A break-glass procedure is a pre-defined emergency access protocol that permits an operator to override standard role-based access controls (RBAC) and authentication mechanisms to gain immediate entry to a critical system. This mechanism is designed for high-stakes scenarios—such as a critical infrastructure failure or a security incident—where following the normal access request workflow would cause unacceptable operational delay or safety risk.
Glossary
Break-Glass Procedure

What is Break-Glass Procedure?
A break-glass procedure is a documented emergency access process that allows authorized operators to bypass standard permission controls to gain immediate access to a locked-down system, with all actions heavily audited post-incident.
The defining characteristic of a break-glass procedure is not the bypass itself, but the immutable forensic audit trail it triggers. Every action taken during the emergency session is automatically and comprehensively logged, often with real-time alerts sent to security operations centers. This ensures that while the operator has temporary, elevated privileges, the activity is fully attributable and reviewable, enforcing non-repudiation and enabling rigorous post-incident analysis.
Core Characteristics of a Break-Glass Procedure
A break-glass procedure is a controlled security mechanism that allows operators to bypass standard access controls during critical incidents, ensuring availability while maintaining non-repudiation through exhaustive post-action auditing.
Just-In-Time Privilege Elevation
The core mechanism that grants temporary, time-bound administrative access to a locked-down system. Unlike standing privileges, break-glass accounts remain disabled until a strict activation workflow is triggered. The elevation is tied to a specific ticket or incident ID, and the credentials are automatically rotated or disabled immediately after the predefined time window expires. This minimizes the attack surface by ensuring no permanent backdoor exists.
Multi-Person Integrity Control
Also known as split-knowledge or M-of-N control, this characteristic requires multiple authorized individuals to simultaneously authenticate or approve the glass-break before access is granted. Common implementations include:
- Dual Key Encryption: Two separate cryptographic keys held by different operators must be combined.
- Out-of-Band Approval: A push notification requiring biometric confirmation from a secondary security officer. This prevents a single compromised insider or rogue administrator from unilaterally accessing sensitive air-gapped systems.
Immutable Forensic Audit Trail
Every action taken during a break-glass session is captured in a tamper-proof, append-only log. This includes keystroke-level logging, screen recording, and API call capture. The audit trail is streamed to a separate, hardened security information and event management (SIEM) system that the break-glass operator cannot access or modify. This ensures non-repudiation, allowing security teams to reconstruct the entire incident timeline and verify that the emergency access was not misused.
Automated Credential Rotation
Immediately upon the expiration or termination of the break-glass session, the system triggers an automated workflow to invalidate and rotate the exposed credentials. This process revokes the temporary certificates, regenerates the compromised private keys, and updates the offline hardware security module (HSM) with new material. The rotation ensures that any credentials potentially observed or exfiltrated during the emergency session become cryptographically useless, restoring the system to its fully hardened state.
Context-Aware Policy Enforcement
The break-glass system integrates with policy as code (PaC) engines to evaluate the context of the emergency before granting access. The admission controller checks dynamic attributes such as:
- Geolocation: Is the request originating from the secure facility?
- System Health: Is there an active P1 incident alert?
- Network State: Is the air-gapped network confirmed to be isolated? If the context does not match a declared emergency, the glass-break is denied even with valid credentials, preventing social engineering exploits.
Physical Presence Verification
In high-assurance air-gapped environments, a logical break-glass must be paired with a physical action to defeat remote exploitation. This often requires an operator to physically press a button on a hardware security module (HSM) or insert a smart card into a reader within the secure perimeter. This air-gap integrity measure ensures that a compromised remote workstation cannot trigger the emergency protocol, binding the digital override to a human physically present at the console.
Frequently Asked Questions
Critical questions about the design, execution, and auditing of break-glass procedures in sovereign and air-gapped AI infrastructure.
A break-glass procedure is a documented emergency access protocol that allows authorized operators to bypass standard identity and access management (IAM) controls to gain immediate administrative access to a locked-down system. The mechanism works by generating a highly privileged, time-limited credential—often a one-time password or short-lived certificate—that is stored in a physically secured or encrypted digital safe. When activated, the procedure logs the operator into the system with maximum privileges, simultaneously triggering a high-priority alert to the security operations center (SOC). All keystrokes, commands, and session data are recorded and streamed to a tamper-proof audit log. The term originates from the physical act of breaking glass to access a fire alarm or emergency key, symbolizing that the action is irreversible and immediately visible to all stakeholders.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core security and access control mechanisms that govern, audit, and secure the break-glass procedure in air-gapped and sovereign infrastructure environments.
Just-In-Time (JIT) Access
A security protocol that grants users elevated privileges to critical air-gapped systems only for a limited time window required to complete a specific task. Unlike standing administrative access, JIT access provisions ephemeral credentials that are automatically revoked after expiration, reducing the attack surface for credential theft. In a break-glass scenario, JIT systems can be configured to issue emergency roles with maximum 15-minute lifetimes, forcing operators to re-authenticate and re-justify access if the incident response extends beyond the window.
Policy as Code (PaC)
The practice of defining security and compliance rules in machine-readable definition files, allowing automated enforcement by an admission controller before any resource is provisioned. For break-glass procedures, PaC ensures that emergency access policies—such as dual-person authorization requirements or mandatory audit logging—are version-controlled, tested, and cannot be bypassed by manual configuration drift. Tools like Open Policy Agent (OPA) evaluate real-time requests against Rego policies to determine if emergency access conditions are met.
Hardware Security Module (HSM)
A dedicated physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. In break-glass workflows, HSMs store the emergency access private keys used to decrypt sealed credentials or sign emergency authorization tokens. The HSM ensures that break-glass keys never leave the tamper-resistant hardware boundary, preventing extraction even if the host system is fully compromised. FIPS 140-2 Level 3 validation is the minimum standard for these modules in defense environments.
Offline Certificate Authority (CA)
A root certificate authority that is kept powered down and physically secured, only brought online in a controlled environment to issue or revoke subordinate certificates. In air-gapped break-glass scenarios, the offline CA issues short-lived emergency authentication certificates that grant temporary administrative access. The physical isolation of the root CA prevents network-based key compromise, while strict ceremonial procedures—including video-recorded multi-person access—govern every certificate issuance event.
Admission Controller
A piece of code that intercepts requests to the Kubernetes API server after authentication and authorization, mutating or validating objects to enforce custom security policies before persistence. During a break-glass event, admission controllers can inject mandatory sidecars—such as audit logging proxies or session recorders—into emergency pods, ensuring that all actions taken during the incident are captured regardless of operator configuration. Mutating webhooks enforce non-bypassable compliance guardrails.
Hardware-Backed Keystore
A secure storage mechanism where cryptographic keys are generated and stored within a tamper-resistant hardware module, ensuring they are never exposed in plaintext to the host operating system memory. Break-glass procedures rely on hardware-backed keystores to protect emergency decryption keys from memory-scraping malware. Technologies like Android StrongBox and Apple Secure Enclave implement this at the edge, while server-grade TPMs and HSMs provide equivalent protection for data center break-glass workflows.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us