Standing privilege in cloud infrastructure: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Many organisations still grant broad, permanent access through static SSH keys, API tokens, and shared admin accounts, creating access creep, weak auditability, and a larger blast radius when credentials are compromised, according to JumpCloud. The real problem is not access itself but the assumption that privilege can safely persist until someone remembers to revoke it.

NHIMG editorial — based on content published by JumpCloud: static credentials, least privilege, and just-in-time access for cloud infrastructure

By the numbers:

Questions worth separating out

Q: How should security teams replace standing administrative access in cloud environments?

A: Security teams should replace standing access with just-in-time elevation, verified identity, MFA, and device-aware conditions.

Q: Why do static SSH keys and API tokens create so much risk?

A: Static SSH keys and API tokens create risk because they are reusable, hard to track, and often survive long after the task or user changes.

Q: What breaks when cloud teams keep shared root accounts?

A: Shared root accounts break accountability, segregation of duties, and incident investigation.

Practitioner guidance

What's in the full article

JumpCloud's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step JIT access workflow for cloud administrators who need temporary server access.
  • JumpCloud's specific PAM and conditional access workflow examples for identity-based login control.
  • Operational guidance on replacing static SSH keys with identity-based authentication in mixed human and machine environments.
  • The product-side description of how the platform combines identity, device management, and access control.

👉 Read JumpCloud's analysis of least privilege, JIT access, and static credential risk →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Standing privilege is the broken premise, not the control gap. The article exposes a governance model that assumes administrative access can remain valid between requests without materially changing risk. That assumption was designed for slower, human-paced infrastructure operations. It fails when cloud environments scale faster than manual revocation, because access creeps forward while accountability lags behind. The implication is that privilege duration, not just privilege scope, must be treated as a first-order control variable.

A few things that frame the scale:

  • 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: Who should own just-in-time access governance for infrastructure identities?

A: Infrastructure identity governance should be owned jointly by IAM, PAM, cloud platform, and security teams, with clear accountability for approval, logging, and revocation. The same governance model should cover human admins, service accounts, and machine identities so privilege duration and review are controlled consistently.

👉 Read our full editorial: Static credentials and standing privilege are cloud security liabilities

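As an added illustration of the two points raised in this thread (static credentials outliving their owner or purpose, and privilege duration as a first-order control variable), not code from JumpCloud or the NHIMG editorial: a small Python model that flags orphaned or idle static credentials in a constructed inventory and enforces time-bound JIT grants with an explicit approver and revocation. All identities, hostnames, timestamps and the 90-day idle threshold are assumed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class StaticCredential:          # long-lived secret (SSH key, API token) tied to an owner
    cred_id: str
    owner: str
    last_used: datetime = None   # None = never observed in use

@dataclass
class JitGrant:                  # time-bound elevation: who, to what, approved by whom, how long
    grant_id: str
    principal: str
    target: str
    approved_by: str
    start: datetime
    ttl: timedelta
    revoked_at: datetime = None

    def is_active(self, now):
        if self.revoked_at is not None and self.revoked_at <= now:
            return False         # explicit revocation beats the TTL
        return self.start <= now < self.start + self.ttl
def stale_static_credentials(creds, active_users, now, max_idle=timedelta(days=90)):
    """Flag credentials whose owner is gone ('orphaned') or unused past max_idle ('idle')."""
    findings = {}
    for c in creds:
        reasons = []
        if c.owner not in active_users:
            reasons.append("orphaned")
        if c.last_used is None or now - c.last_used > max_idle:
            reasons.append("idle")
        if reasons:
            findings[c.cred_id] = reasons
    return findings
def can_access(grants, principal, target, now):
    """Access exists only while an unrevoked grant for this principal/target is inside its window."""
    return any(g.principal == principal and g.target == target and g.is_active(now) for g in grants)
# Constructed sample inventory; identities, hosts and timestamps are placeholders.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
ACTIVE_USERS = {"alice", "svc-deploy"}            # "bob" has been offboarded
CREDS = [
    StaticCredential("ssh-key-alice", "alice", NOW - timedelta(days=2)),
    StaticCredential("api-token-bob", "bob", NOW - timedelta(days=150)),
    StaticCredential("ssh-key-deploy", "svc-deploy"),
]
GRANTS = [
    JitGrant("g-1", "alice", "prod-db-01", "carol", NOW - timedelta(minutes=10), timedelta(hours=1)),
    JitGrant("g-2", "alice", "prod-web-01", "carol", NOW - timedelta(hours=3), timedelta(hours=1)),
]
```

Running `stale_static_credentials(CREDS, ACTIVE_USERS, NOW)` reports bob's token as orphaned and idle and the never-used deploy key as idle, while `can_access` allows alice onto prod-db-01 only inside grant g-1's window and denies prod-web-01 because g-2 has expired.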