Zero standing privilege and JIT access: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Zero standing privilege replaces always-on access with just-in-time credentials that expire after the task, reducing standing privilege and limiting lateral movement risk, according to StrongDM. The governance issue is that access review, audit, and accountability all weaken when privileged access persists by default instead of existing only for a task-bound window.

NHIMG editorial — based on content published by StrongDM: What is Zero Standing Privilege (ZSP)? (And How They Work)

By the numbers:

Questions worth separating out

Q: What breaks when standing privileged access is left in place?

A: Standing privilege breaks the assumption that privileged access can be safely reused without creating extra exposure.

Q: Why do zero standing privilege and zero trust fit together?

A: Zero trust depends on verifying access at the moment it is needed, while zero standing privilege removes access when the need ends.

Q: How do security teams know if just-in-time access is actually working?

A: Look for short-lived sessions, automatic revocation, and complete request-to-access logs.

Practitioner guidance

  • Inventory standing privileged access: Map every admin, service, and shared credential that remains valid outside a specific task window.
  • Move privileged workflows to time-bound issuance: Require approval, policy evaluation, and automatic teardown for sensitive access requests.
  • Replace shared accounts with individually attributable sessions: Use individual identity plus session logging wherever possible so access can be traced to a named request and a bounded time period.

What's in the full article

StrongDM's full blog post covers the operational detail this post intentionally leaves for the source:

  • How the request, approval, and teardown flow is presented inside the StrongDM PAM workflow
  • Examples of how JIT access is tied to role-based and attribute-based controls in practice
  • Details on logging, session recording, and compliance reporting for privileged requests
  • How StrongDM positions SSO and MFA integration in the access workflow

👉 Read StrongDM's article on zero standing privilege and just-in-time access →
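To make the request-to-teardown lifecycle and the three "is JIT actually working" checks from the Q&A concrete, here is an added example written for this post. It is not StrongDM's code and not part of the original article; the broker, the `POLICY` table, the scope names and the subjects are all constructed for illustration. It models policy evaluation, an approval gate, a capped time-bound grant, automatic teardown once the window closes, and an append-only request-to-access log, then runs the health checks a team would look at: are any grants still active past their window (standing privilege), and does every issued grant trace back to a request.

```python
"""Added example (not from the StrongDM article or the NHIMG post): a minimal
just-in-time access broker. Scope names, roles and policy values are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import uuid

# Constructed policy: which roles may request which scope, whether a second
# person must approve, and the maximum grant duration. Illustrative values only.
POLICY = {
    "prod-db-admin": {"allowed_roles": {"dba"}, "max_minutes": 60, "approval": True},
    "ci-deploy": {"allowed_roles": {"dev", "sre"}, "max_minutes": 30, "approval": False},
}


@dataclass
class Grant:
    grant_id: str
    request_id: str          # every grant is tied to a named request
    subject: str             # individual identity, never a shared account
    scope: str
    issued_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.revoked_at is None and now < self.expires_at


class FakeClock:
    """Deterministic clock so the lifecycle can be exercised without sleeping."""
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, minutes: int) -> None:
        self.now += timedelta(minutes=minutes)


class JITBroker:
    def __init__(self, clock):
        self.clock = clock
        self.grants: dict[str, Grant] = {}
        self.audit: list[dict] = []  # append-only request-to-access log

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": self.clock().isoformat(), "event": event, **fields})

    def request(self, subject, role, scope, minutes, approver=None) -> Optional[Grant]:
        request_id = str(uuid.uuid4())
        self._log("request", request_id=request_id, subject=subject, scope=scope, minutes=minutes)
        rule = POLICY.get(scope)
        if rule is None or role not in rule["allowed_roles"]:
            self._log("deny", request_id=request_id, reason="policy")
            return None
        if rule["approval"] and approver in (None, subject):  # no self-approval
            self._log("deny", request_id=request_id, reason="approval_required")
            return None
        now = self.clock()
        ttl = min(minutes, rule["max_minutes"])  # requester cannot exceed the policy cap
        grant = Grant(str(uuid.uuid4()), request_id, subject, scope, now, now + timedelta(minutes=ttl))
        self.grants[grant.grant_id] = grant
        self._log("issue", request_id=request_id, grant_id=grant.grant_id,
                  expires_at=grant.expires_at.isoformat(), approver=approver)
        return grant

    def authorize(self, grant_id: str, scope: str) -> bool:
        grant = self.grants.get(grant_id)
        allowed = bool(grant is not None and grant.scope == scope and grant.active(self.clock()))
        self._log("authz", grant_id=grant_id, scope=scope, allowed=allowed)
        return allowed

    def teardown(self) -> list[str]:
        """Automatic teardown: revoke every grant whose window has passed."""
        now = self.clock()
        revoked = []
        for g in self.grants.values():
            if g.revoked_at is None and now >= g.expires_at:
                g.revoked_at = now
                revoked.append(g.grant_id)
                self._log("revoke", grant_id=g.grant_id, reason="expired")
        return revoked

    def standing_privilege(self) -> list[str]:
        """Health check: grants still live past their window are standing privilege."""
        now = self.clock()
        return [g.grant_id for g in self.grants.values() if g.revoked_at is None and now >= g.expires_at]

    def unlinked_issuance(self) -> list[str]:
        """Health check: every 'issue' event must trace back to a 'request' event."""
        requests = {e["request_id"] for e in self.audit if e["event"] == "request"}
        return [e["grant_id"] for e in self.audit if e["event"] == "issue" and e["request_id"] not in requests]


def demo() -> dict:
    clock = FakeClock(datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc))
    broker = JITBroker(clock)
    denied = broker.request("alice", "dev", "prod-db-admin", 30)               # role not allowed
    unapproved = broker.request("bob", "dba", "prod-db-admin", 30)             # approval missing
    grant = broker.request("bob", "dba", "prod-db-admin", 240, approver="carol")  # capped to 60 min
    ok_now = broker.authorize(grant.grant_id, "prod-db-admin")
    wrong_scope = broker.authorize(grant.grant_id, "ci-deploy")
    clock.advance(61)                                                           # window has closed
    standing_before = len(broker.standing_privilege())                          # 1 until teardown runs
    revoked = len(broker.teardown())
    return {
        "denied": denied is None, "unapproved": unapproved is None,
        "ttl_minutes": int((grant.expires_at - grant.issued_at).total_seconds() // 60),
        "ok_now": ok_now, "wrong_scope": wrong_scope,
        "standing_before_teardown": standing_before, "revoked": revoked,
        "standing_after_teardown": len(broker.standing_privilege()),
        "ok_later": broker.authorize(grant.grant_id, "prod-db-admin"),
        "unlinked": broker.unlinked_issuance(),
        "events": [e["event"] for e in broker.audit],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two health checks are the part worth carrying into a real review: `standing_privilege()` is the query that should return nothing when teardown is keeping up, and `unlinked_issuance()` is what a complete request-to-access log lets you assert. If either returns rows, privilege is persisting by default rather than existing for a task-bound window.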

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Zero standing privilege is really an access-lifecycle policy, not just a PAM feature. The article describes ZSP as a way to remove permanent permissions and issue access only for the work being performed. That makes the central issue lifecycle control: if privilege is not time-bound, it becomes standing risk by default. Practitioners should read ZSP as a governance model for the entire access window, not as a narrower password-handling technique.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: What is the difference between least privilege and zero standing privilege?

A: Least privilege limits how much access an identity gets, while zero standing privilege limits how long access exists. Least privilege can still leave baseline permissions in place. ZSP removes that baseline and forces access to be created only for a specific request, which is a stricter operational model.

👉 Read our full editorial: Zero standing privilege is redefining privileged access control
