I Think. Therefore, IAM — Part 2 of a series on Identity, Access, and the Architecture of Trust.
Permissions Are Not Property
We speak of access as if it were something owned. We say a user has permissions, holds a role, possesses entitlements. But this language betrays us. Permissions are not property; they are leases. They are granted against a context that is always changing, and the moment that context shifts, the lease should lapse.
Standing access — the permission that persists simply because no one has gotten around to revoking it — is the quiet enemy of security. It is the residue of decisions made for conditions that no longer exist. The architecture of impermanence treats every grant as temporary by design.
Standing access rarely accumulates through malice. It accumulates through inertia. A contractor finishes a project but keeps their console role. An engineer is granted elevated rights to debug an incident and never hands them back. A service account is provisioned for a migration that ended months ago. Each individual grant seemed reasonable in its moment, yet together they form an ever-widening attack surface that no one is actively watching. Every credential that outlives its purpose is a door left unlocked in a building whose occupants have long since moved on.
Just-in-Time as a First Principle
Just-in-Time access inverts the default of standing access. Instead of provisioning broadly and revoking reactively, it grants narrowly and expires automatically. Access exists only for the duration of the need that justifies it. When the task is done, the permission dissolves without anyone having to remember to take it away.
This is not merely an operational convenience. It is a philosophical stance: that the natural state of access is its absence, and that every grant is a deliberate, time-bounded exception to that default.
In practice, this stance reshapes the machinery of access. Long-lived keys give way to short-lived tokens that expire on their own. Broad role assignments give way to scoped, request-based elevation that a human or policy must approve and that the system rescinds the moment the work is finished. The question shifts from “who should have this permission?” to “who needs this permission right now, and for how long?” That second question has an answer that changes by the hour, and a well-designed system answers it continuously rather than once.
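As an added illustration of the request, approve, expire cycle described above (example code written for this page, not from the original post or any particular IAM product), the following Python lease broker never revokes anything: every authorization decision is re-evaluated against the current time, so a grant lapses on its own. The principal names, the permission string `prod:db:read` and the 30-minute window are constructed for the scenario.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

@dataclass
class Lease:
    """A time-bounded grant: who, what, when it was approved, and for how long."""
    principal: str
    permission: str
    ttl: timedelta
    approved_at: Optional[datetime] = None  # None until a second party approves

    def is_active(self, now: datetime) -> bool:
        # The clock ends the lease; no revocation step is needed.
        return self.approved_at is not None and self.approved_at <= now < self.approved_at + self.ttl

class LeaseBroker:
    """Grants narrowly, expires automatically, and re-evaluates against 'now' on every call."""
    def __init__(self, max_ttl: timedelta):
        self.max_ttl = max_ttl
        self.leases: Dict[int, Lease] = {}
        self.next_id = 1

    def request(self, principal: str, permission: str, ttl: timedelta) -> int:
        # Requested duration is clamped to the policy ceiling; nothing is active until approved.
        lease_id, self.next_id = self.next_id, self.next_id + 1
        self.leases[lease_id] = Lease(principal, permission, min(ttl, self.max_ttl))
        return lease_id

    def approve(self, lease_id: int, approver: str, now: datetime) -> None:
        lease = self.leases[lease_id]
        if approver == lease.principal:
            raise PermissionError("a requester cannot approve their own lease")
        lease.approved_at = now

    def authorize(self, principal: str, permission: str, now: datetime) -> bool:
        # Expired leases are dropped here, so standing access cannot accumulate silently.
        for lease_id in [i for i, l in self.leases.items() if l.approved_at and not l.is_active(now)]:
            del self.leases[lease_id]
        return any(l.principal == principal and l.permission == permission and l.is_active(now)
                   for l in self.leases.values())

def demo() -> dict:
    """Constructed scenario: a 30-minute debugging lease approved by a second person."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = LeaseBroker(max_ttl=timedelta(hours=1))
    lease_id = broker.request("alice", "prod:db:read", timedelta(minutes=30))
    before = broker.authorize("alice", "prod:db:read", t0)  # requested but not yet approved
    broker.approve(lease_id, approver="bob", now=t0)
    during = broker.authorize("alice", "prod:db:read", t0 + timedelta(minutes=29))
    after = broker.authorize("alice", "prod:db:read", t0 + timedelta(minutes=31))
    return {"before": before, "during": during, "after": after, "leases_left": len(broker.leases)}
```

The same `authorize` call that answers "right now" also prunes what has lapsed, which is the continuous answer the paragraph above asks for.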
The Philosophical Parallel
The doctrine of anicca — impermanence — holds that clinging to what is transient is the root of suffering. Everything arises, persists for a moment, and passes. To build a system that pretends permissions are permanent is to build on a foundation that the world itself will not honor.
There is a strange comfort in this. A system built on impermanence carries less to defend, because it holds less at any given moment. What is never accumulated cannot be stolen; what has already expired cannot be abused. Security, in this light, is not a fortress of permanent walls but a discipline of continual release — a willingness to let access return to nothing the instant it is no longer earned.
An architecture that embraces impermanence does not fight this truth; it designs for it. Access flickers into being when needed and returns to nothing when its purpose is served. The system holds nothing it does not currently require.
Closing Thought
To secure a system is, paradoxically, to let go of access rather than to accumulate it. The architecture of impermanence is the practice of holding power lightly — granting it freely when needed, releasing it completely when not.
