What is just-in-time (JIT) access, and how do break-glass accounts fit in?
Short answer
Just-in-time access grants elevated privileges only when needed, for a limited time, usually with approval — then they expire automatically, so there's no standing privilege to steal. Break-glass accounts are the deliberate exception: highly privileged emergency accounts, normally dormant, locked behind strict controls and heavy alerting, used only when normal access paths fail. JIT shrinks the everyday attack surface; break-glass guarantees you can still get in during a crisis.
The cheapest privilege to steal is one that's always there. Just-in-time (JIT) access attacks that by making elevation temporary, and break-glass accounts handle the corner case where automation itself fails.
Just-in-time access
Instead of permanently holding admin rights, a user requests elevation when they need it. The request is approved (by a person or policy), granted for a bounded window, and then automatically revoked when the time expires. The privilege is also typically scoped to a specific role or resource.
The win is the elimination of standing privilege. If accounts only hold elevated rights for the minutes they're actually used, then a phished session or stolen token usually lands on an account with nothing extra to grab. It also creates a clean audit trail: every elevation is a logged, justified, approved event.
Break-glass accounts
JIT and SSO/IdP-driven access can themselves break — the IdP is down, the PAM tool is offline, a misconfiguration locks everyone out. Break-glass accounts are the deliberate escape hatch: a small number of highly privileged emergency accounts that bypass the normal access machinery.
Because they're so powerful, they must be wrapped in strict controls:
- Stored offline / in a sealed vault, with very long unique credentials and ideally phishing-resistant MFA.
- Excluded from the conditional-access policies that could lock them out (that's the point) — but heavily compensated with monitoring.
- High-severity alerting on any use — every sign-in should page someone immediately and trigger a review.
- Regularly tested so you know they work before the real emergency.
How they fit together
JIT minimizes everyday privilege; break-glass guarantees recoverability when the system that grants JIT is itself unavailable. One reduces routine risk, the other prevents a self-inflicted lockout.
What interviewers look for: you frame JIT as killing standing privilege with time-bound, approved elevation, and you describe break-glass as a tightly-controlled, heavily-alerted emergency exception — not just "a backup admin login."
Likely follow-ups
- Why is standing privilege riskier than time-bound elevation?
- What controls should wrap a break-glass account?
- How do you make sure break-glass usage never goes unnoticed?