By NHI Mgmt Group Editorial TeamPublished 2026-07-02Domain: Agentic AI & NHIsSource: Clutch Security

TL;DR: Just-in-time access works for humans because requests are rare, reviewable, and accountable, but AI agents generate constant, machine-speed access requests that can be manipulated through prompt injection, according to Clutch Security. The real failure is assuming a sentence can safely stand in for governed identity and lineage.


At a glance

What this is: This article argues that just-in-time access is a poor control pattern for AI agents because it turns a declared intent string into an authorization signal that can be manipulated and outpaced by machine-speed execution.

Why it matters: IAM, PAM, and NHI teams need to recognise that ephemeral access alone does not solve agent governance if identity ownership, lineage, and behavioural controls are still missing.

👉 Read Clutch Security's analysis of why JIT falls apart for AI agents


Context

Just-in-time access for AI agents sounds safe because it reduces the time credentials exist, but it does not solve the deeper problem of who or what is actually being authorised. In identity governance terms, the issue is not only privilege duration. It is whether the access decision rests on a trustworthy identity, a verifiable workflow, and a controllable execution path.

For agents, the request itself can be generated, reshaped, or poisoned at runtime, which means the access grant may be based on untrusted text rather than a stable operator intent. That creates a governance gap for NHI programmes that already struggle with ownership, lineage, and auditability. The article is typical of the current market debate: teams want human-style control patterns for non-human behaviour.


Key questions

Q: What breaks when just-in-time access is used for AI agents?

A: It breaks because JIT assumes a human request that is deliberate, reviewable, and accountable. AI agents can generate requests continuously, and attackers can influence those requests through prompt injection. The result is a control that may grant access correctly but still authorise attacker-shaped intent. The problem is not timing alone, it is trust in the request itself.

Q: Why do AI agents complicate just-in-time access governance?

A: AI agents complicate JIT because they operate at machine speed and can chain actions inside a very short credential window. That means ephemeral access does not automatically reduce exposure. Teams must govern the identity, the scope, and the lineage of every action, not just the duration of the token.

Q: How do security teams know whether JIT access is actually reducing risk?

A: They know it is working only if they can show that the access scope is tightly bounded, the identity owner is known, the action lineage is complete, and the agent cannot use the granted credential to reach unrelated systems. If those conditions are missing, JIT is mostly shortening audit evidence rather than reducing exposure.

Q: Who is accountable when an AI agent abuses short-lived access?

A: Accountability should sit with the human owner of the identity and the team that approved the access path, not with the model that generated the request. If a platform cannot attribute person, agent, tool, identity, action, and resource, accountability has already failed before the incident review starts.


Technical breakdown

Why intent-based just-in-time access breaks for AI agents

Intent-based JIT assumes the request expresses a deliberate human need that can be reviewed before access is granted. AI agents do not work that way. Their task description is often produced by an LLM, influenced by prompt context, and exposed to injection or manipulation. If the authorization engine trusts that string, it is not validating policy intent. It is validating attacker-controlled input. The control can function exactly as designed and still serve the wrong party, which is why the model collapses as soon as the actor is agentic rather than human.

Practical implication: do not treat agent intent text as an authorization input unless the identity and request lineage are independently verified.

Why ephemeral access does not equal reduced blast radius

JIT shortens credential lifespan, but it does not change what the credential can do while active. For agents, that distinction matters because execution happens in milliseconds, not hours. An agent can chain tool calls, move data, and complete an entire task before a short-lived token expires. The real control question is not how long the token lives, but whether the access scope is bounded to the actual identity and action set. Ephemerality helps only when the actor is slower than the expiry window.

Practical implication: measure agent privilege by reachable systems and task scope, not by token lifetime alone.

Who approves access when a model requests access for a model

Traditional JIT depends on either human approval or a policy engine backed by human governance. That pattern becomes brittle when an agent requests access frequently and at machine speed. Human approval does not scale, so teams drift toward auto-approve. If another model makes the decision, the access gate becomes model-vs-model guessing with shared exposure to injection, hallucination, and context drift. The result is approval theatre, not governance. This is the core reason micro-approval loops fail in agentic environments.

Practical implication: replace approval-centric designs with identity ownership, policy-bound scopes, and observable execution lineage.


Threat narrative

Attacker objective: The attacker wants the agent to obtain and use access on the attacker's behalf, turning the authorization workflow into a controlled path to unauthorized systems or data.

  1. Entry begins when a malicious prompt or poisoned content reshapes the agent's declared intent into a request that appears valid to the access engine. Escalation follows when the agent receives a scoped but live credential that can be used immediately across connected tools and data sources. Impact occurs when the agent completes unauthorized actions before the credential expires, leaving a shallow grant record but little forensic lineage.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Intent-based JIT is a broken control premise for agentic access. JIT was designed for human requests that are rare, deliberate, and reviewable. That assumption fails when the actor is an AI agent because the request can be generated, modified, and retried at machine speed, often under attacker influence. The implication is not that access should be faster. It is that request text cannot be treated as a stable trust boundary.

