It breaks because JIT assumes a human request that is deliberate, reviewable, and accountable. AI agents can generate requests continuously, and attackers can influence those requests through prompt injection. The result is a control that may grant access correctly but still authorise attacker-shaped intent. The problem is not timing alone, it is trust in the request itself.
Why This Matters for Security Teams
Just-in-time access was designed to reduce standing privilege, but AI agents change the control problem. Agents do not wait for a manager approval moment, and they do not express intent in a stable, human-readable way. They can generate repeated requests, chain tools, and retry until a policy grants access. That means the real risk is not only whether access expires quickly, but whether the request itself is trustworthy at the moment it is evaluated. Current guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework both point to runtime context and governance, not static approval alone.
This is why NHI security has become central to agentic AI governance. A compromised agent identity can turn short-lived access into a rapid path to secrets, data exfiltration, or destructive actions, as highlighted in NHIMG analysis of Amazon Q AI Coding Agent Compromised and CoPhish OAuth Token Theft via Copilot Studio. In practice, many security teams discover that JIT is working exactly as designed, only after an attacker has already shaped the request path.
How It Works in Practice
For AI agents, JIT should be treated as a runtime authorisation pattern, not a human convenience feature. The safer model is to bind each task to a workload identity, evaluate policy at request time, and issue narrowly scoped credentials only when the agent can prove what it is, what it is trying to do, and which context triggered the action. That is why workload identity mechanisms such as SPIFFE, OIDC token exchange, and short-lived secrets matter: they make the agent’s identity cryptographically verifiable without turning it into a long-lived bearer of privilege.
In mature implementations, the control flow usually looks like this:
- The agent authenticates with a workload identity, not a reusable password or static API key.
- A policy engine evaluates the request against context such as task, tool, data sensitivity, and environment state.
- Credentials are issued just in time, with a minimal scope and short TTL.
- Completion or timeout triggers automatic revocation, logging, and post-action review.
This aligns with the direction described by the CSA MAESTRO agentic AI threat modeling framework and the OWASP Non-Human Identity Top 10. It also fits NHIMG reporting on credential abuse, including the Moltbook AI agent keys breach, where exposed agent credentials became an immediate attack surface. The practical lesson is simple: JIT is useful only when the policy decision is made from agent context, not from a blind assumption that every request is benign. These controls tend to break down in high-autonomy pipelines that let agents self-retry and self-compose tool calls because request volume outpaces meaningful human review.
Common Variations and Edge Cases
Tighter JIT controls often increase orchestration overhead, so organisations have to balance response speed against the cost of additional policy checks, token exchange steps, and audit logic. That tradeoff becomes more visible in production systems where agents need to act across multiple tools or services in a single workflow.
There is no universal standard for this yet, but current guidance suggests three common patterns. First, use very short-lived secrets for routine actions and reserve stronger approval gates for sensitive operations. Second, separate read-only agent tasks from write or delete operations, since destructive actions deserve a different trust threshold. Third, treat prompt injection as an access-control issue, not only a content-safety issue, because attacker-shaped prompts can influence what the agent asks for next. NHIMG’s coverage of Gemini AI Breach — Google Calendar Prompt Injection shows how easily context poisoning can distort downstream authorisation.
For organisations measuring maturity, the right question is not whether JIT exists, but whether the agent can be constrained when it is uncertain, novel, or externally influenced. The Anthropic report on AI-orchestrated cyber espionage reinforces that autonomous workflows can accelerate abuse once a trust boundary is crossed. JIT breaks down most often in multi-agent systems with shared credentials and loosely scoped tool permissions, because one compromised agent can inherit or trigger the access path of another.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, CSA MAESTRO and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | JIT fails when agents can shape requests and bypass intended trust boundaries. |
| CSA MAESTRO | M4 | MAESTRO covers runtime policy and tool-use controls for autonomous agents. |
| NIST AI RMF | AI RMF governance is needed to manage autonomous request risk and accountability. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived credentials and rotation are central when agents receive ephemeral access. |
| NIST Zero Trust (SP 800-207) | AC-5 | Zero Trust requires continuous verification, not trust based on a prior JIT grant. |
Re-evaluate agent access at each request and deny by default outside approved context.
Related resources from NHI Mgmt Group
- When is it crucial to implement least-privilege access for AI agents?
- When does just-in-time access reduce risk for agentic AI, and when does it fall short?
- How should security teams govern AI agents that use OAuth access?
- How should security teams limit the risk from AI agents that have access to production systems?