Temporary access granted to keep business operations moving during a transition such as a merger or acquisition. It becomes risky when expiry, ownership, or review is missing, because temporary rights can silently become standing privilege.
Expanded Definition
Provisional access is a controlled, time-bound entitlement granted to preserve operations during a transition, such as a merger, acquisition, migration, or ownership handoff. In NHI environments, it most often applies to service accounts, API keys, tokens, certificates, and agent permissions that need continuity while governance is being re-established.
Definitions vary across vendors and internal IAM teams, but the operational distinction is consistent: provisional access is not meant to be permanent, and it should be wrapped with expiry, explicit ownership, documented purpose, and a review trigger. That makes it different from ordinary temporary elevation, because the access is tied to a business transition and should be removed or re-scoped once the transition closes. The OWASP Non-Human Identity Top 10 is useful here because it frames the surrounding risks of over-privileged and poorly governed non-human credentials.
The most common misapplication is treating provisional access as a convenience layer with no hard expiry, which occurs when transition owners assume later cleanup will happen automatically.
Examples and Use Cases
Implementing provisional access rigorously often introduces coordination overhead, requiring organisations to balance continuity during a transition against the cost of tight expiry controls and frequent reviews.
- During a merger, a legacy finance integration account is allowed to keep posting transactions for 30 days while target-state ownership is assigned and credentials are reissued.
- In a cloud migration, a deployment bot retains limited read access to the old environment until cutover validation is complete, then expires automatically.
- After a vendor transition, a third-party automation token is kept active only long enough to export records and reconcile data, then revoked during offboarding.
- When a platform team restructures, a shared certificate is provisioned provisionally while the team maps service ownership and updates the NHI Lifecycle Management Guide controls into the new operating model.
- For emergency continuity, a break-glass-style service credential may be granted provisional scope, but only with logging, approval, and a specific review date aligned to the transition window.
These patterns align with the broader governance concerns documented in the Ultimate Guide to NHIs, especially where temporary rights can outlive the event that justified them.
Why It Matters in NHI Security
Provisional access becomes dangerous when no one owns the cleanup. In NHI programs, temporary rights can survive well beyond mergers, cutovers, and reorganisations, turning a business exception into standing privilege. That is especially risky because non-human identities already tend to accumulate excessive permissions, and the absence of review lets old access paths remain live across applications, APIs, and automation agents.
NHIMG research shows that 97% of NHIs carry excessive privileges, while only 20% of organisations have formal processes for offboarding and revoking API keys. That gap matters because provisional access often sits exactly where lifecycle discipline is weakest. The same risk pattern appears in the Top 10 NHI Issues and in the Ultimate Guide to NHIs, where unmanaged access persists after the business reason has expired.
Organisations typically encounter the consequence only after an audit, breach, or failed decommissioning effort reveals that temporary access became an untracked standing entitlement, at which point dealing with provisional access can no longer be postponed.
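The definition above (owner, expiry, documented purpose, review trigger), the use cases, and the point that cleanup fails when nobody owns it can be expressed as a small governance check. The following Python is an added example, not NHIMG's code or a product schema: the `ProvisionalGrant` record, its field names, the finding codes, the sample grants and their dates are all constructed for illustration, and the 90-day ceiling in `audit_grant` is an assumed policy value. It gates activation on the required fields and then audits a registry for grants that have drifted into standing privilege (no owner, no expiry, expired but still active, review overdue).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class ProvisionalGrant:
    """One provisional entitlement for a non-human identity (constructed model, not a product schema)."""
    identity: str                      # e.g. service account name, API key id, certificate subject
    scope: str                         # what the entitlement allows
    purpose: str                       # the business transition that justifies it
    owner: Optional[str]               # accountable person or team; None means orphaned
    granted_at: datetime
    expires_at: Optional[datetime]     # hard expiry; None means no expiry was set
    review_at: Optional[datetime]      # date on which removal or re-scoping must be decided
    revoked: bool = False


def activation_gate(grant: ProvisionalGrant) -> List[str]:
    """Pre-activation check: return the names of required fields that are missing.

    An empty list means the grant may be activated. This encodes the rule
    'assign an owner, expiry and review trigger before activation'.
    """
    missing = []
    if not grant.owner:
        missing.append("owner")
    if grant.expires_at is None:
        missing.append("expires_at")
    if grant.review_at is None:
        missing.append("review_at")
    if not grant.purpose.strip():
        missing.append("purpose")
    return missing


def audit_grant(grant: ProvisionalGrant, now: datetime, max_days: int = 90) -> List[str]:
    """Return finding codes for an active grant; an empty list means it is still well-governed.

    max_days is an assumed policy ceiling on how long a provisional grant may run.
    """
    if grant.revoked:
        return []                      # a revoked grant carries no standing-privilege risk
    findings = []
    if not grant.owner:
        findings.append("NO_OWNER")
    if grant.expires_at is None:
        findings.append("NO_EXPIRY")
    else:
        if now >= grant.expires_at:
            findings.append("EXPIRED_STILL_ACTIVE")
        if grant.expires_at - grant.granted_at > timedelta(days=max_days):
            findings.append("DURATION_EXCEEDS_POLICY")
    if grant.review_at is None:
        findings.append("NO_REVIEW_TRIGGER")
    elif now >= grant.review_at:
        findings.append("REVIEW_OVERDUE")
    return findings


def audit_registry(grants, now: datetime, max_days: int = 90) -> Dict[str, List[str]]:
    """Map each identity that has at least one finding to its findings."""
    report = {}
    for g in grants:
        findings = audit_grant(g, now, max_days)
        if findings:
            report[g.identity] = findings
    return report


# Constructed sample registry modelled on the use cases above; all dates are invented.
UTC = timezone.utc
SAMPLE_GRANTS = [
    # merger: legacy finance integration allowed 30 days, review set a week before expiry
    ProvisionalGrant("svc-finance-legacy", "post-transactions", "merger: legacy ERP integration",
                     "finance-platform", datetime(2026, 6, 1, tzinfo=UTC),
                     datetime(2026, 7, 1, tzinfo=UTC), datetime(2026, 6, 24, tzinfo=UTC)),
    # cloud migration: deployment bot keeps read access to the old environment until cutover
    ProvisionalGrant("deploy-bot-readonly", "read:old-env", "cloud migration cutover validation",
                     "platform-eng", datetime(2026, 6, 15, tzinfo=UTC),
                     datetime(2026, 7, 15, tzinfo=UTC), datetime(2026, 7, 10, tzinfo=UTC)),
    # vendor transition: token created without owner, expiry or review, i.e. the misapplication
    ProvisionalGrant("vendor-export-token", "export:records", "vendor transition data export",
                     None, datetime(2026, 5, 1, tzinfo=UTC), None, None),
    # an earlier vendor token that was properly revoked during offboarding
    ProvisionalGrant("vendor-old-token", "export:records", "vendor transition data export",
                     None, datetime(2026, 3, 1, tzinfo=UTC), None, None, revoked=True),
]
NOW = datetime(2026, 7, 1, tzinfo=UTC)

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        print(g.identity, "activation gate missing:", activation_gate(g))
    for identity, findings in audit_registry(SAMPLE_GRANTS, NOW).items():
        print(identity, findings)
```

Run against the sample registry at `NOW`, the finance account shows up as expired but still active with its review overdue, the vendor token is flagged on all three governance fields, the migration bot is clean, and the revoked token produces nothing. The same `audit_registry` call can be scheduled against a real entitlement inventory so that the review trigger fires on a clock rather than on someone remembering the transition.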
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers NHI lifecycle, ownership, and preventing temporary access from becoming standing privilege. |
| OWASP Agentic AI Top 10 | Agent tool access and delegated authority | Creates temporary-access governance risks similar to those for other NHIs. |
| NIST CSF 2.0 | PR.AA-04 | Identity and access management requires least privilege and timely revocation of temporary access. |
Assign an owner, expiry, and review trigger to every provisional NHI entitlement before activation.
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org