TL;DR: Many organisations still grant broad, permanent access through static SSH keys, API tokens, and shared admin accounts, creating access creep, weak auditability, and a larger blast radius when credentials are compromised, according to JumpCloud. The real problem is not access itself but the assumption that privilege can safely persist until someone remembers to revoke it.
NHIMG editorial — based on content published by JumpCloud: static credentials, least privilege, and just-in-time access for cloud infrastructure
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
Questions worth separating out
Q: How should security teams replace standing administrative access in cloud environments?
A: Security teams should replace standing access with just-in-time elevation, verified identity, MFA, and device-aware conditions.
Q: Why do static SSH keys and API tokens create so much risk?
A: Static SSH keys and API tokens create risk because they are reusable, hard to track, and often survive long after the task or user changes.
Q: What breaks when cloud teams keep shared root accounts?
A: Shared root accounts break accountability, segregation of duties, and incident investigation.
Practitioner guidance
- Eliminate non-expiring administrative credentials: Replace static SSH keys, shared root accounts, and long-lived API tokens with identities that have explicit expiry, ownership, and review.
- Move privileged access to task-scoped elevation: Require users to request access for a specific administrative task and revoke that access automatically when the task ends.
- Tie every privileged session to a named identity: Remove shared admin workflows wherever possible and log each privileged action against one accountable person or machine identity.
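One way to check a credential inventory against the guidance points above, as an added example (not JumpCloud's or NHIMG's code). The record fields, the 8-hour lifetime limit, the 90-day review interval, and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Assumed policy values for this example; set them from your own standard.
MAX_LIFETIME = timedelta(hours=8)      # longest privileged grant allowed
REVIEW_INTERVAL = timedelta(days=90)   # how often a credential must be reviewed

@dataclass
class Credential:                      # hypothetical inventory record
    cred_id: str
    kind: str                          # "ssh_key", "ssh_cert", "api_token", "account"
    owner: Optional[str]               # one named person or machine identity
    issued: datetime
    expires: Optional[datetime]        # None means the credential never expires
    last_reviewed: Optional[datetime] = None

def audit(cred: Credential, now: datetime) -> list[str]:
    """Return the policy findings for one credential (empty list = compliant)."""
    findings = []
    if cred.owner is None:
        findings.append("no-named-owner")           # shared or orphaned access
    if cred.expires is None:
        findings.append("non-expiring")
    else:
        if cred.expires - cred.issued > MAX_LIFETIME:
            findings.append("lifetime-exceeds-policy")
        if cred.expires <= now:
            findings.append("expired-not-removed")  # stale entry still in inventory
    # A credential that was never reviewed is measured from its issue time.
    if now - (cred.last_reviewed or cred.issued) > REVIEW_INTERVAL:
        findings.append("review-overdue")
    return findings

def audit_inventory(creds, now):
    return {c.cred_id: f for c in creds if (f := audit(c, now))}

def utc(*parts):                       # shorthand for timezone-aware timestamps
    return datetime(*parts, tzinfo=timezone.utc)
NOW = utc(2025, 1, 15, 12)             # fixed clock so results are repeatable
INVENTORY = [                          # constructed sample data
    Credential("root-shared", "account", None, utc(2021, 3, 1), None),
    Credential("deploy-token", "api_token", "svc-ci", utc(2024, 6, 1), utc(2025, 6, 1), utc(2024, 12, 1)),
    Credential("jit-cert-alice", "ssh_cert", "alice", utc(2025, 1, 15, 10), utc(2025, 1, 15, 14)),
    Credential("old-key-bob", "ssh_key", "bob", utc(2024, 12, 1, 9), utc(2024, 12, 1, 13)),
]

if __name__ == "__main__":
    for cred_id, findings in audit_inventory(INVENTORY, NOW).items():
        print(f"{cred_id}: {', '.join(findings)}")
```

Only the task-scoped certificate passes: it has a named owner, a four-hour lifetime, and has not yet expired.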
What's in the full article
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step JIT access workflow for cloud administrators who need temporary server access.
- JumpCloud's specific PAM and conditional access workflow examples for identity-based login control.
- Operational guidance on replacing static SSH keys with identity-based authentication in mixed human and machine environments.
- The product-side description of how the platform combines identity, device management, and access control.