JIT breaks down when teams cannot see every active secret and service account, because they cannot verify whether temporary access was actually temporary. Without visibility, revocation becomes partial, audit trails become incomplete, and dormant credentials can continue to function outside the approved workflow.
Why This Matters for Security Teams
Just-in-time access only works when security can see the full population of secrets, service accounts, and machine credentials that might still authenticate outside the approved workflow. Without that inventory, temporary elevation becomes an assumption rather than a control, and teams cannot prove that access was revoked everywhere it existed. The result is a gap between policy and reality that undermines auditability and response.
This is a recurring theme in the Guide to the Secret Sprawl Challenge, where fragmentation and duplication make it difficult to track which credentials are active, copied, or embedded in systems. It also aligns with the OWASP Non-Human Identity Top 10, which treats unmanaged machine identities and secrets exposure as a core control failure.
NHIMG research shows the scale of the problem: the average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities. In practice, many security teams discover lingering access only after a secret has already been reused, copied, or committed elsewhere, rather than through intentional visibility.
How It Works in Practice
Operationally, JIT access depends on three things working together: a trusted source of identity, a runtime approval decision, and complete secrets visibility. The workflow may issue a short-lived credential for a specific task, but that credential is only safe if defenders can confirm there are no parallel secrets granting the same access. That means inventorying service accounts, API keys, certificates, and tokens across vaults, CI/CD systems, code repositories, and deployment platforms.
Best practice is evolving toward pairing JIT with continuous discovery and policy enforcement. A team might use The 2025 State of NHIs and Secrets in Cybersecurity to understand how often secrets are duplicated or left active, then enforce runtime controls that revoke issued access while also searching for dormant copies. This is where the OWASP Non-Human Identity Top 10 and current guidance from CISA Zero Trust Maturity Model both point in the same direction: visibility, revocation, and verification must be continuous, not event-based.
- Discover every secret store, embedded credential, and service account before enabling JIT.
- Correlate approvals with actual credential issuance and revocation events.
- Rotate or invalidate overlapping long-lived secrets when temporary access is granted.
- Monitor where the same secret is reused across applications or environments.
Without that visibility, revoked JIT access can coexist with untouched static credentials, which means the control proves process compliance but not actual loss of access. These controls tend to break down when secrets are duplicated across multiple vaults and CI/CD pipelines because revocation cannot reach every active copy.
Common Variations and Edge Cases
Tighter JIT controls often increase operational overhead, requiring organisations to balance reduced exposure against the cost of continuous discovery and faster rotation. That tradeoff becomes more pronounced in hybrid environments, where legacy applications still depend on hard-coded secrets or long-lived service accounts. Current guidance suggests that JIT should not be treated as a replacement for cleanup; it should trigger cleanup.
There is no universal standard for this yet, but the practical pattern is consistent: if a team cannot prove where a secret exists, it cannot prove that JIT has fully removed access. The risk is highest in CI/CD pipelines, ephemeral environments, and developer tooling, where credentials may be cached, cloned, or injected outside the vault workflow. The 52 NHI Breaches Analysis shows how often machine identity failures are driven by unseen credential paths rather than a single bad grant.
One useful rule is to treat any unexplained secret as standing access until proven otherwise. That stance is conservative, but it reflects how attackers operate: they use whichever credential path still works, even after the “official” JIT session has ended.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses secret lifecycle and rotation gaps that break JIT revocation. |
| NIST CSF 2.0 | PR.AC-1 | Access control fails if active secrets are invisible to governance. |
| NIST AI RMF | GOVERN | AI RMF governance supports accountability for automated access decisions. |
Inventory all active machine secrets and revoke any static credential that outlives its JIT task.
Related resources from NHI Mgmt Group
- What breaks when organisations try to run Zero Trust without full certificate visibility?
- What breaks when privileged access is not governed with least privilege and JIT?
- How should security teams decide whether JIT access is safe for non-human identities?
- What is the difference between JIT access and Zero Trust for NHIs?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
