JIT Access: Who's Actually Succeeded At This?
Holy crap, JIT access is driving me nuts right now.
Our new CISO has adopted a new mantra: "We could have Fort Knox-level authentication, and bad stuff will STILL find a way in". Based on this, we're trying to blow up the whole concept of standing permissions for our dev team.
The pitch sounds great in theory - no more developers swimming in access they don't need 24/7. But implementing it? I'm not sure how to tackle it.
I'm basically crowdsourcing some sanity right now:
- Who else is in the trenches with this?
- How the heck are you managing JIT? Did you go with some fancy external tool, or did your team basically become DIY heroes and build something internal?
- What complete disasters/unexpected landmines did you hit during rollout?
- Devs revolt? Security team losing their minds? I want ALL the drama.
- And what's your overall take? Do you think it is actually worth the effort?
Thanks!!