Zero Trust in Practice (2025): Continuous Identity Security with UARs, CAR, JITPBAC, and Automated IGA

Zero Trust isn’t a gate anymore, it’s a loop. And in 2025, that loop runs continuously. Perimeters dissolved, data sprawled, and attacker tooling went mainstream. Mobility and cloud erased borders. Zero Trust has to run as a continuous loop with identity as the control plane; data and apps live everywhere, and access must adapt in near-real time to purpose, risk, and change. Traditional, calendar-driven governance can’t keep up. What works now is continuous identity security: always-on discovery, always-on checks, and always-on remediation.

User Access Reviews (UARs) still matter, but they’re just one piece. To make Zero Trust real in day-to-day operations, you need continuous access reviews, intelligent lifecycle automation, and Just-in-Time Purpose-Based Access Control (JITPBAC), all orchestrated by playbooks that run on their own, escalate when needed, and leave behind audit-ready evidence.

This post lays out the loop, the building blocks, how to scale by company size, and a 90-day plan to make measurable progress.

Zero Trust is a loop (not a gate) - From periodic controls to continuous identity security

The first shift to understand is that Zero Trust is not an occasional checkpoint, it’s an operating model that never pauses. Treat every access as suspicious by default, internal and external, human and non-human, user-to-app and app-to-data. The threat landscape moved on: attacker tooling is commodity, mobility and cloud erased borders, and long-lived privileges plus token sprawl create easy lateral paths. Compliance, risk reduction, and business continuity demand controls that run when the business runs, continuously.

In practice, the operating loop looks like this:

UARs live in steps 4 and 5. CAR turns UARs from a quarterly ritual into a steady heartbeat. With that foundation in mind, the next step is to look at the key building blocks that make this loop work.

The building blocks

Zero Trust doesn’t succeed through intention alone, it requires specific, interconnected components. Each of these building blocks strengthens the loop, and together they transform governance from episodic to continuous.

Connect systems and apps to IGA

Connect Human Resource Systems (HRIS), every system and app to your Identity Governance & Administration (IGA) and set it up there as the source of truth. From that hub, you will be able to obtain a unified identity graph linking people and non-human identities to accounts, groups, roles, policies, data domains, and owners. IGA helps normalize entitlements, flatten nested groups, tag purpose, and track actual usage. If a manager can’t answer “who, what, why, and how often” on a single screen, reviews turn into guesswork.

Relationship-aware risk

But visibility alone isn’t enough, you need context. Access isn’t just about who has what, it’s about what those combinations mean. Score more than raw privilege. Consider toxic combos, SoD breaks across finance and ops, dormant access, high-blast-radius roles, contractor status, and reachable crown jewels. Rank what truly needs attention.

JITPBAC: access that expires with purpose

Next, access itself must adapt. Roles are a blunt instrument. Purpose makes them precise. Encode the “why” in the request (e.g., “Write to repo X to ship Feature ABC until Sept 30”). Grant just-enough access just-in-time, scoped and time-boxed. When purpose or time expires, access does too, unless renewed with need.

Continuous Access Reviews (CAR)

Traditional campaigns operate on the auditor’s calendar. Calendar campaigns satisfy auditors, but CAR operates on change. Trigger micro-reviews when events happen:

• Joiner/Mover/Leaver events: title, department, or manager changes; contractor end-dates.
• Privilege elevation: new app admin, AdministratorAccess, broader data role, or consent to sensitive scopes.
• Dormancy: unused entitlements for 60/90/120 days, tuned by risk.
• Exception expiry: temporary access and break-glass accounts auto-expire; renewals require purpose.
• Sensitive data touch: new access to regulated data domains.

Give reviewers a guided decision: person/owner, role, entitlement, usage, risk rationale, expected impact of removal, and a recommended action, plus bulk actions for identical patterns.

Automated playbooks that run continuously

Automation is where theory becomes scalable practice. Automation closes the loop. Automations should watch for change, take the safe action, and escalate with context. Treat them like code: version, review, and roll back when needed.

Examples that consistently deliver value:

• Privilege-access guardrail: detect new admin or wide policies in IdP, cloud, or data platforms; replace standing admin with JIT access and auto-downgrade where safe.
• Dormant write cleanup: monthly pass over production repos, DB write roles, and admin policies; remove or downgrade anything unused for N days and notify owners.
• SoD sentinel (finance/ops): continuously check toxic combinations (e.g., vendor create + payment approve) and open targeted remediations.
• Contractor end-of-engagement autopurge: seven-day pre-check with owners; day-zero revocation across IdP, SaaS, cloud, and data platforms; residual scan for stragglers.
• Break-glass hygiene: rotate credentials monthly, test access paths quarterly, and flag any use for post-incident review.

