CyberArk: 99% of Enterprises Lack Zero Trust JIT Access

As cyber attackers gain new AI muscle, the need for organisations to amp up their identity security defences is on the rise.
Now, fresh research from CyberArk has highlighted a clear disconnect between companies' confidence in their privileged access programmes and the reality of how they operate day to day, as AI continues to expand the identity-centric attack surface.
At least three-quarters (76%) of firms believe their privileged access management (PAM) strategies are ready for today’s hybrid environments, despite relying on dated, always-on access mechanisms that were made for an older era.
“Dynamic, evolving environments mean the nature of privileged access and how to secure it has fundamentally changed,” says Matt Cohen, CEO of CyberArk.
“With only 1% of organisations having fully implemented a just-in-time access model, it’s clear that industry-wide modernisation is overdue.
“As AI agents and non-human identities take on increasingly sensitive tasks, applying the right privilege controls to each identity and governing every privileged action is now essential.”
A security loophole
Zero trust operates on the principle that one should never trust, but always verify and authenticate every user, device and connection, leading to an environment that has zero standing privileges (ZSP).
As enterprises modernise to incorporate this into their security models, CyberArk's study shows only a tiny minority have implemented current just-in-time privileged access in their environments.
Concerningly, 91% of the organisations surveyed by CyberArk report that at least half of their privileged access is always on, creating a huge security loophole by maintaining continuous access to sensitive systems.
Almost half (45%) of organisations said they apply the same privileged access for AI identities and human identities, while a third (33%) reported a lack of clear AI access policies.
What are shadow privilege and tool sprawl?
Shadow privilege arises from unmanaged, unknown or unnecessary privileged accounts that have access to sensitive information and sit unchecked, making them an extreme security weak point.
The credentials, keys or tokens that grant access to these shadow privileged accounts are called ‘secrets’. A secret can belong to both human and non-human shadow-privileged identities.
According to the CyberArk study, more than half (54%) of organisations find unmanaged privileged accounts and secrets every week.
Organisations that try to bridge emerging security gaps by deploying various tools without central oversight tend to end up with a fragmented security landscape and security blind spots. This is known as tool sprawl.
CyberArk's study reveals that 88% of companies manage two or more different identity security tools, creating tool sprawl blind spots that accelerate risks.
With enterprises worrying about the speed of delivery, traditional privileged access policy reviews lie idle, gathering dust and security risks.
How to reduce enterprise security risk
CyberArk emphasises that incorporating PAM that implements dynamic, risk-based access is more important than ever in a world where machine identities significantly outnumber human identities.
Implementing best practices for just-in-time (JIT) access, particularly for high-risk and sensitive actions, is essential.
CyberArk adds that creating strong AI, human and machine access policies and eliminating tool sprawl by consolidating identity security tools are non-negotiable when it comes to improving visibility and governance.




