TL;DR: Credential vaults still preserve stored, reusable secrets, which means they can reduce risk without eliminating standing privilege, according to Teleport’s analysis and cited CISA findings. That distinction matters because ZSP depends on ephemeral, identity-bound access, not rotated credentials hidden behind a vault.
NHIMG editorial — based on content published by Teleport: Zero Standing Privileges vs Credential Vaulting
By the numbers:
- Valid privileged accounts were responsible for 41% of successful attacks.
- Secrets management is a top five cybersecurity priority for only 33% of organisations, behind cloud security (45%), API security (42%), and endpoint security (36%).
- Only 44% of organisations are currently using a dedicated secrets management system.
Questions worth separating out
Q: What breaks when credential vaulting is used as a substitute for zero standing privilege?
A: Vaulting can protect a secret while it is stored, but it does not remove the secret or the privilege behind it.
Q: Why do vaulted secrets still create risk for service accounts and automation?
A: Service accounts and automation usually need repeatable access, which means the same secret can be reused until rotation or revocation.
Q: How do security teams know whether zero standing privilege is actually working?
A: Look for access that is issued only at task start, expires automatically, and leaves no reusable credential behind.
Practitioner guidance
- Classify vaulted credentials as persistent privileges: inventory every secret stored in a vault and treat it as standing access until you can prove the credential is task-scoped and automatically expires.
- Replace checkout workflows with task-bound issuance: move privileged access to short-lived certificates or tokens that are issued on demand and expire at session end.
- Test whether your PAM design survives without reusable secrets: run a design review that asks which applications, admin flows, and machine identities break if no password, key, or token can be stored persistently.
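The two checks above (treat a vaulted secret as standing until it is shown to be task-scoped and self-expiring; issue access at task start that expires on its own) can be made concrete in code. The following is an added example written for this post, not Teleport's code or any vendor's token format: it classifies inventory entries by the two properties the guidance names, and it issues a toy HMAC-signed access token bound to an identity and a single task that the verifier rejects once it has expired or is presented for another task. The record fields, the 8-hour ceiling and the token layout are assumptions chosen for illustration.

```python
"""Added example (not Teleport's code): separating standing privilege from
task-bound, short-lived access, and showing what task-bound issuance looks like.

Part 1: classify_credential() labels an inventory entry "standing" or "ephemeral"
        using the two properties the guidance names (expires automatically,
        scoped to one task).
Part 2: issue()/verify() model a short-lived token bound to an identity and a
        task.  The HMAC scheme, claim names and TTL ceiling are assumptions made
        for this illustration, not any product's format.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Assumption: anything that lives longer than one working shift is treated as
# standing access even if it technically expires.
MAX_EPHEMERAL_TTL = 8 * 3600


@dataclass
class CredentialRecord:
    name: str
    kind: str                       # e.g. "vault_secret", "x509_cert", "ssh_cert"
    max_ttl_seconds: Optional[int]  # None means it never expires on its own
    task_scoped: bool               # issued for one task/session, not checked out for reuse


def classify_credential(rec: CredentialRecord) -> str:
    """Return "ephemeral" only when the credential expires automatically within
    MAX_EPHEMERAL_TTL and is bound to a single task; everything else is
    "standing" (the "treat it as standing until proven otherwise" rule)."""
    if rec.max_ttl_seconds is None or rec.max_ttl_seconds > MAX_EPHEMERAL_TTL:
        return "standing"
    if not rec.task_scoped:
        return "standing"
    return "ephemeral"


def inventory_report(records: Iterable[CredentialRecord]) -> Dict[str, str]:
    """Map each credential name to its classification."""
    return {r.name: classify_credential(r) for r in records}


# Constructed sample inventory (not real data): the vaulted password is
# rotated every 90 days but never expires per task, so it is standing access.
SAMPLE_INVENTORY = [
    CredentialRecord("prod-db-admin-password", "vault_secret", 90 * 86400, False),
    CredentialRecord("ci-deploy-ssh-cert", "ssh_cert", 3600, True),
    CredentialRecord("legacy-api-key", "vault_secret", None, False),
]

# Part 2: toy issuer.  The signing key lives only with the issuer; the token
# itself carries no reusable secret, just claims the verifier can check.
ISSUER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(identity: str, task: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a token at task start: bound to the identity and the task, and
    carrying its own expiry so nothing has to be revoked afterwards."""
    now = time.time() if now is None else now
    claims = {
        "sub": identity,
        "task": task,
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
        "jti": secrets.token_hex(8),  # unique id so each issuance is traceable in audit logs
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify(token: str, expected_task: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and issued for
    expected_task; otherwise None.  A token good for task A is useless for task B."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:  # malformed token or bad base64 (binascii.Error subclasses ValueError)
        return None
    expected_tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return None
    claims = json.loads(body)
    if now >= claims["exp"] or claims["task"] != expected_task:
        return None
    return claims


if __name__ == "__main__":
    print(inventory_report(SAMPLE_INVENTORY))
    tok = issue("alice", "db-migration-42", ttl_seconds=600, now=1_000.0)
    print(verify(tok, "db-migration-42", now=1_100.0))   # claims dict
    print(verify(tok, "db-migration-42", now=1_600.0))   # None: expired
    print(verify(tok, "other-task", now=1_100.0))        # None: wrong task
```

The verifier never consults a revocation list in this model: expiry is carried inside the credential, which is the property that lets access disappear without anyone remembering to revoke it. Note that rotating a vaulted secret on a schedule (the 90-day record above) does not change its classification, because the same value remains valid for every task in that window.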
What's in the full article
Teleport's full blog post covers the operational detail this post intentionally leaves for the source:
- A side-by-side comparison of vault-based and vault-free privileged access patterns for teams deciding between them.
- Specific implementation notes for short-lived X.509 certificates and identity-bound access flows.
- Detailed discussion of how vault checkout, rotation, and revocation workflows affect operational friction.
- Examples of how identity-traceable audit logging changes accountability for human and non-human identities.
👉 Read Teleport's analysis of zero standing privileges vs credential vaulting →
Zero standing privileges and vaulting: are your controls keeping up?