Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

JIT access in password managers: are your controls actually governing access?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Most enterprise password managers still solve storage better than access governance, but Securden argues the real gap is deciding, in the moment, who should get a specific credential, for what reason, and for how long. Standing access accumulates into privilege creep, and access that is not time-bound becomes hard to justify, review, or revoke.

NHIMG editorial — based on content published by Securden: Just-In-Time access and approval workflows in Securden Password Vault for Enterprises

Questions worth separating out

Q: How should security teams govern shared credentials in enterprise password managers?

A: Treat shared credentials as governed entitlements, not static vault contents.

Q: Why do standing credentials increase IAM risk even when they are encrypted?

A: Encryption protects the secret in storage, but it does not limit who can obtain it or how long they can keep using it.

Q: What do organisations get wrong about Just-in-Time access?

A: Many teams treat JIT as a convenience feature instead of a governance control.

Practitioner guidance

  • Map shared credentials to explicit owners and expiry conditions Assign a business owner, a technical owner, and a predefined end date or revocation trigger to every shared credential so access does not survive the original request.
  • Require approval before credential release Use a request-based workflow for sensitive accounts so users must state why they need access and approvers can decide whether the request matches the risk.
  • Differentiate approval depth by credential risk Apply stronger approval chains to administrative or high-impact accounts and lighter paths only where the business risk is demonstrably lower.

What's in the full article

Securden's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step approval workflow configuration for shared credentials and privileged accounts
  • Per-account approval depth options, including multi-level approval paths for higher-risk access
  • Automatic password randomisation at access expiry and session-level controls for active use
  • Accountability logging for request, approval, window changes, session activity, and expiry events

👉 Read Securden's article on JIT approval workflows for enterprise password governance →

JIT access in password managers: are your controls actually governing access?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Approval-driven access is now the real governance boundary, not secret storage. Encrypting a password and logging access are necessary controls, but they do not answer the harder question of whether the right person should receive that credential at that moment. This is why password vaults that stop at storage leave IAM teams with a false sense of control. The practical conclusion is that credential governance must be evaluated by authorisation, duration, and revocation, not by vault hygiene alone.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which keeps the access problem tied to everyday behaviour rather than rare exceptions.

A question worth separating out:

Q: Who should be accountable for revoking shared credential access?

A: Accountability should sit with the business owner who requested or approved the access, supported by technical enforcement that expires it automatically. If revocation depends on memory or manual cleanup, access will outlive the project and the governance model will fail.

👉 Read our full editorial: JIT approval workflows are redefining enterprise password governance



   
ReplyQuote
Share: