

On-call access management and the standing privilege problem


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7864
Topic starter  

TL;DR: On-call teams often keep permanent production access in the name of speed, but that model widens the blast radius of any compromised or misused identity and defeats least privilege, as Opal Security argues. Driving access from the on-call schedule restores time-bound privilege and makes on-call governance workable for production systems.

NHIMG editorial — based on content published by Opal Security: How to Automate On-Call Access Management with Opal and PagerDuty

Questions worth separating out

Q: How should security teams implement on-call access without creating standing privilege?

A: Security teams should bind privileged access to an authoritative on-call signal (the schedule the paging system actually uses), grant it only for the active duty window, and revoke it automatically when that window closes, so that nobody holds production rights between shifts.

Q: Why does birthright access create more risk in production environments?

A: Birthright access hands engineers elevated production rights around the clock, including the large majority of the time they are not doing production work, so any compromise of that identity, or any mistake made with it, carries full production blast radius at any hour, and least privilege exists only on paper.

Q: What breaks when on-call access is granted manually during incidents?

A: Granting access by hand during an incident slows the responder at the worst possible moment, produces grants that vary with whoever happens to approve them, and leaves rights in place afterwards because revocation depends on someone remembering to clean up.

Practitioner guidance

  • Remove permanent production memberships from on-call roles: map which engineering groups still carry birthright access to production systems and strip those entitlements from the default role.
  • Bind privileged access to an authoritative schedule signal: use the on-call system as the source of truth for access eligibility, and make the schedule state the trigger for grant and revoke decisions.
  • Automate revocation when the on-call window closes: ensure elevated rights disappear without manual cleanup at the end of a shift or incident handoff.
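One way to implement the three steps above (and the answer to the first question earlier in this post), as an added example that is not Opal's or PagerDuty's code: a small reconciler that treats the schedule as the only source of eligibility, computes who should hold production access right now, and emits the grants and revokes that bring the production group into line. Because it revokes anyone present who is not eligible, it also strips leftover birthright members on its first run. The shift and incident records, their field names, the engineer names and timestamps, and the two-hour hold for a responder who still owns an open incident after shift end are all constructed assumptions of this example; a real integration would load shifts and open incidents from the on-call system's API and apply the decisions through the access-management tool.

```python
"""Schedule-driven reconciler for on-call production access.

Added example: not Opal's or PagerDuty's code. Field names, sample
engineers and timestamps are constructed assumptions; a real
integration would load shifts and open incidents from the on-call
system's API and apply grants/revokes through the access tool.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Shift:
    """One shift from the authoritative on-call schedule (end is exclusive)."""
    user: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Incident:
    """An open incident and the responder currently assigned to it."""
    assignee: str
    opened_at: datetime


def on_call_now(shifts, now):
    """Users whose shift covers `now`. Half-open intervals mean that at the
    handoff instant exactly one engineer is on call, not both."""
    return {s.user for s in shifts if s.start <= now < s.end}


def eligible(shifts, incidents, now, max_hold):
    """Identities that may hold production access at `now`.

    Schedule state is the only source of eligibility. The one extension is a
    bounded hold: a responder who owns an open incident keeps access past the
    end of their shift, but never longer than `max_hold` after it ended, so a
    forgotten incident cannot quietly turn into standing privilege. An
    incident assignment by itself, with no shift behind it, confers nothing.
    """
    active = on_call_now(shifts, now)
    for inc in incidents:
        last_end = max(
            (s.end for s in shifts if s.user == inc.assignee and s.end <= now),
            default=None,
        )
        if last_end is not None and now < last_end + max_hold:
            active.add(inc.assignee)
    return active


def reconcile(current_members, shifts, incidents, now,
              max_hold=timedelta(hours=2)):
    """Grants and revokes that bring the production group in line with the
    schedule. Anyone present who is not eligible is revoked, which also
    strips leftover birthright memberships that predate the automation."""
    desired = eligible(shifts, incidents, now, max_hold)
    present = set(current_members)
    return sorted(desired - present), sorted(present - desired)


def run_timeline(group, shifts, steps, max_hold=timedelta(hours=2)):
    """Reconcile at each (now, open_incidents) step and simulate applying the
    result to `group`. Returns the per-step decisions and the final group."""
    group = set(group)
    decisions = []
    for now, incidents in steps:
        grants, revokes = reconcile(group, shifts, incidents, now, max_hold)
        group |= set(grants)
        group -= set(revokes)
        decisions.append((now, grants, revokes))
    return decisions, group


# Constructed sample data: two 12-hour shifts starting 09:00 UTC.
T0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)


def at(hours):
    return T0 + timedelta(hours=hours)


SHIFTS = [Shift("alice", at(0), at(12)), Shift("bob", at(12), at(24))]
INC_ALICE = Incident("alice", opened_at=at(11.5))  # opened 20:30, alice owns it

# The group starts with alice (on call) and carol (leftover birthright member).
BASELINE_GROUP = {"alice", "carol"}
STEPS = [
    (at(1), []),              # 10:00: carol revoked, alice unchanged
    (at(12), [INC_ALICE]),    # 21:00 handoff: bob granted, alice held (incident)
    (at(12.5), [INC_ALICE]),  # 21:30: nothing to do, reconcile is idempotent
    (at(14.5), [INC_ALICE]),  # 23:30: hold cap passed, alice revoked anyway
]


def demo():
    return run_timeline(BASELINE_GROUP, SHIFTS, STEPS)


if __name__ == "__main__":
    for now, grants, revokes in demo()[0]:
        print(now.strftime("%H:%M"), "grant", grants, "revoke", revokes)
```

In a deployment the reconciler would run on a short timer and on every schedule-change or incident-state event, and every decision would be written to an audit log with the schedule state that justified it. The bounded hold is a design choice of this example: without it, a strict shift-end revoke can cut off the responder mid-incident, which is exactly the failure that drives teams back to standing access, but an unbounded hold recreates standing access in a different form.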

What's in the full article

Opal Security's full article covers the operational detail this post intentionally leaves for the source:

  • The exact integration pattern between Opal and PagerDuty for granting access based on schedule state.
  • The distinction between static production membership and dynamic on-call elevation in the product workflow.
  • The article's own explanation of how privilege is revoked when engineers move off call.
  • The vendor's framing of how teams can package fine-grained resources into on-call groups.

👉 Read Opal Security's article on automating on-call access management →
