ZERO STANDING PRIVILEGE
What is Zero Standing Privilege (ZSP) and how is it anchored in standards?
Privilege without a timer is the real vulnerability, not the person holding it. Zero Standing Privilege (ZSP) means access does not exist between sessions. Every session is requested, evaluated against current policy, opened for a bounded window, and revoked at close. The control surface moves from credential possession to session lifecycle.
ZSP is anchored in two places. NIST SP 800-207 Tenet 3 states that access to individual enterprise resources is granted on a per-session basis. Tenet 6 requires that all resource authentication and authorisation are dynamic and strictly enforced before access is allowed. IEC 62443-3-3 SR 2.6 requires the system to terminate a remote session either by user action or after an inactivity period; SR 2.1 requires authorisation enforcement for all human users to support segregation of duties and least privilege.
Figure 3. Standing privilege (always on) compared to Zero Standing Privilege (a single bounded window with five labelled transitions: Request, Approval, Session open, Session closed, Access revoked). Anchors: NIST SP 800-207 Tenets 3 and 6; IEC 62443-3-3 SR 2.1, SR 2.6.