Why JIT Access

Standing privileges are the most exploited attack vector in identity-based breaches. When administrators hold permanent membership in groups like Domain Admins or permanent activation of roles like Global Administrator, every compromised credential becomes an immediate path to full environment control.

The pattern is well-documented: an attacker compromises a single privileged credential through phishing, credential stuffing, or token theft. Because the privilege is always active, there is no additional barrier — lateral movement begins immediately, escalation follows, and data exfiltration or ransomware deployment completes the chain. The entire sequence exploits one architectural flaw: the privilege existed before it was needed.

The Problem

Most organizations accumulate standing privileges over time. An administrator receives Domain Admin membership during a migration project and keeps it. A Global Administrator role is assigned for an emergency and never revoked. Service accounts are granted broad permissions because scoping them precisely takes time no one has.

The result is an environment where dozens — sometimes hundreds — of accounts hold privileges they rarely use but never relinquish. Each one is a potential entry point that requires no escalation.

The Principle: Zero Standing Privileges

Just-In-Time (JIT) access replaces permanent privilege assignments with on-demand, time-bound grants. Users request elevation only when they need it, provide a business justification, receive approval where required, and the privilege is automatically revoked when the activation window expires.

This eliminates the core vulnerability: if no account holds standing privileges, a compromised credential cannot immediately access privileged resources. The attacker must also compromise the JIT approval workflow — a fundamentally harder problem.
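The request, approval, and expiry flow described above can be modelled in a few lines. This is an added example, not code from the product this page documents; `JitBroker`, `Grant`, the four-hour `MAX_WINDOW` cap, and the rule that a requester cannot approve their own elevation are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(hours=4)  # assumed policy cap, not a value from the page
@dataclass
class Grant:
    user: str
    role: str
    justification: str
    duration: timedelta
    expires_at: "datetime | None" = None  # None until the grant is activated

class JitBroker:
    """Hypothetical in-memory broker: a role is active only while a grant is unexpired."""
    def __init__(self, roles_requiring_approval):
        self.roles_requiring_approval = set(roles_requiring_approval)
        self.grants = []

    def request(self, user, role, justification, duration, now):
        if not justification.strip():
            raise ValueError("business justification is required")
        if not timedelta(0) < duration <= MAX_WINDOW:
            raise ValueError("activation window outside policy")
        grant = Grant(user, role, justification, duration)
        if role not in self.roles_requiring_approval:
            grant.expires_at = now + duration  # no approval needed: activate now
        self.grants.append(grant)
        return grant

    def approve(self, grant, approver, now):
        if approver == grant.user:
            raise PermissionError("requester cannot approve their own elevation")
        grant.expires_at = now + grant.duration  # window starts at approval

    def is_active(self, user, role, now):
        # Expiry is evaluated on every check, so revocation needs no cleanup job.
        return any(g.user == user and g.role == role and g.expires_at is not None
                   and now < g.expires_at for g in self.grants)

def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    broker = JitBroker({"Domain Admins"})
    before = broker.is_active("alice", "Domain Admins", t0)  # credential alone, no grant
    g = broker.request("alice", "Domain Admins", "constructed ticket: patch DC", timedelta(hours=1), t0)
    pending = broker.is_active("alice", "Domain Admins", t0)  # requested, not yet approved
    broker.approve(g, "bob", t0)
    during = broker.is_active("alice", "Domain Admins", t0 + timedelta(minutes=30))
    after = broker.is_active("alice", "Domain Admins", t0 + timedelta(hours=1))
    return before, pending, during, after
```

`demo()` returns the privilege state at four points: before any request, while the request is pending, inside the approved window, and at the moment the window closes.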

What This Section Covers

This section provides the factual foundation for understanding why JIT access matters, grounded in industry data and regulatory requirements rather than product marketing.

| Page | Focus |
|---|---|
| Risk Landscape | Industry statistics on breach costs, credential-based attacks, and the operational cost of standing privileges |
| Compliance Requirements | Specific NIS2, DORA, ISO 27001, SOC 2, and BSI Grundschutz articles that mandate privileged access controls |
| Feature–Risk Matrix | How JIT access capabilities map to specific risks in hybrid AD and Entra ID environments |

For Assessment Reports

These pages serve as reference material for infrastructure assessment reports. The data and regulatory citations here are designed to support management summaries, risk assessments, and actionable recommendations grounded in evidence rather than opinion.

Perspectives by Audience

Different stakeholders care about different aspects of the standing-privilege problem:

Executive leadership focuses on financial exposure — breach costs, regulatory fines, and insurance implications. The Risk Landscape page provides the quantified data.

IT management and CISOs need to map regulatory obligations to concrete technical measures. The Compliance Requirements page walks through each framework's specific demands.

IT operations teams want to understand the practical impact on daily workflows — what changes, what improves, and how the transition works. The Feature–Risk Matrix page shows the before-and-after for common administrative scenarios.