Birthright access, JIT, and usage review: what IAM teams need


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7436
Topic starter  

TL;DR: Over-provisioning, infrequent access checks, and procedural drift continue to drive privilege-related exposure, with Opal Security citing 84% of organisations facing a privileged access-related breach in the past 18 months and Gartner finding IaaS accounts use less than 3% of granted entitlements. The governance problem is not access reduction alone, but access precision.

NHIMG editorial — based on content published by Opal Security: 3 Practical Changes to Refine Access Controls Without Being Overly Restrictive

By the numbers:

Questions worth separating out

Q: How should security teams reduce over-provisioning without slowing the business down?

A: Use a precision model rather than a blanket deny model.

Q: Why does birthright access create ongoing identity risk?

A: Birthright access assigns permissions before need is proven, so it tends to overestimate what a role requires.

Q: How do organisations know whether just-in-time access is working?

A: Look for short-lived elevation, automatic revocation, and a declining amount of standing privilege across high-risk systems.

Practitioner guidance

  • Restrict birthright access for sensitive systems: replace automatic broad assignment with explicit request paths for production systems, sensitive datasets, and privileged collaboration spaces.
  • Make elevation time-bound by default: grant privileged permissions only for the duration of a specific task, then revoke them automatically when the task ends or the ticket closes.
  • Base recertification on actual usage: review recent access logs before approving renewals, and downgrade or remove entitlements that have not been used in the past 30 to 60 days.
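As an added illustration (not code from this post or from Opal Security), the script below runs the usage-based recertification described above over constructed entitlement and access-log records: JIT grants past their expiry are revoked, entitlements idle for 60 days or more are removed, those idle 30 to 59 days are downgraded, and idle time is measured from the later of the grant time and the last logged use so a fresh grant is not flagged on day one. The record layout, field names and thresholds are assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the post or from Opal Security): a mix of
# standing entitlements and one just-in-time (JIT) grant with an expiry.
ENTITLEMENTS = [
    {"identity": "alice",      "resource": "prod-db",   "granted": "2024-01-10T09:00:00", "expires": None},
    {"identity": "bob",        "resource": "prod-db",   "granted": "2024-02-29T09:00:00", "expires": "2024-03-01T17:00:00"},
    {"identity": "svc-deploy", "resource": "prod-k8s",  "granted": "2023-11-01T00:00:00", "expires": None},
    {"identity": "carol",      "resource": "warehouse", "granted": "2023-12-01T00:00:00", "expires": None},
    {"identity": "dave",       "resource": "prod-db",   "granted": "2024-03-10T14:00:00", "expires": None},
]
# Constructed access log: (timestamp, identity, resource)
ACCESS_LOG = [
    ("2024-02-28T10:15:00", "alice",      "prod-db"),
    ("2024-01-05T08:00:00", "svc-deploy", "prod-k8s"),
    ("2024-02-01T11:30:00", "carol",      "warehouse"),
]
NOW = datetime.fromisoformat("2024-03-15T12:00:00")  # review date, fixed for reproducibility


def review_entitlements(entitlements, access_log, now, downgrade_days=30, remove_days=60):
    """Map each (identity, resource) pair to a recertification action.

    Idle time is measured from the later of the grant time and the last logged
    use, so a freshly granted entitlement gets a grace period instead of being
    flagged as unused immediately. JIT grants past their expiry are revoked
    regardless of usage.
    """
    last_use = {}
    for ts, identity, resource in access_log:
        t = datetime.fromisoformat(ts)
        key = (identity, resource)
        if key not in last_use or t > last_use[key]:
            last_use[key] = t

    actions = {}
    for e in entitlements:
        key = (e["identity"], e["resource"])
        if e["expires"] is not None and datetime.fromisoformat(e["expires"]) <= now:
            actions[key] = "revoke-expired"  # time-bound elevation has ended
            continue
        reference = max(datetime.fromisoformat(e["granted"]), last_use.get(key, datetime.min))
        idle_days = (now - reference).days
        if idle_days >= remove_days:
            actions[key] = "remove"
        elif idle_days >= downgrade_days:
            actions[key] = "downgrade"
        else:
            actions[key] = "keep"
    return actions


if __name__ == "__main__":
    for (identity, resource), action in review_entitlements(ENTITLEMENTS, ACCESS_LOG, NOW).items():
        print(f"{identity:<11} {resource:<10} -> {action}")
```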

What's in the full article

Opal Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Specific examples of how to limit birthright access in production environments.
  • Step-by-step guidance on implementing just-in-time and time-bound access controls.
  • A practical usage-review method based on 30 and 60 day access logs.
  • Operational detail on automatically revoking access after ticket completion.

👉 Read Opal Security's guidance on refining access controls without over-restricting users →
