IAM teams have spent years trying to kill standing privilege, and for good reason. Long lived API keys, service accounts and persistent machine access have become some of the easiest ways for attackers to escalate privileges and move quietly across environments.
Just-In-Time (JIT) access promised a cleaner model. If access exists only for a short window, the logic goes, the blast radius will shrink with it. A token that exists for minutes should be far less dangerous than one that sits valid for months.
That logic is directionally right, but it is also incomplete. JIT reduces the lifespan of the credential, not the trustworthiness of the non-human identity (NHI) using it for access.
And that distinction matters more than ever. If a compromised service account or hijacked CI/CD runner can still get fresh privileged access on demand, then the organization has not removed trust from the system. It has simply automated it.
That is the JIT paradox. The credential may be dynamic, but the trust behind it is still standing.
Enterprise Security for AI Agents & Non-Human Identities
Ephemeral credentials. Persistent assumptions.
JIT is often framed as the destination of modern access security. In practice, it is only one important layer. Short-lived secrets reduce the window of abuse, but they do not answer the more important question of whether the NHI requesting that access should be trusted at all.
Every JIT model depends on some form of trusted issuer: a broker, a workload identity system, a pipeline runner, a token service or a cloud IAM policy capable of granting access dynamically. In other words, ephemeral access still rests on a standing assumption that some other NHI or service is trustworthy enough to request it.
That is where the weakness begins.
Threat actors do not need to hunt for every 15-minute token if they can compromise the identity, workload, or automation path permitted to mint new ones. Once that happens, the request looks normal, the token is valid, and the action can blend in as legitimate.
The “factory” is now the target
Defenders usually focus on the product coming out of the system: the token, the credential, the temporary privilege. Modern attacks focus on the factory.
An attacker who compromises that layer no longer has to steal access in the traditional sense. They can abuse the mechanism that creates it, often in ways that look operationally normal. That is what makes these architectures so attractive to attackers: the closer they get to the issuer, the cleaner the resulting access appears.
The 2025 Salesforce Drift supply chain attack illustrated this dynamic. In that campaign, attackers compromised the Drift integration layer and used compromised OAuth tokens associated with the app to access Salesforce customer environments. The lesson was not merely that tokens can be stolen. It was that once a trusted intermediary is compromised, the downstream access can still look legitimate enough to pass through normal operational paths.
This is the real architectural gap in many deployments. Organizations replaced static secrets with dynamic issuance, but never added enough scrutiny to the non-human identities behind the request.
That is not Zero Trust. It is trust with a shorter expiration date.
Zero Trust for NHIs is not a principle. It is an enforcement layer.
For Entro, Zero Trust is not a slogan or a box to check. It is an operational outcome we deliver by continuously evaluating trust at the level of the non-human identity itself, not just the secret it happens to use.
That starts with context. Entro learns what normal looks like for each NHI by continuously tracking:
- Baseline Activity: The specific actions it performs and what resources it typically touches over time.
- Consumer Usage: Who or what is invoking the identity.
- Sensitive Operations: Monitored alongside IAM policy changes through native cloud audit logs to detect deviations.
Entro uses that context to apply adaptive controls that restrict risky behavior without disrupting legitimate production workloads.
That distinction matters because most NHI security programs stop at visibility. Many can identify an over-privileged identity. Some can tell you when an identity or secret has been exposed. Far fewer can safely enforce least privilege when that identity starts behaving in ways it never has before. That is the gap Entro is built to close, and the point at which Zero Trust stops being a principle and becomes a control security teams can actually enforce.
Trust should break before production does
One of the reasons security teams hesitate to enforce machine access controls is the fear of breaking production, and that fear is justified. Broad revocations, blunt policy changes, and overreactive blocking can cause outages just as easily as they can stop abuse. As a result, many teams stop at visibility and context. They monitor, alert and triage manually, even when they already know an NHI is risky.
That is why targeted enforcement matters.
Entro’s approach is not about shutting down entire environments or applying overly wide controls that security teams are afraid to touch. It is about understanding baseline behavior for each NHI and applying targeted deny policies only when that identity crosses a meaningful threshold, whether by performing a new sensitive action, being used by an unknown consumer, or operating outside its expected pattern.
That is how least privilege stops being an aspiration and becomes an enforceable control.
JIT is necessary. Blind trust is optional.
None of this means JIT is the wrong model. Moving away from standing privilege is still one of the most important shifts in modern identity and cloud security. Short-lived access is better than long-lived access, and dynamic secrets are safer than static secrets left to sprawl across pipelines, workloads, and cloud environments.
But temporary access is not the same as verified access.
If the NHI requesting access is never evaluated in context, if its behavior is not baselined, and if enforcement remains too blunt to apply safely, then JIT only solves half the problem.
The next phase of access security will be defined not only by how quickly credentials expire, but by how intelligently trust is enforced around the identities using them. For Entro, that is where Zero Trust becomes real: not as a slogan, but as an outcome delivered through behavior-based controls that can safely restrict risky NHIs before abuse turns into impact.
The real question is not how short-lived the token is
JIT has helped the industry move in the right direction, but it should be seen for what it is: an important control, not the final architecture. The real challenge is no longer just eliminating standing privilege. It is eliminating standing trust in the non-human identities, brokers, and automation paths that can still generate access on demand.
That is the JIT paradox. The credential may be ephemeral, but the assumptions behind it often are not.
The organizations that get this right will be the ones that stop treating Zero Trust as a human access model alone and start applying it to the machine identities that now power cloud operations, automation, and AI-driven workflows. In the end, the real question is not whether a token lives for five minutes or fifteen.
It is whether the machine asking for it should have been trusted in the first place.
Are your ephemeral credentials masking standing trust?
JIT is an important step forward, but without Zero Trust enforcement for NHIs, it still leaves one of the most important questions unanswered: can the machine asking for access actually be trusted? That is the gap Entro is built to close. To see where standing trust may still exist in your environment, connect with the Entro team here
