By NHI Mgmt Group Editorial Team | Published 2025-08-27 | Domain: Governance & Risk | Source: Zluri

TL;DR: SOC 2 access control policies still struggle with least privilege, just-in-time provisioning, access reviews, and unused access removal across complex systems, according to Zluri. The hard part is not the policy language but the governance machinery needed to keep access current as identities, roles, and systems change.


At a glance

What this is: This is a practitioner-focused overview of SOC 2 access control, with a strong emphasis on least privilege, JIT provisioning, access reviews, and remediation gaps.

Why it matters: It matters because the same access-governance weaknesses that undermine SOC 2 compliance also drive NHI sprawl, overprivilege, and weak lifecycle control across identity programmes.



Context

SOC 2 access control is the discipline of limiting who or what can reach systems and data, then proving that access is granted, monitored, and revoked correctly. For identity teams, the challenge is less about writing policy and more about keeping roles, permissions, and review cycles aligned with how access actually changes in production.

The article centres on least privilege, just-in-time provisioning, access control matrices, unused access removal, and periodic access reviews. That makes it relevant to human access governance and to non-human identities such as service accounts and API keys, where access often expands faster than review and remediation can keep up.


Key questions

Q: How should security teams implement least privilege in SOC 2 access control programmes?

A: Start with a live entitlement map that ties roles and attributes to actual business tasks, then remove broad defaults that are not strictly needed. Least privilege works only when approvals, provisioning, and revocation are aligned. If the operating model changes and the access model does not, the programme will drift into overprovisioning and weak audit evidence.

Q: When does just-in-time access create more governance value than static access grants?

A: Just-in-time access is most valuable when privileges are high-risk, infrequently used, or difficult to justify as standing access. It reduces the duration of exposure and makes review easier because the entitlement is temporary by design. The control fails when expiry, logging, or approval logic is inconsistent across systems: a grant whose expiry never fires is standing privilege with a timer attached.

Q: What do organisations get wrong about periodic access reviews?

A: They often treat the review itself as the control instead of the remediation that follows it. A certified entitlement that is never removed still represents risk. Reviews should be measured by how many unnecessary permissions are revoked, how quickly exceptions expire, and whether the evidence trail matches live access state.

Q: Who is accountable when access control failures lead to SOC 2 gaps?

A: Accountability usually sits with the system owner, identity governance team, and access approver chain, but each organisation should assign one clear owner for entitlement accuracy and one for remediation. Without named accountability, access reviews become reporting exercises rather than operational controls.


Technical breakdown

Least privilege in SOC 2 access control

Least privilege means granting only the access needed to perform a specific job, then removing everything else. In practice, that requires role design, attribute-based rules, and approval logic that can survive organisational drift. SOC 2 often treats this as a policy control, but the operational problem is entitlement creep, where access slowly exceeds business need across applications and environments. For non-human identities, the same logic applies to service accounts, API keys, and workload tokens, but the review cadence is usually weaker and the blast radius larger when those credentials are over-scoped.

Practical implication: define access at the narrowest workable scope and verify that role mappings are still valid after every material change.

Just-in-time provisioning and access review workflows

Just-in-time provisioning grants access only when a task, ticket, or workflow demands it, then removes it when the need ends. That model reduces standing privilege, but only if the approval path, logging, and revocation path are all reliable. Access reviews are the second half of the same control plane. Without complete entitlement inventories, review teams are certifying stale data. For SOC 2, the control is not just whether access was approved, but whether it remained justified for the whole time it was held and was actually removed when the justification disappeared.

Practical implication: automate time-bound access grants and tie review evidence to live entitlement data, not spreadsheets.

Unused access, blast radius, and auditability

Unused access is a governance failure because dormant permissions are still reachable permissions. If a user, service account, or integration is compromised, every unnecessary privilege expands the attack surface and weakens containment. Auditability matters because SOC 2 expects organisations to show who had access, who approved it, when it changed, and when it was removed. The article correctly connects access removal to blast radius reduction, which is the operational outcome practitioners should care about. For NHI governance, auditability is especially critical because machine identities are often created faster than they are retired.

Practical implication: treat unused access removal as a containment control and verify that audit trails support rapid revocation.



NHI Mgmt Group analysis

SOC 2 access control fails when entitlement governance is treated as a periodic review exercise rather than a living identity control. The article describes the right policy objectives, but the hard problem is that access changes continuously while review programmes usually do not. That gap matters across human access and NHI governance alike. Practitioners should treat access control as a lifecycle discipline, not a compliance checklist.

Least privilege is a useful principle, but it becomes ineffective when organisations cannot maintain an accurate access control matrix. Once role, team, project, and system mappings drift, approval logic is built on stale assumptions. The result is overprovisioning that looks compliant on paper and excessive in production. Practitioners need a current entitlement model before they can trust any SOC 2 access decision.

Standing access drift: this article exposes how persistent permissions survive long after the original business need has ended. That failure mode is familiar in NHI programmes, where service accounts and API keys often keep privileges long after the service or project changes. The implication is that access governance must be anchored to revocation, not just granting.

Auditability without timely remediation creates evidence of control, not control itself. The article highlights reviews, logs, and reports, but those only matter if they trigger removal of access that no longer has a justification. This is where many programmes overestimate their maturity. Practitioners should judge SOC 2 access control by how quickly they can shrink privilege after change, not by how much evidence they can export.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to NHI Mgmt Group research.
  • For the broader lifecycle angle, see the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, for how provisioning, rotation, and offboarding should fit together.

What this signals

Standing privilege is the governance blind spot that SOC 2 programmes keep rediscovering. Once access is granted and left in place, the control objective shifts from approval to containment. That is why lifecycle-based access governance matters more than one-time certification, especially where service accounts and integrations outlive the teams that created them.

Access review maturity should now be judged by revocation speed, not by review completion. The organisations that can identify, justify, and remove unnecessary entitlements fastest will have the strongest audit posture and the lowest residual exposure. That same discipline is becoming essential across NHI governance, where the number of identities often exceeds human accounts by an order of magnitude.

Permission drift is easiest to hide in mixed human and machine estates. As identities proliferate, teams need a single control model that covers users, service accounts, and workload credentials without assuming they age or expire at the same pace. The practical shift is toward continuous entitlement accuracy, not periodic proof gathering.


For practitioners

  • Map access to live business need: Rebuild the access control matrix from current roles, systems, and data classifications so approvals are based on today’s operating model rather than legacy job titles.
  • Convert high-risk grants to JIT workflows: Use just-in-time provisioning for privileged and sensitive access, with automatic expiry and logged revocation so permissions do not become standing privilege.
  • Remove unused access on a fixed cadence: Run scheduled reviews to identify dormant entitlements, orphaned accounts, and permissions no longer tied to active projects or customers, then revoke them promptly.
  • Tie certification to remediation: Make every access review produce a measurable remediation outcome, such as revoked access, reduced scope, or a documented exception with an owner and expiry.
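The four steps above, together with the JIT and unused-access breakdown earlier on this page, amount to one procedure: hold a current access control matrix, mint elevated access with an expiry, walk the live inventory, and end the review with a revocation list. The script below is an added example written for this post, not Zluri's or NHI Mgmt Group's own tooling. Every identifier, date, role, the 90-day dormancy threshold, and the record layout are constructed assumptions; a real run would read the inventory from the IdP, the cloud IAM APIs, and the secrets store.

```python
"""Access review helper: added example for this post, not Zluri's or NHIMG's code.

Walks the four practitioner steps over a constructed entitlement inventory:
grants are checked against a current role-to-system access control matrix,
JIT grants are minted with an approver and an expiry, dormant and orphaned
standing privilege is flagged, and the review ends with a revocation list and a
revocation rate rather than a completion checkbox. All identifiers, dates and
thresholds are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2025, 8, 27, tzinfo=timezone.utc)   # review date (constructed)
DORMANT_AFTER = timedelta(days=90)                  # assumed dormancy threshold

# Step 1: access control matrix rebuilt from current roles (constructed).
MATRIX = {
    "payments-engineer": {("payments-db", "read"), ("payments-api", "deploy")},
    "support-agent": {("crm", "read")},
    "billing-sync": {("crm", "read"), ("payments-db", "read")},   # NHI role
}
# Principals still present in HR / service inventory (constructed).
ACTIVE_PRINCIPALS = {"alice", "bob", "svc-billing-sync"}


@dataclass(frozen=True)
class Grant:
    principal: str
    kind: str                              # "human" or "nhi"
    role: str
    system: str
    permission: str
    granted_at: datetime
    expires_at: Optional[datetime] = None  # set only for JIT grants
    last_used: Optional[datetime] = None
    approver: Optional[str] = None


def jit_grant(principal: str, kind: str, role: str, system: str, permission: str,
              ttl: timedelta, approver: Optional[str], now: datetime = NOW) -> Grant:
    """Step 2: mint a time-bound grant. Refuse to mint without an approver;
    an unapproved JIT path is standing privilege with a timer attached."""
    if not approver:
        raise ValueError("JIT grant requires a recorded approver")
    if ttl <= timedelta(0):
        raise ValueError("JIT grant needs a positive TTL")
    return Grant(principal, kind, role, system, permission,
                 granted_at=now, expires_at=now + ttl, approver=approver)


@dataclass
class ReviewResult:
    revoke: list = field(default_factory=list)   # (Grant, reason) pairs
    keep: list = field(default_factory=list)

    @property
    def revocation_rate(self) -> float:
        """Step 4: judge the review by what it removes, not by completion."""
        total = len(self.revoke) + len(self.keep)
        return len(self.revoke) / total if total else 0.0


def review(grants, now: datetime = NOW, dormant_after: timedelta = DORMANT_AFTER,
           matrix=MATRIX, active=ACTIVE_PRINCIPALS) -> ReviewResult:
    """Step 3: classify every live grant as keep, or revoke with a reason."""
    result = ReviewResult()
    for g in grants:
        reason = None
        if g.principal not in active:
            reason = "orphaned principal"
        elif g.expires_at is not None:
            # JIT grant: the only question is whether expiry actually fired.
            if g.expires_at <= now:
                reason = "expired JIT grant still live"
        elif (g.system, g.permission) not in matrix.get(g.role, set()):
            reason = "not permitted by access control matrix for role"
        elif now - (g.last_used or g.granted_at) > dormant_after:
            reason = "dormant standing privilege"
        if reason:
            result.revoke.append((g, reason))
        else:
            result.keep.append(g)
    return result


def D(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed inventory: two humans, two service accounts, six live grants.
SAMPLE_GRANTS = [
    Grant("alice", "human", "payments-engineer", "payments-db", "read",
          D(2025, 1, 10), last_used=D(2025, 8, 20), approver="cto"),
    # JIT elevation that should have expired one day after it was granted
    jit_grant("alice", "human", "payments-engineer", "payments-db", "admin",
              timedelta(days=1), approver="cto", now=D(2025, 8, 1)),
    Grant("bob", "human", "support-agent", "payments-db", "read",
          D(2025, 6, 1), last_used=D(2025, 8, 25), approver="ops-lead"),
    Grant("svc-billing-sync", "nhi", "billing-sync", "payments-db", "read",
          D(2024, 11, 1), last_used=D(2025, 3, 1), approver="ops-lead"),
    Grant("svc-billing-sync", "nhi", "billing-sync", "crm", "read",
          D(2024, 11, 1), last_used=D(2025, 8, 26), approver="ops-lead"),
    Grant("svc-legacy-export", "nhi", "billing-sync", "crm", "read",
          D(2023, 2, 1), last_used=D(2025, 8, 26), approver="ops-lead"),
]

if __name__ == "__main__":
    r = review(SAMPLE_GRANTS)
    for g, why in r.revoke:
        print(f"REVOKE {g.principal:18} {g.system}:{g.permission:6} {why}")
    print(f"revocation rate: {r.revocation_rate:.0%}")
```

Run against the constructed inventory, four of six grants come back for revocation: the JIT admin grant whose expiry never fired, a support agent reading a database his role does not map to, a service account that has not touched payments-db in almost six months, and a service account that no longer exists in the inventory. The two kept grants are the ones with a current matrix entry and recent use, which is the evidence an auditor wants next to the revocation list.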

Key takeaways

  • SOC 2 access control is only as strong as the programme’s ability to keep entitlements current after business change.
  • The article’s core argument is that least privilege, JIT access, and access reviews all fail when they are not tied to live revocation and audit-ready remediation.
  • Practitioners should focus on reducing standing access, shrinking unused permissions, and proving that access changes are reflected in real time.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI; NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Cover the over-scoped, never-retired, and never-rotated machine credentials behind the privileged access, rotation, and revocation gaps discussed here.
NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements, and authorizations are defined in policy, managed, enforced, and reviewed, incorporating least privilege and separation of duties; this was PR.AC-4 in CSF 1.1) | Access permissions management directly underpins the article's SOC 2 control model.
NIST Zero Trust Architecture (SP 800-207) | Tenets on per-session, least-privilege access (SP 800-207 defines no numbered controls; AC-6 Least Privilege is the matching NIST SP 800-53 control) | Least privilege and continuous verification are central to the article's access control theme.

Review NHI entitlements for standing privilege and enforce time-bound access with automatic expiry.


Key terms

  • Least Privilege: A control principle that limits access to only what is necessary for a specific task or role. In identity programmes, it reduces the amount of standing privilege that can be misused, while creating a tighter baseline for reviews, approvals, and remediation.
  • Just-in-Time Provisioning: A provisioning model that grants access only for the period needed to complete a defined activity, then removes it automatically or through a controlled expiry process. It is most effective when approvals, logging, and revocation are reliable and consistent across systems.
  • Access Control Matrix: A structured mapping of who can access what, usually by role, department, system, or attribute. It gives identity teams a reference point for approvals and audits, but it must be maintained continuously or it becomes stale and misleading.
  • Standing Privilege: Access that remains active after the original business justification has ended. Standing privilege is a common source of audit findings and breach exposure because it keeps attack paths open even when no one is actively using the entitlement.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: SOC 2 Access Control: Challenges & Implementation. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org