Modern identity security is shifting fast, and few companies embody that transformation as clearly as Instacart. During our recent webinar, So Long, Standing Access: How Instacart Cut Standing Access and Streamlined Audits, Instacart’s IAM engineering leaders Dominic Zanardi and Spencer Sheehan walked us through how they built a fully automated, policy-driven, engineering-friendly just-in-time (JIT) access program.
Their results speak for themselves:
- Eliminated standing access for AWS
- Expanded JIT to critical business apps like Stripe
- Completed nearly 70,000 automated IAM tasks with ConductorOne
- Dramatically reduced time spent on user access reviews
Below is a full recap of their journey, learnings, and advice for teams looking to modernize identity governance.
From manual to automated access governance
Before ConductorOne, access governance at Instacart was complex. Their SOX-in-scope environment included more than 50 systems, which meant repeated, time-consuming cycles of manual provisioning checks, hundreds of access review tickets, and senior engineers losing significant time confirming access they barely had context for.
Instacart was also preparing for an IPO, driving urgency to tighten controls. When looking for a tool, the leaders of their security team knew they needed repeatable, auditable workflows, automation as a default state, and less burden on managers and reviewers.
Enter ConductorOne.
When Dom joined Instacart to help engineer the new program, ConductorOne’s Terraform provider was an immediate unlock. “We could build policies, roles, and workflows fully in code,” he shared. “Auditors could jump into GitHub, review change history, and trace exactly how a policy evolved.”
This shift gave Instacart:
- Transparency: Terraform backed by GitHub made every change peer-reviewed and testable.
- Repeatability: Policies are defined once in code and can key on HR attributes, team structure, geography, job title, or even external API checks such as training completion.
- Automation: No servers to host. No brittle scripts. Everything driven through policy.
Removing all standing access to AWS
Once their policies were in place, Instacart took a daring step: they removed all standing access to AWS. Instead, they applied expirations to every AWS entitlement. When access expired, users renewed it through ConductorOne using Slack, the ConductorOne UI, or the CLI for engineers.
Engineers who didn’t truly need access simply didn’t renew it. This organic fall-off became one of the biggest unexpected wins.
“Access was cut in half,” Spencer explained. “People had been approving it every quarter, but they didn’t actually need it.”
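The expire-and-renew mechanic described above, as an added Python example (not ConductorOne's or Instacart's code). It assumes a hypothetical in-memory grant store, a constructed set of principals and one constructed AWS entitlement name. The points it makes: every access check reads the expiry, renewal only extends a grant that is still live (an expired grant needs a fresh request), and the sweep is the deprovisioning step that also yields the record of who let access lapse.

```python
"""Expiring JIT grants instead of standing access (added example; hypothetical store)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass
class Grant:
    principal: str      # constructed, e.g. "alice"
    entitlement: str    # constructed, e.g. "aws:role/PowerUser"
    expires_at: datetime
    renewals: int = 0


class JitGrantStore:
    """Every grant carries an expiry; there is no 'permanent' state.
    renew() extends a live grant, sweep() revokes anything past expiry."""

    def __init__(self, ttl: timedelta):
        self.ttl = ttl
        self._grants: dict[tuple[str, str], Grant] = {}

    def grant(self, principal: str, entitlement: str, now: datetime) -> Grant:
        g = Grant(principal, entitlement, now + self.ttl)
        self._grants[(principal, entitlement)] = g
        return g

    def has_access(self, principal: str, entitlement: str, now: datetime) -> bool:
        # The enforcement point: expiry is checked on every use, not just at grant time.
        g = self._grants.get((principal, entitlement))
        return g is not None and now < g.expires_at

    def renew(self, principal: str, entitlement: str, now: datetime) -> Grant:
        g = self._grants.get((principal, entitlement))
        if g is None or now >= g.expires_at:
            # Lapsed access is not silently revived; it goes back through a JIT request.
            raise LookupError("no live grant; submit a new JIT request")
        g.expires_at = now + self.ttl
        g.renewals += 1
        return g

    def sweep(self, now: datetime) -> list[Grant]:
        """Deprovision every grant past expiry; the returned list is the audit record."""
        expired = [g for g in self._grants.values() if now >= g.expires_at]
        for g in expired:
            del self._grants[(g.principal, g.entitlement)]
        return expired

    def active(self, now: datetime) -> list[Grant]:
        return [g for g in self._grants.values() if now < g.expires_at]


def simulate_fall_off(renewing: list[str], non_renewing: list[str], ttl_days: int = 7):
    """Constructed scenario: everyone starts with the same grant, only `renewing`
    renew before expiry. Returns (active_after_sweep, revoked_after_sweep)."""
    store = JitGrantStore(timedelta(days=ttl_days))
    ent = "aws:role/PowerUser"  # constructed entitlement name
    t0 = datetime(2025, 1, 1, tzinfo=UTC)
    for p in renewing + non_renewing:
        store.grant(p, ent, t0)
    for p in renewing:
        store.renew(p, ent, t0 + timedelta(days=ttl_days - 1))
    t_sweep = t0 + timedelta(days=ttl_days)
    revoked = store.sweep(t_sweep)
    return len(store.active(t_sweep)), len(revoked)


if __name__ == "__main__":
    # Two of four principals renew; the other two lapse and are revoked by the sweep.
    print(simulate_fall_off(["alice", "bob"], ["carol", "dave"]))  # (2, 2)
```

The sweep is where the "organic fall-off" shows up: nobody has to decide to remove access, the absence of a renewal removes it.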
Scaling JIT beyond engineering
After success in AWS, Instacart expanded the JIT program to other sensitive apps. Stripe was one of the biggest and most delicate additions.
Customer support, accounting, and financial ops teams rely on Stripe for escalations, refunds, and month-end close. These users were skeptical about losing always-on access.
Once they saw that ConductorOne’s Slackbot made access requests easy, that approvals were often instantaneous, and that they stayed unblocked during high-pressure workflows, adoption followed quickly.
“It becomes way less work,” Spencer said. “Once people learn the Slack flow, it’s smooth.”
Gadjit: Instacart’s open source entitlement scoring AI bot
Instacart also pioneered early use of AI in identity. They built and open-sourced Gadjit, a JIT-focused entitlement scoring and recommendation AI bot.
Gadjit analyzes JIT access requests for peer adjacency, historical access, role similarity, org structure, and risk profile. It then produces a risk-based access score, not a decision.
“We use it for recommendation, not replacement,” Dom explained. But for low-risk roles, Instacart allows AI-backed auto-approval. Humans then review the audit trail annually.
“So far, it’s never made a decision we disagreed with,” Spencer said.
Gadjit helps Instacart move faster without compromising auditor trust.
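An added Python sketch of the score-then-policy split this section describes. It is not Gadjit's code: the signals (peer adjacency, historical access, org adjacency), their weights, the risk tiers and the thresholds are all hypothetical, and the directory, holder sets and history are constructed. The scoring function only returns a number and its inputs; the separate recommend() layer is where auto-approval is gated on the entitlement's risk tier, so a perfect score on a high-risk entitlement still goes to a human. Unknown entitlements default to the high tier so the policy fails closed.

```python
"""Risk-based JIT request scoring with a separate approval policy (added example, not Gadjit)."""
from __future__ import annotations

from dataclasses import dataclass

# --- constructed directory, entitlement state and history -------------------------
TEAM_OF = {"alice": "payments-eng", "bob": "payments-eng", "carol": "payments-eng",
           "dan": "data-platform", "erin": "support", "frank": "support"}
ORG_OF = {"payments-eng": "engineering", "data-platform": "engineering",
          "support": "operations"}
CURRENT_HOLDERS = {"aws:role/PaymentsDeveloper": {"alice", "bob"},
                   "aws:role/Admin": {"dan"},
                   "stripe:refunds": {"erin"}}
PAST_HOLDERS = {"aws:role/PaymentsDeveloper": {"alice", "bob", "carol"},
                "aws:role/Admin": {"dan"},
                "stripe:refunds": {"erin", "frank"}}
RISK = {"aws:role/PaymentsDeveloper": "low", "aws:role/Admin": "high",
        "stripe:refunds": "medium"}

# --- hypothetical policy knobs ---------------------------------------------------
WEIGHTS = {"peer": 0.5, "history": 0.3, "org": 0.2}
AUTO_APPROVE_RISK = {"low"}
AUTO_APPROVE_THRESHOLD = 0.8


@dataclass(frozen=True)
class Request:
    requester: str
    team: str
    entitlement: str


def peer_adjacency(req: Request) -> float:
    """Share of the requester's teammates who currently hold the entitlement."""
    teammates = {u for u, t in TEAM_OF.items() if t == req.team and u != req.requester}
    if not teammates:
        return 0.0  # no peers to compare against: contributes nothing, not a free pass
    holders = CURRENT_HOLDERS.get(req.entitlement, set())
    return len(teammates & holders) / len(teammates)


def historical_access(req: Request) -> float:
    """1.0 if the requester has held this entitlement before (renewal-like request)."""
    return 1.0 if req.requester in PAST_HOLDERS.get(req.entitlement, set()) else 0.0


def org_adjacency(req: Request) -> float:
    """Share of current holders who sit in the requester's wider org."""
    holders = CURRENT_HOLDERS.get(req.entitlement, set())
    if not holders:
        return 0.0
    same_org = {u for u in holders if ORG_OF[TEAM_OF[u]] == ORG_OF[req.team]}
    return len(same_org) / len(holders)


def score(req: Request) -> dict:
    """Produces a score and its inputs. Deliberately not a decision."""
    signals = {"peer": peer_adjacency(req), "history": historical_access(req),
               "org": org_adjacency(req)}
    total = sum(WEIGHTS[k] * v for k, v in signals.items())
    return {"signals": signals, "score": round(total, 3),
            "risk": RISK.get(req.entitlement, "high")}  # unknown -> fail closed


def recommend(req: Request) -> dict:
    """Policy layer: auto-approve only low-risk entitlements with a high score."""
    s = score(req)
    high = s["score"] >= AUTO_APPROVE_THRESHOLD
    auto = high and s["risk"] in AUTO_APPROVE_RISK
    if auto:
        label = "auto-approve"
    elif high:
        label = "recommend approve, human sign-off required"
    else:
        label = "route to approver for review"
    return {**s, "auto_approve": auto, "recommendation": label}


if __name__ == "__main__":
    for r in (Request("carol", "payments-eng", "aws:role/PaymentsDeveloper"),
              Request("frank", "support", "stripe:refunds"),
              Request("dan", "data-platform", "aws:role/PaymentsDeveloper"),
              Request("bob", "payments-eng", "aws:role/Admin")):
        print(r.requester, r.entitlement, recommend(r))
```

The audit trail the page mentions is the `signals` dictionary kept alongside each decision: a reviewer looking at an auto-approval a year later can see which peers, history and org facts produced the score.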
The auditor reaction
Reactions ranged from deeply impressed to deeply cautious, but the biggest comfort factor for auditors was Terraform.
Auditors were able to see annual certification of policies, GitHub change logs, peer-reviewed policy updates, full audit trails for every entitlement, and consistency across the entire access lifecycle.
Instead of quarterly user access reviews, each JIT request became its own micro-review, enforced by code.
Spencer, who was an auditor prior to his current role, put it simply: “This is actually more secure than traditional UARs. As an auditor, I would absolutely trust this more.”
The impact: a more secure, more efficient Instacart
Some highlights:
- 70,000+ automated access tasks: From provisioning to renewals to deprovisioning.
- Massive drop in unused access: Users simply stop renewing permissions they don’t need.
- Zero standing AWS access: Everything ephemeral, everything policy-driven.
- Happier engineers, happier IT: ConductorOne became the place teams wanted their apps onboarded.
- Faster onboarding: New hires request and receive access instantly.
- Consistent controls auditors trust: Terraform + policy + audit trails = clean evidence.
“We didn’t expect the volume,” Dom said. “People started asking us to onboard their apps. They saw JIT as self-service, not a barrier.”
Advice for teams starting their own JIT journey
Spencer and Dom provided some advice for teams looking to build similar programs:
1. Offer a dual path at first
Let users request access the old way and the new way. When they naturally gravitate toward the easier path, deprecate the old one.
2. Start with education
Office hours, walk-throughs, recorded demos.
3. Build personas using usage data
Look at logs to determine what each team truly needs.
4. Use analytics to refine policy
If one team always requests the same role, move them to auto-approval.
5. Treat each JIT request like a micro-UAR
It strengthens the control without the quarterly burden.
6. Bring internal stakeholders into the Terraform process
IT can submit PRs themselves, making policy ownership shared.
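Steps 3 and 4 above, turned into an added Python example (not Instacart's or ConductorOne's tooling). The request log and the team sizes are constructed and the thresholds are hypothetical. It derives a per-team persona from who actually requested what, and flags (team, entitlement) pairs that are requested often, by most of the team, and almost always approved as candidates for auto-approval; pairs with denials or a single requester do not qualify.

```python
"""Mine JIT request logs for team personas and auto-approval candidates (added example)."""
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed request log: one row per JIT request, as a policy engine might export it.
LOG = """\
ts,requester,team,entitlement,decision
2025-01-02T09:00:00Z,alice,payments-eng,aws:role/PaymentsDeveloper,approved
2025-01-09T09:10:00Z,alice,payments-eng,aws:role/PaymentsDeveloper,approved
2025-01-16T09:05:00Z,alice,payments-eng,aws:role/PaymentsDeveloper,approved
2025-01-02T10:00:00Z,bob,payments-eng,aws:role/PaymentsDeveloper,approved
2025-01-09T10:20:00Z,bob,payments-eng,aws:role/PaymentsDeveloper,approved
2025-01-16T10:15:00Z,bob,payments-eng,aws:role/PaymentsDeveloper,approved
2025-01-03T11:00:00Z,carol,payments-eng,aws:role/PaymentsDeveloper,approved
2025-01-10T11:30:00Z,carol,payments-eng,aws:role/PaymentsDeveloper,approved
2025-01-02T14:00:00Z,erin,support,stripe:refunds,approved
2025-01-09T14:00:00Z,erin,support,stripe:refunds,approved
2025-01-16T14:00:00Z,erin,support,stripe:refunds,approved
2025-01-05T15:00:00Z,frank,support,stripe:refunds,approved
2025-01-12T15:00:00Z,frank,support,stripe:refunds,approved
2025-01-04T16:00:00Z,dan,data-platform,aws:role/Admin,approved
2025-01-20T16:00:00Z,dan,data-platform,aws:role/Admin,denied
2025-01-21T16:00:00Z,dan,data-platform,aws:role/PaymentsDeveloper,denied
"""

# Constructed headcount per team, needed to turn "distinct requesters" into coverage.
TEAM_SIZE = {"payments-eng": 3, "support": 2, "data-platform": 1}


def parse_log(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows: list[dict]) -> dict:
    """Per (team, entitlement): request count, approvals and distinct requesters."""
    stats = defaultdict(lambda: {"requests": 0, "approved": 0, "requesters": set()})
    for r in rows:
        s = stats[(r["team"], r["entitlement"])]
        s["requests"] += 1
        s["approved"] += r["decision"] == "approved"
        s["requesters"].add(r["requester"])
    return stats


def auto_approval_candidates(rows: list[dict], team_size: dict[str, int],
                             min_requests: int = 5, min_coverage: float = 0.5,
                             min_approval_rate: float = 0.95) -> list[tuple[str, str]]:
    """Pairs requested often, by most of the team, and almost always approved.
    Thresholds are hypothetical; tune them against your own approval history."""
    out = []
    for (team, ent), s in summarize(rows).items():
        coverage = len(s["requesters"]) / team_size[team]
        approval_rate = s["approved"] / s["requests"]
        if (s["requests"] >= min_requests and coverage >= min_coverage
                and approval_rate >= min_approval_rate):
            out.append((team, ent))
    return sorted(out)


def team_personas(rows: list[dict], team_size: dict[str, int],
                  min_coverage: float = 0.5, min_requesters: int = 2) -> dict[str, set]:
    """Entitlements a meaningful share of each team has actually been approved for.
    min_requesters keeps one person's habits from defining a whole team's persona."""
    personas: dict[str, set] = defaultdict(set)
    for (team, ent), s in summarize(rows).items():
        if (len(s["requesters"]) >= min_requesters
                and len(s["requesters"]) / team_size[team] >= min_coverage
                and s["approved"] > 0):
            personas[team].add(ent)
    return dict(personas)


if __name__ == "__main__":
    rows = parse_log(LOG)
    print("personas:", team_personas(rows, TEAM_SIZE))
    print("auto-approval candidates:", auto_approval_candidates(rows, TEAM_SIZE))
```

Run against a real export, the candidate list is the input to a policy change (a pull request in the Terraform repo, in the model this page describes), not an automatic change itself; the denials in the log are exactly the signal that keeps aws:role/Admin out of the list.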
What’s next for Instacart?
The team at Instacart is now exploring deeper governance for non-human identities and preparing for the rise of AI agents that may need access in seconds-long windows. JIT will only grow in importance.
As Spencer put it: “This is where identity is going. This model addresses risk more effectively than anything we did before.”
Want to learn more about Instacart’s journey with ConductorOne? Watch the video to hear their story in full.