TL;DR: Just-in-time access has shifted from a privileged-user control to a broader governance pattern for people, cloud services, pipelines, and agents, with Delinea arguing that standing privilege now creates unnecessary risk across both audiences. The deeper issue is that access review, offboarding, and audit models built around persistent credentials no longer fit ephemeral access patterns or autonomous execution loops.
At a glance
What this is: This is an analysis of how just-in-time privileged access now has to govern both humans and non-human identities, with the key finding that standing privilege is still the default risk across both.
Why it matters: It matters because IAM, PAM, and NHI programmes now have to treat ephemeral access as a lifecycle control, not just a human admin convenience.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Context
Just-in-time privileged access is the practice of granting elevated access only when it is needed, for a defined task, and then removing it again. In identity security terms, it is a response to standing privilege, the condition where credentials remain available long after the task that justified them has ended.
The governance problem is no longer limited to human administrators. Cloud services, CI/CD pipelines, workloads, and AI agents now hold privileged access too, which means JIT has become a control for NHI governance as much as for PAM. That changes how teams think about lifecycle, auditability, and blast radius across the full identity stack.
Key questions
Q: How should security teams implement just-in-time access for both people and NHIs?
A: Start by separating privileged humans, service accounts, workloads, and automations into different access paths, then make each path request-based, time-bound, and logged. The key is to preserve existing tools and workflows while removing standing privilege underneath them. That approach reduces friction and makes JIT viable beyond the admin use case.
Q: Why does just-in-time access matter more for NHIs than traditional admin accounts?
A: NHIs often run continuously, which means a long-lived credential can be reused long after the original task was complete. That increases blast radius and makes offboarding harder to verify. JIT matters because it turns persistent machine access into an on-demand control instead of a permanent entitlement.
Q: What do security teams get wrong about just-in-time privileged access?
A: They often treat JIT as a portal or approval workflow instead of a lifecycle control. The real issue is whether privilege exists only for the smallest necessary window. If the credential remains reusable, or the process is too disruptive for users to follow, the governance benefit collapses.
Q: Who is accountable when JIT access is used across cloud services, pipelines, and admins?
A: Accountability should sit with the identity governance and privileged access owners who control entitlement policy, logging, and expiry behavior across each actor type. For NHIs, that usually means PAM, cloud security, and platform teams sharing responsibility for lifecycle enforcement rather than treating machine access as a separate silo.
Technical breakdown
How ephemeral privilege changes the attack surface
JIT works by replacing persistent privilege with time-bound authorization. A user or workload requests access for a specific purpose, policy decides whether to grant it, and the credential expires after use. That changes the economics of compromise because a stolen credential has far less time to be reused. For humans, this maps cleanly to privileged access management. For NHIs, the same pattern applies to workloads, cloud consoles, database access, and orchestration tools that would otherwise keep long-lived secrets in circulation.
Practical implication: inventory every privileged identity that can still operate with standing access and determine where ephemeral credentials can replace it.
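To make the request / policy / expiry loop above concrete, and to show the "separate access paths per actor type" answer from the key questions, here is an added Python example. It is not code from the original article or from Delinea; the actor class names, the per-class ceilings, the scope strings and the broker methods are all constructed assumptions for illustration.

```python
"""Minimal just-in-time grant broker: one access path per actor class,
every grant time-bound, every decision logged.

Constructed illustration; the class names, ceilings and scope strings are
assumptions, not Delinea's product behaviour or any real vendor API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

# Assumed per-class ceilings. No class gets an open-ended grant, and the
# always-on NHI classes get the shortest windows because a leaked token
# is worth exactly as long as its remaining lifetime.
MAX_TTL = {
    "human_admin": timedelta(hours=4),
    "service_account": timedelta(minutes=30),
    "ci_runner": timedelta(minutes=15),
    "ai_agent": timedelta(minutes=5),
}


@dataclass
class Grant:
    grant_id: str
    identity: str
    actor_class: str
    scope: str            # e.g. "db:orders:readwrite" (constructed naming)
    purpose: str
    issued_at: datetime
    expires_at: datetime
    token: str            # short-lived secret, meaningless after expires_at

    def is_active(self, now: datetime) -> bool:
        return self.issued_at <= now < self.expires_at


@dataclass
class JitBroker:
    audit_log: list = field(default_factory=list)

    def request(self, identity, actor_class, scope, purpose, requested_ttl, now):
        """Policy decision: deny unknown classes and purposeless requests,
        otherwise issue a grant clamped to the class ceiling."""
        if actor_class not in MAX_TTL:
            self._log(now, "deny", identity, scope, "unknown actor class")
            return None
        if not purpose.strip():
            self._log(now, "deny", identity, scope, "no purpose recorded")
            return None
        # Clamp instead of rejecting so existing workflows keep working,
        # but the requester never gets more than the class allows.
        ttl = min(requested_ttl, MAX_TTL[actor_class])
        grant = Grant(
            grant_id=secrets.token_hex(8),
            identity=identity, actor_class=actor_class, scope=scope,
            purpose=purpose, issued_at=now, expires_at=now + ttl,
            token=secrets.token_urlsafe(32),
        )
        self._log(now, "grant", identity, scope, f"ttl={ttl}")
        return grant

    def authorize(self, grant, scope, now):
        """Runtime check at the resource: the grant must exist, match the
        scope exactly and still be inside its window."""
        ok = grant is not None and grant.scope == scope and grant.is_active(now)
        who = grant.identity if grant else "unknown"
        self._log(now, "allow" if ok else "deny", who, scope, "authorize")
        return ok

    def _log(self, now, outcome, identity, scope, detail):
        self.audit_log.append({
            "at": now.isoformat(), "outcome": outcome,
            "identity": identity, "scope": scope, "detail": detail,
        })


def demo():
    """A CI runner asks for eight hours; policy gives it fifteen minutes.
    Returns (grant, allowed_during, allowed_after, log) for inspection."""
    broker = JitBroker()
    t0 = datetime(2026, 1, 1, 9, 0, tzinfo=timezone.utc)
    g = broker.request("build-runner-7", "ci_runner", "db:orders:readwrite",
                       "apply migration for release 42", timedelta(hours=8), t0)
    during = broker.authorize(g, "db:orders:readwrite", t0 + timedelta(minutes=10))
    after = broker.authorize(g, "db:orders:readwrite", t0 + timedelta(minutes=20))
    return g, during, after, broker.audit_log


if __name__ == "__main__":
    grant, during, after, log = demo()
    print(f"window={grant.expires_at - grant.issued_at} during={during} after={after}")
    for entry in log:
        print(entry)
```

The design choice worth noting is the clamp: the runner's workflow does not have to know the policy, it just gets a shorter credential than it asked for, which is the "strict at the authorization layer, invisible at the workflow layer" split. The audit log records the grant and every later allow or deny against it, which is the evidence a review can later use instead of a static entitlement list.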
Why developer workflows make JIT succeed or fail
JIT is not just a security model; it is a workflow model. If the access request forces developers into a new portal, a new client, or a slow approval path, they will route around it. Delinea’s article correctly points out that the winning model preserves familiar protocols such as SSH, kubectl, and database clients while changing the credential underneath. In other words, the control should be invisible at the workflow layer and strict at the authorization layer.
Practical implication: design JIT around existing tools and session patterns, then enforce expiry and logging behind the scenes.
Why standing privilege remains the real governance problem
Standing privilege is the condition that makes JIT necessary in the first place. Whether the identity is a human admin, a CI/CD runner, or an AI agent, persistent access expands the window for misuse, lateral movement, and offboarding failure. In NHI terms, the problem is not just authentication. It is entitlement persistence, credential reuse, and the assumption that access can safely sit idle until needed again. JIT addresses those assumptions by making privilege disposable.
Practical implication: tie privileged access reviews to entitlement duration, not just to who owns the account.
NHI Mgmt Group analysis
JIT has become a governance model for both humans and NHIs, not a point control for admins. The article’s central shift is that privileged access now spans people, pipelines, workloads, and agents, all of which can inherit standing privilege by default. That means the old PAM boundary is too narrow for modern identity estates, because the same entitlement logic now governs multiple actor types. Practitioners should treat JIT as a lifecycle pattern across the whole privileged surface.
Standing privilege is the failure mode JIT is designed to remove, and it is still the default condition in cloud-first environments. Long-lived access turns every credential into future risk, whether the identity is a database admin or a build runner. The article’s example set shows how quickly human workflows and machine workflows converge on the same exposure problem. The implication is that entitlement duration, not account count, is now the more useful governance lens.
Ephemeral credential trust debt: JIT reduces exposure, but only when programmes stop assuming credentials can remain valid long enough to be reviewed, rotated, or manually corrected. That assumption held when access was tied to human request cycles; it breaks when cloud services and automations are always on. The implication is that identity governance has to measure how long privilege exists, not just who requested it.
JIT does not replace least privilege; it operationalises it under pressure from NHI sprawl. The article shows that compliance and productivity can align when privilege is short-lived and workflow-native. That is the important market signal for identity teams: access governance is moving from static assignment to runtime enforcement. Practitioners should reframe JIT as a baseline control for privileged NHI governance, not an advanced add-on.
Access review alone cannot solve the problem that JIT is trying to solve. Reviews are retrospective, while the risk here is immediate and continuous across sessions, pipelines, and cloud credentials. The practical gap is not awareness; it is timing. Teams need controls that make privilege disappear automatically before review cycles ever begin, or they will keep auditing yesterday’s exposure.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For a broader control baseline, see Ultimate Guide to NHIs for how lifecycle, rotation, and offboarding change when privilege is short-lived.
What this signals
With 72% of organisations already reporting or suspecting NHI breaches, just-in-time access should be treated as a core privilege-limitation control rather than a niche PAM enhancement. The practical question for identity teams is whether their current governance model can prove that privileged access existed only for the necessary session, not merely that it was approved once.
Ephemeral privilege boundary: the next wave of IAM programmes will be judged by how well they collapse the time between authorization and exposure. That matters because cloud services, pipelines, and AI agents are now part of the privileged estate, and the governance failure is usually persistence, not authentication.
If your programme still relies on periodic access reviews alone, it is already behind the operational tempo of modern NHI usage. JIT needs to be coupled with lifecycle controls, session evidence, and offboarding discipline so that entitlement duration becomes measurable rather than assumed.
For practitioners
- Map every privileged identity to an expiry model: Separate human admin accounts, service accounts, CI/CD runners, and AI agents into distinct privilege lifecycles. For each class, define how access is requested, granted, used, and removed so standing privilege becomes the exception rather than the default.
- Preserve existing developer workflows while changing the credential layer: Keep SSH, kubectl, database clients, and cloud tooling in place, then insert ephemeral credential issuance behind those tools. If users must change their work habits to get JIT, adoption will stall and shadow access will reappear.
- Tie privileged access reviews to session evidence: Use session logs, request records, and expiry events to prove that elevated access was temporary and task-scoped. That gives auditors a clearer control story than static entitlement lists and exposes where privileges remain active too long.
- Retire long-lived secrets in high-value paths first: Start with production databases, cloud consoles, orchestration platforms, and internal services that can cause the greatest blast radius. Replace reusable credentials with short-lived access before moving to lower-risk systems.
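The third practitioner item above, tying access reviews to session evidence, and the "What this signals" point that governance must prove privilege existed only for the necessary session, both come down to one join: every observed session must fall inside a recorded JIT grant. The following added Python example (not from the article or from Delinea) runs that check over a few constructed grant and session records; the record layouts, identity names and scope strings are assumptions made for illustration, not any product's log format.

```python
"""Session-evidence access review: prove privilege existed only inside a
JIT window, and measure how long privilege existed per identity.

Constructed example; the grant and session records below are made up and
the field names are assumptions, not any product's log format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed grant records as a JIT broker would emit them (UTC timestamps).
GRANTS = [
    {"grant_id": "G1", "identity": "alice", "scope": "k8s:prod:admin",
     "issued_at": "2026-01-01T09:00:00+00:00", "expires_at": "2026-01-01T10:00:00+00:00"},
    {"grant_id": "G2", "identity": "build-runner-7", "scope": "db:orders:readwrite",
     "issued_at": "2026-01-01T09:05:00+00:00", "expires_at": "2026-01-01T09:20:00+00:00"},
    {"grant_id": "G3", "identity": "alice", "scope": "k8s:prod:admin",
     "issued_at": "2026-01-01T13:00:00+00:00", "expires_at": "2026-01-01T14:00:00+00:00"},
]

# Constructed session events reported by the resources themselves.
SESSIONS = [
    {"identity": "alice", "scope": "k8s:prod:admin",
     "at": "2026-01-01T09:10:00+00:00", "action": "kubectl apply"},
    {"identity": "build-runner-7", "scope": "db:orders:readwrite",
     "at": "2026-01-01T09:12:00+00:00", "action": "migration"},
    {"identity": "build-runner-7", "scope": "db:orders:readwrite",
     "at": "2026-01-01T09:45:00+00:00", "action": "migration"},
    {"identity": "svc-reporting", "scope": "db:orders:readwrite",
     "at": "2026-01-01T02:30:00+00:00", "action": "SELECT"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def covering_grant(grants, identity, scope, at):
    """Return the grant that made this session legitimate, if any."""
    for g in grants:
        if (g["identity"] == identity and g["scope"] == scope
                and parse_ts(g["issued_at"]) <= at < parse_ts(g["expires_at"])):
            return g
    return None


def review(grants, sessions):
    """Join sessions to grants. Three outputs:
    - uncovered: sessions with no active grant (standing privilege, or a
      credential reused after its window closed);
    - unused_grants: windows that were opened but never used, i.e. over-wide;
    - privilege_seconds: how long privilege existed per identity, the
      entitlement-duration lens rather than an account count."""
    uncovered, used = [], set()
    for s in sessions:
        g = covering_grant(grants, s["identity"], s["scope"], parse_ts(s["at"]))
        if g is not None:
            used.add(g["grant_id"])
            continue
        had_any = any(x["identity"] == s["identity"] and x["scope"] == s["scope"]
                      for x in grants)
        finding = "used after expiry" if had_any else "no JIT grant on record"
        uncovered.append({**s, "finding": finding})
    unused = [g["grant_id"] for g in grants if g["grant_id"] not in used]
    seconds = defaultdict(float)
    for g in grants:
        seconds[g["identity"]] += (parse_ts(g["expires_at"])
                                   - parse_ts(g["issued_at"])).total_seconds()
    return {"uncovered": uncovered, "unused_grants": unused,
            "privilege_seconds": dict(seconds)}


if __name__ == "__main__":
    result = review(GRANTS, SESSIONS)
    for finding in result["uncovered"]:
        print("FINDING", finding["identity"], finding["scope"], finding["at"], finding["finding"])
    print("unused grants:", result["unused_grants"])
    print("privilege seconds by identity:", result["privilege_seconds"])
```

On the constructed data the review surfaces two different failure modes the article separates: the build runner's 09:45 session is a credential still working after its window closed (the broker issued short-lived access, but the resource did not enforce expiry), while svc-reporting's 02:30 session has no grant at all, which is standing privilege hiding in a service account. The unused G3 window is the quieter finding: access was approved but never needed, so the window was wider than the task.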
Key takeaways
- Just-in-time access now applies to both human administrators and non-human identities, which makes standing privilege a broader governance problem than PAM alone can solve.
- The control is most effective when it preserves existing workflows while replacing reusable credentials with short-lived access and session evidence.
- Identity teams should measure privilege duration and entitlement persistence, because those are the conditions JIT is designed to shrink.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | JIT directly addresses standing privilege and ephemeral credential use. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions management is central to privileged access expiry and review. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous authorization rather than persistent trust in credentials. |
Map privileged access to least-privilege enforcement and verify expiry in access reviews.
Key terms
- Just-in-time access: Just-in-time access is a model where elevated privileges are granted only when a task requires them and are removed as soon as the task ends. In identity programmes, it reduces exposure by replacing persistent access with temporary, policy-driven entitlement that can be logged, audited, and revoked automatically.
- Standing privilege: Standing privilege is access that remains permanently available, even when no active task justifies it. It creates unnecessary exposure because a stolen or misused credential can be reused at any time. For NHIs, standing privilege often hides inside service accounts, pipelines, cloud consoles, and automation workflows.
- Ephemeral credential: An ephemeral credential is a short-lived secret or token issued for a limited task or session. It is designed to expire before it can be reused broadly, which reduces blast radius and simplifies offboarding. In NHI governance, ephemeral credentials are most effective when paired with workload-aware logging and strict scope limits.
- Privilege blast radius: Privilege blast radius is the amount of access, systems, and data an attacker or misconfiguration can reach once a credential is compromised. It is shaped by scope, duration, and entitlement reuse. Short-lived access narrows the radius, while standing privilege expands it across sessions and systems.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Delinea: How to satisfy the two audiences of just-in-time privileged access.
Published by the NHIMG editorial team on 2026-06-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org