Temporary access to shared credentials
Temporary access that expires on its own beats access somebody has to remember to revoke. Because they will not remember. Nobody ever does.
Standing access only accumulates. Nobody is ever rewarded for going back and taking permissions away.
So make expiry the default: grant access for four hours, not forever, and let the system clean up after itself.
Permissions only ever go one way
Think about the last time anyone on your team removed someone's access to something. Not offboarded an employee, just removed a permission that was no longer needed. It almost never happens, and the reasons are entirely rational:
- Nobody is thanked for it.
- It carries risk: if you remove the wrong thing, you break someone's work and it is your fault.
- Leaving it alone has no visible cost. Until it does.
So access accumulates. Every grant is permanent by default, and after two years you have a permission set nobody designed, nobody remembers the reasons for, and nobody can safely unpick.
Invert the default
The fix is not more discipline. Discipline does not scale and it is not a security control. The fix is to make the expiry the default state and the extension the deliberate act.
When a request is approved here, it is approved for a duration. When that duration is up, the grant expires by itself. Nobody has to remember, nobody has to be brave enough to take something away, and the system does not quietly accumulate risk while everyone is busy.
The friction is doing real work
Requesting access again when it expires sounds annoying, and it is a little. That is deliberate. That small piece of friction converts an invisible, permanent grant into a visible, logged decision, and it produces something you cannot get any other way: a record of who genuinely needs what, how often.
After a month, the audit log tells you that one contractor reveals the ad platform login twice a week and another has not touched it since March. That is not just a security control, it is information about how your team actually works.
Enterprise-grade thinking, without the enterprise price tag
Time-boxed access is the same principle the security industry calls just-in-time access, the one that privileged access management platforms charge six figures and a nine-month rollout for.
The idea was always right. It was just priced and packaged for banks. We apply the same request-approve-expire loop to the ordinary vendor credentials a normal team actually deals with, and it takes about thirty seconds to set up. See how it compares to a shared vault.
Common questions
- What is time-boxed access?
- Access to a credential that is granted for a set duration and then revokes itself, with no human action required. Instead of 'you now have the password', it is 'you can reveal this credential for the next four hours'. It is the same idea the security industry calls just-in-time access, applied to the boring, everyday case of a person needing a vendor login.
- Why is standing access such a problem?
- Because permissions only ever accumulate. Every grant is a decision someone made once, in a hurry, for a reason that expired long ago. Nobody is incentivised to go back and remove access, and removing it risks breaking something, so it stays. Over a couple of years you end up with a permission set that nobody designed and nobody can justify, which is exactly the surface an attacker wants.
- Is this the same as just-in-time (JIT) access?
- It is the same principle, scaled down to something a small team can actually run. Enterprise JIT and privileged access management platforms do this for infrastructure, with session recording and dynamic credentials, and they cost accordingly. We apply the request-approve-expire loop to ordinary vendor credentials, for teams who do not have an enterprise PAM budget.
- What if someone still needs access after it expires?
- They request it again, and somebody approves it again. That sounds like friction, and it is, deliberately. The friction is the point: it converts a permanent, invisible grant into a small, visible, logged decision. In practice it takes seconds, and the audit log now shows a pattern of who genuinely needs what, which is information you simply do not have with standing access.
Make expiry the default, not a chore
Free while we build. No credit card, no sales call.