Start by defining the smallest set of request-time signals that can justify elevation, such as ticket state, environment sensitivity, and on-call status. Then issue short-lived access only for the target task, and make expiration automatic. The goal is to replace broad standing roles with decision-time authorisation that is easier to audit and harder to reuse outside the intended context.
Why This Matters for Security Teams
On-demand permissions are not just a tighter form of access control. They are a response to the way cloud incidents now unfold: fast, identity-driven, and often through over-scoped service accounts, automation, or agentic workflows. Static roles age badly in cloud environments because the same identity may be reused across deployments, environments, and tools. Current guidance from the OWASP Non-Human Identity Top 10 and NHI Management Group research shows that over-privilege and weak credential hygiene remain recurring failure points, not edge cases. In the Ultimate Guide to NHIs — Key Challenges and Risks, the pattern is clear: once access is standing, it is easy to reuse, hard to justify, and frequently wider than the task requires.
The practical risk is not only misuse by an attacker. It is also accidental excess, where pipelines, operators, and workloads keep privileges long after the request that justified them has ended. That is why modern cloud governance is moving toward request-time authorization, context-aware approvals, and automatic expiry. In practice, many security teams discover excessive standing access only after an audit, outage, or privilege escalation has already exposed the problem.
How It Works in Practice
Effective on-demand permissions start with a policy decision at the moment of need, not a broad role assigned months earlier. Security teams define the minimum signals that can justify elevation, then evaluate those signals at request time. Common signals include ticket approval state, environment sensitivity, workload ownership, on-call assignment, change window, and whether the requester is a human operator, service, or agent. The best practice is evolving, but the direction is consistent: use short-lived access, scope it to one target action or resource set, and revoke it automatically when the task ends.
In cloud environments, that usually means combining identity, policy, and session controls. A privileged request might be granted only after a workflow engine checks context, then issues an ephemeral token or temporary role session with a strict TTL. For non-human identities, that token should be bound to a workload identity such as SPIFFE or OIDC, so the system can verify what the workload is, not merely what secret it holds. This aligns well with CISA Zero Trust guidance and with the 230M AWS environment compromise, where excessive trust and weak control boundaries are exactly the sort of conditions that turn small misconfigurations into major exposure.
- Use policy-as-code so the approval logic is versioned, reviewed, and testable.
- Set TTLs by task risk, not by convenience, and make revocation automatic.
- Separate request approval from secret issuance so access is not granted until policy passes.
- Log the full context of each elevation, including who, what, why, and for how long.
For cloud-native teams, this is often implemented with PAM, identity brokers, CI/CD guardrails, or cloud-native session controls, but the control objective stays the same: minimize the time window in which elevated access exists. These controls tend to break down when legacy applications require persistent credentials because the application design assumes standing trust and cannot tolerate session turnover.
Common Variations and Edge Cases
Tighter on-demand permissions often increase operational overhead, so organisations have to balance faster response against approval friction and automation complexity. That tradeoff is especially visible in multi-account clouds, break-glass workflows, and production incident response. In those cases, security teams should predefine exception paths with stronger monitoring rather than silently falling back to standing privilege. There is no universal standard for this yet, but current guidance suggests treating exceptions as rare, time-boxed, and heavily logged.
One common edge case is machine-to-machine access in deployment pipelines. A human-style approval workflow does not always fit, so the control may need to be a combination of workload identity, environment attestation, and policy evaluation at runtime. Another is delegated admin access for cloud operations teams, where broad RBAC roles are still common. In those environments, on-demand permissions work best when the role only enables request initiation, while the actual privilege is minted as an ephemeral session. For teams dealing with recurring NHI risk, the Snowflake breach is a reminder that long-lived access paths are easy to abuse once they exist.
Where this guidance breaks down most often is in services that cannot be restarted or reauthenticated cleanly, because the business has coupled uptime to persistent secrets rather than short-lived identity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses overlong or unrotated credentials used for elevated cloud access. |
| CSA MAESTRO | Relevant to runtime authorization and ephemeral access for autonomous cloud workloads. | |
| NIST AI RMF | Supports governance of context-aware decisioning for dynamic access requests. |
Replace standing secrets with short-lived credentials and rotate or revoke them automatically after use.
Related resources from NHI Mgmt Group
- How should security teams implement runtime identity controls across hybrid environments?
- How should security teams implement microsegmentation in industrial environments without disrupting production?
- How should security teams evaluate ITDR coverage across cloud and SaaS environments?
- How should security teams test DNS resilience in hybrid cloud environments?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
