Apr 28, 2026

Zero Standing Privilege Is the New Standard for Securing AI Agent Identities

AUTHOR

James A. Wondrasek

It’s 2am. An AI agent with persistent read/write access to your production database receives a document to process. That document contains a prompt-injected payload. The agent executes the instruction — exactly as designed. Within seconds, 10,000 customer records are gone. No credential was stolen. No human account was touched. The agent just used the access it always had.

“Least privilege” — granting only the minimum permissions necessary — isn’t enough when those permissions are available around the clock at machine speed. Zero Standing Privilege (ZSP) is the higher bar: no identity holds persistent, always-on permissions between tasks. Access is granted dynamically when needed and revoked when the task ends.

So in this article we’re going to cover what ZSP means technically, why legacy PAM can’t deliver it, what the CrowdStrike–SGNL acquisition means for the market, and how to approach ZSP without a dedicated identity engineering team. For the broader picture, see the full AI agent security landscape.

Why Is Least Privilege Not Enough When AI Agents Never Sleep?

Least privilege limits what an identity can access. Zero standing privilege eliminates standing access entirely. Both are necessary, but they are not the same thing.

An AI agent with least-privilege access still holds those permissions at 3am on a Sunday. A prompt-injected payload executes with full permissions before any analyst even gets an alert. The standing access is the attack surface — not just its scope.

Privilege drift makes it worse. Service accounts get reused across dev, staging, and production. OAuth scopes balloon as agents evolve. Nothing gets revoked because no one wants to break a workflow that’s finally running. Non-human identities (NHIs) — service accounts, API keys, OAuth tokens, workload credentials, AI agent identities — outnumber human identities by approximately 144 to 1 in enterprise environments. Manual governance is overwhelmed before it starts.

Then there’s the delegated authority problem. When an agent acts on behalf of a human employee, it may inherit that employee’s full permission set. The agent’s blast radius is bounded by the human’s permissions, not the task’s requirements. When that person leaves or changes roles, every agent they deployed carries the legacy of their former access. That’s where shadow AI comes from — agents deployed outside enterprise visibility. For the foundational framing of why AI agents are a new category of insider threat, see our companion article on the NHI mental model.

CyberArk’s January 2026 study found that 91% of organisations report at least half their privileged access is always-on. Least privilege is being applied in name. ZSP is not being applied at all.

What Is Zero Standing Privilege and How Does It Differ from What You Already Have?

ZSP is a security model where no persistent, pre-provisioned permissions are held by any identity between task executions. Access is minted at runtime and expires when the task ends.

The contrast with least privilege is architectural, not incremental. Least privilege asks “how much access should this identity have?” ZSP asks “should this identity hold any access when it’s not actively working?” Under least privilege, an agent holds minimised permissions continuously. Under ZSP, an agent holds nothing between tasks — no persistent credential to steal or abuse.

The threat model is different for AI agents. Humans authenticate interactively and leave traces. Agents operate programmatically and continuously. A persistent credential for an AI agent gets abused by any payload the agent processes — at any hour, without any human involvement required.

The mechanism is the ephemeral credential: a short-lived token minted at runtime, bound to a specific agent, tool, and authority chain. An AI Identity Gateway sits between agents and resources, downscoping tokens before agents touch tools. Even if an agent was granted a broad OAuth scope at deployment, the gateway narrows those permissions to only what the current task actually requires.

ZSP moves identity governance from provisioning time — applied once, rarely revisited — to execution time, applied on every single task. It’s a harder engineering problem. It’s also the right one to solve.

For more on blast-radius exposure, see how access controls limit the blast radius of a hijacked agent.

How Does Just-in-Time Access Work for an AI Agent in Practice?

Just-in-Time (JIT) access is the operational mechanism through which ZSP is enforced. Access rights are granted dynamically for a bounded time window tied to a specific request context, then automatically revoked when that window closes.

Here is the authorisation flow for a concrete task — an agent querying customer records for account ID 4821:

  1. Agent receives a task and calls the authorisation gateway with a structured request: resource (customer records table), action (read), duration (60 seconds), purpose (account query for ID 4821).
  2. Gateway evaluates context. Task type, data sensitivity (PII in scope), time of day, network posture, risk score. For agent JIT, the relevant signals are task type and data sensitivity — not user location and device health.
  3. Policy engine issues a scoped, time-boxed token. Read access to one specific database table, valid for 60 seconds, bound to this agent and this request.
  4. Agent executes the query. Any attempt to access resources outside the token’s scope is rejected at the gateway.
  5. Token expires automatically. The agent holds no credentials until the next task requires a new request cycle.

Every grant, tool call, and resource access is logged with the human principal whose delegated authority underpins the request. Every agent action traces to a human decision. If a task requires access beyond the baseline JIT grant — a write to a production table rather than a read — an explicit privilege escalation gate triggers before the elevated grant is issued.
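The five steps and the escalation gate can be exercised end to end with a small gateway model. This is an added example, not code from any product named in this article; the HMAC token format, the function names and the `AUDIT` list are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

GATEWAY_KEY = secrets.token_bytes(32)  # hypothetical per-process signing key
MAX_TTL = 60                           # seconds; the window used in the flow above
AUDIT = []                             # every decision, with the human principal

def _sign(body: bytes) -> bytes:
    return hmac.new(GATEWAY_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_token(agent, principal, resource, action, ttl, purpose, now=None):
    """Steps 1-3: evaluate the structured request, mint a scoped token."""
    now = time.time() if now is None else now
    if action != "read":
        # Beyond the baseline grant: stop at the privilege escalation gate.
        AUDIT.append(("escalation_required", agent, principal, resource, action))
        raise PermissionError("escalation gate: human approval required")
    claims = {"agent": agent, "principal": principal, "resource": resource,
              "action": action, "purpose": purpose,
              "exp": now + min(ttl, MAX_TTL)}  # never longer than MAX_TTL
    body = json.dumps(claims, sort_keys=True).encode()
    AUDIT.append(("granted", agent, principal, resource, action))
    return body.hex() + "." + _sign(body).decode()

def authorize(token, agent, resource, action, now=None):
    """Steps 4-5: check integrity, expiry, then agent/resource/action binding."""
    now = time.time() if now is None else now
    try:
        body_hex, sig = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False, "malformed token"
    if not hmac.compare_digest(sig.encode(), _sign(body)):
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        verdict = "expired"
    elif (claims["agent"], claims["resource"], claims["action"]) != (agent, resource, action):
        verdict = "outside token scope"
    else:
        verdict = "ok"
    AUDIT.append((verdict, agent, claims["principal"], resource, action))
    return verdict == "ok", verdict
```

A request for a one-hour token still expires after 60 seconds, and the same token presented for a different table, action or agent is refused.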

What Is the Shared Signals Framework and How Does It Make Real-Time Authorisation Possible?

JIT access grants the right permission at the right time. But what happens when the risk context changes mid-session? That’s what the Shared Signals Framework (SSF) and Continuous Access Evaluation Profile (CAEP) solve.

Think of SSF as a real-time intercom between your security tools. When threat detection spots an anomaly, it doesn’t wait for the next scheduled scan — SSF delivers that risk signal to the authorisation policy engine immediately. CAEP rides on top of SSF, defining the events: which signals trigger access re-evaluation, how revocation propagates downstream, what happens when a session transitions from low-risk to high-risk mid-execution.

Standard OAuth tokens stay valid until they expire — typically hours or days. Under CAEP, the authorisation system revokes or downscopes a token within seconds of detecting an anomaly. An agent exhibiting unexpected behaviour at 2am doesn’t wait for its 24-hour token to expire.

Both are OpenID Foundation standards — not proprietary lock-in. Any platform implementing them interoperates regardless of vendor. SGNL was built from inception on CAEP, not retrofitted onto legacy PAM. CrowdStrike’s acquisition delivers “CAEP-driven enforcement integrated into Falcon Fusion SOAR” — continuous access evaluation for every human, NHI, and AI agent identity in the platform.
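What a CAEP receiver does with a session-revoked event, as an added example that is not SGNL's or CrowdStrike's code. It assumes the Security Event Token has already been signature-verified and decoded to claims, that the subject sits in a top-level `sub_id` claim in opaque format, and that the issuer, audience, token ids and `GrantStore` class are constructed for illustration.

```python
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
TRUSTED_ISS = {"https://detector.example"}  # constructed transmitter id
RECEIVER_AUD = "https://gateway.example"    # constructed receiver id

class GrantStore:
    """Active JIT grants, revocable before their expiry."""

    def __init__(self):
        self.grants = {}       # token_id -> {"agent": str, "exp": float}
        self.seen_jti = set()  # SET ids already applied (replay guard)

    def add(self, token_id, agent, exp):
        self.grants[token_id] = {"agent": agent, "exp": exp}

    def is_valid(self, token_id, now):
        grant = self.grants.get(token_id)
        return grant is not None and now < grant["exp"]

    def handle_set(self, claims):
        """Apply one verified SET; return the token ids it revoked."""
        if claims.get("iss") not in TRUSTED_ISS:
            raise ValueError("untrusted issuer")
        aud = claims.get("aud")
        if RECEIVER_AUD not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("wrong audience")
        if claims["jti"] in self.seen_jti:
            return []  # duplicate delivery, already applied
        self.seen_jti.add(claims["jti"])
        if SESSION_REVOKED not in claims.get("events", {}):
            return []  # other event types are not handled here
        subject = claims.get("sub_id", {})
        if subject.get("format") != "opaque":
            return []
        revoked = sorted(t for t, g in self.grants.items()
                         if g["agent"] == subject["id"])
        for token_id in revoked:
            del self.grants[token_id]
        return revoked

# Constructed SET claims, as they would look after signature verification.
SAMPLE_SET = {
    "iss": "https://detector.example", "aud": "https://gateway.example",
    "jti": "evt-0001", "iat": 1777341600,
    "sub_id": {"format": "opaque", "id": "agent-7"},
    "events": {SESSION_REVOKED: {"event_timestamp": 1777341600,
                                 "reason_admin": {"en": "anomalous tool calls"}}},
}
```

The grants for `agent-7` stop validating as soon as the event is applied, even though their `exp` is a day away; grants for other agents are untouched.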

For how real-time signals integrate with security operations, see how real-time signals feed your security operations.

What Does the CrowdStrike–SGNL Acquisition Mean for Teams Evaluating NHI Security Platforms?

In January 2026, CrowdStrike acquired SGNL for approximately $740M. Founded in 2021 by former Google executives, SGNL built continuous authorisation infrastructure for non-human identities — access granted the moment it’s needed, revoked the moment it’s not, built natively on CAEP and SSF. CrowdStrike integrates SGNL’s engine into Falcon as Falcon Next-Gen Identity Security, extending JIT access beyond Active Directory and Entra ID to AWS IAM, Okta, and other cloud identity systems.

This isn’t an isolated deal. Palo Alto Networks pursuing CyberArk at approximately $25 billion is a second major signal that identity security is a strategic platform priority at the highest level. Microsoft launched Entra Agent ID in November 2025. The market is converging on continuous, context-aware authorisation as the baseline. IDC projects the identity security market growing from $29 billion in 2025 to $56 billion by 2029. Gartner predicts 40% of agentic AI projects will be cancelled by 2027 without adequate risk controls.

For teams evaluating platforms, SSF/CAEP compliance is the vendor-neutral hedge — a more durable assessment criterion than a feature list that’ll change after the next acquisition.

Static PAM vs. Dynamic Authorisation: What Breaks and What You Gain?

PAM was designed for humans with predictable work patterns — role-based access, scheduled windows, manual approvals, periodic credential rotation. AI agents break every one of those assumptions: they run at any hour, chain access across systems in seconds, and make thousands of access decisions per session.

Three architectural gaps define PAM’s failure mode for NHIs:

  1. Context evaluation: PAM grants at provisioning time and can’t re-evaluate mid-session.
  2. Session model mismatch: PAM assumes interactive human sessions. Agent workflows are programmatic and non-interactive.
  3. Attestation gap: PAM governance assumes humans can periodically attest that they still need their access. Agents accumulate access without any reviewer capable of attesting on their behalf.

CyberArk’s January 2026 study found that 88% of organisations define “privileged user” as applying solely to humans, even though 42% of machine identities already hold privileged access. Only 1% have fully implemented a modern JIT privileged access model.

Dynamic authorisation — ZSP combined with CAEP — addresses each failure mode: per-request context evaluation, real-time revocation, and auditable authority chains tracing every grant back to a human principal.

Where Do Human-in-the-Loop Controls Fit and How Do You Avoid Alert Fatigue?

Even a well-designed ZSP system needs a mechanism for actions that genuinely require a human decision. That’s where Human-in-the-Loop (HITL) controls come in.

HITL threshold setting is both a security and a product design decision. Set it too low and agents become impractical — every routine query blocked on human availability. Set it too high and the gate never triggers. Target a 10–15% escalation rate: 85–90% of decisions execute autonomously; critical cases get reviewed.

A practical three-tier risk framework:

LOW risk — automated JIT grant, no HITL: Read-only queries on non-sensitive data, scoped to a single resource for under 60 seconds, no PII or regulated data in scope.

MEDIUM risk — elevated logging and alert, automated grant: Write operations to non-production systems, access to PII or financial records (scoped, single-record), cross-system chaining within defined workflows.

HIGH/CRITICAL risk — HITL gate required: Destructive writes, bulk data operations, production configuration changes, access to regulated data beyond single-record scope.

The ZSP integration: agent requests access → context evaluation classifies risk tier → HITL triggers for HIGH/CRITICAL → human approves via an out-of-band channel the LLM can’t manipulate → access granted for a fixed window, then automatically revoked. The CAEP layer adds dynamic escalation: if a risk signal changes mid-session, CAEP upgrades the session to HITL-required without a static threshold having pre-classified it.
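One way to encode the three tiers and check a day's traffic against the 10–15% escalation target (added example, not from a vendor implementation). The request fields, the fail-closed default for anything the tiers do not name, and the sample requests are assumptions constructed for illustration.

```python
from collections import Counter

def classify(req):
    """Return LOW, MEDIUM or HIGH for one access request (a dict)."""
    if req.get("risk_signal"):
        return "HIGH"  # CAEP-style signal overrides the static tiering
    action, data = req["action"], req["data"]
    bulk, prod = req.get("bulk", False), req.get("env") == "prod"
    if action == "read" and not bulk:
        if data == "none" and req["ttl"] < 60:
            return "LOW"
        if data in ("pii", "financial") and req.get("single_record"):
            return "MEDIUM"
    if action == "write" and not prod and not bulk:
        return "MEDIUM"
    return "HIGH"  # fail closed: destructive, bulk, production, or unrecognised

def escalation_report(requests, low=0.10, high=0.15):
    """Count tiers and report whether the HITL rate sits in the target band."""
    counts = Counter(classify(r) for r in requests)
    rate = counts["HIGH"] / len(requests)
    return {"counts": dict(counts), "rate": rate, "in_band": low <= rate <= high}

# Constructed sample of 25 requests.
SAMPLE = (
    [{"action": "read", "data": "none", "ttl": 30}] * 17
    + [{"action": "write", "data": "none", "env": "nonprod", "ttl": 30}] * 3
    + [{"action": "read", "data": "pii", "single_record": True, "ttl": 30}] * 2
    + [{"action": "delete", "data": "none", "env": "prod", "ttl": 30},
       {"action": "read", "data": "regulated", "bulk": True, "ttl": 30},
       {"action": "read", "data": "none", "ttl": 30, "risk_signal": True}]
)
```

A rate far above the band means routine work is being routed to reviewers; a rate near zero means the gate is not triggering, and either way the tier rules are what to revisit.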

For governance frameworks that set the policies HITL controls enforce, see how to build an AI agent governance and monitoring programme from scratch.

How Do You Implement a Proportionate ZSP Approach Without a Dedicated Identity Engineering Team?

Most ZSP guidance assumes enterprise IAM budgets and greenfield infrastructure. The practical reality is existing cloud infrastructure, a small engineering team, and a compliance requirement arriving faster than the budget. A three-tier approach lets you start with tools you likely already have.

Tier 1: Cloud IAM Primitives. Start here. AWS IAM roles with condition keys scope permissions by time, source IP, and resource; instance profiles eliminate long-lived access keys. Azure Managed Identities eliminate credential management — pair with RBAC scoped to the minimum required resource group. Okta Workflows handles JIT provisioning automations: access grants on task start, revocations on completion, all transitions logged.
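For the AWS part of Tier 1, the added example below (not taken from AWS documentation or any vendor) builds a time-boxed, read-only policy with the `aws:CurrentTime` and `aws:SourceIp` condition keys and flags statements that amount to standing access. The table ARN, CIDR range, `Sid` values and function names are constructed; because STS role sessions last at least 900 seconds, the date condition is what narrows the usable window to 60 seconds.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"

def jit_policy(table_arn, source_cidr, start, ttl_seconds=60):
    """Read-only access to one table, from one network, for one short window."""
    start = start.astimezone(timezone.utc)
    end = start + timedelta(seconds=ttl_seconds)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "JitReadOnly",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": table_arn,
            "Condition": {
                "DateGreaterThan": {"aws:CurrentTime": start.strftime(FMT)},
                "DateLessThan": {"aws:CurrentTime": end.strftime(FMT)},
                "IpAddress": {"aws:SourceIp": source_cidr},
            },
        }],
    }

def standing_access_findings(policy):
    """Flag Allow statements with no expiry or with wildcard scope."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "?")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "aws:CurrentTime" not in st.get("Condition", {}).get("DateLessThan", {}):
            findings.append((sid, "no expiry condition"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard action"))
        if "*" in resources:
            findings.append((sid, "wildcard resource"))
    return findings

# Constructed "before" policy: the always-on grant an agent typically starts with.
STANDING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AgentStanding", "Effect": "Allow",
                   "Action": "dynamodb:*", "Resource": "*"}],
}
```

The generated document can be passed as the session policy when the agent's role is assumed for a task, so the role's own permissions never have to be widened.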

Tier 2: MCP Gateway Enforcement. Add this when agents interact with external APIs. An MCP (Model Context Protocol) gateway intercepts every tool call, evaluates it against an authorisation policy, and handles token downscoping. Cisco Duo Agentic Identity operates at the identity and network layers simultaneously. Strata Identity’s Agentic Identity Sandbox lets you validate ZSP patterns before production.

Tier 3: Dedicated WIAM Platform. Escalate when more than 20 active agent identities are in scope, multi-cloud cross-system chaining is required, or regulated data (HIPAA, PCI, SOC 2) requires continuous authorisation evidence. Aembit implements secretless JIT with cryptographic workload attestation across AWS, Azure, GCP, Kubernetes, and CI/CD. CrowdStrike Falcon Next-Gen Identity Security (incorporating SGNL) provides CAEP-native authorisation built for machine-identity governance.

Imperfect ZSP controls deployed today are more valuable than a perfect implementation deferred. For the complete picture across identity, prompt injection, supply chain, sandboxing, and governance, see securing AI agents across all attack surfaces.

Frequently Asked Questions

What is zero standing privilege in plain English?

No identity holds always-on permissions between tasks. When an AI agent finishes a task, its access credentials expire. The next time it needs access, it requests fresh permissions scoped to that specific task. Nothing is left over; nothing can be abused during idle time.

What is the difference between least privilege and zero standing privilege?

Least privilege limits what an identity can access. ZSP eliminates standing access entirely. An identity under least privilege still holds its minimised permissions 24 hours a day. An identity under ZSP holds nothing between tasks. Both principles are necessary, but ZSP is the higher bar for AI agents that operate continuously and autonomously.

What is privilege drift and why does it matter for AI agents?

Privilege drift is the gradual accumulation of unnecessary permissions over time — caused by service account reuse, OAuth scopes never narrowed, and absent revocation workflows. AI agents accelerate drift because each redeployment adds permissions without removing prior grants.

What did CrowdStrike buy SGNL for?

CrowdStrike acquired SGNL for approximately $740M in January 2026 to integrate SGNL’s CAEP-native authorisation engine into the Falcon platform — enabling real-time, context-sensitive access decisions for non-human identities rather than static, pre-provisioned roles.

What is the Shared Signals Framework (SSF)?

SSF is an OpenID Foundation standard that creates a common event transport layer between security tools. It allows a threat detection system to signal an authorisation policy engine in real time when risk conditions change — without API polling delays. CAEP (Continuous Access Evaluation Profile) defines which events trigger access re-evaluation and revocation.

What is CAEP and how does it differ from regular OAuth?

CAEP is an OpenID Foundation standard that enables real-time access token revocation in response to security events. Standard OAuth tokens remain valid until they expire — typically hours or days. CAEP allows revocation or downscoping within seconds of detecting an anomaly, regardless of the token’s original expiry.

Can an AI agent inherit a human employee’s permissions?

Yes, and it’s a significant problem. When an AI agent acts on behalf of a human, it may inherit their full permission set — far broader than any specific task requires. This “delegated authority problem” means the agent’s blast radius is bounded by the human’s permissions, not the task’s requirements. ZSP addresses this by issuing task-scoped ephemeral credentials.

Why does traditional PAM fail to secure AI agents?

Legacy PAM was designed for humans: scheduled access windows, role-based needs, interactive sessions. Agents violate all three — they run at any hour, chain access across systems in seconds, and make thousands of access decisions per session. The vault-and-rotate model creates standing access windows between rotations and can’t evaluate per-tool-call context.

What is a non-human identity (NHI)?

A non-human identity is any machine credential that authenticates and consumes access without direct human interaction: service accounts, API keys, OAuth tokens, workload credentials, and AI agent identities. NHIs outnumber human identities by approximately 144 to 1 in enterprise environments.

How does just-in-time access prevent AI agent security breaches?

JIT access ensures there are no persistent credentials to steal or abuse. An agent under JIT holds time-boxed, task-scoped credentials that expire automatically. Even if an attacker compromises an agent mid-task, they receive a credential valid for seconds, scoped to a single resource — not a standing key valid indefinitely.

What is an MCP gateway and how does it enforce zero standing privilege?

An MCP (Model Context Protocol) gateway is an enforcement point between AI agents and the APIs or databases they call. It intercepts every tool-call request, evaluates it against authorisation policy and risk context, permits or blocks the action, and handles token downscoping — narrowing OAuth scopes to only what the specific current tool call requires.

Is zero standing privilege realistic for a small company without a dedicated identity team?

Yes, with a tiered approach. AWS IAM condition keys, Azure Managed Identities, and Okta Workflows approximate JIT access without specialist tooling. Add an MCP gateway when agents interact with external APIs. Escalate to a dedicated WIAM platform when scale or compliance requirements exceed what cloud-native tools can support.

For the complete AI agent security landscape — spanning identity, access control, prompt injection defence, and governance — see securing AI agents across all attack surfaces.
