TL;DR: Just-in-time access has shifted from a privileged-user control to a broader governance pattern for people, cloud services, pipelines, and agents, with Delinea arguing that standing privilege now creates unnecessary risk across both audiences. The deeper issue is that access review, offboarding, and audit models built around persistent credentials no longer fit ephemeral access patterns or autonomous execution loops.
NHIMG editorial — based on content published by Delinea: How to satisfy the two audiences of just-in-time privileged access
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams implement just-in-time access for both people and NHIs?
A: Start by separating privileged humans, service accounts, workloads, and automations into different access paths, then make each path request-based, time-bound, and logged.
Q: Why does just-in-time access matter more for NHIs than traditional admin accounts?
A: NHIs often run continuously, which means a long-lived credential can be reused long after the original task was complete.
Q: What do security teams get wrong about just-in-time privileged access?
A: They often treat JIT as a portal or approval workflow instead of a lifecycle control.
Practitioner guidance
- Map every privileged identity to an expiry model: separate human admin accounts, service accounts, CI/CD runners, and AI agents into distinct privilege lifecycles.
- Preserve existing developer workflows while changing the credential layer: keep SSH, kubectl, database clients, and cloud tooling in place, then insert ephemeral credential issuance behind those tools.
- Tie privileged access reviews to session evidence: use session logs, request records, and expiry events to prove that elevated access was temporary and task-scoped.
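As an added illustration (not Delinea's or StrongDM's code, and not from the article itself), the Python below sketches the two ideas that run through the Q&A and the guidance: one request-based, time-bound, logged access path per actor type, and a review step that ties session evidence back to request records to show each grant was temporary and task-scoped. It also covers the NHI failure mode named above, a credential still being used after the task it was issued for has ended. The actor types, TTL ceilings, identities, scopes, and session events are all constructed assumptions for the example.

```python
"""Constructed JIT grant lifecycle with per-actor-type TTL ceilings.
Added example; assumed policy values and log data, not any vendor's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

# Assumed ceilings on grant lifetime, one per actor type (illustrative values).
MAX_TTL: Dict[str, timedelta] = {
    "human_admin": timedelta(hours=4),
    "service_account": timedelta(hours=1),
    "ci_runner": timedelta(minutes=30),
    "ai_agent": timedelta(minutes=15),
}

# Constructed clock start for the walk-through below.
T0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Grant:
    grant_id: str
    identity: str
    actor_type: str
    scope: str            # the single task the grant covers, e.g. "db:orders:read"
    issued_at: datetime
    expires_at: datetime
    justification: str


@dataclass(frozen=True)
class SessionEvent:
    """One line of session evidence: which grant was used, on what scope, when."""
    grant_id: str
    identity: str
    scope: str
    at: datetime


class JitBroker:
    """Issues request-based, time-bound, logged grants; a separate lifecycle per actor type."""

    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock                 # injectable clock so the example is deterministic
        self.grants: Dict[str, Grant] = {}
        self.request_log: List[str] = []    # request records kept for the access review
        self._seq = 0

    def request(self, identity: str, actor_type: str, scope: str,
                ttl: timedelta, justification: str) -> Grant:
        ceiling = MAX_TTL.get(actor_type)
        if ceiling is None:
            raise ValueError(f"no lifecycle defined for actor type {actor_type!r}")
        if ttl <= timedelta(0) or ttl > ceiling:
            raise ValueError(f"ttl {ttl} is outside the {actor_type} ceiling of {ceiling}")
        if not justification.strip():
            raise ValueError("a grant needs a task justification")
        now = self._clock()
        self._seq += 1
        grant = Grant(f"g{self._seq}", identity, actor_type, scope, now, now + ttl, justification)
        self.grants[grant.grant_id] = grant
        self.request_log.append(
            f"{now.isoformat()} grant={grant.grant_id} identity={identity} type={actor_type} "
            f"scope={scope} expires={grant.expires_at.isoformat()} why={justification!r}")
        return grant

    def is_valid(self, grant_id: str, scope: str) -> bool:
        """Use-time check: the grant must exist, match the requested scope, and not be expired."""
        g = self.grants.get(grant_id)
        return g is not None and g.scope == scope and self._clock() < g.expires_at


def review_sessions(broker: JitBroker, events: List[SessionEvent]) -> List[Tuple[str, str]]:
    """Tie session evidence back to request records. Each returned (grant_id, finding) pair
    contradicts 'temporary and task-scoped'; an empty list is what the review wants to see."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        g = broker.grants.get(ev.grant_id)
        if g is None:
            findings.append((ev.grant_id, "session with no matching request record (standing credential?)"))
        elif ev.identity != g.identity:
            findings.append((ev.grant_id, f"grant for {g.identity} used by {ev.identity}"))
        elif ev.scope != g.scope:
            findings.append((ev.grant_id, f"scope {ev.scope} outside granted {g.scope}"))
        elif ev.at >= g.expires_at:
            findings.append((ev.grant_id, f"used {ev.at - g.expires_at} after expiry"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed walk-through: an agent gets a 10-minute grant and keeps running past it."""
    broker = JitBroker(lambda: T0)
    g = broker.request("agent-42", "ai_agent", "db:orders:read",
                       timedelta(minutes=10), "reconcile yesterday's orders")
    events = [
        SessionEvent(g.grant_id, "agent-42", "db:orders:read", T0 + timedelta(minutes=5)),   # in scope, in time
        SessionEvent(g.grant_id, "agent-42", "db:orders:write", T0 + timedelta(minutes=6)),  # task creep
        SessionEvent(g.grant_id, "agent-42", "db:orders:read", T0 + timedelta(minutes=25)),  # after expiry
        SessionEvent("legacy-key", "svc-batch", "db:orders:read", T0 + timedelta(hours=3)),  # never requested
    ]
    return review_sessions(broker, events)


if __name__ == "__main__":
    for grant_id, finding in demo():
        print(grant_id, finding)
```

The point of the design is that the broker never needs to know whether the caller is a person, a pipeline, or an agent beyond its actor type; the lifecycle policy lives in the ceiling table and the review only needs two inputs, request records and session events, to produce findings. In a real deployment the session events would come from the proxy or gateway that fronts SSH, kubectl, or the database client, which is how the credential layer changes while the tools stay the same.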
What's in the full article
Delinea's full blog covers the operational detail this post intentionally leaves for the source:
- How Delinea frames JIT for human privileged users versus cloud and developer identities
- Why preserving existing tools like SSH, kubectl, and database clients matters for adoption
- The article's workflow examples for databases, Kubernetes, cloud consoles, and internal services
- The platform narrative around StrongDM integration and how Delinea describes the access model
👉 Read Delinea's analysis of just-in-time privileged access for humans and machines →
Just-in-time privileged access for humans and machines: are controls keeping up?
Explore further
JIT has become a governance model for both humans and NHIs, not a point control for admins. The article’s central shift is that privileged access now spans people, pipelines, workloads, and agents, all of which can inherit standing privilege by default. That means the old PAM boundary is too narrow for modern identity estates, because the same entitlement logic now governs multiple actor types. Practitioners should treat JIT as a lifecycle pattern across the whole privileged surface.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when JIT access is used across cloud services, pipelines, and admins?
A: Accountability should sit with the identity governance and privileged access owners who control entitlement policy, logging, and expiry behavior across each actor type. For NHIs, that usually means PAM, cloud security, and platform teams sharing responsibility for lifecycle enforcement rather than treating machine access as a separate silo.
👉 Read our full editorial: Just-in-time privileged access is now a control for two audiences