API/token lifecycle: convert long-lived tokens to short-lived, brokered credentials; bind each token to an owner, purpose, and expiry; auto-revoke when unused.

Evidence by default

Finally, none of the above matters if you can’t prove it. Auditors want design and operating effectiveness. Your system should produce immutable artifacts: scope, participants, rationale, outcomes, timestamps, system logs, and coverage metrics. You should be able to hand this bundle to the auditor and walk away.

With these building blocks in place, the focus shifts to the practical controls that anchor Zero Trust in daily operations.

Core controls that make Zero Trust work

Core controls are the minimum set of practices every organization must enforce. They provide the guardrails within which continuous automation can operate effectively.

• SSO everywhere to reduce password reuse and centralize policy.
• MFA as table stakes (prefer phishing-resistant factors).
• Password managers for the long tail of secrets you can’t eliminate.
• Privileged access management to shrink standing admin to near zero; apply JIT elevation, session recording for break-glass, and short expiry windows for exceptions.
• Policies with teeth tied directly to automation and evidence (developers don’t keep production access; engineers don’t access customer PII directly; quarterly reviews are the floor, not the ceiling).

Once these basics are in place, the real gains come from embedding Zero Trust into the identity lifecycle itself.

Intelligent lifecycle that actually reduces risk

Lifecycle automation (joiner, mover, leaver) is where Zero Trust becomes muscle memory. It ensures that identity governance isn’t just about access assignment, it’s about continuous risk reduction.

• Joiner: create least-privilege baselines by role plus purpose; no default standing admin.
• Mover: on job or team change, compare “old vs. new” and remove mismatched access within hours, not quarters.
• Leaver: time-boxed revocation by system with a residual scan for stragglers (SaaS, cloud, secrets, service accounts).
• Contractors: tie all access to end dates; seven days before end, run a review; on end date, auto-revoke and verify.
• Non-human identities: assign accountable owners and purposes; rotate secrets aggressively; prefer short-lived credentials.

Tie lifecycle to CAR so every change prompts right-sized validation. Tie both to JITPBAC so privileged actions happen through elevation, not standing keys. This interplay is critical, and that’s where JITPBAC deserves its own focus.

JITPBAC: how it interlocks with CAR and lifecycle

JITPBAC isn’t standalone, it works best when interlocked with CAR and lifecycle.

1. Request: a user (or playbook) requests elevation with a purpose, scope, and duration.
2. Grant: policy engine approves automatically for low risk or routes to a fast approval path for high risk.
3. Use: telemetry binds elevation to the work (ticket, commit, deployment, or data job).
4. Expire: access ends automatically; renewal requires purpose and evidence.
5. Review: CAR samples elevated events and flags outliers or repeated renewals for human scrutiny.

The result is fewer standing privileges, better evidence, and less friction for legitimate work. And this cycle is supercharged by continuous playbooks.

Automatic playbooks that run continuously

Here are playbooks I’ve seen deliver outsized value quickly. These aren’t one-off scripts, they’re ongoing guardians.

• Privilege elevation guardrail: when any identity gains admin in Okta/Entra, AWS/Azure/GCP, Snowflake, GitHub/GitLab, trigger an immediate micro-review with usage predictions and a one-click “replace with JIT” option.
• Dormant write access cleanup: monthly pass over production repos, DB write roles, and admin policies; remove or downgrade anything unused for N days and notify owners.
• SoD sentinel for finance/ops: continuously check toxic combinations (e.g., vendor create + payment approve); open an escalation with rationale and suggested remediation.
• Contractor end-of-engagement autopurge: seven-day pre-check, day-zero revoke across IdP, SaaS, cloud, and data platforms; evidence report to HR, IT, and app owners.
• Break-glass hygiene: rotate credentials monthly, test access paths quarterly, and require security sign-off; flag any use for post-incident review.
• API/token lifecycle: detect long-lived tokens, convert to short-lived, brokered credentials, and associate each token with an owner, purpose, and expiry.

These run continuously. Most cases close without a meeting; exceptions route to the smallest possible group with clear context and a recommended action. To scale further, AI can assist, but only if it’s explainable and safe.

AI for IGA, assistive, explainable, and safe

Identity governance has always been labor-intensive. AI now makes it manageable, but not by replacing accountability. Instead, AI amplifies teams through prioritization, risk scoring, and context.

Where AI adds leverage:

• Prioritization and drafting: rank review items by risk and context (usage, peer norms, historical actions) and draft decisions for human approval.
• Real-time risk assessment: continuously score identities, tokens, and entitlements and propose proactive responses (revoke, downgrade, or convert to JIT).
• Natural-language data access: ask, “Who still has write access to prod repos but hasn’t committed code in 90 days?” and get an answer with evidence, no SQL.‍
• Visualization and pattern discovery: surface hidden relationships, repeated exception renewals, a token reused across systems, or a SoD pair that never appears alone.

