JIT secrets and standing credentials: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter

TL;DR: Secrets remain a major attack surface because they are often unmanaged, static, and invisible across code, vaults, and cloud workflows, according to SSH Communications Security's analysis of KuppingerCole's Compass coverage. Ephemeral provisioning helps reduce exposure, but access review models still assume credentials persist long enough to be observed and revoked.

NHIMG editorial — based on content published by SSH Communications Security: secrets management, JIT provisioning, and CIEM integration in the PrivX portfolio

By the numbers:

Questions worth separating out

Q: How should security teams reduce the risk of standing secrets in cloud and DevOps environments?

A: Start by inventorying where secrets are issued, stored, copied, and reused across pipelines, workloads, and admin access.

Q: Why do static secrets increase lateral movement risk?

A: Static secrets remain valid after they are exposed, which means one leak can be reused across multiple systems if the credential is accepted broadly.

Q: What breaks when secrets are vaulted but downstream privileges stay standing?

A: The vault protects storage, but it does not remove the access paths that a valid secret unlocks.

Practitioner guidance

  • Inventory every standing secret path: map where passwords, API keys, certificates, and tokens live across code, CI/CD, vaults, and cloud services, then assign an owner to each secret class.
  • Convert long-lived credentials to task-scoped issuance: prioritise the secrets that unlock privileged systems or automation first, then replace them with ephemeral certificates or short-lived tokens that expire automatically when the job completes.
  • Tie secrets governance to PAM and CIEM: review whether each issued secret can reach more systems than the task requires, and remove downstream entitlements that make one credential useful across multiple cloud services.
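An added example, not code from SSH Communications Security or the PrivX product, modelling the three steps above in Python: task-scoped issuance with a hard TTL, plus a review pass that flags standing, lingering and over-scoped secrets. The owner names, system names and inventory entries are constructed for illustration.

```python
"""Constructed example: JIT secret issuance and a governance review pass."""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class IssuedSecret:
    owner: str                  # team accountable for this secret class
    systems: frozenset          # systems that accept this secret
    issued_at: float            # epoch seconds
    ttl: Optional[float]        # None models a standing, never-expiring credential
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

    def expired(self, now: float) -> bool:
        return self.ttl is not None and now >= self.issued_at + self.ttl


def issue_task_secret(owner, task_systems, ttl_seconds, now):
    """JIT issuance: scope is exactly the systems the task names, and the
    credential carries a hard expiry so nothing has to be revoked by hand."""
    return IssuedSecret(owner, frozenset(task_systems), now, ttl_seconds)


def review_findings(inventory, now):
    """Governance pass (the PAM/CIEM tie-in). inventory maps a secret name to
    (issued secret, systems the task actually requires). Flags secrets that
    never expire, that outlived their TTL but are still present, or that can
    reach systems beyond what the task requires."""
    findings = []
    for name, (secret, task_systems) in inventory.items():
        if secret.ttl is None:
            findings.append((name, "standing"))
        elif secret.expired(now):
            findings.append((name, "expired-still-present"))
        extra = secret.systems - frozenset(task_systems)
        if extra:
            findings.append((name, "over-scoped:" + ",".join(sorted(extra))))
    return findings


# Constructed sample inventory: one healthy JIT secret, one legacy standing
# credential accepted by three systems, and one JIT secret that was never purged.
NOW = 1_700_000_000.0
INVENTORY = {
    "ci-deploy": (issue_task_secret("platform", ["k8s-prod"], 900, NOW - 60), ["k8s-prod"]),
    "legacy-db": (IssuedSecret("dba", frozenset({"db-prod", "db-staging", "bastion"}),
                               NOW - 86400 * 400, None), ["db-prod"]),
    "batch-job": (issue_task_secret("data", ["s3-reports"], 300, NOW - 3600), ["s3-reports"]),
}

if __name__ == "__main__":
    for finding in review_findings(INVENTORY, NOW):
        print(*finding)
```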

What's in the full article

SSH Communications Security's full research covers the operational detail this post intentionally leaves for the source:

  • The vendor's product-level secrets rotation model for hybrid environments, including where policy decisions are enforced.
  • The integration details for CI/CD pipelines, identity systems, and microservices architecture that support the operational workflow.
  • The KuppingerCole category context behind the leadership recognition and how the portfolio is positioned across multiple compasses.
  • The specific compliance and governance features that sit inside the PrivX portfolio for implementation teams.

👉 Read SSH Communications Security's analysis of secrets management and JIT access →

