Zero Standing Privilege (ZSP) sounds like progress. After all, who wants “standing” privilege — lingering, unrevoked, over-provisioned access that can be exploited long after it’s needed? In practice, ZSP proposes a model where access is granted only when necessary and revoked immediately afterward. It’s a cleaner, leaner take on the traditional “least privilege” doctrine.
But if we look closer, it’s not a paradigm shift. It’s a patch on an old mental model that still assumes that the starting point of authorization is a person and their entitlements. ZSP is a marginal improvement on a fundamentally human-centric framework of privilege management. And that framework — born in the age of identity directories and access certification campaigns — is holding enterprises back.
The Wrong Starting Point: People, Not Capabilities
ZSP begins with the question: Which privileges should we assign to this user? That’s already the wrong question. Privilege implies that somewhere, a list exists — a master ledger of entitlements attached to individuals or groups, each awaiting certification. But in reality, access control today is less about “who” and more about what action is being attempted under what conditions.
A person (or software process, or agent) is not the unit of access. It’s context — important, yes — but secondary. The true unit is the capability: a declaration that this action can be performed on that resource.
From this perspective, identity authentication — verifying a human or process — is just one contextual signal among many that informs a decision. The decision itself, however, should be declarative: defined by formal policy logic that can be reasoned about, analyzed, and proven consistent.
When we describe privileges as being “standing” or “ephemeral,” we’re still speaking in the language of entitlements — lists, assignments, and revocations. That’s not declarative. That’s procedural.
Zero Trust Did It Better
For all its vagueness, Zero Trust is a better metaphor. It doesn’t carry the semantic baggage of “privilege.” It focuses on a more universal principle: that every access decision must be justified by verifiable context, regardless of who or what is making the request.
Zero Trust doesn’t ask whether a privilege exists; it asks whether the evidence of trust is valid right now. It implies dynamic evaluation, continuous assurance, and distributed enforcement. In that sense, Zero Trust already contains the idea that there should be no “standing” permissions — because trust, like context, expires.
ZSP merely narrows the focus to the temporal dimension of privilege, without questioning the foundational model itself. It’s like polishing the lock and oiling the hinges, while ignoring that the door leads to the wrong room.
The Comfort of Familiar Terms
So why does ZSP get traction? Because it fits neatly into the enterprise governance narrative. It gives CISOs a way to show improvement without fundamentally re-architecting how access works. Instead of questioning why entitlements exist, ZSP offers to make them less dangerous.
In many organizations, this means building new tooling to rotate privileges, manage just-in-time (JIT) access, and automate revocation. These are all worthy engineering challenges, but they do not change the underlying ontology. They don’t move us closer to a world where access decisions are formally expressed and reasoned about as policy logic rather than lists of people and roles.
The deeper problem is that “privilege” assumes control through assignment. Declarative security assumes control through policy and proof. These two paradigms are fundamentally different: one is about state management; the other is about reasoning.
Declarative Security and Formal Reasoning
Declarative security is not a new buzzword — it’s a return to first principles. Instead of scripting access flows (who gets what when), we define statements of truth that a policy engine evaluates.
For example:
- “A process can modify a resource only if its attested build hash matches an approved version.”
- “A human can initiate a transfer only if authenticated via FIDO2 and the risk score is below threshold.”
- “An agent can read a dataset only if the consent purpose aligns with the declared processing context.”
Each statement is formal, analyzable, and testable. There’s no need to track privileges because privileges don’t exist — only conditional truths that can be proven or disproven given current inputs.
This is how we achieve least authority in a way that can be checked by analyzing the policy itself, not through endless cycles of access reviews.
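To make the three statements above concrete, here is a small policy evaluator, added as an illustration for this post (it is not Gluu's code or any product's engine). The field names in the request context (build_hash, attestation_verified, auth_method, auth_age_seconds, risk_score, consent_purpose, processing_context), the approved hashes, and the threshold values are all assumed for the example. The point it demonstrates is the one the post makes: there is no ledger of who holds what. Every decision is computed from policy conditions and the context presented at request time, the identity is just another field, and because the policy is data, a property such as "an unattested process can never modify a resource" can be checked exhaustively rather than by reviewing entitlements.

```python
"""Declarative policy evaluation with no stored entitlements.

Added example for illustration; not Gluu's or any product's code.
Context field names, approved hashes and thresholds are assumptions.
"""
from dataclasses import dataclass
from itertools import product
from typing import Any, Callable, Dict, List, Optional, Tuple

Context = Dict[str, Any]
Predicate = Callable[[Context], bool]

# Constructed reference data (assumed values, not real build hashes).
APPROVED_BUILDS = frozenset({"sha256:1111aaaa", "sha256:2222bbbb"})
RISK_THRESHOLD = 30          # assumed: a score at or above this denies the transfer
MAX_AUTH_AGE_SECONDS = 300   # assumed: FIDO2 evidence older than this has expired


def build_is_attested(ctx: Context) -> bool:
    # Statement 1: a verified attestation whose build hash is on the approved list.
    return ctx.get("attestation_verified") is True and ctx.get("build_hash") in APPROVED_BUILDS


def authenticated_via_fido2(ctx: Context) -> bool:
    return ctx.get("auth_method") == "fido2"


def auth_is_fresh(ctx: Context) -> bool:
    # Trust expires: stale authentication evidence does not count, however strong it was.
    age = ctx.get("auth_age_seconds")
    return isinstance(age, (int, float)) and 0 <= age <= MAX_AUTH_AGE_SECONDS


def risk_below_threshold(ctx: Context) -> bool:
    score = ctx.get("risk_score")
    return isinstance(score, (int, float)) and score < RISK_THRESHOLD


def consent_purpose_matches(ctx: Context) -> bool:
    # Statement 3: the dataset's consent purpose must equal the declared processing context.
    purpose = ctx.get("consent_purpose")
    return purpose is not None and purpose == ctx.get("processing_context")


@dataclass(frozen=True)
class Policy:
    action: str
    resource_type: str
    conditions: Tuple[Tuple[str, Predicate], ...]  # (name, predicate); all must hold


POLICIES: List[Policy] = [
    Policy("modify", "resource", (("build_is_attested", build_is_attested),)),
    Policy("transfer", "account", (
        ("authenticated_via_fido2", authenticated_via_fido2),
        ("auth_is_fresh", auth_is_fresh),
        ("risk_below_threshold", risk_below_threshold),
    )),
    Policy("read", "dataset", (("consent_purpose_matches", consent_purpose_matches),)),
]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    satisfied: Tuple[str, ...]   # conditions that held, i.e. the justification
    failed: Tuple[str, ...]      # conditions that did not hold, i.e. the reason for denial


def evaluate(action: str, resource_type: str, ctx: Context,
             policies: List[Policy] = POLICIES) -> Decision:
    """Default deny: allowed only if some policy for (action, resource type)
    has every condition true for this context. Nothing is looked up per user."""
    matched = [p for p in policies if (p.action, p.resource_type) == (action, resource_type)]
    if not matched:
        return Decision(False, (), ("no_matching_policy",))
    outcome = Decision(False, (), ())
    for p in matched:
        satisfied = tuple(name for name, pred in p.conditions if pred(ctx))
        failed = tuple(name for name, pred in p.conditions if not pred(ctx))
        outcome = Decision(not failed, satisfied, failed)
        if outcome.allowed:
            return outcome
    return outcome


def find_counterexample(action: str, resource_type: str, domain: Dict[str, List[Any]],
                        invariant: Callable[[Context, Decision], bool],
                        policies: List[Policy] = POLICIES) -> Optional[Context]:
    """Exhaustively check an invariant over every context in a finite domain.
    Returns the first context that violates it, or None if the policy is safe.
    This is what 'analyzable' buys: the answer comes from the policy, not from
    certifying a list of who holds which privilege."""
    keys = list(domain)
    for values in product(*(domain[k] for k in keys)):
        ctx = dict(zip(keys, values))
        if not invariant(ctx, evaluate(action, resource_type, ctx, policies)):
            return ctx
    return None
```

Two things are worth noticing when running it. First, a denied transfer comes back with the exact condition that failed (for instance only `auth_is_fresh` when a valid FIDO2 login has simply aged out), so the justification for every decision is the policy text, not a role name. Second, `find_counterexample` turns the safety question into a search over contexts: a policy that checks only the build hash and forgets the attestation bit is caught by a single call, which is the kind of reasoning no access-certification campaign can perform.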
Fixing a Broken Process Is Not Transformation
Temporal limitation of access — granting privileges just in time — is undoubtedly better than over-provisioning. It reduces attack surface and eliminates much of the audit overhead that comes from certifying standing access. But it remains a process optimization, not a conceptual breakthrough.
ZSP fixes a symptom: excessive entitlement sprawl. It doesn’t cure the disease: the flawed assumption that entitlements should exist in the first place.
Enterprises cling to this model because it mirrors organizational structure — people, roles, departments, hierarchies. But software doesn’t operate that way. Cloud functions, microservices, and AI agents act on behalf of multiple principals, often simultaneously. The “privilege” metaphor breaks down completely in such distributed systems.
What we need instead is a capability-based and policy-declarative model, where access flows from verifiable assertions, not directory entries.
From Governance Theater to Governance Logic
The future of security governance isn’t about granting or revoking privileges; it’s about defining, analyzing, and enforcing universal statements of policy that govern both humans and machines uniformly. In such a world:
- Authentication remains crucial, but as context, not the center.
- Policy becomes the language of governance.
- Proof, not permission, becomes the evidence of compliance.
Zero Standing Privilege gets the symptom right but the framing wrong. It seeks to reduce exposure while staying loyal to an outdated idea of how authority should be managed.
If Zero Trust taught us to verify everything, declarative security teaches us to reason about everything. And that’s not a marginal improvement — it’s a new paradigm.
Learn how to Govern with Proof: schedule a meeting with Gluu https://gluu.org/booking