Standing access
Standing access is permission that remains granted when nobody is using it: the production database password sitting in a developer's password manager, the cluster-admin kubeconfig on a laptop, the service account token issued two years ago and never rotated. It is the default state of most access, and it is what attackers actually use. Verizon's 2026 Data Breach Investigations Report puts credential abuse in 39% of breaches, the single most common way in. The reason standing access is singled out is that a credential's risk is not a property of the moment it is used; it accumulates for as long as the credential exists. Every day it exists is another day it can be phished, committed to a repository, left on a decommissioned laptop, or carried to a new team by someone who no longer needs it. A credential that was never issued cannot be any of those things.
Why it exists everywhere
Standing access is not usually a decision. It is the residue of decisions. Access is granted for an event (an incident, an onboarding, a migration, one bad Friday) and then scoped to a person rather than to the event. Revocation has no forcing function: nothing breaks when a permission is left in place, and something might break if it is taken away, so the safe move for whoever is holding the ticket is always to leave it.
The result is that a credential's real exposure is the union of everywhere it has ever been: the laptop, the second laptop, the CI log it was accidentally echoed into, the screenshot in the incident channel, the backup of the password manager. None of that is visible at the moment you decide whether to revoke it, so the decision keeps going the same way.
The standard answers, and what each one leaves behind
- Rotation. Shortens the window in which a leaked credential is useful. It does not reduce the number of credentials in existence, and a credential rotated every ninety days is still standing access for ninety days.
- Vaulting. Secures storage and centralises issuance, which is a genuine improvement to how credentials are handled. The credential still exists, and it still does everything it could do before, for whoever pulls it out of the vault.
- Just-in-time elevation. The best of the three: access exists only inside an approved window, which is what "zero standing privilege" aims at. Two things survive it. It is still access: during the window, the blast radius is whatever the role allows. And the approval is a workflow a human has to complete, usually in the middle of an incident, which is precisely when people route around it.
Each of these is worth doing and none of them removes the credential. That is not a criticism of them; it is a description of the ceiling they share. They make holding dangerous access safer. They do not answer the question of why the developer needs to hold it.
The alternative: don't issue one
If a developer never holds a credential, there is nothing to rotate, steal, vault, or revoke. Getting there means the operation is performed on their behalf by something that does hold a scoped identity, and their authority to ask for it is checked at the moment they ask. The permission is attached to the operation, and the human is attached to the request.
This is a real trade, not a free lunch, and it is worth stating the cost plainly: the thing performing the operation now holds a permission, and that permission is standing. What changes is its shape: one identity, confined to a fixed set of operations, running inside the cluster, that cannot be phished off a laptop or committed to a repository, instead of one credential per developer, each able to do anything the role allows, from anywhere, forever.