Subscribe to the Non-Human & AI Identity Journal

Who is accountable when JWTs remain valid after logout?

Accountability sits with the teams that defined the authentication design and the application owners who accepted the revocation trade-off. If a workflow requires immediate access termination, the architecture should include revocation state or secondary validation. Standards such as Zero Trust and identity lifecycle governance make that ownership expectation clear.

Why This Matters for Security Teams

JWTs that stay valid after logout are not a token bug in isolation. They are an accountability problem across authentication design, session management, and application ownership. When teams choose self-contained tokens without a revocation path, they accept that logout is often only a client-side signal, not a security boundary. That is acceptable for low-risk workflows, but it is not acceptable where immediate termination is required.

This is why identity lifecycle governance and Zero Trust thinking matter. The NIST Cybersecurity Framework 2.0 frames access control as an ongoing responsibility, not a one-time login event. In NHI and machine identity incidents, the same pattern appears when secrets or credentials outlive the trust decision that created them. NHIMG research on the DeepSeek breach shows how exposed identity material can remain actionable long after the original control point failed.

In practice, many security teams discover the cost of invalid JWTs only after a user, service account, or automation path has already retained access longer than intended.

How It Works in Practice

Accountability should be split by control plane. Security architecture teams are accountable for choosing whether JWTs are short-lived, introspectable, or backed by revocation state. Application owners are accountable for deciding whether their workflows can tolerate delayed logout semantics. If immediate termination is a business requirement, then “stateless by default” is not enough; the design must add a validation layer that can reject a token even before its expiry.

Common implementation patterns include token introspection, server-side session state, revocation lists, short access token lifetimes paired with refresh token controls, and secondary checks against user status, device posture, or risk signals. The NIST Cybersecurity Framework 2.0 aligns with this approach because access should be continuously governed rather than assumed to remain valid until expiry. For secrets-heavy environments, NHIMG’s DeepSeek breach analysis is a useful reminder that long-lived identity artifacts create long-lived exposure.

  • Use short TTLs for access tokens when logout must have practical effect.
  • Keep refresh tokens and session state server-side so access can be cut off centrally.
  • Define who owns revocation logic before production, not after an incident.
  • Document where the system accepts eventual consistency and where it does not.

JWTs are not wrong by design, but they become a liability when distributed systems rely on them for immediate access termination without a compensating control. These controls tend to break down in offline-first, edge, and high-latency environments because revocation cannot be verified reliably at request time.

Common Variations and Edge Cases

Tighter logout semantics often increase operational overhead, requiring organisations to balance immediate revocation against latency, availability, and implementation complexity. Current guidance suggests the right answer depends on the risk of the protected action. A customer dashboard may tolerate a token that remains valid for a few minutes. An admin console, payment system, or NHI control plane usually should not.

There is no universal standard for this yet, but best practice is evolving toward context-aware validation. That may include forcing re-authentication for sensitive actions, checking a central session record, or using claims that can be invalidated through policy rather than waiting for token expiry. The NIST Cybersecurity Framework 2.0 supports this risk-based approach, while the DeepSeek breach underscores how identity failures persist when teams assume expiry alone is enough.

Edge cases also matter when logout is triggered by insider risk, account takeover, or delegated admin abuse. In those scenarios, the accountable party is not just the application owner but also the platform team that set the revocation model and the governance function that approved the exception. If a product team cannot revoke access immediately, that limitation should be explicitly documented as an accepted residual risk, not treated as a hidden design assumption.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-1 Highlights that access should be governed continuously, not assumed valid after logout.
OWASP Non-Human Identity Top 10 NHI-03 Relevant to credential lifecycle and the risk of long-lived identity artifacts remaining usable.
NIST AI RMF Supports accountability for system behaviour and residual risk decisions in identity design.

Assign explicit ownership for token validity, revocation, and exception handling across the AI system lifecycle.