TL;DR: Standing privileged access and manual approval workflows no longer match the pace of cloud and SaaS administration, so just-in-time privileged access is increasingly used to reduce lingering rights, improve auditability, and limit exposure, according to SecurEnds. The deeper issue is that static PAM assumes privileged access will remain in place long enough to be governed, which modern access patterns no longer guarantee.
NHIMG editorial — based on content published by SecurEnds: just-in-time privileged access and the limits of traditional PAM
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams implement just-in-time privileged access in cloud and SaaS environments?
A: Start with the privileged roles that create the largest blast radius, then require every request to expire automatically after the task is complete.
Q: Why do standing admin rights create so much risk in modern IT?
A: Standing admin rights increase risk because the privilege often outlives the business need.
Q: What breaks when just-in-time access is added on top of old PAM workflows?
A: JIT fails when the surrounding governance still depends on slow approvals, disconnected logs, and separate revocation steps.
Practitioner guidance
- Inventory standing privilege across all admin surfaces: map privileged roles in cloud consoles, SaaS admin panels, directory groups, and legacy PAM vaults so you can see where access persists after work ends.
- Set expiry as a mandatory control attribute: require every privileged request to include a time limit, an approval path, and an automatic revocation event so no elevation survives the task window.
- Connect JIT requests to access review evidence: make each elevation request generate a durable record that can be reused in recertification, audit, and offboarding workflows without manual reconstruction.
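To make the three guidance points concrete, here is an added example (not SecurEnds' or NHIMG's code, and not a real product API) of a minimal JIT elevation broker: it refuses requests without a bounded time limit or a distinct approver, revokes automatically at expiry, and keeps an event trail that answers who approved, who used, and who removed the access. The class and method names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Elevation:
    requester: str
    role: str
    approver: str
    granted_at: float
    ttl_seconds: int
    events: list = field(default_factory=list)  # durable audit trail


class JitBroker:
    MAX_TTL = 4 * 3600  # assumed ceiling: no elevation outlives a shift

    def __init__(self):
        self.active = {}   # (requester, role) -> Elevation
        self.history = []  # closed elevations, kept for recertification

    def request(self, requester, role, approver, ttl_seconds, now):
        # Expiry and an approval path are mandatory attributes, not extras.
        if not 0 < ttl_seconds <= self.MAX_TTL:
            raise ValueError("ttl must be between 1 and MAX_TTL seconds")
        if approver == requester:
            raise ValueError("self-approval is not an approval path")
        e = Elevation(requester, role, approver, now, ttl_seconds)
        e.events.append(("approved", now, approver))
        self.active[(requester, role)] = e
        return e

    def sweep(self, now):
        # Automatic revocation event: anything past expiry is closed.
        for key, e in list(self.active.items()):
            expires_at = e.granted_at + e.ttl_seconds
            if now >= expires_at:
                e.events.append(("revoked", expires_at, "auto-expiry"))
                self.history.append(self.active.pop(key))

    def check(self, requester, role, now):
        self.sweep(now)  # enforce expiry before answering
        e = self.active.get((requester, role))
        if e is not None:
            e.events.append(("used", now, requester))  # record who used it
        return e is not None

    @staticmethod
    def audit(e):
        # Evidence for recertification: who approved, used, and removed it.
        return {kind: actor for kind, _, actor in e.events}
```

In a real deployment the event trail would be written to an append-only store shared with the access review tooling, rather than held in memory.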
What's in the full article
SecurEnds' full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of how JIT requests are approved and expired in day-to-day admin workflows
- Comparative scenarios showing when traditional PAM still fits and when it leaves standing privilege behind
- Practical rollout steps for moving from vault-and-ticket controls to policy-driven elevation
- The platform workflow examples used by the vendor to show how access requests are routed and logged
👉 Read SecurEnds' analysis of just-in-time privileged access and standing rights →
Just-in-time privileged access: is your PAM model keeping up?
Explore further
Standing privilege is the control assumption that modern access patterns break first. Traditional PAM assumes elevated access is stable enough to be vaulted, monitored, and periodically reviewed. That assumption fails when access is created for a single task and then left behind because cloud and SaaS operations move faster than review cycles. The implication is that privileged governance must be built around expiry, not persistence.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who should own just-in-time access decisions and revocation accountability?
A: Ownership should sit with the identity governance and PAM function, with clear operational responsibility in the systems team that grants access. If request, approval, and revocation are split across too many teams, accountability becomes unclear and the control weakens. The accountable team must be able to show who approved, who used, and who removed the access.
👉 Read our full editorial: Just-in-time privileged access is replacing standing admin rights