
Just-in-time access and ZSP: what IAM teams need to change


Posted by @lalit (Member Admin, joined 1 year ago, 118 posts), topic starter

TL;DR: Moving from standing privileges to just-in-time access can materially cut exposure, but the real challenge is deciding which accounts qualify and proving the change with identity data, according to Hydden. The transition is not a binary PAM toggle; it is a continuous governance problem that depends on usage signals, access patterns, and operational context.

NHIMG editorial — based on content published by Hydden: just-in-time access and Zero Standing Privileges

By the numbers:

Questions worth separating out

Q: What breaks when organisations keep standing privilege for accounts that are only used occasionally?

A: Standing privilege keeps dormant access alive far longer than the task that justified it.

Q: Why do just-in-time access models reduce risk in privileged identity programmes?

A: They reduce risk by shrinking the time an elevated credential exists and by forcing access to be tied to a specific task.

Q: How do security teams know if zero standing privilege is actually working?

A: Look for three signals: fewer always-on privileged accounts, shorter average elevation periods, and a lower ratio of assigned entitlements to real usage.

Practitioner guidance

  • Map privileged accounts by real usage frequency: pull access data from PAM, directory services, cloud logs, and target systems to separate daily operational accounts from weekly, monthly, and sporadic ones.
  • Use session duration to find persistent privilege drift: compare how long accounts are entitled to remain elevated with how long sessions actually last.
  • Reduce broad entitlements that are never exercised: measure entitlement-to-usage ratios and flag accounts using less than 30% of their assigned access.
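The three checks above, worked through on constructed account records as an added example (this is not Hydden's or the post's code; the account names, entitlement groups, 90-day window and the daily/weekly/monthly/sporadic cut-offs are assumptions chosen for illustration):

```python
from dataclasses import dataclass, field

# Constructed sample records (not Hydden's or the post's data): each account has the
# privilege groups it is entitled to, the elevation window it is allowed, and the
# sessions observed in the review window as (entitlement exercised, minutes).
@dataclass
class Account:
    name: str
    entitlements: set
    max_elevation_min: int                          # how long elevation may persist
    sessions: list = field(default_factory=list)    # list of (entitlement, minutes)

WINDOW_DAYS = 90
USAGE_THRESHOLD = 0.30   # the post's "less than 30% of assigned access" flag

def usage_bucket(n_sessions, days=WINDOW_DAYS):
    """Classify real usage frequency into daily/weekly/monthly/sporadic tiers (assumed cut-offs)."""
    per_day = n_sessions / days
    if per_day >= 1:
        return "daily"
    if per_day >= 1 / 7:
        return "weekly"
    if per_day >= 1 / 30:
        return "monthly"
    return "sporadic"

def assess(acct, days=WINDOW_DAYS):
    """Compute usage frequency, elevation drift and entitlement-to-usage ratio for one account."""
    used = {ent for ent, _ in acct.sessions} & acct.entitlements
    used_fraction = len(used) / len(acct.entitlements) if acct.entitlements else 0.0
    avg_session = (sum(m for _, m in acct.sessions) / len(acct.sessions)) if acct.sessions else 0.0
    bucket = usage_bucket(len(acct.sessions), days)
    return {
        "account": acct.name,
        "bucket": bucket,
        "used_fraction": used_fraction,
        "unused_entitlements": sorted(acct.entitlements - used),
        # drift: minutes of allowed elevation beyond what sessions actually need
        "drift_minutes": acct.max_elevation_min - avg_session,
        # occasional use or mostly unexercised access -> candidate for on-demand elevation
        "jit_candidate": bucket != "daily" or used_fraction < USAGE_THRESHOLD,
    }

SAMPLE = [
    Account("svc-backup", {"backup-admin"}, 480, [("backup-admin", 20)] * 90),
    Account("ops-alice", {"linux-root", "db-admin", "net-admin", "k8s-admin", "backup-admin"},
            240, [("db-admin", 30)] * 2),
    Account("dba-bob", {"db-admin", "db-reader"}, 60, [("db-admin", 45)] * 15),
]

if __name__ == "__main__":
    for acct in SAMPLE:
        print(assess(acct))
```

Note that svc-backup is used daily and is not a JIT candidate, yet its 480-minute allowance against 20-minute sessions is exactly the elevation drift the second check is meant to surface.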

What's in the full article

Hydden's full article covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of the account signals used to identify JIT candidates, including access frequency, session length, and multi-group anomalies.
  • Configuration guidance for session durations, approval workflows, and task-scoped privilege boundaries.
  • A closer look at how continuous discovery feeds migration lists across PAM, directory services, and target systems.
  • Operational metrics for measuring exposure reduction, audit scope, and request rejection rates during the transition.

👉 Read Hydden's analysis of just-in-time access and Zero Standing Privileges →
