Key points
- Includes always-on admin rights, long-lived API keys, and persistent cloud roles
- Primary target of credential-theft and supply-chain attacks
- Reduced by JIT access, secrets rotation, and least-privilege reviews
- Visible in CIEM and IGA reports
- Often invisible in legacy access reviews focused on apps, not cloud entitlements
What it is
Standing privilege is the catch-all term for elevated access that exists whether or not it's being used right now. It includes always-on Global Administrator accounts, long-lived AWS access keys, service accounts with broad cloud roles, and developers with permanent production access.
Why it matters
Most modern breaches don't start with a 0-day — they start with a stolen credential. When that credential carries standing privilege, the attacker inherits the same blast radius the legitimate user had. Eliminating standing privilege is the highest-ROI security control most organizations can implement.
How to reduce it
- Move privileged humans to JIT access workflows
- Rotate and vault long-lived credentials, and replace them with short-lived tokens wherever possible (OIDC for CI/CD, IAM Roles Anywhere, workload identity)
- Run CIEM tools to surface unused entitlements
- Tie access reviews to actual usage data, not org-chart assumptions
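The review steps above can be expressed as a small script. The following is an added example, not code from the original page or from any CIEM product: it takes an entitlement inventory (with JIT grants marked by an expiry), a list of long-lived access keys, and a usage log, then surfaces standing grants that have not been exercised within the review window, JIT grants that outlived their expiry without being revoked, and keys past the rotation threshold. Every principal, entitlement name, key id, date and threshold in it is constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed review date; a real review would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
UNUSED_DAYS = 90       # standing grant unused this long -> candidate for removal
KEY_MAX_AGE_DAYS = 90  # long-lived key older than this -> rotate or replace


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed entitlement inventory, the shape a CIEM/IGA export would provide.
# "jit_expires" is None for always-on (standing) grants.
ENTITLEMENTS = [
    {"principal": "alice",     "entitlement": "GlobalAdministrator",   "jit_expires": None},
    {"principal": "alice",     "entitlement": "prod-db-read",          "jit_expires": None},
    {"principal": "bob",       "entitlement": "prod-deploy",           "jit_expires": None},
    {"principal": "ci-runner", "entitlement": "artifact-bucket-write", "jit_expires": None},
    # JIT grant whose expiry has passed but which is still present in the inventory
    {"principal": "carol",     "entitlement": "prod-deploy",           "jit_expires": days_ago(2)},
    # JIT grant that is still within its approved window
    {"principal": "dave",      "entitlement": "prod-deploy",           "jit_expires": NOW + timedelta(hours=4)},
]

# Constructed long-lived credential inventory (key ids are placeholders).
ACCESS_KEYS = [
    {"principal": "ci-runner", "key_id": "KEY-CI-1",  "created": days_ago(400)},
    {"principal": "bob",       "key_id": "KEY-BOB-1", "created": days_ago(30)},
]

# Constructed usage records: (when, principal, entitlement exercised).
USAGE = [
    (days_ago(1),   "alice",     "prod-db-read"),
    (days_ago(200), "alice",     "GlobalAdministrator"),
    (days_ago(3),   "bob",       "prod-deploy"),
    (days_ago(1),   "ci-runner", "artifact-bucket-write"),
    (days_ago(5),   "dave",      "prod-deploy"),
]


def last_use(usage):
    """Map (principal, entitlement) -> timestamp of the most recent use."""
    seen = {}
    for when, principal, ent in usage:
        key = (principal, ent)
        if key not in seen or when > seen[key]:
            seen[key] = when
    return seen


def unused_standing_entitlements(entitlements, usage, now=NOW, unused_days=UNUSED_DAYS):
    """Standing grants with no recorded use inside the window: review candidates."""
    recent = last_use(usage)
    cutoff = now - timedelta(days=unused_days)
    findings = []
    for e in entitlements:
        if e["jit_expires"] is not None:
            continue  # time-bound grant; checked by expired_jit_grants instead
        used = recent.get((e["principal"], e["entitlement"]))
        if used is None or used < cutoff:
            findings.append((e["principal"], e["entitlement"], used))
    return findings


def expired_jit_grants(entitlements, now=NOW):
    """JIT grants still present after expiry: revocation failed or was skipped."""
    return [(e["principal"], e["entitlement"]) for e in entitlements
            if e["jit_expires"] is not None and e["jit_expires"] < now]


def stale_access_keys(keys, now=NOW, max_age_days=KEY_MAX_AGE_DAYS):
    """Long-lived keys older than the rotation threshold."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["key_id"] for k in keys if k["created"] < cutoff]


if __name__ == "__main__":
    for p, ent, used in unused_standing_entitlements(ENTITLEMENTS, USAGE):
        when = used.date() if used else "never"
        print(f"UNUSED standing grant: {p} -> {ent} (last used: {when})")
    for p, ent in expired_jit_grants(ENTITLEMENTS):
        print(f"EXPIRED JIT grant still present: {p} -> {ent}")
    for key_id in stale_access_keys(ACCESS_KEYS):
        print(f"STALE long-lived key: {key_id}")
```

The point of keying the review on (principal, entitlement) rather than on the principal alone is that a user can be active daily through one role while never touching a far more powerful one; in the constructed data, alice uses prod-db-read constantly, which is exactly what would hide her dormant Global Administrator grant from a review that only asks "is this account in use?".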
Common misconceptions
- MFA doesn't fix standing privilege. A phished or stolen session token still wields the same standing rights as the user who authenticated.
- Standing privilege isn't just admins. A developer with permanent prod read access still holds standing privilege.
FAQ
Is zero standing privilege achievable?
Not literally — break-glass accounts will always exist. But the goal is to drive standing privilege to a small, monitored, audited set.
