Least privilege defines how much access an identity should have, while zero standing privilege defines when that access should exist. For NHIs, both matter, but zero standing privilege is what removes always-on exposure from stolen secrets and stale service accounts. A team can be least-privileged and still be vulnerable if that access never expires.
Why This Matters for Security Teams
zero standing privilege and least privilege solve different parts of the same problem. Least privilege asks what an NHI should be allowed to do; ZSP asks whether that permission should exist at all when it is not actively needed. For service accounts, API keys, and agent workloads, the distinction is operational, not academic. Long-lived access is the usual failure point, because stolen secrets remain useful long after the original task is over. NHI guidance from Ultimate Guide to NHIs shows why persistent credentials and poor offboarding create lasting exposure, even in environments that appear well controlled.
That is also why current guidance around Zero Trust keeps stressing continuous verification rather than trust based on identity alone. NIST SP 800-207 Zero Trust Architecture treats access as something to be evaluated at request time, not granted as an enduring condition. The practical issue for security teams is that many access reviews find permissions are already too broad, while the more dangerous issue is that they are also always on. In practice, many security teams encounter this only after a secret leak, lateral movement event, or stale account misuse has already occurred, rather than through intentional review.
How It Works in Practice
In practice, least privilege is the design principle and ZSP is the enforcement model. A well-scoped NHI should still start with the minimum role, but that role should be activated only when the workload has a legitimate need. For humans, that often means approval workflows. For NHIs, especially agents and automated pipelines, it usually means ephemeral credentials, short token lifetimes, and tight scope boundaries. The goal is to make access temporary, attributable, and automatically revoked after the task completes.
This is where implementation details matter. A team may grant a deployment service account read access to one storage bucket, but ZSP would avoid leaving that credential present on disk, in code, or in a long-lived secret store. Instead, the workload should authenticate through workload identity and receive a JIT token or certificate only for the duration of the task. That approach aligns with the broader NHI risk picture described in Top 10 NHI Issues and the remediation themes in Ultimate Guide to NHIs — Key Challenges and Risks.
- Least privilege defines the minimum entitlement set for the workload.
- ZSP removes standing access and issues permissions only on demand.
- JIT credentials reduce the blast radius of leaked secrets.
- Workload identity proves what the NHI is before access is granted.
- Policy checks should occur at request time, not only during provisioning.
For operating models, this is consistent with the OWASP Non-Human Identity Top 10 focus on secret sprawl, over-privilege, and weak lifecycle control. These controls tend to break down when teams depend on static credentials embedded in CI/CD jobs because the secret remains usable long after the task that needed it has finished.
Common Variations and Edge Cases
Tighter privilege control often increases engineering overhead, requiring organisations to balance faster automation against stronger governance. That tradeoff becomes obvious in high-churn environments where tasks are short-lived, dependencies change frequently, or agents must chain multiple tools in one workflow. In those cases, least privilege alone can be too static, while ZSP can feel operationally expensive unless the identity layer is automated.
There is no universal standard for every agentic environment yet, but current guidance suggests moving toward context-aware authorisation, short TTL secrets, and per-task access grants. This matters most when autonomous systems can make decisions faster than human approval loops can keep up. For agentic workflows, the identity control plane should verify intent, scope, and time limit together, then revoke access as soon as the objective is complete. That pattern is more mature than broad RBAC for a workload that does not follow fixed paths.
One important edge case is emergency access. A break-glass NHI may temporarily violate ZSP, but that exception should be logged, narrowly bounded, and automatically retired. Another is shared platform automation, where teams often confuse convenience with necessity and leave privileged secrets in build systems. The breach patterns documented in Cisco DevHub NHI breach and 52 NHI Breaches Analysis show how quickly persistent access becomes incident fuel. In environments with legacy apps, cross-account automation, or unmanaged secrets, ZSP often degrades into policy theatre because the organisation cannot actually prove when access begins or ends.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Directly addresses secret rotation and standing access risk for NHIs. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust supports request-time authorization instead of always-on access. |
| NIST AI RMF | AI RMF fits agentic workloads where intent and runtime context drive access. |
Replace persistent NHI secrets with short-lived credentials and enforce automatic rotation.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 31, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
