Why just-in-time access is the only sane way to survive multi-cloud compliance

There’s a moment every CISO and security architect hits sooner or later. You’re staring at a NIST SP 800-171 requirement, nodding along: least privilege, controlled privileged access, auditability. Then you look at your environment. AWS over here. Azure, inherited through a merger or acquisition, over there. GCP quietly doing its own thing in the corner. Multiple identity models, different permission languages, and twelve thousand ways to get it wrong.

NIST SP 800-171, unfortunately, has zero sympathy.

It doesn’t care that your teams span multiple clouds. It doesn’t care that each provider models access differently. And it definitely doesn’t care that your admin roles were created during an outage three years ago and never touched again. It expects you to prove that access to Controlled Unclassified Information (CUI) is intentional, minimal, time-bound, and auditable; in real systems, not in policy decks.

That’s where just-in-time access (JIT) is the adult in the room.

AWS: where “temporary” can actually mean temporary

AWS is often the easiest cloud to explain to assessors, and the hardest to keep tidy. IAM users multiply, policies get reused “just for now,” and admin roles linger because removing them feels risky.

From an 800-171 perspective, the red flags are predictable: long-lived credentials, permanently attached admin policies, and no clear evidence of why access exists. Least privilege becomes a theory rather than a practice.

JIT access fits AWS neatly. Instead of standing admin access, engineers assume narrowly scoped roles, protected by MFA, for a defined window. Sessions expire. Permissions fall away automatically. Logs show who requested access, who approved it, what role was assumed, and when it ended.

When an assessor asks, “Who had privileged access to this CUI workload last quarter?” you don’t have to reverse-engineer CloudTrail and hope for the best. You already have the answer, and the receipts.
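To show what "already having the answer" looks like in practice, here is an added example (not from the original post): it walks CloudTrail AssumeRole records for a quarter, keeps only assumptions of the roles you have designated as privileged, and emits one line per session with who, which role, when it began, when the credentials expired, whether MFA backed the call, and any breach of a hypothetical one-hour JIT ceiling. The events, account id and role names are constructed, and the records are trimmed to the handful of CloudTrail fields the code reads.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, trimmed to the CloudTrail AssumeRole fields used below
# (real records carry many more). An MFA-backed assumption records the device as
# requestParameters.serialNumber; STS defaults durationSeconds to 3600 when omitted.
ACCOUNT = "111111111111"  # constructed account id
SAMPLE_EVENTS = [
    {"eventTime": "2025-10-03T14:02:11Z", "eventName": "AssumeRole",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/CUI-Admin",
                           "roleSessionName": "alice-CHG-1042", "durationSeconds": 3600,
                           "serialNumber": f"arn:aws:iam::{ACCOUNT}:mfa/alice"}},
    {"eventTime": "2025-11-18T09:30:00Z", "eventName": "AssumeRole",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/CUI-Admin",
                           "roleSessionName": "bob", "durationSeconds": 43200}},
    {"eventTime": "2025-11-20T16:45:00Z", "eventName": "AssumeRole",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/carol"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/ReadOnly",
                           "roleSessionName": "carol-CHG-1050", "durationSeconds": 3600}},
    {"eventTime": "2026-01-05T08:00:00Z", "eventName": "AssumeRole",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/dave"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/CUI-Admin",
                           "roleSessionName": "dave-CHG-1101",
                           "serialNumber": f"arn:aws:iam::{ACCOUNT}:mfa/dave"}},
]
PRIVILEGED_ROLES = {f"arn:aws:iam::{ACCOUNT}:role/CUI-Admin"}
MAX_SESSION = timedelta(hours=1)  # hypothetical JIT policy ceiling for privileged roles
def _ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def privileged_sessions(events, privileged_roles, start_iso, end_iso, max_session=MAX_SESSION):
    """One record per privileged AssumeRole that began in [start, end), oldest first,
    with findings for sessions that broke the JIT policy (no MFA, longer than the ceiling)."""
    start, end = _ts(start_iso), _ts(end_iso)
    report = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO timestamps sort as text
        rp = ev.get("requestParameters", {})
        if ev.get("eventName") != "AssumeRole" or rp.get("roleArn") not in privileged_roles:
            continue
        began = _ts(ev["eventTime"])
        if not start <= began < end:
            continue
        length = timedelta(seconds=rp.get("durationSeconds", 3600))
        findings = [f for f, bad in (("no-mfa", "serialNumber" not in rp),
                                     ("over-max-duration", length > max_session)) if bad]
        report.append({"who": ev["userIdentity"]["arn"], "role": rp["roleArn"],
                       "session": rp.get("roleSessionName"), "start": began,
                       "end": began + length, "mfa": "serialNumber" in rp, "findings": findings})
    return report
```

Feed it the quarter's AssumeRole events from your CloudTrail export and the roles that touch CUI; the findings list is the part an assessor will actually read.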

Azure and Entra ID: escaping permanent directory power

Azure environments tend to drift into privilege through convenience rather than malice. Directory roles get assigned to “trusted” people. Subscription-level permissions inherit downward. Someone becomes a Global Administrator during an incident and… stays one.

NIST SP 800-171 is very clear that privileged accounts should be restricted and used only when necessary. Living in an admin role as part of your day job is a difficult position to defend, no matter how senior the person is.

JIT changes the rhythm of access. Engineers work day-to-day as normal users. Elevated roles are activated deliberately, for a defined purpose, with approval and justification. When the timer runs out, access is gone. Not “to be reviewed later,” but gone.

For assessors, this is a slice of fried gold. It demonstrates separation of duties, controlled use of privilege, and a clear distinction between authentication and authorization. For security teams, it reduces the blast radius when (not if) a credential is compromised.

GCP: fine-grained access without fine-grained chaos

GCP’s IAM model is powerful, precise, and very easy to overdo. Projects accumulate bindings. Service accounts and non-human identities gain broad roles. Nobody quite remembers why a particular permission exists, only that removing it feels dangerous.

Under 800-171, that ambiguity is a problem. Least privilege isn’t just about precision; it’s about intent. Can you explain why access exists, how long it’s needed, and what happens when it’s no longer required?

JIT in GCP focuses on short-lived credentials, narrowly scoped roles, and explicit elevation paths for sensitive projects. Privileged access becomes an event, not a background condition. And events are much easier to justify, log, and review.

Assessors don’t expect perfection. They expect control. JIT gives you a way to show that control without freezing engineering teams in amber.

The Real Challenge: NIST SP 800-171 across all three

Here’s the uncomfortable truth: NIST SP 800-171 isn’t a cloud problem. It’s an identity problem. And identity problems get worse when multiplied by three.

The standard expects consistency: least privilege, controlled use of privileged accounts, and auditability, even when the underlying platforms behave very differently. Trying to meet those expectations cloud-by-cloud usually results in bespoke processes, inconsistent evidence, and a lot of late-night spreadsheet archaeology before assessments.

This is where treating JIT as a first-class access strategy, rather than a cloud-specific feature, changes the game.

A unified approach lets teams:

  • Request access the same way, regardless of the cloud
  • Apply risk-based approvals and time limits consistently
  • Enforce automatic revocation everywhere
  • Produce a single, coherent audit trail that tells one story
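The four bullets above describe one policy applied to three clouds. As an added example (not from the original post, and not any product's code), here is a small request gate that does exactly that: provider-native role identifiers from AWS, Azure and GCP map onto shared risk tiers, each tier fixes the maximum time limit, MFA and approval requirements, self-approval never counts, and every grant carries the explicit expiry that an automatic revocation job would act on. The tiers, role mapping and the request shape are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical risk tiers: the same ceilings apply whichever cloud the role lives in.
POLICY = {
    "high": {"max_minutes": 60, "approvals": 1, "mfa": True},    # e.g. admin roles touching CUI
    "medium": {"max_minutes": 240, "approvals": 1, "mfa": True},
    "low": {"max_minutes": 480, "approvals": 0, "mfa": False},
}
# Constructed mapping of provider-native role identifiers onto those tiers.
ROLE_TIERS = {
    ("aws", "arn:aws:iam::111111111111:role/CUI-Admin"): "high",
    ("azure", "Global Administrator"): "high",
    ("gcp", "roles/owner@projects/cui-prod"): "high",
    ("aws", "arn:aws:iam::111111111111:role/ReadOnly"): "low",
}

@dataclass
class AccessRequest:
    cloud: str
    role: str
    requester: str
    minutes: int
    justification: str
    approvers: list = field(default_factory=list)
    mfa: bool = False

def evaluate(req, now=None):
    """Apply POLICY to a request from any cloud: a grant carries an explicit expiry
    (what the revocation job enforces); a denial lists every unmet rule."""
    now = now or datetime.now(timezone.utc)
    tier = ROLE_TIERS.get((req.cloud, req.role))
    if tier is None:
        return {"granted": False, "reasons": ["unknown-role"]}
    rule, reasons = POLICY[tier], []
    if req.minutes > rule["max_minutes"]:
        reasons.append("ttl-exceeds-tier-max")
    if rule["mfa"] and not req.mfa:
        reasons.append("mfa-required")
    if not req.justification.strip():
        reasons.append("justification-required")
    if len([a for a in req.approvers if a != req.requester]) < rule["approvals"]:
        reasons.append("insufficient-approvals")  # self-approval never counts
    if reasons:
        return {"granted": False, "reasons": reasons}
    return {"granted": True, "tier": tier, "granted_at": now,
            "expires_at": now + timedelta(minutes=req.minutes),
            "audit": {"cloud": req.cloud, "role": req.role, "who": req.requester,
                      "why": req.justification, "approved_by": req.approvers}}
```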

Assessors don’t want to learn three identity systems during an engagement. They want to see that you understand yours.

What “Good” Looks Like to an Assessor (and an Incident Responder)

Across AWS, Azure, and GCP, a strong 800-171 posture tends to converge on the same pattern:

  • No permanent admin access “just in case”
  • Privileged access granted only when needed, for a defined purpose
  • Clear separation between who someone is and what they can do
  • Automated expiry, not manual cleanup
  • Centralized logging that answers who, what, when, why, and for how long

Do this well and something interesting happens: compliance work starts to align with operational sanity. Access reviews stop being archaeology. Incidents become easier to scope. And least privilege stops being a slogan and starts being observable behavior.

The Advantage of Modern Access Workflows

The most effective teams don’t bolt JIT onto their environment as an afterthought. They build it into how work actually happens: approvals in collaboration tools, policies that reflect real risk, and visibility into entitlements across clouds rather than per-provider silos.

When access requests, approvals, enforcement, and revocation are automated and consistent, NIST SP 800-171 stops feeling like an external imposition and starts behaving like a forcing function for better security hygiene.

Which is, frankly, what the standard was trying to achieve all along...

If you can show that privileged access is rare, deliberate, temporary, and well-documented, most assessors will stop asking theoretical questions and start nodding. And in the world of compliance, a nod is as close to praise as it gets.

Nik Hewitt

Industry

January 30, 2026
