Ephemeral Privilege
Standing access is a liability. Time-bound access is a design choice.
The Principle
Temporary access must be a first-class concept in the identity model. On-call engineers need elevated permissions only during their rotation. Contractors need access only for the duration of their engagement. Emergency responders need break-glass access that expires automatically. Time-bound access is not an afterthought. It is not managed with calendar reminders and “don't forget to revoke” tickets.
The Problem With Standing Privilege
A permission that exists permanently can be exploited for as long as it exists. A person who has production database access because they were on call six months ago still has that access today because no one revoked it. Standing privilege is the accumulation of temporary needs that were never cleaned up.
Contractors are the most visible example. A contractor's engagement has a defined end date, yet their access is often granted through the same mechanism as permanent employee access, with revocation delegated to a calendar reminder or an email to the IT team. The contractor who finished their engagement in March still has access in October because no one triggered the manual revocation. Multiply this across every contractor, every vendor support engineer, every auditor who needed temporary elevated access, and the accumulated standing privilege from external identities alone can exceed that of the permanent workforce.
Time as a Dimension of Access
In the declarative model, access definitions can include temporal constraints: start dates, end dates, duration limits, recurring windows. A contractor's access expires on their contract end date without anyone filing a ticket. An on-call engineer's elevated permissions activate at the start of their rotation and deactivate at the end. An emergency access grant expires after a defined window and must be explicitly renewed.
This addresses the class of problems where temporary access becomes permanent through neglect. The system enforces time boundaries with the same reliability that it enforces permission boundaries.
Acquisitions introduce a different class of standing privilege: access that was properly governed in its original context but has no temporal bounds in the new one. An employee of the acquired company may have had standing access that was appropriate for a small team with strong social accountability. In the combined organization, that same access becomes a broad, unreviewed privilege that no one remembers granting and no one is responsible for revoking. The declarative model addresses this by making every assignment explicit, including those inherited through acquisition. Roles that were implicit in the acquired company's culture become explicit definitions in the configuration, subject to the same temporal constraints and review cycles as any other assignment.
Antipatterns
- Temporary access is tracked with calendar reminders and manual revocation tickets.
- No one can list which access grants have exceeded their intended duration.
- Contractor access persists after the contract ends because no one filed a revocation ticket.
- Standing privilege is the default, not the exception.
- Contractor access is granted through the same mechanism as permanent access, with no automatic expiration.
- Acquired employees carry standing privileges from their original context with no review in the new one.