIT does not become a bottleneck. Keep SLAs visible and review rejection rates to confirm the workflow is controlling risk rather than slowing work.
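A worked example of turning the first three signals above (access frequency, session duration, entitlement-to-usage ratio) into a ranked list of JIT migration candidates. This is added illustration, not code from Hydden or the NHI Mgmt Group; the session records, entitlements, account names and 30-day window are constructed assumptions, and the thresholds mirror the practitioner list: fewer than one session per day, 24/7 entitlement with only a few active hours, and under 30% of assigned entitlements exercised.

```python
from collections import defaultdict

# Constructed sample data (not from the article): privileged session records as
# (account, target system, session minutes) over a 30-day window, plus each
# account's assigned entitlements. Every account currently holds 24/7 elevation.
WINDOW_DAYS = 30
SESSIONS = [("dba-ops", "db-prod-01", 480) for _ in range(30)]  # daily 8 h shifts
SESSIONS += [("svc-backup", "db-prod-01", 20)] * 4  # weekly backup checks
SESSIONS += [("adm-legacy", "fileserver-02", 90)]  # one ad-hoc troubleshooting session
ENTITLEMENTS = {
    "dba-ops": {"db-prod-01", "db-prod-02"},
    "svc-backup": {"db-prod-01", "db-prod-02", "db-prod-03", "fileserver-02"},
    "adm-legacy": {"fileserver-01", "fileserver-02", "dc-01", "jump-01", "vault-01"},
    "adm-dormant": {"dc-01", "dc-02"},  # entitled, never used in the window
}

def account_metrics(sessions, entitlements, window_days):
    """Per-account usage signals: frequency, session length, active hours, usage ratio."""
    by_acct = defaultdict(list)
    for acct, system, minutes in sessions:
        by_acct[acct].append((system, minutes))
    metrics = {}
    for acct, assigned in entitlements.items():
        recs = by_acct.get(acct, [])
        used = {system for system, _ in recs}
        total_min = sum(minutes for _, minutes in recs)
        metrics[acct] = {
            "sessions_per_day": len(recs) / window_days,
            "mean_minutes": total_min / len(recs) if recs else 0.0,
            "elevated_hours_per_day": total_min / 60 / window_days,
            "usage_ratio": len(used & assigned) / len(assigned),
            "unused": sorted(assigned - used),
        }
    return metrics

def jit_candidates(metrics, max_freq=1.0, max_active_hours=4.0, max_usage=0.30):
    """Rank accounts whose standing privilege is not backed by usage evidence."""
    ranked = []
    for acct, m in metrics.items():
        reasons = []
        if m["sessions_per_day"] < max_freq:
            reasons.append(f"sporadic: {m['sessions_per_day']:.2f} sessions/day")
        if m["elevated_hours_per_day"] < max_active_hours:
            reasons.append(f"24/7 entitlement, {m['elevated_hours_per_day']:.1f} h/day active")
        if m["usage_ratio"] < max_usage:
            reasons.append(f"uses {m['usage_ratio']:.0%} of entitlements; unused: {m['unused']}")
        if reasons:
            ranked.append((acct, reasons))
    # Most evidence first, then least-used, then least frequent.
    ranked.sort(key=lambda r: (-len(r[1]), metrics[r[0]]["usage_ratio"], metrics[r[0]]["sessions_per_day"]))
    return ranked
```

On the sample data the daily eight-hour DBA account produces no findings and stays persistent, while the never-used account ranks first, followed by the legacy admin and the weekly backup service.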

Key takeaways

  • Standing privilege is the core risk that just-in-time access is trying to remove, but only if identity data is complete enough to identify the right candidates.
  • Usage frequency, session duration, and entitlement-to-usage ratios are the most practical signals for deciding which privileged accounts should move first.
  • The biggest governance win is smaller blast radius, which matters more than the number of accounts converted in any single wave.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Directly relates to reducing persistent privilege and rotating away from standing access.
NIST CSF 2.0 | PR.AC-4 | Covers least-privilege access management for elevated identities.
NIST Zero Trust (SP 800-207) | AC-6 | Zero Trust requires limiting privilege and continuously verifying access needs.

Use PR.AC-4 to justify and document where persistent privilege should be removed or narrowed.


Key terms

  • Just-in-time access: A privilege model that grants elevated access only when a specific task requires it, then removes that access after use. In identity programmes, it reduces standing exposure and makes privilege grants more auditable because access is tied to a bounded operational need.
  • Zero Standing Privileges: A governance model in which no privileged access remains permanently active. Access is issued on demand, limited to the task at hand, and expected to expire automatically, which reduces the window in which stolen credentials or idle admin rights can be abused.
  • Entitlement-to-usage ratio: A measure of how much assigned access is actually exercised by an identity. Low usage relative to broad entitlements usually indicates over-provisioning, permission creep, or inherited access that has outlived its original purpose.
  • Identity blast radius: The amount of damage a compromised identity can cause before controls intervene. In practice, it is shaped by privilege persistence, access scope, and how quickly elevation can be removed or constrained after suspicious activity appears.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Hydden: just-in-time access and Zero Standing Privileges. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org