AC-6(2) / A.8.2 / CIS-5.4 NIST SP 800-53 Rev 5

Just-In-Time elevation in use

Demonstrate that privileged access is granted on a time-limited, as-needed basis through automated elevation workflows rather than through persistent administrative role assignments.

Description

What this control does

Just-In-Time (JIT) elevation grants administrative or elevated privileges only when they are needed and only for a bounded period, instead of leaving them permanently assigned. A user who is eligible for a role requests activation through an automated workflow (with approval and a recorded business justification where policy requires them), receives a time-bound credential or role assignment, and the permission is revoked automatically when the window expires or the task completes. Between activations the account holds no elevated rights, so the number of accounts that are privileged at any given moment is small and the window in which a compromised credential or a malicious insider can use standing privilege is limited to the approved activation.

Control objective

What auditing this proves

Demonstrate that privileged access is granted on a time-limited, as-needed basis through automated elevation workflows rather than through persistent administrative role assignments.

Associated risks

Risks this control addresses

  • Attackers gaining persistent administrative access through compromise of accounts with standing privileges
  • Insider threats exploiting continuously available elevated permissions to exfiltrate data or sabotage systems outside legitimate business needs
  • Lateral movement and privilege escalation facilitated by large numbers of persistently privileged accounts across the environment
  • Credential theft attacks targeting accounts with permanent administrative rights that remain valid indefinitely
  • Lack of accountability and audit trail when privileged actions cannot be correlated to specific approved requests or business justifications
  • Compliance violations due to inability to demonstrate least-privilege principles and separation of duties for sensitive operations
  • Orphaned or forgotten administrative accounts retaining elevated access long after the business need has expired

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's privileged access management (PAM) policy and JIT elevation procedures documentation
  2. Inventory all systems, platforms, and applications where JIT elevation mechanisms are claimed to be implemented
  3. Export configuration settings from JIT elevation tools (e.g., Microsoft Entra PIM (formerly Azure AD PIM), AWS IAM Identity Center permission sets, CyberArk EPM, HashiCorp Boundary) showing maximum activation or session durations, whether approval and justification are required, and automatic revocation settings
  4. Select a sample of 15-20 user accounts across different roles and review their baseline permission assignments to verify absence of standing administrative privileges
  5. Review access request logs for the past 90 days and select 10-15 elevation requests to trace from initiation through approval, activation, usage, and automatic expiration
  6. Examine audit logs to confirm privileged actions performed during JIT sessions are logged with correlation to the specific elevation request ID and business justification
  7. Observe a JIT session reaching its expiry (or review evidence of one) and confirm that the elevated permission is revoked without manual intervention, for example by re-checking the account's active role assignments after the expiry time and confirming that no privileged action by that account is logged after it
  8. Interview 3-5 administrators and validate their understanding of JIT request procedures and confirm they do not possess persistent administrative credentials for routine use
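The following checker is an added example, not part of the original control page or of any vendor's tooling. It applies steps 4 through 7 of the procedure above to an exported elevation log: every activation must carry a prior approval and a justification, must stay within the policy maximum duration, and must end with a recorded revocation; every privileged action must correlate to an approved request and fall inside that request's active window; and no account may hold a permanent active assignment outside the documented exception list. The request, action and assignment records, the field names, the `CHG-` change references and the 8-hour policy maximum are all constructed for the example; map them to whatever your PAM platform actually exports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

UTC = timezone.utc


def ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2024-05-06T09:00:00Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


@dataclass
class Policy:
    max_duration: timedelta      # longest a single activation may stay active
    approval_required: bool      # activation must carry a prior approval record


@dataclass
class ElevationRequest:          # one row of the PAM request/activation log (constructed schema)
    request_id: str
    user: str
    role: str
    justification: str
    requested_at: datetime
    approved_at: Optional[datetime] = None
    activated_at: Optional[datetime] = None
    expired_at: Optional[datetime] = None     # automatic revocation event


@dataclass
class PrivilegedAction:          # one row of the audit trail for a privileged operation
    user: str
    role: str
    at: datetime
    request_id: Optional[str] = None          # correlation id, if the platform logs one


@dataclass
class RoleAssignment:            # one row of the current role-assignment export
    user: str
    role: str
    assignment_type: str                      # "eligible" (JIT baseline) or "active"
    ends_at: Optional[datetime] = None        # None = permanent


def check_requests(requests: List[ElevationRequest], policy: Policy) -> List[str]:
    """Steps 5 and 7: approval before activation, justification present, bounded duration, revocation recorded."""
    findings = []
    for r in requests:
        if r.activated_at is None:
            continue                          # never activated: nothing to verify
        if policy.approval_required and (r.approved_at is None or r.approved_at > r.activated_at):
            findings.append(f"NO_APPROVAL {r.request_id}: activated without a prior approval")
        if not r.justification.strip():
            findings.append(f"NO_JUSTIFICATION {r.request_id}: no business justification recorded")
        if r.expired_at is None:
            findings.append(f"MISSING_EXPIRY {r.request_id}: no revocation event recorded")
        elif r.expired_at - r.activated_at > policy.max_duration:
            findings.append(f"EXCEEDS_MAX {r.request_id}: active {r.expired_at - r.activated_at}, policy max {policy.max_duration}")
    return findings


def check_actions(actions: List[PrivilegedAction], requests: List[ElevationRequest]) -> List[str]:
    """Step 6: every privileged action maps to an approved request and lies inside its active window."""
    by_id = {r.request_id: r for r in requests}
    findings = []
    for a in actions:
        r = by_id.get(a.request_id) if a.request_id else None
        if r is None or r.user != a.user or r.role != a.role or r.activated_at is None:
            findings.append(f"UNCORRELATED_ACTION {a.user}/{a.role} at {a.at:%H:%M}: no matching elevation request")
            continue
        window_end = r.expired_at or datetime.max.replace(tzinfo=UTC)
        if not (r.activated_at <= a.at < window_end):
            # an action after the recorded expiry means revocation did not take effect (or the logs disagree)
            findings.append(f"ACTION_OUTSIDE_WINDOW {r.request_id}: action at {a.at:%H:%M} outside {r.activated_at:%H:%M}-{window_end:%H:%M}")
    return findings


def check_standing(assignments: List[RoleAssignment], policy: Policy,
                   exceptions: Set[Tuple[str, str]], as_of: datetime) -> List[str]:
    """Step 4: no permanent active assignments beyond documented exceptions; eligible-only is the expected baseline."""
    findings = []
    for asg in assignments:
        if asg.assignment_type != "active":
            continue
        if asg.ends_at is not None and asg.ends_at - as_of <= policy.max_duration:
            continue                          # short-lived: an activation currently in progress
        if (asg.user, asg.role) in exceptions:
            continue                          # documented break-glass exception
        findings.append(f"STANDING_PRIVILEGE {asg.user}/{asg.role}: active assignment with no JIT expiry")
    return findings


# Constructed sample data for one audit day; none of it comes from a real tenant.
POLICY = Policy(max_duration=timedelta(hours=8), approval_required=True)
REQUESTS = [
    ElevationRequest("R-1001", "alice", "Global Administrator", "CHG-4411 tenant restore",
                     ts("2024-05-06T08:50:00Z"), ts("2024-05-06T08:55:00Z"), ts("2024-05-06T09:00:00Z"), ts("2024-05-06T13:00:00Z")),
    ElevationRequest("R-1002", "bob", "Exchange Administrator", "CHG-4412 mailbox migration",
                     ts("2024-05-06T09:00:00Z"), ts("2024-05-06T09:10:00Z"), ts("2024-05-06T09:15:00Z"), ts("2024-05-06T19:15:00Z")),
    ElevationRequest("R-1003", "carol", "Global Administrator", "hotfix",
                     ts("2024-05-06T10:00:00Z"), None, ts("2024-05-06T10:02:00Z"), ts("2024-05-06T12:02:00Z")),
    ElevationRequest("R-1004", "dave", "Security Administrator", "",
                     ts("2024-05-06T11:00:00Z"), ts("2024-05-06T11:05:00Z"), ts("2024-05-06T11:10:00Z"), None),
]
ACTIONS = [
    PrivilegedAction("alice", "Global Administrator", ts("2024-05-06T09:30:00Z"), "R-1001"),
    PrivilegedAction("alice", "Global Administrator", ts("2024-05-06T13:20:00Z"), "R-1001"),
    PrivilegedAction("erin", "Global Administrator", ts("2024-05-06T14:00:00Z"), None),
]
ASSIGNMENTS = [
    RoleAssignment("alice", "Global Administrator", "eligible"),
    RoleAssignment("alice", "Global Administrator", "active", ts("2024-05-06T13:00:00Z")),
    RoleAssignment("bob", "Exchange Administrator", "active", None),
    RoleAssignment("breakglass-01", "Global Administrator", "active", None),
]
EXCEPTIONS = {("breakglass-01", "Global Administrator")}     # documented emergency-access account


def audit(as_of: datetime = ts("2024-05-06T12:00:00Z")) -> List[str]:
    return (check_requests(REQUESTS, POLICY)
            + check_actions(ACTIONS, REQUESTS)
            + check_standing(ASSIGNMENTS, POLICY, EXCEPTIONS, as_of))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Each finding code maps to a testing step, so the output can be filed directly as evidence for the step that failed. The standing-privilege check treats any active assignment with more than one policy maximum of lifetime remaining as standing, which catches both permanent assignments and long time-boxed ones that are not really JIT.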
Evidence required

Configuration exports from PAM or identity governance platforms showing JIT policy settings, including maximum elevation duration, approval requirements, and automatic revocation settings. Access request logs and approval records demonstrating the end-to-end lifecycle of elevation requests with timestamps for request, approval, activation, and expiration. Audit trail entries correlating privileged administrative actions to specific approved JIT sessions with business justifications.

Pass criteria

All sampled privileged access is granted through time-limited JIT elevation workflows with documented approvals, sessions automatically expire within policy-defined maximum durations, and no standing administrative privileges are assigned to user accounts outside explicitly documented and approved exceptions.