What Is Zero Standing Privilege?
Zero Standing Privilege (ZSP) is the practice of ensuring no identity holds elevated or privileged access by default. Instead, access is granted just-in-time (JIT) for the specific task and time window it’s needed, then automatically revoked once that window closes. The goal is to shrink the amount of standing, always-available privilege that exists at any given moment, since a credential that isn’t elevated can’t be misused for privilege escalation even if it’s compromised.
This is a direct response to the traditional model, where accounts hold persistent administrative rights 24 hours a day whether they’re being used or not. That standing privilege is a constant attack surface: an attacker who compromises the credential inherits full elevated access immediately, with no additional step required.
In practice, ZSP is implemented as a request-approve-revoke cycle: an identity requests elevation, a policy engine or approver evaluates the request, access is granted for a bounded window, and it’s automatically revoked when that window expires or the task completes. It’s typically layered on top of an existing PAM or IGA platform rather than replacing it, and it only works for the accounts already known to and enrolled in that platform.