Ephemeral credentials do not reduce blast radius if the actor outpaces the expiry window. JIT changes credential duration, not privilege reach. Agents can call tools, chain actions, and complete harmful work before a short-lived token expires, so the real issue is the scope of what the identity can touch while active. Practitioners need to treat blast radius as a function of reachable systems, not token life.

Approval workflows built for humans become theatre when models approve models. A person cannot sit in a microsecond approval loop, so teams tend to automate the approver. That creates a second model vouching for the first, with no stronger assurance than the input itself. The governance lesson is that approval is not the same as authorization when the requester can rewrite the evidence.

Agentic identity needs lineage, not just revocation. The article correctly points to the investigative gap: a grant log is not a full story. If a team cannot tie person, agent, tool, identity, action, and resource together, it cannot prove what happened after the fact. That is a governance failure in lineage, ownership, and observability, and it should be treated as such.

Workload-bound ephemerality is a better model than request-based ephemerality. Short-lived credentials anchored to a verified workload are fundamentally different from short-lived credentials issued because a sentence sounded plausible. The first is enforced by platform identity. The second is trust in narrative. Practitioners should prefer architecture that makes identity verifiable before execution begins.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • From our research: Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
  • For deeper context, see OWASP Agentic AI Top 10 for the current threat taxonomy around agent goal hijacking, tool misuse, and identity abuse.

What this signals

Ephemeral access is not the same as governed access. As AI agents move from experiment to production, IAM and PAM teams will need to shift from approval choreography to identity lineage, workload binding, and action-level observability. The strongest signal here is not shorter-lived credentials, but whether the programme can still explain who or what did what after the token is gone.

Intent-based authorisation will become a governance anti-pattern. Once teams accept that generated text can be manipulated, they will have to treat agent requests as untrusted inputs and move the control point back to the identity layer. For broader framing on agentic risk, compare this debate with the OWASP Top 10 for Agentic Applications 2026.

The programme implication is straightforward: recertification, access review, and offboarding processes must be able to follow the agent, not just the credential. Where ownership and lineage are missing, JIT simply hides the blast radius behind a short audit trail.


For practitioners

  • Map every agent to a real identity Inventory which non-human identities an agent can assume, who owns them, and which systems each identity can reach before any just-in-time pattern is approved. This gives security teams a baseline for access governance and incident response lineage.
  • Stop using declared intent as the authorization signal Treat prompt text, generated plans, and natural-language task descriptions as untrusted input. Authorize only when the underlying workload identity, policy scope, and execution context are independently verifiable.
  • Baseline agent behaviour before you review access Capture normal tool usage, data access, and action sequences so deviations can be detected at the identity layer rather than inferred from expired tokens. This is where lineage and behavioural controls become more useful than JIT ceremony.
  • Prefer workload-bound short-lived credentials Use federated, workload-bound credentials that are minted from platform identity rather than from a request string. That gives you short-lived access without making the authorization decision depend on agent-generated language.
  • Demand full lineage from identity to action Require tools to reconstruct person to agent to tool to identity to action to resource. If the platform cannot produce that chain, it cannot support effective investigation, recertification, or accountability.

Key takeaways

  • JIT access works for humans because human requests are rare and reviewable, but that assumption does not hold for AI agents.
  • Short-lived credentials reduce credential lifespan, not the effective blast radius of an agent that can execute at machine speed.
  • Governance for agentic access has to centre on identity lineage, workload binding, and observability, not on trusting declared intent.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10Agent intent manipulation and tool misuse are central to this article.
OWASP Non-Human Identity Top 10NHI-01The article is about non-human identity governance and access misuse.
NIST CSF 2.0PR.AC-4The post focuses on access permissions and least-privilege governance.
NIST Zero Trust (SP 800-207)The argument centres on identity-bound access and continuous verification.
NIST AI RMFGOVERNAgent accountability and governance ownership are core themes here.

Treat model-generated requests as untrusted and bind authorization to verified identity and scope.


Key terms

  • Intent-Based Authorization: An access model that grants permissions based on what a requester says it wants to do. For AI agents, that is fragile because the request can be generated, altered, or poisoned at runtime. The trust problem is not intent as a concept, but whether intent can be verified independently of the text that describes it.
  • Identity Lineage: The trace that links a person, agent, tool, credential, action, and target resource into one accountable chain. In agentic environments, lineage matters more than a grant record because short-lived credentials can disappear before investigators understand what happened. Without lineage, recertification and incident response become guesswork.
  • Workload Identity Federation: A method of issuing short-lived credentials to a verified workload without relying on a long-lived secret or a self-declared request. For AI agents, it is a stronger pattern than request-driven JIT because the platform asserts identity before access is minted. The control is architectural, not conversational.

What's in the full article

Clutch Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • A step-by-step breakdown of why intent-based approval fails under prompt injection and model-generated requests.
  • Practical examples of how agents branch across tool calls and sub-agents, making a single access grant harder to reason about.
  • A discussion of workload identity federation as a more reliable path to short-lived access than request-driven JIT.
  • A closer look at what full lineage should include when an investigation needs to reconstruct person, agent, tool, identity, action, and resource.

👉 Clutch Security's full post covers the intent failure mode, approval loop collapse, and lineage gap in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org