Overview
Document and audit Just-in-Time (JIT) privileged access management aligned to NIST SP 800-207 Zero Trust Architecture. The skill helps you define a no-standing-privilege model, time-bound elevation, approval workflows, and MFA for privileged sessions. A built-in validation tool checks that the document explicitly states the JIT pattern, session duration limits or an approval workflow, and MFA for 100% of privileged sessions before you finalize. The tool inspects the text of the document, not the deployed PIM or IAM configuration, so the stated controls still have to be verified against the live environment during the audit.
Example Conversation
You: We need to document our JIT PAM design for Zero Trust and NIST 800-207. We use Azure PIM with 4-hour activation and MFA for all privileged access. Can you draft the document and validate it?
Agent: I’ll use the JIT PAM Zero Trust skill. I’ll copy the template into the workspace, fill in scope, JIT model (no standing privilege), authorization flow, session controls (4h duration, MFA), and audit sections using the skill’s references. Then I’ll run jit_pam_validator to ensure the document passes.
Agent: (Creates the document from the template.) I’ve documented that privileged access is granted only when needed (no standing privilege), Azure PIM provides time-bound elevation with 4-hour max duration, and MFA is required for 100% of privileged sessions. Running jit_pam_validator…
Agent: Result of jit_pam_validator:
— JIT PAM VALIDATOR —
Result: PASS
Document: jit-pam-zero-trust.md
JIT coverage: found (just-in-time, time-bound, or no standing privilege).
Duration/approval: found (session duration limits or approval workflow).
MFA coverage: found (MFA for privileged sessions).
Document meets JIT PAM Zero Trust (NIST 800-207) documentation requirements. Ready for review.
Output Excerpt
A typical JIT PAM document includes scope, JIT model, authorization flow, and session controls. Excerpt:
## 2. JIT privileged access model
- No standing privileged access; privileged access is granted only when needed, for a limited duration.
- Approval workflow: PIM activation requires justification; eligible assignments only.
- Time-bound elevation: maximum session duration 4 hours (cloud), 8 hours (on-prem).
## 4. Session controls
- MFA requirement for 100% of privileged sessions.
- Session recording and audit for all privileged access.
- Automatic revocation after duration limit.
The validator would FAIL if the document did not explicitly state any one of JIT, duration/approval, or MFA; after adding the required language, the check passes.
Extension Tools and Validations
jit_pam_validator validates that a JIT PAM document adequately describes Zero Trust (NIST 800-207) and JIT privileged access patterns:
| Check | What it looks for | Pass condition |
|---|---|---|
| JIT coverage | Just-in-time, time-bound, or no standing privileged access. | At least one such statement found. |
| Duration/approval | Session duration limits (e.g. 4h, 8h) or approval workflow. | At least one such statement found. |
| MFA coverage | MFA for privileged sessions (NIST CSF 2.0 Protect); also matches TOTP, phishing-resistant, and hardware token. | At least one such statement found. |
| Break-glass | Emergency access documented. | Reported for audit completeness; does not affect PASS. |
| Result | PASS only when JIT, duration/approval, and MFA are present. | FAIL if any of the three is missing; the report suggests adding or strengthening language. |
Run this tool after drafting or editing the JIT PAM document; iterate until the report shows PASS before finalizing. A PASS means the required statements are present in the document, not that the controls are implemented or that the MFA method is phishing-resistant (a statement about TOTP satisfies the check just as well); confirm both during review.
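The following is an added illustration of the kind of statement check the table above describes, applied to the excerpt from the Output Excerpt section and to a constructed draft that omits MFA. It is example code written for this page, not the skill's own jit_pam_validator; the regular expressions, the check names and the suggestion text are assumptions that mirror the table, and both sample documents are constructed inline.

```python
import re

# Each check maps to (required, patterns). Patterns are an assumption that
# mirrors the validator table on this page; the real tool may match other terms.
CHECKS = {
    "JIT coverage": (True, [
        r"\bjust[- ]in[- ]time\b",
        r"\btime[- ]bound\b",
        r"\bno standing (privileged )?(privilege|access)",
    ]),
    "Duration/approval": (True, [
        r"\b\d+[\s-]*(h|hr|hrs|hour|hours)\b",          # e.g. "4 hours", "8h", "4-hour"
        r"\b(max(imum)?|session) duration\b",
        r"\bapproval workflow\b",
        r"\brequires? (approval|justification)\b",
    ]),
    "MFA coverage": (True, [
        r"\bmfa\b", r"\bmulti[- ]factor\b", r"\btotp\b",
        r"\bphishing[- ]resistant\b", r"\bhardware token\b",
    ]),
    # Reported for audit completeness only; does not affect PASS/FAIL.
    "Break-glass": (False, [r"\bbreak[- ]glass\b", r"\bemergency access\b"]),
}

SUGGESTIONS = {
    "JIT coverage": "state that privileged access is just-in-time / time-bound with no standing privilege",
    "Duration/approval": "state a maximum session duration (e.g. 4h) or an approval workflow",
    "MFA coverage": "state that MFA is required for 100% of privileged sessions",
}


def validate_jit_pam(text: str, name: str = "document") -> dict:
    """Run every check over the document text and return a report dict.

    The report carries the overall result, per-check findings with the matched
    evidence, and a suggestion for each required check that is missing.
    """
    findings = {}
    for check, (required, patterns) in CHECKS.items():
        hits = [m.group(0) for p in patterns for m in re.finditer(p, text, re.IGNORECASE)]
        findings[check] = {
            "required": required,
            "found": bool(hits),
            "evidence": sorted({h.lower() for h in hits}),
        }
    missing = [c for c, f in findings.items() if f["required"] and not f["found"]]
    return {
        "document": name,
        "result": "FAIL" if missing else "PASS",
        "findings": findings,
        "suggestions": [f"{c}: {SUGGESTIONS[c]}" for c in missing],
    }


def format_report(report: dict) -> str:
    """Render the report in the same shape as the conversation above."""
    lines = ["== JIT PAM VALIDATOR ==",
             f"Result: {report['result']}",
             f"Document: {report['document']}"]
    for check, f in report["findings"].items():
        if f["found"]:
            status = "found"
        else:
            status = "MISSING" if f["required"] else "not documented (audit note only)"
        detail = f" ({', '.join(f['evidence'])})" if f["evidence"] else ""
        lines.append(f"{check}: {status}{detail}")
    lines.extend(f"Suggestion: {s}" for s in report["suggestions"])
    return "\n".join(lines)


# Constructed sample: the excerpt shown on this page, which should PASS.
GOOD_DOC = """\
## 2. JIT privileged access model
- No standing privileged access; privileged access is granted only when needed, for a limited duration.
- Approval workflow: PIM activation requires justification; eligible assignments only.
- Time-bound elevation: maximum session duration 4 hours (cloud), 8 hours (on-prem).
## 4. Session controls
- MFA requirement for 100% of privileged sessions.
- Session recording and audit for all privileged access.
- Automatic revocation after duration limit.
"""

# Constructed sample: a draft that documents JIT, duration and break-glass but never mentions MFA.
WEAK_DOC = """\
## 2. Privileged access model
- Just-in-time activation: administrators hold eligible role assignments and activate them when needed.
- Activation lasts at most 4 hours and requires a justification.
## 4. Session controls
- Session recording for all privileged access.
- Emergency access accounts are stored offline in the break-glass safe.
"""

if __name__ == "__main__":
    print(format_report(validate_jit_pam(GOOD_DOC, "jit-pam-zero-trust.md")))
    print()
    print(format_report(validate_jit_pam(WEAK_DOC, "draft.md")))
```

Running it prints a PASS report for the excerpt and a FAIL report for the draft with a single suggestion to add MFA language; the draft's break-glass statement is reported but, as in the table, does not change the result. Because the check is purely textual, a sentence such as "MFA is not required for privileged sessions" would also satisfy the MFA pattern, which is why the PASS still needs a human review of the actual wording.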
Getting Started
Add your technical stack (AWS, Azure, on-prem) and any existing PAM or IAM docs to the project workspace, then activate the JIT PAM Zero Trust (NIST 800-207) skill. The agent will draft the document from the template and run jit_pam_validator until the validation passes before sending for review.