Zero Standing Privileges (ZSP)
Zero Standing Privileges (ZSP) is an advanced principle where no accounts (human or machine) retain continuous privileged access. Instead, all privileged rights are granted just-in-time, on demand, and immediately revoked once the task completes.
ZSP extends Just-in-Time (JIT) to the entire environment, aiming for a state where there are literally no permanent admin roles or root accounts. Any user wanting to perform an admin action must obtain ephemeral privileges each time. Typically, ZSP is enforced by a PAM solution or a trust broker that issues short-lived credentials.
While conceptually similar to JIT, ZSP goes further. A JIT programme usually still tolerates a handful of accounts that keep privileges permanently (long-lived service accounts, a standing domain admin group, an "emergency" admin that is used day to day). ZSP removes that exception: the target state is that no account, human or machine, holds a privilege it is not using right now. It is a hallmark of a fully matured privilege management strategy and usually part of a zero trust approach.
How does it affect identity security?
ZSP sharply reduces the blast radius of credential theft and insider abuse. If no account holds privileged rights permanently, a stolen password, hash or session cookie buys the attacker only the baseline identity; every privileged action still requires a fresh, approved elevation, and that request is itself visible to the defender. Even domain admin or root rights become ephemeral grants: once the session ends the token is void, and a copy exfiltrated during the session dies with it. The "keys to the kingdom" scenario shrinks from a permanent condition to a window of minutes. The caveat is that the broker and its approval path become the most valuable target in the environment, so they need phishing-resistant authentication, their own tamper-evident logging and no standing privileges of their own.
ZSP also produces continuous auditing as a by-product: because every privileged action is preceded by an explicit request and, where policy demands it, an approval, each elevation leaves a record of who asked, why, who approved, what was granted and for how long. From an identity security standpoint, ZSP therefore addresses a core weakness, long-lived privileges, which often turn a single compromised credential into a major breach.
ZSP is particularly relevant to cloud computing, where resources spin up and down frequently. Cloud providers already encourage ephemeral credentials: AWS STS issues temporary credentials with a bounded session duration, and Microsoft Entra Privileged Identity Management (PIM) makes roles "eligible" rather than permanently active, so they must be activated for a limited time. Under a ZSP model, even the highest roles in the cloud (AWS administrator roles, Entra Global Administrator) are checked out through a secure workflow that issues short-lived tokens. One practitioner caveat: some identities cannot be made just-in-time by construction, such as the AWS account root user or a true break-glass account, so ZSP treats them as sealed rather than ephemeral: hardware MFA, no access keys, credentials held out of band, and an alert on any use.
Implementing ZSP is challenging in large, dynamic environments. Machine identities are the usual sticking point, since automation cannot wait for a human approver and needs policy-driven, automatic grants with short lifetimes instead. The payoff is a near-complete removal of standing admin exposure.
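The request, approval, bounded token, immediate revocation and audit trail described above can be seen end to end in a small broker. The following is an added example written for this page, not code from any PAM product or cloud provider; it assumes a hypothetical HMAC-signed JSON token format (JWT-like, kept deliberately simple), a 15-minute ceiling on grants, the constructed principals alice and bob and privilege strings such as db:admin, and a broker signing key that in practice would live in an HSM or vault. It also shows two failure modes a practitioner cares about: a token stolen during a session is useless after the task is released, and an attacker who edits the claims to extend the expiry cannot produce a valid signature without the key.

```python
"""Illustrative zero-standing-privilege broker (added example, not a product)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class ZSPError(Exception):
    pass


class Broker:
    """Request -> approval -> bounded token -> revoke. There is no 'always admin' table."""

    def __init__(self, key=None, max_ttl=900, now=time.time):
        self.key = key or secrets.token_bytes(32)  # a real broker keeps this in an HSM/vault
        self.max_ttl = max_ttl
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # request id -> request awaiting approval
        self.revoked = set()      # token ids released before expiry
        self.audit = []           # every step, for accountability

    def _log(self, event, **fields):
        self.audit.append({"ts": self.now(), "event": event, **fields})

    def request(self, principal, privilege, justification, ttl):
        if not 0 < ttl <= self.max_ttl:
            raise ZSPError(f"ttl must be in (0, {self.max_ttl}] seconds")
        rid = secrets.token_hex(8)
        self.pending[rid] = {"sub": principal, "priv": privilege, "ttl": ttl}
        self._log("request", rid=rid, sub=principal, priv=privilege, why=justification)
        return rid

    def approve(self, rid, approver):
        req = self.pending.get(rid)
        if req is None:
            raise ZSPError("unknown or already handled request")
        if approver == req["sub"]:
            raise ZSPError("self-approval is not allowed")
        del self.pending[rid]
        iat = self.now()
        claims = {"jti": rid, "sub": req["sub"], "priv": req["priv"],
                  "iat": iat, "exp": iat + req["ttl"]}
        self._log("issue", rid=rid, approver=approver, exp=claims["exp"])
        return self._sign(claims)

    def _sign(self, claims):
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return body.decode() + "." + base64.urlsafe_b64encode(sig).decode()

    def _verify(self, token):
        """Return the claims if the signature is intact, else None."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
                return None
            return json.loads(base64.urlsafe_b64decode(body))
        except ValueError:  # malformed token, base64 or JSON
            return None

    def authorize(self, token, privilege):
        """Gate one privileged action; allow and deny are both logged."""
        claims = self._verify(token)
        if claims is None:
            self._log("deny", reason="bad token")
            return False
        reason = ("revoked" if claims["jti"] in self.revoked else
                  "expired" if self.now() >= claims["exp"] else
                  "wrong privilege" if claims["priv"] != privilege else None)
        if reason:
            self._log("deny", rid=claims["jti"], reason=reason)
            return False
        self._log("allow", rid=claims["jti"], sub=claims["sub"], priv=privilege)
        return True

    def release(self, token):
        """Task done: revoke now rather than waiting for expiry."""
        claims = self._verify(token)
        if claims is None:
            raise ZSPError("cannot release an invalid token")
        self.revoked.add(claims["jti"])
        self._log("revoke", rid=claims["jti"])


def demo():
    """One elevation lifecycle on constructed data; returns the audit trail as strings."""
    clock = [1_700_000_000.0]
    broker = Broker(now=lambda: clock[0])
    rid = broker.request("alice", "db:admin", "rotate creds for INC-42", ttl=600)
    token = broker.approve(rid, approver="bob")
    broker.authorize(token, "db:admin")   # allowed: signed, unexpired, right scope
    broker.authorize(token, "iam:admin")  # denied: scoped to one privilege
    broker.release(token)                 # task complete, revoke immediately
    broker.authorize(token, "db:admin")   # denied: a stolen copy is now worthless
    # Attacker rewrites the claims to push 'exp' out a day; the MAC no longer matches.
    body, sig = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["exp"] += 86400
    forged = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    broker.authorize(forged + "." + sig, "db:admin")
    return [e["event"] + (":" + e["reason"] if "reason" in e else "") for e in broker.audit]
```

Two design points carry over to real deployments. The broker holds no table of privileged principals at all, so there is nothing for a credential thief to inherit; the only path to a privilege is through request, approval and a token whose lifetime is capped by policy. And denials are logged with the same care as grants, because an attacker probing with a stolen or expired token is precisely the signal the case studies below turn on.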
Case studies
In mid-2022, GitLab reported a case where an attacker stole an internal team member’s credentials but found no standing privileges attached. The attacker attempted to request elevated access, triggering a security alert. Because GitLab had implemented a zero standing privilege model for engineering accounts, the attacker’s session was blocked before any privileged actions could be performed.
Another instance is Microsoft's March 2022 disclosure of the LAPSUS$ (DEV-0537) intrusion, which reported a single compromised account with limited access and no customer code or data affected; a compromised account that carries no standing privileges is exactly the containment ZSP is designed to produce. In both examples the absence of standing admin rights turned a credential theft into a contained event rather than an easy takeover of admin capabilities.