AI agent delegation and JWTs: what breaks in access control?

TL;DR: Permit.io argues that JSON Web Tokens break down in AI agent workflows because delegation chains, transitive permissions, and runtime context are dynamic, while JWT claims are fixed at issuance. The static token model cannot keep pace with agentic authorization, where policy decisions need to be evaluated in real time.

NHIMG editorial — based on content published by PermitIO: Why JWTs Can’t Handle AI Agent Access

By the numbers:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: What breaks when JWTs are used for AI agent authorization?

A: JWTs break when an AI agent needs to act on changing context, delegate to other agents, or inherit access across a chain of relationships.

Q: Why do AI agents complicate access control compared with service accounts?

A: AI agents complicate access control because they can initiate actions, choose paths, and create delegation chains during execution rather than simply consuming pre-assigned permissions.

Q: How should security teams evaluate policy-based authorisation for agent workflows?

A: Security teams should test whether policy decisions are made against live relationships and context, not against stale token claims.

Practitioner guidance

• Audit static token dependencies in agent flows Map every AI agent workflow that still relies on JWTs for delegated action, then identify where claims, scopes, or expiry values are being used as a proxy for current authorisation.
• Move delegated access into policy decisions Use a policy decision point to evaluate current relationships, context, and resource sensitivity before the agent acts.
• Represent agents and services as relationship graphs Model users, agents, and workloads as nodes with explicit delegation edges so access can be recalculated when roles change or access must be revoked.

What's in the full article

PermitIO's full analysis covers the operational detail this post intentionally leaves for the source:

• Examples of how the vendor models delegated access in policy using relationship edges
• Implementation detail on policy decision points, including how live context is evaluated at request time
• Discussion of token chaining limits, header size concerns, and refresh overhead in multi-agent flows
• Operational notes on tracing accountability back through delegation chains when roles or ownership change

👉 Read PermitIO's analysis of JWT limits for AI agent authorization →

AI agent delegation and JWTs: what breaks in access control?

Explore further

View Full Forum →  |  NHI Foundation Course →