It’s sometimes said that information wants to be free. However, freedom comes with risks. Especially when dealing with data that’s subject to laws around access, that’s property of individuals and entities, or that represents a business’s IP.
After all, granting privileges puts information at the fingertips of employees – and potentially threat actors too. When organizations rely on over-privileged accounts or standing privileges, they are exposed like never before.
What are standing privileges?
Standing privileges in cybersecurity refer to permanent, always-on access rights assigned to user accounts—typically administrative or privileged accounts—that allow them to access sensitive systems, data or resources at any time.
Why standing privileges are an issue now
The world requires on-demand connectivity, for everything from online banking to booking flights. Of course, that also means standing privileges are always on too.
This allows businesses to compete on access to insights: for example, granting employees access to resources at the right time to complete their tasks. Privileges also let businesses gain a competitive advantage through a self-service approach, rather than waiting for busy helpdesks to review and approve requests manually.
Meanwhile, the freedom to self-serve often means less visibility – and security – into privilege usage and escalation. That can lead to compromises such as Uber’s 2022 breach, when an ‘attacker found high-privileged credentials on a network file share and used them to access everything.’
The rise of non-human entities that require access, such as IoT devices, has further widened corporate attack surfaces. This is what led to the high-profile attack involving Dropbox, when attackers compromised a non-human account that ‘had privileges to take a variety of actions’ within the production environment.
These trends help explain why Gartner is pushing Zero Standing Privileges (ZSP) and Privileged Access Management (PAM) as a top priority in 2025. Back in 2019, the analysts highlighted the need to ‘remove standing privileges through a Just-In-Time PAM approach.’
Fast forward to this year, when ZSP was a hot topic at the Gartner IAM Summit 2025, with Zero Trust and PAM mentioned in the executive summary key takeaways (pdf). That’s why businesses are being urged to apply Zero Trust principles as a way of avoiding PAM pitfalls and defending against dangers of standing privileges.
Dangers of standing privileges
Standing privileges means giving ongoing access to data, systems and the environment, without the restrictions placed on standard users. Some of these privileges may be necessary, but often only for limited periods of time or until a task is completed. If compromised, standing privileges can offer an open door into the business. That’s why there are multiple reasons why these types of accounts are a target for insiders and hackers:
- Freedom with undetected movement: Privileged accounts are less likely to be monitored, so malicious activity and lateral movement through network traffic are less likely to be detected. This can lead to advanced persistent threats that can last ‘on-average for more than 200 days.’ (pdf).
- Single point of entry: One privileged account offers wide, deep, always-on access to the business environment. For attackers, resources can be focused on simply gaining entry to a targeted account, rather than adopting a brute-force ‘spray and pray’ approach.
- Social engineering: Persuading employees to bypass security controls remains a popular attack vector. The Scattered Spider group used this approach in their MGM Resorts breach to ‘lure users into giving up their login credentials or One-Time-Password codes to bypass multi-factor authentication.’
- Privilege escalation: When account credentials are compromised, it’s often easier for the attacker to escalate privileges, either horizontally or vertically. This may include rights to add or modify objects as domain admins.
- More rights than necessary: Privileges may be excessive, applied across a department without the granularity that separates individual employees’ roles and responsibilities. Not everyone needs root access to servers, especially if their role concerns troubleshooting or general maintenance.
Naturally, these dangers bring a variety of risks. There’s the prospect of data exfiltration. If there’s valuable IP, then the business may lose profitability, especially if corporate secrets are shared publicly or with competitors.
Further financial fallout comes from the impact on reputation and how this may affect current and potential customers. The average cost of a data breach has been estimated at $4.24 million, but other less tangible costs can have a longer-term impact, from stolen data and increased insurance premiums, to share price impact and the loss of trust among a reported 66% of US consumers.
Compromised data can also lead to risks of non-compliance if the data hasn’t been processed or stored correctly. For example, data minimization is a ‘foundational principle’ of the CCPA (pdf) and its requirements for managing consumers’ personal information. Organizations will also need to align processes to NIST’s draft proposals, which are ‘broadly intended to help organizations manage the privacy risks that arise from personal data flowing through complex information technology systems.’
The path forward: Just-in-Time access
The answer is to give users what they need, Just-In-Time (JIT), when they need it – and to remove it when they no longer need it.
Policies can be defined to support least privilege principles, aligned with Gartner’s push for ZSP. Each request can be evaluated before being authorized, or additional steps may be triggered based on a higher risk profile. For example, the user might try to log in from an unrecognized device, from a new location, or out of normal working hours, which would trigger a more aggressive verification check.
The attack surface is then reduced by the limited window of opportunity for credential stuffing. This attack vector figured in high-profile incidents such as with PayPal in 2023. A breach impacted almost 35,000 accounts and led to New York’s financial regulator issuing a $2 million fine.
Credential stuffing relies on users reusing passwords across multiple accounts (so credentials leaked from one service can be tried against others), something 78% of surveyed Americans admit to. To mitigate this threat, organizations could insist on users always creating, using, and remembering unique passwords. But in reality, there’s no way to ensure this happens. In any case, it’s not really practical when the average knowledge worker uses 11 applications, with 40% using even more (and 5% using 26+).
Instead, JIT and ZSP can add layers of privileged access security, with automated processes carrying the load instead of IT and security practitioners. With automation generating historical records of actions taken, there’s a consistent trail for auditors and regulators. There are also benefits for compliance and governance professionals, who can generate real-time reports and detailed logs to prove compliance with relevant laws and directives.
How organizations can make the shift
Ongoing monitoring is needed to audit current roles and policies, to avoid making PAM implementation mistakes. These should be mapped to relevant requirements such as the NIS2 Directive, SOX and any others where access control must be enforced for legal reasons. Access can be granted using role-based controls and supported with expiry tokens and policy conditions to revoke permissions, such as when offboarding workers and deprovisioning resources.
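The JIT flow described in the previous section (evaluate each request, trigger a stronger verification step for an unrecognized device, new location or out-of-hours request, and let the grant lapse) together with the expiry and offboarding revocation conditions just mentioned, as an added illustration that is not code from the article or from any PAM product. The roles, users, devices, working-hours window and 30-minute TTL are constructed assumptions; a real broker would read these from the PAM policy store and identity provider.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample policy data (hypothetical roles, users and devices).
ROLE_ENTITLEMENTS = {
    "dba": {"prod-db:read", "prod-db:admin"},
    "helpdesk": {"workstation:troubleshoot"},
}
KNOWN_DEVICES = {"alice": {"laptop-0423"}}
KNOWN_COUNTRIES = {"alice": {"GB"}}
WORKING_HOURS = range(8, 18)  # 08:00-17:59 UTC counts as normal working hours here


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    entitlement: str
    device_id: str
    country: str
    at: datetime
    step_up_passed: bool = False  # True once the stronger verification check succeeded


@dataclass
class Grant:
    user: str
    entitlement: str
    expires_at: datetime
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at


def risk_signals(req: AccessRequest) -> list[str]:
    """Context signals that raise the request's risk profile (the article's three examples)."""
    signals = []
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        signals.append("unrecognized_device")
    if req.country not in KNOWN_COUNTRIES.get(req.user, set()):
        signals.append("new_location")
    if req.at.hour not in WORKING_HOURS:
        signals.append("outside_working_hours")
    return signals


class JitBroker:
    """Issues short-lived grants; nothing is retained between grants (zero standing privileges)."""

    def __init__(self, ttl: timedelta = timedelta(minutes=30)):
        self.ttl = ttl
        self.grants: list[Grant] = []
        self.audit: list[dict] = []  # the historical record auditors can rely on

    def request(self, req: AccessRequest) -> Grant | None:
        # 1. Least privilege: the entitlement must belong to the requester's role.
        if req.entitlement not in ROLE_ENTITLEMENTS.get(req.role, set()):
            self._log(req, "denied", "entitlement not in role")
            return None
        # 2. Higher risk profile: require the stronger verification step before granting.
        signals = risk_signals(req)
        if signals and not req.step_up_passed:
            self._log(req, "step_up_required", ",".join(signals))
            return None
        # 3. Grant for a bounded window only; it lapses with no further action needed.
        grant = Grant(req.user, req.entitlement, req.at + self.ttl)
        self.grants.append(grant)
        self._log(req, "granted", "expires " + grant.expires_at.isoformat())
        return grant

    def offboard(self, user: str, now: datetime) -> int:
        """Policy condition: revoke every live grant when the worker leaves."""
        revoked = 0
        for g in self.grants:
            if g.user == user and g.is_active(now):
                g.revoked = True
                revoked += 1
        self.audit.append({"user": user, "at": now.isoformat(), "outcome": "offboarded",
                           "detail": f"{revoked} grant(s) revoked"})
        return revoked

    def active_entitlements(self, user: str, now: datetime) -> set[str]:
        return {g.entitlement for g in self.grants if g.user == user and g.is_active(now)}

    def _log(self, req: AccessRequest, outcome: str, detail: str) -> None:
        self.audit.append({"user": req.user, "entitlement": req.entitlement,
                           "at": req.at.isoformat(), "outcome": outcome, "detail": detail})


if __name__ == "__main__":
    t0 = datetime(2025, 6, 2, 10, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    broker.request(AccessRequest("alice", "dba", "prod-db:admin", "laptop-0423", "GB", t0))
    broker.request(AccessRequest("alice", "dba", "prod-db:admin", "tablet-9", "GB", t0))
    print("active now:", broker.active_entitlements("alice", t0))
    print("active after TTL:", broker.active_entitlements("alice", t0 + timedelta(minutes=31)))
    for entry in broker.audit:
        print(entry)
```

Two design points worth noting: the grant window is fixed at issue time rather than extended on use, so a forgotten session cannot quietly become a standing privilege, and every decision (including the refusals) lands in the audit list, which is what makes the trail consistent for the reports described in the previous section.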
For compliance and audits, this means scalable PAM solutions that are capable of logging who accessed what, when and for what purpose. Session recordings play a crucial role in capturing both this activity and user interactions, offering granular forensic analysis for auditing and investigating.
PAM user adoption strategies are business-critical – and often become one of the PAM deployment challenges. After all, employees want to know why they’re being prompted for additional factors. They don’t need to be locked out; they just need to know that access is controlled and contextualized.
This will involve reviewing current PAM training and change management programs. Employees need to be educated on risks such as privilege creep, and on the importance of granting privileges just in time rather than just in case they’re needed.
PAM implementation checklist: Are you at risk?
Start with evaluating current privilege practices within your organization. All privileged accounts should be recorded with granular categories such as whether they’re internal, third-party or a non-human entity. Assess whether these are active and whether the associated privileges are necessary.
Examine how privileges are assigned, including the default permissions. Analyze whether these are based on roles and attributes, and determine what happens if an employee moves departments and gains new or different responsibilities. The goal here is to check for potential privilege creep.
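The two checklist steps above (record every privileged account by category and activity, then compare assigned privileges against the role and check what an employee kept after moving departments), as an added example that is not from the article. The role baselines, the four-account inventory and the 90-day dormancy threshold are constructed for illustration; in practice the inventory would be exported from the directory and the PAM tool.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed role baselines (hypothetical): what each role should hold, nothing more.
ROLE_BASELINE = {
    "helpdesk": {"workstation:troubleshoot"},
    "dba": {"prod-db:read", "prod-db:admin"},
    "ci-runner": {"artifact:push"},
}

# Constructed privileged-account inventory (hypothetical accounts).
INVENTORY = [
    {"account": "alice", "category": "internal", "role": "dba", "previous_roles": [],
     "privileges": {"prod-db:read", "prod-db:admin"}, "last_used": date(2025, 5, 28)},
    # bob moved from dba to helpdesk but kept prod-db:admin: classic privilege creep
    {"account": "bob", "category": "internal", "role": "helpdesk", "previous_roles": ["dba"],
     "privileges": {"workstation:troubleshoot", "prod-db:admin"}, "last_used": date(2025, 5, 30)},
    # third-party account that nobody has used for months
    {"account": "vendor-svc", "category": "third-party", "role": "helpdesk", "previous_roles": [],
     "privileges": {"workstation:troubleshoot"}, "last_used": date(2025, 1, 15)},
    # non-human account holding a privilege its role never needed
    {"account": "ci-runner-7", "category": "non-human", "role": "ci-runner", "previous_roles": [],
     "privileges": {"artifact:push", "prod-db:admin"}, "last_used": date(2025, 5, 31)},
]


def summarize_by_category(inventory: list[dict]) -> dict[str, int]:
    """Granular count of privileged accounts per category (internal / third-party / non-human)."""
    return dict(Counter(acct["category"] for acct in inventory))


def audit_inventory(inventory: list[dict], today: date,
                    dormant_after: timedelta = timedelta(days=90)) -> list[dict]:
    """Flag dormant accounts, privileges beyond the role baseline, and rights kept after a role change."""
    findings = []
    for acct in inventory:
        name = acct["account"]
        baseline = ROLE_BASELINE.get(acct["role"], set())
        excess = acct["privileges"] - baseline

        # Privilege creep: anything the current role does not justify.
        if excess:
            findings.append({"account": name, "finding": "privilege_creep", "detail": sorted(excess)})

        # Department move: excess rights that belonged to a previous role were never removed.
        inherited = set().union(*(ROLE_BASELINE.get(r, set()) for r in acct.get("previous_roles", [])))
        retained = excess & inherited
        if retained:
            findings.append({"account": name, "finding": "retained_after_role_change",
                             "detail": sorted(retained)})

        # Activity check: a privileged account nobody uses is a standing privilege with no owner watching it.
        idle = today - acct["last_used"]
        if idle > dormant_after:
            findings.append({"account": name, "finding": "dormant", "detail": idle.days})
    return findings


if __name__ == "__main__":
    print("accounts by category:", summarize_by_category(INVENTORY))
    for f in audit_inventory(INVENTORY, date(2025, 6, 1)):
        print(f"{f['account']:<12} {f['finding']:<28} {f['detail']}")
```

Run against the constructed inventory, the report singles out bob's retained `prod-db:admin`, the idle vendor account and the CI runner's excess right, while alice produces no findings; each line is a candidate for removal or for conversion to a JIT grant.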
Eliminating standing privileges is only part of the puzzle. For comprehensive posture hardening, there should also be assessment of protocols for identity-based logins, and the application of contextual MFA for layered security, rather than a rigid one-size-fits-all approach. Limiting exposure in this way makes breaches harder to achieve and makes it more likely that any damage can be limited and contained.
Assessing PAM program maturity
When implementing a ZSP model, look toward the Zero Trust model for guidance. For example, with “never trust, always verify,” start by minimizing the default privileges. The assumption is that the user shouldn’t have any privileges until they’ve verified their identity.
To bring it all together, deploy a PAM tool that allows end-to-end visibility of privileged accounts, for monitoring and recording sessions in real-time. That means collecting, storing, managing, authenticating, recording and analyzing privileges, access and activity.
The resulting insights can be used to create a baseline of expected behaviors within the environment. Any excessive deviations can be detected and remediated. This baseline-driven approach means organizations measure against their own ‘norm’ rather than relying on pattern-based matching and its dependence on recognizing known patterns.
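The baseline-and-deviation idea in the two paragraphs above, as an added example that is not from the article or any PAM product: privileged session records collected by the tool are turned into a per-account norm (usual hours, usual daily volume, entitlements actually used), and a later day's sessions are compared against it. The session records, the five-day baseline window and the "mean plus three standard deviations" volume rule are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline: alice runs 2-3 prod-db:read sessions per workday between 09:00 and 15:00.
BASELINE_SESSIONS = []
for day, count in [(5, 2), (6, 3), (7, 2), (8, 3), (9, 2)]:
    for i in range(count):
        BASELINE_SESSIONS.append(("alice", datetime(2025, 5, day, 9 + 3 * i), "prod-db:read"))

# Constructed later day: far more sessions, one at 03:00, and an entitlement never used before.
NEW_DAY_SESSIONS = [("alice", datetime(2025, 5, 12, h), e) for h, e in [
    (9, "prod-db:read"), (10, "prod-db:read"), (11, "prod-db:read"),
    (13, "prod-db:read"), (3, "prod-db:admin"),
]]


def build_baseline(sessions: list[tuple]) -> dict[str, dict]:
    """Per-account norm: hour window, daily volume statistics and entitlements actually used."""
    per_day = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(set)
    entitlements = defaultdict(set)
    for account, start, entitlement in sessions:
        per_day[account][start.date()] += 1
        hours[account].add(start.hour)
        entitlements[account].add(entitlement)
    baseline = {}
    for account in per_day:
        counts = list(per_day[account].values())
        baseline[account] = {
            "hour_min": min(hours[account]), "hour_max": max(hours[account]),
            "daily_mean": mean(counts), "daily_stdev": pstdev(counts),
            "entitlements": entitlements[account],
        }
    return baseline


def deviations(baseline: dict[str, dict], sessions: list[tuple]) -> list[dict]:
    """Compare one day's sessions against the norm and report excessive deviations."""
    findings = []
    per_day = defaultdict(lambda: defaultdict(int))
    for account, start, entitlement in sessions:
        norm = baseline.get(account)
        if norm is None:
            findings.append({"account": account, "reason": "no_baseline", "detail": start.isoformat()})
            continue
        per_day[account][start.date()] += 1
        # Hour outside the window seen during the baseline period (one hour of tolerance either side).
        if not (norm["hour_min"] - 1 <= start.hour <= norm["hour_max"] + 1):
            findings.append({"account": account, "reason": "unusual_hour", "detail": start.isoformat()})
        # Privilege used that the account never exercised while the baseline was built.
        if entitlement not in norm["entitlements"]:
            findings.append({"account": account, "reason": "unseen_entitlement", "detail": entitlement})
    # Daily volume well above the norm: mean plus three standard deviations.
    for account, days in per_day.items():
        norm = baseline[account]
        limit = norm["daily_mean"] + 3 * norm["daily_stdev"]
        for day, count in days.items():
            if count > limit:
                findings.append({"account": account, "reason": "session_volume",
                                 "detail": f"{day}: {count} sessions, limit {limit:.1f}"})
    return findings


if __name__ == "__main__":
    norm = build_baseline(BASELINE_SESSIONS)
    print("baseline:", norm["alice"])
    for f in deviations(norm, NEW_DAY_SESSIONS):
        print(f)
```

Because the thresholds come from the account's own history, a change in how a team works is absorbed by rebuilding the baseline, and a deviation finding is a prompt to review or revoke the privilege rather than a signature for a specific known attack.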
When implemented with PAM best practices such as JIT and ZSP, organizations can move toward eliminating standing privilege risks. There’s measurable and visible data to meet governance requirements, and a system that adapts and scales while maintaining a robust identity security posture.