Just-in-time access issues credentials only when a task needs them and revokes them after use, while static secrets remain valid until someone changes them. In DevOps, that difference changes the blast radius of compromise. Ephemeral access limits reuse, but static secrets give attackers a reusable path into builds and deployments.
Why This Matters for Security Teams
Just-in-time access and static secrets solve different problems, but DevOps teams often blur them into a single “secure credentials” discussion. JIT is a control for reducing standing privilege at the moment of use; static secrets are long-lived assets that keep working until rotated or revoked. That distinction matters because build systems, deployment runners, and automation accounts are attractive targets for reuse, especially when secrets are copied into pipelines, chat tools, or tickets. NHIMG’s Guide to the Secret Sprawl Challenge shows how quickly credential exposure spreads across modern delivery workflows, and the CI/CD pipeline exploitation case study illustrates why pipeline identities are so often targeted after a single leak. Current guidance from the OWASP Non-Human Identity Top 10 treats overprivileged and persistent machine access as a core risk, not an edge case.
The practical issue is blast radius: static secrets are reusable even when the original request is over, while JIT credentials can narrow the window for misuse. In practice, many security teams discover the weakness only after a pipeline token has already been replayed from an unexpected location, rather than through deliberate access design.
How It Works in Practice
In a mature DevOps flow, JIT access is usually paired with workload identity and policy checks at request time. A pipeline or agent proves who it is, requests the minimum entitlement for a single task, receives a short-lived credential, and loses that credential automatically when the task ends. That pattern works well for deploy approvals, break-glass admin access, ephemeral cloud actions, and temporary access to secrets managers. For longer-lived automation, the better model is still to avoid static secrets where possible and replace them with cryptographic workload identity and tightly scoped, time-bound tokens.
Static secrets, by contrast, remain valid until rotated. They are easy to embed in CI variables, container images, scripts, and legacy integrations, which is why they become a reusable path into builds and deployments. The 2026 State of Secrets Sprawl 2026 reported that 64% of valid secrets leaked in 2022 are still valid and exploitable today, a clear sign that detection without revocation is not enough. That finding is consistent with broader breach patterns documented in the 52 NHI Breaches Analysis, where exposed machine credentials often become the pivot point for deeper compromise.
- Use JIT for privileged actions that do not need permanent standing access.
- Use workload identity for systems that must authenticate continuously.
- Keep secrets short-lived, narrowly scoped, and revocable by policy.
- Log issuance, use, and revocation so access can be audited end to end.
The best practice is to bind access to task, context, and time, not to a reusable secret that survives the job. These controls tend to break down when legacy tooling requires hardcoded credentials because the integration cannot call a broker or token exchange service.
Common Variations and Edge Cases
Tighter JIT controls often increase operational overhead, so organisations must balance reduced blast radius against deployment speed and integration complexity. There is no universal standard for this yet, especially where older build tools, third-party SaaS hooks, or air-gapped environments cannot support short-lived token issuance.
One common edge case is service-to-service automation that runs too frequently for human approval but still should not rely on static secrets. In those cases, guidance suggests moving toward workload identity, policy-based entitlement, and automated rotation rather than treating a long-lived token as acceptable just because the workload is “trusted.” Another edge case is emergency access: JIT is useful there, but only if approval, scope, and expiration are enforced automatically.
For implementation detail, the Ultimate Guide to NHIs - Static vs Dynamic Secrets is the clearest NHIMG reference point, while the OWASP Non-Human Identity Top 10 remains the most practical external lens for prioritising machine-identity risk. In practice, teams get into trouble when they treat static secrets as “temporary enough” and only later discover that the exposure window was effectively permanent.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses overlong secret lifetimes and missing revocation for machine identities. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access control fits JIT issuance and task-scoped entitlement. |
| NIST AI RMF | Runtime policy and accountability are essential when automation requests access dynamically. |
Replace persistent secrets with short-lived credentials and enforce automated revocation on expiry.
Related resources from NHI Mgmt Group
- What is the difference between secrets management and access management for workloads?
- What is the difference between JIT access and Zero Trust for NHIs?
- What is the difference between trust scoring and real access control for agents?
- What is the difference between delegated access and least privilege?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 30, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
