TL;DR: Static permissions and standing privileges leave non-human identities overexposed, while just-in-time access narrows privilege to the task window and improves auditability, according to Entro Security. For identity teams, the real shift is not speed of issuance but whether governance can keep pace with ephemeral access, RBAC, ABAC, and monitored revocation.
NHIMG editorial — based on content published by Entro Security: The role of Just In Time (JIT) Access in Non-human identity access management
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should security teams implement just-in-time access for non-human identities?
A: Start with accurate discovery of service accounts, API keys, tokens, and certificates, then classify which identities truly need elevated access.
Q: Why do standing privileges make machine identities harder to secure?
A: Standing privileges extend the period in which a compromised secret can be abused, which enlarges the blast radius of a single exposure.
Q: What breaks when JIT access is implemented without secrets visibility?
A: JIT breaks down when teams cannot see every active secret and service account, because they cannot verify whether temporary access was actually temporary.
Practitioner guidance
- Inventory all standing NHI privileges: Map service accounts, API keys, tokens, and certificates that retain access beyond a single task or pipeline run.
- Define JIT policy by workload context: Use RBAC and ABAC together so access is granted only when the workload, environment, and task context match approved conditions.
- Automate secret issuance and revocation: Tie JIT requests to secrets discovery, identity providers, ITSM, and CI/CD so the system can issue temporary credentials and remove them without manual follow-up.
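As an added illustration of the three guidance points above (example code written for this post, not Entro Security's), a small Python policy evaluator that layers RBAC over ABAC request context, caps every lease lifetime, and audits whether a temporary lease actually ended with the task that justified it. The role names, attributes, identities and TTLs are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# RBAC layer: the actions each workload role may ever request (constructed roles).
ROLE_ACTIONS = {"ci-deployer": {"deploy", "read-config"}, "report-job": {"read-db"}}
# ABAC layer: request-context attributes that must match for each action.
ACTION_CONDITIONS = {
    "deploy": {"env": {"staging", "prod"}, "trigger": {"pipeline"}},
    "read-config": {"env": {"dev", "staging", "prod"}, "trigger": {"pipeline"}},
    "read-db": {"env": {"prod"}, "trigger": {"scheduler"}},
}
MAX_TTL = timedelta(minutes=15)  # hard cap so no lease can turn into standing access

@dataclass
class Lease:
    identity: str
    action: str
    token: str
    issued: datetime
    expires: datetime
    revoked: "datetime | None" = None

def evaluate(role, action, ctx) -> bool:
    """Grant only if RBAC permits the action and every ABAC condition matches."""
    if action not in ROLE_ACTIONS.get(role, set()):
        return False
    return all(ctx.get(k) in ok for k, ok in ACTION_CONDITIONS[action].items())
def issue(identity, role, action, ctx, now, ttl=timedelta(minutes=10)):
    """Mint a short-lived credential for one task, or refuse the request."""
    if not evaluate(role, action, ctx):
        return None
    return Lease(identity, action, secrets.token_urlsafe(16), now, now + min(ttl, MAX_TTL))
def audit_outlived(leases, task_end) -> list:
    """Leases still usable after the task that justified them had already finished."""
    usable_until = lambda l: min(l.expires, l.revoked or l.expires)
    return [l for l in leases if l.identity in task_end and usable_until(l) > task_end[l.identity]]

def demo() -> dict:
    """Constructed scenario: a compliant grant, a refused request, and a lease that is
    never revoked and so outlives the scheduled job it was issued for."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ctx = {"env": "prod", "trigger": "pipeline"}
    good = issue("svc-deploy", "ci-deployer", "deploy", ctx, t0)
    refused = issue("svc-deploy", "ci-deployer", "deploy", {**ctx, "trigger": "manual"}, t0)
    stale = issue("svc-report", "report-job", "read-db", {"env": "prod", "trigger": "scheduler"}, t0, ttl=timedelta(hours=8))
    good.revoked = t0 + timedelta(minutes=2)  # pipeline finished; credential revoked with it
    outlived = audit_outlived([good, stale], {"svc-deploy": good.revoked, "svc-report": t0 + timedelta(minutes=7)})
    return {"granted": good is not None, "refused": refused is None,
            "capped_minutes": (stale.expires - stale.issued) // timedelta(minutes=1),
            "outlived": [l.identity for l in outlived]}
```

The `audit_outlived` report is the piece that answers "was temporary access actually temporary": a lease that was neither revoked nor expired when its task ended is the standing privilege the guidance above tells you to hunt for.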
What's in the full article
Entro Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of JIT access for human and machine identities across cloud and automation workflows
- The article’s own breakdown of ephemeral access, justification-based access control, and temporary access elevation
- Implementation guidance for tying JIT to RBAC, ABAC, ITSM, CI/CD, and secrets management workflows
- Practical monitoring and auditing advice for privileged activity inside a JIT model
👉 Read Entro Security's analysis of just-in-time access for non-human identities →
Just-in-time access for NHIs: are static privileges still defensible?
Standing privilege is the control failure JIT is designed to expose. The article is right to frame unused permissions as a security loophole, because the real issue is not access volume alone but persistence beyond need. In NHI programmes, persistent credentials are what turn a single compromise into an extended exposure window. The implication is that identity teams should stop treating static entitlements as the normal state for machine access.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, which is why temporary access controls fail when lifecycle governance is weak.
A question worth separating out:
Q: Who is accountable when a temporary NHI credential is overused or not revoked?
A: Accountability should sit with the owning platform or application team, but governance should be shared across IAM, PAM, and security operations. If the credential outlives the task, the failure is usually in ownership, policy enforcement, or revocation automation rather than in the request itself.