TL;DR: Many organisations still grant broad, permanent access through static SSH keys, API tokens, and shared admin accounts, creating access creep, weak auditability, and a larger blast radius when credentials are compromised, according to JumpCloud. The real problem is not access itself but the assumption that privilege can safely persist until someone remembers to revoke it.
NHIMG editorial — based on content published by JumpCloud: static credentials, least privilege, and just-in-time access for cloud infrastructure
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
Questions worth separating out
Q: How should security teams replace standing administrative access in cloud environments?
A: Security teams should replace standing access with just-in-time elevation, verified identity, MFA, and device-aware conditions.
Q: Why do static SSH keys and API tokens create so much risk?
A: Static SSH keys and API tokens create risk because they are reusable, hard to track, and often survive long after the task or user changes.
Q: What breaks when cloud teams keep shared root accounts?
A: Shared root accounts break accountability, segregation of duties, and incident investigation.
Practitioner guidance
- Eliminate non-expiring administrative credentials: Replace static SSH keys, shared root accounts, and long-lived API tokens with identities that have explicit expiry, ownership, and review.
- Move privileged access to task-scoped elevation: Require users to request access for a specific administrative task and revoke that access automatically when the task ends.
- Tie every privileged session to a named identity: Remove shared admin workflows wherever possible and log each privileged action against one accountable person or machine identity.
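The three guidance points above, sketched as a minimal just-in-time access broker. This is an added example, not code from JumpCloud or the original article; the class and method names, the one-hour TTL ceiling, and the shared-account list are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_TTL = timedelta(hours=1)         # assumed policy ceiling for any elevation
SHARED_ACCOUNTS = {"root", "admin"}  # assumed shared identities that are always refused

@dataclass
class Grant:
    identity: str
    target: str
    task: str
    expires_at: datetime

@dataclass
class JitBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # (time, identity, target, event, detail)

    def request(self, identity, target, task, ttl, now, mfa_ok, device_ok):
        """Grant task-scoped access to a named identity, or deny and log why."""
        reason = None
        if identity in SHARED_ACCOUNTS:
            reason = "shared account has no accountable owner"
        elif not task.strip():
            reason = "no administrative task stated"
        elif not (mfa_ok and device_ok):
            reason = "MFA or device condition not met"
        elif not timedelta(0) < ttl <= MAX_TTL:
            reason = "requested duration outside policy"
        if reason:
            self.audit.append((now, identity, target, "DENY", reason))
            return None
        grant = Grant(identity, target, task, now + ttl)
        self.grants.append(grant)
        self.audit.append((now, identity, target, "GRANT", task))
        return grant

    def is_authorized(self, identity, target, now):
        """Expire stale grants first, so access never outlives its window."""
        for g in [g for g in self.grants if g.expires_at <= now]:
            self.grants.remove(g)
            self.audit.append((now, g.identity, g.target, "REVOKE", "expired"))
        return any(g.identity == identity and g.target == target for g in self.grants)

    def complete(self, grant, now):
        """Task finished early: revoke immediately instead of waiting for expiry."""
        if grant in self.grants:
            self.grants.remove(grant)
            self.audit.append((now, grant.identity, grant.target, "REVOKE", "task ended"))
```

Time is passed in as `now` so expiry behaviour can be checked deterministically; a real deployment would enforce the same window at the target, for example with short-lived credentials.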
What's in the full article
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step JIT access workflow for cloud administrators who need temporary server access.
- JumpCloud's specific PAM and conditional access workflow examples for identity-based login control.
- Operational guidance on replacing static SSH keys with identity-based authentication in mixed human and machine environments.
- The product-side description of how the platform combines identity, device management, and access control.
Standing privilege in cloud infrastructure: are your controls keeping up?
Explore further
Standing privilege is the broken premise, not the control gap. The article exposes a governance model that assumes administrative access can remain valid between requests without materially changing risk. That assumption was designed for slower, human-paced infrastructure operations. It fails when cloud environments scale faster than manual revocation, because access creeps forward while accountability lags behind. The implication is that privilege duration, not just privilege scope, must be treated as a first-order control variable.
A few things that frame the scale:
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Who should own just-in-time access governance for infrastructure identities?
A: Infrastructure identity governance should be owned jointly by IAM, PAM, cloud platform, and security teams, with clear accountability for approval, logging, and revocation. The same governance model should cover human admins, service accounts, and machine identities so privilege duration and review are controlled consistently.