Guardrails matter: keep recommendations explainable; retain human approval for material risk; version decision logic; and minimize the attributes AI sees to those needed for the decision.

Even with AI, the shift is not optional, the threat landscape makes it inevitable.

Why this shift is unavoidable

Attackers now enjoy tools once reserved for nation-states, commodity malware kits, zero-day brokers, automated recon, and polished social engineering. Cloud convenience becomes attacker convenience when privileges and tokens live too long. Meanwhile, identity teams are underwater. The answer isn’t bigger CSVs or more meetings, it’s precision at machine speed, with automation doing the repetitive work and people making the judgment calls that matter.

With the inevitability clear, the question becomes: how should organizations of different sizes approach the shift?

What this may look like by company size

Different sizes demand different approaches. The principles remain the same, but the scale, resources, and outcomes vary.

• SMB (≤500): start with SSO/MFA everywhere, a unified role map for top apps, quarterly mini-campaigns, and 3–4 continuous playbooks (admin hygiene, contractor offboarding, dormant access). Target outcome: eliminate standing admin and orphaned accounts without extra headcount.
• Mid-market (≤5,000): tie CAR to lifecycle, extend coverage to data platforms and developer tools, and move privileged actions to JITPBAC. Target outcome: measurable risk reduction in 90 days, with SoD coverage.
• Enterprise (5,000+): standardize the roles, federate ownership to app/data stewards, run risk-based CAR to keep volume sane, and treat non-human identities as first-class. Target outcome: strong evidence, shorter audits, and privileged access via elevation, not standing roles.

And within those companies, the realities differ even more by department.

Department-level realities

Zero Trust must meet teams where they are. Different functions use different systems, and each brings unique risks.

• Marketing: enforce SSO/MFA across martech, restrict token sprawl to Customer Data Platforms (CDPs) and ad platforms, and renew campaign-specific access by purpose.
• Sales: lock down exports and third-party Customer Relationship Management (CRM )apps; micro-review high-risk scopes and deal-room access.
• Finance: SoD guardrails with weekly micro-reviews; small, accountable reviewer groups.
• HR: joiner/leaver-driven CAR, restricted bulk export, and tight control on HR data API credentials.
• Engineering: monthly review of write/admin on prod repos, instant reviews on cloud/IdP elevation, short-lived, brokered credentials, and guardrails for AI coding tools.

With these operational realities in mind, progress needs to be tracked. That’s where metrics matter.

Metrics that show progress

Leaders fund what they can see improving. Metrics provide the proof that Zero Trust is working, not just in theory, but in daily practice. Track:

• Mean time to certify/revoke high-risk changes.
• Percentage of privileged actions executed via JIT vs. standing access.
• Reduction in dormant and orphaned accounts across top systems.
• Drop in SoD violations and toxic combinations.
• Completion and escalation rates by business unit and app owner.
• Ticket cycle time from review to remediation.
• Residual access risk by application and data domain.

Publish monthly, with before/after for each playbook. Tie improvements to audit outcomes and incidents averted. With metrics in place, you can map a clear 90-day action plan.

A realistic 90-day plan

Transformation doesn’t need to take years. In fact, the first 90 days are critical to building momentum.

Weeks 1–2: stand up the IGA for your top 10 systems, normalize entitlements, tag owners and purposes. Define three high-impact playbooks and metrics.

Weeks 3–4: enable CAR for those playbooks. Run one end-to-end cycle including remediation and evidence. Fix obvious gaps.

Weeks 5–8: expand to 5–7 playbooks. Introduce JITPBAC for your most sensitive roles. Add non-human identity coverage for key platforms, starting with one.

Weeks 9–12: run a targeted quarterly campaign for one business unit (now cleaner thanks to CAR). Publish your first metrics report and a next-quarter roadmap.

Momentum matters more than perfection. Start small, prove value, scale what works. And once the plan is underway, the final recommendation becomes clear.

Closing recommendation

Zero Trust becomes practice when access is continuous, contextual, purpose-bound, automated, and provable. UARs provide the attestation layer; CAR keeps the picture fresh; lifecycle removes drift at the source; JITPBAC shrinks standing privilege; and automation handles the repetitive work so people can focus on decisions that matter.

You can this blueprint as your starting point, adapt it to your environment, and measure progress monthly to keep investment and attention aligned.

If you’re rethinking identity security and access governance (IGA) this year, I’m happy to compare notes and map a path that reduces risk in weeks, not quarters, and makes Zero Trust feel lighter and faster for your teams.