Dynamic access and least privilege: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Static department-based access works on day one, but it quickly creates over-provisioning as roles shift through on-call rotations, projects, training, and temporary duties, according to ConductorOne. Dynamic, context-aware access models tie entitlements to current signals so least privilege can be enforced continuously instead of only at onboarding or review time.

NHIMG editorial — based on content published by ConductorOne: How Dynamic Access Enables Least Privilege

Questions worth separating out

Q: How should security teams implement dynamic access for human users?

A: Security teams should start with the access conditions that change most often, such as on-call status, training completion, and temporary project membership.

Q: Why do static roles create least privilege problems in modern IAM programmes?

A: Static roles create least privilege problems because they assume access needs stay stable after onboarding.

Q: What should teams measure to know whether dynamic access is working?

A: Teams should measure how quickly access disappears after the condition that justified it ends.

Practitioner guidance

  • Map temporary access triggers: identify roles where access depends on on-call duty, training completion, project membership, or other time-bound context.
  • Pair every elevated entitlement with revocation logic: define the business event that should end access, then automate removal when that event is detected.
  • Separate static roles from contextual conditions: keep base job access in the role model, but move temporary exceptions into policy layers that can evaluate live signals.

What's in the full article

ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:

  • The policy logic behind context-aware access decisions, including how multiple signals are combined before access is granted.
  • The Zscaler example with operational specifics on how role, training, and on-call status were used in practice.
  • The workflow implications for reducing ticket queues while keeping revocation tied to real business conditions.
  • The way dynamic access changes audit preparation when access can expire automatically instead of waiting for review cycles.

👉 Read ConductorOne's analysis of dynamic access and least privilege →
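The three guidance points above, together with the "how quickly does access disappear" metric from the Q&A, as an added example that is not part of the NHIMG post or of ConductorOne's product. It keeps base job access in a static role table, moves the elevated entitlements into a separate policy layer where each one is paired with the predicate that both grants and revokes it, and adds a hard TTL ceiling so a stuck signal cannot keep access alive. Every role, entitlement, signal and timestamp is constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

# Base job access: static entitlements that come from the role model (constructed roles).
BASE_ROLES = {
    "sre": {"read:prod-logs", "read:dashboards"},
    "developer": {"read:staging", "write:staging"},
}


@dataclass
class Signals:
    """Live context attached to an identity at evaluation time (constructed signal names)."""
    on_call: bool = False
    training_complete: set = field(default_factory=set)
    projects: set = field(default_factory=set)


@dataclass(frozen=True)
class ContextualGrant:
    entitlement: str
    condition: Callable[[Signals], bool]  # the same predicate grants and, once false, revokes
    max_ttl: timedelta                    # hard ceiling so a stuck signal cannot keep access alive


# Policy layer kept separate from the role model: each elevated entitlement is paired
# with the business condition that justifies it and therefore ends it.
CONTEXTUAL_POLICY = [
    ContextualGrant(
        "admin:prod",
        lambda s: s.on_call and "prod-change-mgmt" in s.training_complete,
        timedelta(hours=12),
    ),
    ContextualGrant(
        "write:migration-db",
        lambda s: "db-migration" in s.projects,
        timedelta(days=14),
    ),
]


def contextual_entitlements(signals, now, granted_at):
    """Entitlements whose condition holds now and whose TTL ceiling has not been reached."""
    active = set()
    for g in CONTEXTUAL_POLICY:
        if not g.condition(signals):
            continue
        started = granted_at.get(g.entitlement)
        if started is not None and now - started > g.max_ttl:
            continue  # ceiling hit: drop it and force a fresh decision rather than keep it silently
        active.add(g.entitlement)
    return active


def reconcile(role, signals, held, now, granted_at):
    """Diff what the identity holds against what base role plus live context justify."""
    should = BASE_ROLES.get(role, set()) | contextual_entitlements(signals, now, granted_at)
    return {"grant": sorted(should - held), "revoke": sorted(held - should)}


def revocation_lag(condition_ended, access_removed):
    """Seconds between the justifying condition ending and the access actually disappearing."""
    return (access_removed - condition_ended).total_seconds()


def demo():
    """Walk one SRE identity through an on-call shift and return each decision."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed reference time
    held = set(BASE_ROLES["sre"])
    # On call but training not complete: both signals are required, so nothing is elevated.
    untrained = reconcile("sre", Signals(on_call=True), held, now, {})
    # On call and trained: admin:prod is granted.
    sig = Signals(on_call=True, training_complete={"prod-change-mgmt"})
    step1 = reconcile("sre", sig, held, now, {})
    held |= set(step1["grant"])
    granted_at = {e: now for e in step1["grant"]}
    # Shift ends: the predicate that granted admin:prod now returns False and revokes it.
    sig.on_call = False
    step2 = reconcile("sre", sig, held, now + timedelta(hours=8), granted_at)
    # Stuck signal: on_call never flipped, but the 12 h ceiling revokes anyway after 13 h.
    stuck = Signals(on_call=True, training_complete={"prod-change-mgmt"})
    step3 = reconcile("sre", stuck, held, now + timedelta(hours=13), granted_at)
    lag = revocation_lag(now + timedelta(hours=8), now + timedelta(hours=8, minutes=5))
    return {
        "untrained_grant": untrained["grant"],
        "granted": step1["grant"],
        "revoked_on_signal": step2["revoke"],
        "revoked_on_ttl": step3["revoke"],
        "lag_seconds": lag,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `reconcile` on a schedule (or on every signal change) is what turns the policy into continuous enforcement: the `revoke` list is the automated removal the second guidance point asks for, and `revocation_lag` measured between the signal flipping and the removal landing is the number to track over time.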

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Static access models create privilege drift because they were designed for stable roles, not changing work states. Department-based provisioning assumes access needs can be inferred once and left untouched. That assumption fails when on-call rotations, training requirements, and project assignments alter need-to-know throughout the day. The implication is that entitlement design must be evaluated as a lifecycle problem, not a one-time joiner event.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • Another finding from the same research shows that 97% of NHIs carry excessive privileges, which is why access scope and lifecycle control matter so much.

A question worth separating out:

Q: When should organisations prefer contextual access over static provisioning?

A: Organisations should prefer contextual access when entitlement depends on live business state rather than a stable job function. That includes on-call coverage, temporary escalations, compliance training gates, and short-lived project work. Static provisioning is still useful for baseline access, but it should not be the only mechanism controlling temporary privilege.

👉 Read our full editorial: Dynamic access and least privilege: why static IAM models fail
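The privilege drift this reply describes can be measured rather than just asserted. As an added example (not code from the NHIMG post or from the research it cites), the script below joins an entitlement inventory against a role model and the set of business conditions that are currently true, flags every grant whose justification has lapsed or never existed, and summarises how widespread and how old the drift is for human and service accounts separately. All identities, entitlements, conditions and dates are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    identity: str
    kind: str          # "human" or "service" (a non-human identity)
    entitlement: str
    reason: str        # "role" for base access, otherwise the condition that justified it
    granted_at: datetime


# Role model: the only thing a "role" reason can justify (constructed identities).
ROLE_ACCESS = {
    "alice": {"read:prod-logs"},
    "bob": {"read:staging"},
    "ci-deployer": {"write:artifacts"},
    "backup-agent": {"read:snapshots"},
}

# Conditions true right now per identity; in practice fed by the on-call tool,
# the LMS and the project system (constructed).
ACTIVE_CONDITIONS = {
    "alice": {"on-call"},
    "bob": set(),
    "ci-deployer": set(),
    "backup-agent": set(),
}

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed reference time


def _ago(days):
    return NOW - timedelta(days=days)


# Constructed entitlement inventory, shaped like an IAM export after a year of drift.
INVENTORY = [
    Grant("alice", "human", "read:prod-logs", "role", _ago(300)),
    Grant("alice", "human", "admin:prod", "on-call", _ago(0)),
    Grant("alice", "human", "write:migration-db", "project:db-migration", _ago(40)),
    Grant("bob", "human", "read:staging", "role", _ago(120)),
    Grant("bob", "human", "admin:prod", "on-call", _ago(3)),
    Grant("ci-deployer", "service", "write:artifacts", "role", _ago(400)),
    Grant("ci-deployer", "service", "admin:prod", "role", _ago(200)),
    Grant("backup-agent", "service", "read:snapshots", "role", _ago(90)),
]


def is_justified(grant):
    """A grant is justified if its role still covers it or its condition is still true."""
    if grant.reason == "role":
        return grant.entitlement in ROLE_ACCESS.get(grant.identity, set())
    return grant.reason in ACTIVE_CONDITIONS.get(grant.identity, set())


def drift_report(grants, now):
    """List unjustified grants and summarise, per identity kind, how widespread and how old drift is."""
    drifted = [g for g in grants if not is_justified(g)]
    stats = defaultdict(lambda: {"identities": set(), "drifted": set(), "oldest_days": 0})
    for g in grants:
        stats[g.kind]["identities"].add(g.identity)
    for g in drifted:
        s = stats[g.kind]
        s["drifted"].add(g.identity)
        s["oldest_days"] = max(s["oldest_days"], (now - g.granted_at).days)
    return {
        "drifted_grants": sorted((g.identity, g.entitlement, g.reason) for g in drifted),
        "excess_ratio": {k: len(s["drifted"]) / len(s["identities"]) for k, s in stats.items()},
        "oldest_drift_days": {k: s["oldest_days"] for k, s in stats.items()},
    }


if __name__ == "__main__":
    report = drift_report(INVENTORY, NOW)
    for row in report["drifted_grants"]:
        print("DRIFT", *row)
    print("excess ratio by kind:", report["excess_ratio"])
    print("oldest drift (days):", report["oldest_drift_days"])
```

The three drifted rows show the three ways drift appears: a project grant that outlived the project, an on-call grant left behind after the rotation moved on, and a service account holding an entitlement its role never included. The per-kind ratio is the same shape of number as the "97% of NHIs carry excessive privileges" finding, computed from your own inventory.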



   