Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Just-in-time access and ZSP: what IAM teams need to change


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 257
Topic starter  

TL;DR: Moving from standing privileges to just-in-time access can materially cut exposure, but the real challenge is deciding which accounts qualify and proving the change with identity data, according to Hydden. The transition is not a binary PAM toggle; it is a continuous governance problem that depends on usage signals, access patterns, and operational context.

NHIMG editorial — based on content published by Hydden: just-in-time access and Zero Standing Privileges

By the numbers:

Questions worth separating out

Q: What breaks when organisations keep standing privilege for accounts that are only used occasionally?

A: Standing privilege keeps dormant access alive far longer than the task that justified it.

Q: Why do just-in-time access models reduce risk in privileged identity programmes?

A: They reduce risk by shrinking the time an elevated credential exists and by forcing access to be tied to a specific task.

Q: How do security teams know if zero standing privilege is actually working?

A: Look for three signals: fewer always-on privileged accounts, shorter average elevation periods, and a lower ratio of assigned entitlements to real usage.

Practitioner guidance

  • Map privileged accounts by real usage frequency Pull access data from PAM, directory services, cloud logs, and target systems to separate daily operational accounts from weekly, monthly, and sporadic ones.
  • Use session duration to find persistent privilege drift Compare how long accounts are entitled to remain elevated with how long sessions actually last.
  • Reduce broad entitlements that are never exercised Measure entitlement-to-usage ratios and flag accounts using less than 30% of their assigned access.

What's in the full article

Hydden's full article covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of the account signals used to identify JIT candidates, including access frequency, session length, and multi-group anomalies.
  • Configuration guidance for session durations, approval workflows, and task-scoped privilege boundaries.
  • A closer look at how continuous discovery feeds migration lists across PAM, directory services, and target systems.
  • Operational metrics for measuring exposure reduction, audit scope, and request rejection rates during the transition.

👉 Read Hydden's analysis of just-in-time access and Zero Standing Privileges →

Just-in-time access and ZSP: what IAM teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Just-in-time access works because standing privilege is a governance assumption, not a technical necessity. The article correctly treats access frequency, session duration, and usage patterns as the data that should decide privilege shape. That is the right inversion for mature identity programmes: entitlement should follow observed work, not inherited role drift. For practitioners, the implication is that JIT is best treated as a control model for privilege governance, not as a narrow PAM feature decision.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why privilege reduction programmes often start with incomplete inventories rather than control design.

A question worth separating out:

Q: Who should approve privileged access when JIT becomes the default model?

A: Approval should depend on task sensitivity, account risk, and operational urgency. Low-risk repeatable tasks can use pre-approved templates, while high-value or unusual requests need stronger review and a fresh authentication step. The governance goal is not universal delay; it is making privilege grants proportionate to the work being done.

👉 Read our full editorial: Just-in-time privilege models expose the real limits of standing access



   
ReplyQuote
Share: