Identity GlossaryLast updated July 17, 2026

Zero Standing Privilege (ZSP)

A neutral definition of Zero Standing Privilege and just-in-time access: granting elevated permissions only for the moment they’re needed, then revoking them automatically.

What Is Zero Standing Privilege?

Zero Standing Privilege (ZSP) is the practice of ensuring no identity holds elevated or privileged access by default. Instead, access is granted just-in-time (JIT) for the specific task and time window it’s needed, then automatically revoked once that window closes. The goal is to shrink the amount of standing, always-available privilege that exists at any given moment, since a credential that isn’t elevated can’t be misused for privilege escalation even if it’s compromised.

This is a direct response to the traditional model, where accounts hold persistent administrative rights 24 hours a day whether they’re being used or not. That standing privilege is a constant attack surface: an attacker who compromises the credential inherits full elevated access immediately, with no additional step required.

In practice, ZSP is implemented as a request-approve-revoke cycle: an identity requests elevation, a policy engine or approver evaluates the request, access is granted for a bounded window, and it’s automatically revoked when that window expires or the task completes. It’s typically layered on top of an existing PAM or IGA platform rather than replacing it, and it only works for the accounts already known to and enrolled in that platform.

Share

How Zero Standing Privilege Works

A ZSP model runs through five stages for every elevation request.

1

Access Request

An identity or automated process requests elevated access for a specific task, rather than holding that access continuously.

2

Policy Evaluation

A policy engine or human approver checks the request against defined rules before granting anything.

3

Time-Boxed Grant

Access is elevated for a bounded window, minutes or hours, scoped to the task rather than indefinite.

4

Automatic Revocation

Elevated access is automatically removed when the window expires or the task completes, with no manual cleanup step required.

5

Audit Trail

Every request, approval, and revocation is logged, giving a complete record of who was elevated, when, and why.

Frequently Asked Questions

See the Identity System of Record in Action

Hydden discovers, reconciles, and continuously governs every identity (human, machine, and agentic) across your enterprise.

© 2026 Hydden Inc. All rights reserved.Privacy PolicyTerms of Service