TL;DR: Zero standing privileges removes persistent entitlements and shifts access to just-in-time approval, making privilege control more dynamic than vault-first PAM alone, according to CyberArk. The security value is real, but practitioners still need to decide where ZSP fits, where it does not, and how to govern exceptions without recreating standing privilege in disguise.
At a glance
What this is: This is a CyberArk blog explaining zero standing privileges as a privilege-control model that removes persistent entitlements and grants access only when requested and approved.
Why it matters: It matters to IAM and NHI practitioners because ZSP changes how elevated access is governed, especially where service accounts, workloads, and operators accumulate long-lived privilege.
👉 Read CyberArk's explanation of zero standing privileges and privilege control
Context
Zero standing privileges is a privilege model, not a product feature. The core problem is persistent access: identities hold rights long after the task that justified them has ended, which expands blast radius and weakens review discipline. For NHI governance, the same pattern shows up in service accounts, automation, and operational access that rarely gets stripped down once granted.
CyberArk frames ZSP as a way to remove standing entitlements and rely on just-in-time access with policy or automation. That matters because many enterprises have treated PAM as enough once accounts are vaulted and rotated, but entitlement risk still remains. ZSP is a useful control pattern, yet it is not universal, and the exceptions are where governance needs to be explicit.
Key questions
Q: How should security teams decide where zero standing privileges fits best?
A: Use ZSP where access is high risk, task-based, and easy to reauthorize, especially for administrative and operational paths. Do not force it everywhere. The right test is whether the business can tolerate ephemeral privilege with clear approval, expiry, and revocation. Where it cannot, document the exception and add compensating controls such as stronger monitoring or narrower scope.
Q: What is the difference between zero standing privileges and just-in-time access?
A: JIT access is a timing pattern that grants access when needed. ZSP is a stricter privilege model that removes standing entitlement entirely until access is explicitly requested and approved. In practice, JIT can still leave broader roles in place, while ZSP aims to prevent dormant privilege from existing between tasks.
Q: When does zero standing privileges create more operational friction than value?
A: It can create friction when systems need continuous access, when approvals are slow, or when exception handling is poorly designed. In those cases, teams may end up with workarounds that reintroduce standing access. ZSP is most valuable when the workflow is bounded, the scope is clear, and automation can revoke access reliably.
Q: How can organisations govern exceptions to zero standing privileges?
A: Treat every exception as a named control decision. Record who owns it, why it exists, how long it lasts, and what compensating safeguards apply. Review exceptions on a fixed cadence so they do not become permanent by habit. The goal is to make exception risk visible enough to be managed like any other entitlement.
Technical breakdown
How zero standing privileges changes privilege architecture
Zero standing privileges means an identity has no persistent entitlements until a policy, workflow, or automation grants them for a bounded task. Architecturally, that shifts control from account ownership to entitlement state. Instead of assuming a privileged account is always enabled, the system treats privilege as ephemeral and session-scoped. That is different from simply storing credentials in a vault, because vaulting protects the secret while leaving the privilege model intact. ZSP is strongest when access requests can be evaluated in real time, with approvals, duration limits, and clear revocation. It becomes harder where workflows are long-lived, entitlements are inherited indirectly, or the environment cannot tolerate frequent reauthorization.
Practical implication: Practitioners should map which privileged paths can be made ephemeral without breaking operations, then enforce bounded sessions and explicit approval for those paths.
Zero standing privileges versus just-in-time access
JIT access grants privilege at the moment it is needed, but implementations vary widely in how they authenticate the requester, scope the entitlement, and expire access. ZSP is the stricter model because it aims for no persistent entitlement at all, not merely faster activation of an existing privileged path. In practice, JIT can still leave standing access behind if roles remain broad, if approvals are loosely applied, or if session duration is excessive. That is why the distinction matters for NHI governance. For human administrators and machine operators alike, the question is not whether access is temporary in theory, but whether any durable privilege survives between tasks.
Practical implication: Security teams should test whether their JIT process truly removes standing access or only masks it with shorter activation windows.
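The entitlement-state shift described in the two sections above, shown as an added, constructed Python example (not CyberArk's code or API): a broker that can only mint bounded, second-person-approved grants and retires them automatically, alongside the review check a team would run to see whether a "JIT" process really removes standing access or merely toggles activation on a role that never expires. Identities, scope labels, timestamps and the one-hour policy cap are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Added, constructed example (not CyberArk code). Models a standing entitlement (no
# expiry), a "JIT" activation that leaves the standing role in place, and a ZSP grant
# that exists only as a bounded, second-person-approved session. Names are assumed.

MAX_SESSION = timedelta(hours=1)      # assumed policy: no grant may outlive one hour


@dataclass
class Entitlement:
    identity: str
    scope: str                        # constructed scope label, e.g. "prod-db:admin"
    expires_at: Optional[datetime]    # None means the right never ends: it is standing
    approved_by: Optional[str] = None
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        return not self.revoked and (self.expires_at is None or now < self.expires_at)


class ZspBroker:
    """Identities hold nothing at rest; privilege exists only as bounded grants."""

    def __init__(self) -> None:
        self.grants: List[Entitlement] = []
        self.audit_log: List[str] = []

    def request(self, identity, scope, approver, ttl: timedelta, now: datetime) -> Entitlement:
        # No code path creates an unexpiring right: every grant needs an approver
        # other than the requester and a duration inside policy.
        if approver == identity:
            raise PermissionError("self-approval is not allowed")
        if ttl <= timedelta(0) or ttl > MAX_SESSION:
            raise ValueError(f"ttl {ttl} outside policy bounds (0, {MAX_SESSION}]")
        grant = Entitlement(identity, scope, now + ttl, approved_by=approver)
        self.grants.append(grant)
        self.audit_log.append(f"{now.isoformat()} GRANT {identity} {scope} "
                              f"approver={approver} expires={grant.expires_at.isoformat()}")
        return grant

    def sweep(self, now: datetime) -> int:
        """Automated revocation: retire every grant whose expiry has passed."""
        retired = 0
        for g in self.grants:
            if not g.revoked and g.expires_at <= now:
                g.revoked = True
                retired += 1
                self.audit_log.append(f"{now.isoformat()} EXPIRE {g.identity} {g.scope}")
        return retired

    def entitlements(self, identity: str, now: datetime) -> List[str]:
        """What the identity can do at this instant: unrevoked, unexpired grants only."""
        return sorted(g.scope for g in self.grants if g.identity == identity and g.active(now))


def find_standing_access(estate: List[Entitlement], now: datetime) -> List[Tuple[str, str, str]]:
    """Review check: a right with no expiry (a JIT toggle on a standing role) or one
    whose expiry passed without being retired (revocation failed) is standing access."""
    findings = []
    for e in estate:
        if e.revoked:
            continue
        if e.expires_at is None:
            findings.append((e.identity, e.scope, "no expiry: standing entitlement"))
        elif e.expires_at <= now:
            findings.append((e.identity, e.scope, "expired but still bound: revocation failed"))
    return findings


def demo() -> dict:
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    broker = ZspBroker()
    # Deploy operator gets prod-db admin for 30 minutes, approved by the on-call lead.
    broker.request("svc-deploy", "prod-db:admin", "oncall-lead", timedelta(minutes=30), t0)
    during = broker.entitlements("svc-deploy", t0 + timedelta(minutes=10))
    after = broker.entitlements("svc-deploy", t0 + timedelta(minutes=31))
    rejected = []   # requests the policy must refuse: self-approval, over-long session
    for approver, ttl in (("svc-deploy", timedelta(minutes=5)), ("oncall-lead", timedelta(hours=8))):
        try:
            broker.request("svc-deploy", "prod-db:admin", approver, ttl, t0)
        except (PermissionError, ValueError) as exc:
            rejected.append(type(exc).__name__)
    swept = broker.sweep(t0 + timedelta(minutes=31))
    # Contrast with an estate where a "JIT" role binding never expires and an old
    # grant was never cleaned up (both constructed).
    legacy = [Entitlement("svc-batch", "prod-db:admin", expires_at=None),
              Entitlement("svc-old", "kms:decrypt", expires_at=t0 - timedelta(days=3))]
    findings = find_standing_access(legacy + broker.grants, t0 + timedelta(minutes=31))
    return {"during": during, "after": after, "rejected": rejected,
            "swept": swept, "findings": findings, "log_entries": len(broker.audit_log)}
```

Running `demo()` shows the grant present at minute 10 and absent at minute 31 without any manual step, the two policy violations refused, and the review check reporting only the legacy estate's two entries: the broker's own expired grant was retired by `sweep()` and therefore is not standing access. Feeding a real export of role bindings into `find_standing_access()` is the test the section recommends: any binding it reports is durable privilege that a shorter activation window was merely hiding.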
Where ZSP breaks down in real environments
ZSP is not a blanket answer because some identities are created for fixed administrative or platform functions, and some SaaS or tenant-level workflows need continuity that does not fit clean request-and-expire patterns. The control also depends on reliable policy enforcement, clean identity lifecycle handling, and change management that can tolerate frequent authorization events. If those foundations are weak, ZSP can produce exceptions that become the real control path. For NHI programs, this is the key point: the harder problem is not turning privilege off, but deciding which operational exceptions are acceptable and who owns them.
Practical implication: Teams should catalog exceptions up front, assign owners, and review whether each exception has a documented expiry or compensating control.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
ZSP is best understood as a privilege-state model, not a broad governance strategy. It narrows the window in which any identity can act, but it does not solve entitlement design, identity lifecycle governance, or exception handling by itself. The strongest programs treat ZSP as one control in a larger NHI operating model, not as the destination. Practitioners should use it to reduce standing access where the business can support bounded authorization.
Persistent entitlement is the real control failure in many NHI estates. The issue is often not that credentials exist, but that privilege survives long after the original use case has changed. That creates audit noise, hidden blast radius, and reliance on memory instead of policy. A useful ZSP program forces teams to confront where access should be created on demand and where it should never have been persistent in the first place.
Just-in-time controls become meaningful only when approval, scope, and expiry are all explicit. A temporary session with broad inherited rights is still overexposure, just delayed exposure. ZSP raises the governance bar because it makes those choices visible. The practical conclusion is simple: if a privilege cannot be justified, bounded, and revoked cleanly, it should not be standing.
Exception management is the real maturity test for ZSP. Every enterprise will have identities that do not fit a pure ephemeral model, especially in SaaS administration and platform operations. Mature programs document those exceptions, assign accountability, and review them as part of access governance rather than treating them as technical edge cases. Practitioners should measure ZSP adoption by the quality of its exceptions, not by the size of its promise.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
- For a broader control baseline, review OWASP NHI Top 10 and map where standing access creates avoidable agent risk.
What this signals
Ephemeral privilege is becoming a governance requirement, not an optimisation. As more automation and agentic systems take on operational work, standing access becomes harder to defend. The practical shift for security teams is to treat privilege duration as a first-class control variable, alongside scope and approval.
With 19% of organisations giving AI systems dramatically more access than human employees, per the 2026 Infrastructure Identity Survey, entitlement discipline is already lagging adoption. That gap means many programs are scaling autonomy faster than they are shrinking privilege. Teams should expect more audit pressure on why machine access is broader than human access for equivalent tasks.
Standing access is becoming the identity blast radius problem. The next phase of NHI governance is not simply rotating secrets faster. It is proving that every privileged path can be created, bounded, and removed without leaving durable rights behind.
For practitioners
- Implement bounded approval workflows for privileged access: Require task-scoped approval, time limits, and automatic revocation for any access that would otherwise remain enabled after the job is done.
- Inventory identities with standing entitlement: Identify service accounts, admin roles, and operational accounts that keep rights between uses, then rank them by blast radius and business criticality.
- Document every ZSP exception: Create a control register for identities that cannot use ephemeral access, including the owner, expiry condition, and compensating safeguard.
- Reconcile ZSP with PAM and IAM reviews: Use regular access reviews to check whether vaulting, rotation, and role design are still leaving durable privilege in place despite temporary activation.
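The exception register called for above, and the fixed-cadence review of it described in the Key questions and "Where ZSP breaks down" sections, as an added, constructed Python example (not CyberArk's or NHIMG's tooling): each entry must name an owner, a compensating control and an expiry, must have been reviewed recently, and must not have been renewed so often that it has become permanent by habit. The 90-day cadence, the renewal limit and every register entry are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Added, constructed example (not CyberArk's or NHIMG's tooling). It runs the
# fixed-cadence review over a ZSP exception register: each entry must carry an owner,
# a compensating control and an expiry, and must not be renewed indefinitely. The
# 90-day cadence, the renewal limit and all register entries are assumptions.

REVIEW_CADENCE = timedelta(days=90)   # assumed: every exception is re-examined quarterly
MAX_RENEWALS = 3                      # assumed: beyond this it is permanent by habit


@dataclass
class ZspException:
    identity: str
    scope: str
    owner: Optional[str]                  # who is accountable for this standing right
    reason: str                           # why ephemeral access does not fit
    compensating_control: Optional[str]   # e.g. "session recording + alert on use"
    expires_on: Optional[date]            # None: nobody decided when this ends
    last_reviewed: date
    renewals: int = 0


def review_exceptions(register: List[ZspException], today: date) -> List[Tuple[str, str, str]]:
    """Return (identity, scope, finding) for each way an exception escapes governance."""
    findings = []
    for x in register:
        key = (x.identity, x.scope)
        if not x.owner:
            findings.append((*key, "no accountable owner"))
        if not x.compensating_control:
            findings.append((*key, "no compensating control"))
        if x.expires_on is None:
            findings.append((*key, "no expiry: standing privilege in disguise"))
        elif x.expires_on < today:
            findings.append((*key, "expired: remove the right or re-approve it explicitly"))
        if today - x.last_reviewed > REVIEW_CADENCE:
            findings.append((*key, "review overdue"))
        if x.renewals >= MAX_RENEWALS:
            findings.append((*key, f"renewed {x.renewals} times: redesign the workflow"))
    return findings


def demo() -> List[Tuple[str, str, str]]:
    today = date(2025, 3, 1)   # constructed review date
    register = [
        # Well-governed: owner, control, expiry and a recent review.
        ZspException("saas-tenant-admin", "m365:global-admin", "it-platform-lead",
                     "break-glass tenant recovery", "hardware key + alert on every sign-in",
                     date(2025, 6, 30), date(2025, 1, 15), renewals=1),
        # Nobody owns it, nothing compensates, and it never ends.
        ZspException("svc-legacy-etl", "warehouse:owner", None,
                     "nightly job cannot request access", None, None, date(2025, 2, 1)),
        # Expired, not reviewed for months, and renewed four times already.
        ZspException("ops-bot", "k8s:cluster-admin", "sre-lead",
                     "continuous reconciliation", "audit log streamed to SIEM",
                     date(2025, 2, 1), date(2024, 10, 1), renewals=4),
    ]
    return review_exceptions(register, today)
```

The well-governed entry produces no findings; the other two produce three each. The renewal counter is the check that matters most in practice: an exception that keeps being extended is a standing entitlement that nobody has been willing to name as one, and the right response is to redesign the workflow or approve it permanently as a deliberate decision, not to renew it a fifth time.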
Key takeaways
- Zero standing privileges reduces dormant access, but it does not replace broader identity governance.
- The main risk it addresses is persistent entitlement, which increases blast radius and weakens control reviews.
- Practitioners should adopt ZSP selectively, with explicit exception handling and bounded approval workflows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Standing privilege and over-privilege are direct NHI control risks here. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access control is central to ZSP governance. |
| NIST Zero Trust (SP 800-207) | AC-4 | ZSP aligns with continuous verification and dynamic access decisions. |
Review NHI-03 entitlements and remove any privilege that does not require continuous use.
Key terms
- Zero Standing Privileges: Zero standing privileges is a privilege model in which identities hold no persistent access until a policy, approval, or automation grants it for a specific task. The control reduces dormant access and narrows exposure, but it still depends on clean identity lifecycle management and reliable revocation.
- Just-in-Time Access: Just-in-time access is a temporary authorization pattern that enables access only when it is needed and removes it after use. It is often paired with approvals or automation, but it can still leave broad roles in place if entitlement design is weak.
- Standing Entitlement: A standing entitlement is any persistent right that remains attached to an identity between uses. In NHI environments, standing entitlements create hidden blast radius because the identity can act later without a fresh access decision, even when the original need has passed.
- Privilege Scope: Privilege scope is the boundary of what an identity is allowed to do, where it can do it, and for how long. Narrow scope is a core governance goal because it limits the damage from misuse, misconfiguration, or credential compromise.
Deepen your knowledge
Zero standing privileges, just-in-time access, and entitlement scoping are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a privilege-control model from a similar starting point, it is worth exploring.
This post draws on content published by CyberArk: Zero Standing Privileges: The Essentials. Read the original.
Published by the NHIMG editorial team on 2024-08-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org