By NHI Mgmt Group Editorial Team
Published 2025-09-26
Domain: Best Practices
Source: ConductorOne

TL;DR: Least privilege no longer scales across modern SaaS, IaaS, PaaS, and on-prem environments because standing permissions linger after they are needed, creating avoidable risk and business friction, according to ConductorOne. The practical shift is to zero standing privilege, where access is granted just in time, tightly approved, and fully auditable.


At a glance

What this is: This is a governance analysis arguing that least privilege has become too static for modern identity environments and that zero standing access is the more workable security model.

Why it matters: It matters because IAM, PAM, NHI, and human access programmes all have to deal with access that changes faster than provisioning and review cycles can keep up.



Context

Least privilege was designed for a simpler era, but modern identity environments now span SaaS, IaaS, PaaS, and on-prem systems at the same time. In that environment, the core problem is not an abstract ideal failing in theory. It is standing access persisting longer than business need, which creates unnecessary exposure for human users, service accounts, and other non-human identities.

The governance question is how to replace permanent entitlement thinking with access that exists only when the task requires it. That is where zero standing privilege, just-in-time provisioning, and moment-based approval become the practical controls that matter. For the broader NHI baseline, the Ultimate Guide to NHIs remains the cleanest reference point for lifecycle, visibility, and over-privilege patterns.


Key questions

Q: How should security teams replace least privilege with zero standing access?

A: Start by identifying where access persists after the task ends, then convert those paths to just-in-time grants with automatic expiry. The goal is not to make entitlements look more precise. It is to ensure no privilege remains usable without a current business reason. That approach works across humans, service accounts, and operational workflows.

Q: Why do standing permissions remain such a security problem?

A: Standing permissions create a long-lived window for misuse because access continues to exist after the original need has passed. That increases blast radius, slows offboarding, and makes recertification less meaningful. In practice, the risk is not only compromise. It is also legitimate access being reused in ways the original approval never intended.

Q: How do organisations know whether zero standing privilege is actually working?

A: Look for evidence that high-risk access is granted only for the task, expires automatically, and leaves a complete audit trail. If teams still rely on permanent admin rights, manual ticket cleanup, or broad exception lists, the programme is still operating on standing privilege, even if the policy language says otherwise.

Q: Who should own the shift from least privilege to zero standing access?

A: Ownership should sit with identity, security, and platform teams together because the change affects entitlement design, workflow approvals, and logging. IAM defines the access model, PAM governs high-risk elevation, and infrastructure teams enforce the operational boundaries. Without shared ownership, standing access tends to reappear in exception paths.


Technical breakdown

Standing permissions and the limits of least privilege

Least privilege assumes you can predict the minimum access an identity will need over time and then keep that model accurate as systems, roles, and applications change. That assumption breaks in distributed enterprises where permissions drift faster than governance can recertify them. Standing permissions become the real problem because they outlive the task, the role, and sometimes the business process that justified them. In practice, this is not just a policy failure. It is a lifecycle failure across access issuance, change, and retirement.

Practical implication: treat permanent entitlement as the exception, not the design goal, and review where access remains valid after the original task has ended.

Just-in-time access and zero standing privilege

Just-in-time access changes the control model from pre-provisioned privilege to task-scoped privilege. The identity requests access when a specific action is needed, receives it for a bounded period, and loses it when the activity completes or the window closes, whichever comes first. Zero standing privilege is stronger than traditional least privilege because it removes the assumption that access should persist between uses. For NHI programmes, this matters most for service accounts, API keys, and operational workflows, where a standing credential gives an attacker or a misconfigured job a long-lived blast radius.

Practical implication: move high-risk actions to time-bounded access paths and eliminate credentials that remain usable outside the task window.

Auditability, approvals, and the control path for sensitive actions

A working zero standing access model depends on traceability, not just restriction. Sensitive actions need context-aware approval, execution logging, and post-action review so teams can see who approved access, what was done, and when the privilege expired. This is where many programmes fail: they either approve too broadly up front or cannot reconstruct the decision later. Without that evidence trail, security teams cannot prove that access was both justified and temporary.

Practical implication: require moment-based approval and durable logs for privileged actions, then verify that access actually expires after use.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Least privilege has become a governance assumption, not a control objective. The model was designed for environments where access could be predicted and maintained with relative stability. That assumption fails in modern enterprises because identities, apps, and permissions change continuously, so the problem is no longer how to design the ideal entitlement but how to stop stale access from persisting. Practitioner conclusion: stop treating least privilege as a static end state and start treating it as a moving target.

Zero standing privilege is the more useful security boundary for today’s identity estate. Standing permissions are where risk concentrates because they remain usable after business need has expired. That is true for humans, service accounts, and operational access alike, which makes access duration more important than theoretical minimality. Practitioner conclusion: measure how long access remains valid after the task, not how elegant the entitlement model looks on paper.

Standing access creates the same failure mode across IAM, PAM, and NHI programmes. The discipline changes by actor type, but the governance pattern is the same: access is granted too early, kept too long, and reviewed too late. OWASP NHI guidance and Zero Trust architecture both point toward shorter trust windows and tighter conditional access. Practitioner conclusion: align governance around expiry, review, and revocation rather than around permanent entitlement.

Zero standing access is a lifecycle problem before it is a tooling problem. Organisations often try to solve it with better approvals or more vaulting, but the deeper issue is whether access can be issued, constrained, and removed at the speed the business actually operates. That is why lifecycle governance matters as much as enforcement. Practitioner conclusion: redesign access lifecycle controls before adding more entitlement policy layers.

Standing privilege is the real identity blast radius. The longer an identity can act without revalidation, the larger the damage window becomes when misuse or compromise occurs. That is the core reason security teams should care less about theoretical least privilege and more about how much standing access is left in the environment. Practitioner conclusion: reduce the number of identities that can keep doing work without fresh justification.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why standing access survives long after the business task is over.
  • That visibility gap is why teams should pair entitlement review with the NHI Lifecycle Management Guide and the OWASP Non-Human Identity Top 10.

What this signals

Standing privilege is the operational tax on modern identity programmes. As environments become more dynamic, any control model that depends on permanent access and delayed review will keep producing exposure. Teams should expect more pressure to shorten privilege duration, not just reduce privilege scope.

Zero standing access forces IAM, PAM, and NHI teams onto the same timetable. The control question shifts from who should have access in general to who needs access right now, for what action, and for how long. That creates better alignment between governance intent and actual runtime behaviour.

The strongest programmes will treat expiry, approval, and revocation as a single control loop rather than separate tickets. When that loop is broken, standing access becomes the default again, regardless of how strict the policy language appears on paper.


For practitioners

  • Inventory standing access paths: Map every human, service account, and operational credential that can perform privileged actions without fresh approval. Focus first on production, data, and infrastructure access where standing permissions create the largest blast radius.
  • Convert high-risk actions to just-in-time grants: Replace persistent access with task-scoped access for admin, deployment, and data-change workflows. Require automatic expiry so the permission disappears when the task is complete, not when someone remembers to remove it.
  • Bind approvals to specific actions and contexts: Use step-up approval for sensitive changes, but tie the approval to the exact system, action, and time window. Do not let a single approval become a blanket entitlement for unrelated work.
  • Verify revocation through audit evidence: Check that privileged access is actually removed after use and that logs capture the approval, execution, and expiry events. If revocation cannot be demonstrated, the access model still has standing privilege.
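The four steps above, and the control path described under "Auditability, approvals, and the control path for sensitive actions", amount to a checkable loop: an approval bound to one identity, system, action and time window; a grant; executions; a revocation. The script below is an added example, not code from ConductorOne or NHI Mgmt Group. It audits a constructed access ledger for the ways standing privilege creeps back in: execution with no approval, execution outside the approved scope, execution after the window closed, and grants never revoked. The event schema, rule names and sample events are assumptions made for illustration; a real programme would feed it the approval, grant, execution and revocation records from its IAM, PAM and CI systems.

```python
"""Audit a just-in-time access ledger for residual standing privilege.

Added example; event field names and the sample ledger are constructed, not
taken from any real product or log format.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form 2025-09-26T09:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expires_at(approval: dict) -> datetime:
    """End of the window an approval authorises: approval time plus its TTL."""
    return parse_ts(approval["ts"]) + timedelta(minutes=approval["ttl_min"])


# Constructed sample ledger. Each "approve" event is bound to one identity, one
# system, one action and a TTL; grant/execute/revoke events name the approval
# they depend on, which is what lets the audit reconstruct the decision later.
SAMPLE_EVENTS = [
    # Lifecycle 1: clean JIT path - approved, granted, used in scope, revoked.
    {"ts": "2025-09-26T09:00:00Z", "type": "approve", "id": "A1", "identity": "deploy-bot",
     "system": "prod-k8s", "action": "rollout", "ttl_min": 30, "approver": "oncall-lead"},
    {"ts": "2025-09-26T09:01:00Z", "type": "grant", "approval": "A1", "identity": "deploy-bot"},
    {"ts": "2025-09-26T09:10:00Z", "type": "execute", "approval": "A1", "identity": "deploy-bot",
     "system": "prod-k8s", "action": "rollout"},
    {"ts": "2025-09-26T09:20:00Z", "type": "revoke", "approval": "A1", "identity": "deploy-bot"},
    # Lifecycle 2: one approval stretched into a blanket entitlement.
    {"ts": "2025-09-26T10:00:00Z", "type": "approve", "id": "A2", "identity": "alice",
     "system": "prod-db", "action": "read-schema", "ttl_min": 15, "approver": "dba-lead"},
    {"ts": "2025-09-26T10:01:00Z", "type": "grant", "approval": "A2", "identity": "alice"},
    {"ts": "2025-09-26T10:05:00Z", "type": "execute", "approval": "A2", "identity": "alice",
     "system": "prod-db", "action": "drop-table"},   # action the approval never covered
    {"ts": "2025-09-26T11:30:00Z", "type": "execute", "approval": "A2", "identity": "alice",
     "system": "prod-db", "action": "read-schema"},  # right action, but the window closed at 10:15
    # No revoke event for A2: the grant is still standing.
    # Lifecycle 3: a legacy service account acting with no approval at all.
    {"ts": "2025-09-26T12:00:00Z", "type": "execute", "approval": None, "identity": "svc-legacy",
     "system": "prod-db", "action": "export"},
]


def audit(events: list, now: datetime) -> list:
    """Return sorted (rule, identity, approval_id) findings.

    Rules:
      NO_APPROVAL        execute event not tied to a known approval
      SCOPE_MISMATCH     execute on a system/action the approval did not cover
      USED_AFTER_EXPIRY  execute later than approval time + TTL
      NOT_REVOKED        grant whose window has closed but that has no revoke event by `now`
    """
    approvals = {e["id"]: e for e in events if e["type"] == "approve"}
    granted = {e["approval"] for e in events if e["type"] == "grant"}
    revoked = {e["approval"] for e in events if e["type"] == "revoke"}
    findings = set()

    for e in events:
        if e["type"] != "execute":
            continue
        approval = approvals.get(e.get("approval"))
        if approval is None:
            findings.add(("NO_APPROVAL", e["identity"], None))
            continue
        if (e["system"], e["action"]) != (approval["system"], approval["action"]):
            findings.add(("SCOPE_MISMATCH", e["identity"], approval["id"]))
        if parse_ts(e["ts"]) > expires_at(approval):
            findings.add(("USED_AFTER_EXPIRY", e["identity"], approval["id"]))

    # A grant that outlives its window without a revoke event is standing privilege,
    # whatever the policy document says.
    for approval_id in granted - revoked:
        approval = approvals.get(approval_id)
        if approval is not None and now > expires_at(approval):
            findings.add(("NOT_REVOKED", approval["identity"], approval_id))

    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


if __name__ == "__main__":
    for rule, identity, approval_id in audit(SAMPLE_EVENTS, parse_ts("2025-09-26T13:00:00Z")):
        print(f"{rule:18} identity={identity} approval={approval_id}")
```

The deploy-bot lifecycle produces no findings because every event references its approval, stays inside the approved system and action, and ends with a revocation before the TTL runs out. The alice lifecycle shows the failure the article warns about: a single approval reused for an unrelated action, reused again after the window closed, and never revoked. The svc-legacy execution with no approval is the standing path an inventory step should have surfaced. The rule keyed on the absence of a revoke event is the one that turns "access actually expires after use" from a policy statement into evidence.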

Key takeaways

  • Least privilege is no longer a reliable operating model for fast-changing identity estates because access often outlives the task that justified it.
  • Standing permissions are the real risk driver, and they create a larger blast radius than a theoretically minimal entitlement model does.
  • Zero standing access works best when just-in-time provisioning, step-up approval, and verifiable revocation operate as one lifecycle control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-207 (Zero Trust Architecture) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI5 (Overprivileged NHI), NHI7 (Long-Lived Secrets) | Standing permissions and rotation failure map to NHI lifecycle and access-duration controls.
NIST Zero Trust (SP 800-207) | Tenets of Zero Trust, Section 2.1 (per-session, dynamically evaluated access). Note: "AC-2" is the Account Management control in NIST SP 800-53, not an SP 800-207 reference. | Zero Trust requires continuous verification instead of durable trust windows.
NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements and authorisations are defined, managed, enforced and reviewed). Note: PR.AA-04 covers identity assertions, not authorisation. | Access authorisation must stay aligned to current need, not historical entitlement.

Review privileged access against current business need and revoke anything that no longer has a live purpose.


Key terms

  • Standing Permission: Access that remains active after the original task or justification has ended. In identity programmes, standing permission is the condition that turns a temporary need into an ongoing exposure window, especially when review and revocation lag behind operational change.
  • Zero Standing Privilege: An access model where privilege exists only for the duration of a specific task and is removed immediately afterward. It is a stronger operational stance than least privilege because it removes durable access instead of trying to perfect permanent entitlement design.
  • Just-in-time Access: A provisioning pattern that grants access only when it is needed and for a bounded time window. In NHI and human IAM programmes, it reduces the time credentials can be misused while preserving the ability to complete high-risk work safely.
  • Step-up Approval: An additional validation step required before a sensitive action can proceed. It is typically used to confirm intent, scope, or context at the moment of execution, making it suitable for privileged operations where blanket approval would create excessive standing access.

Deepen your knowledge

Zero standing privilege, just-in-time access, and privileged access review are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is moving from static entitlement design to task-based access control, this is a useful next step.

This post draws on content published by ConductorOne: Moving Beyond Least Privilege. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org