Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI agent delegation and JWTs: what breaks in access control?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Permit.io argues that JSON Web Tokens break down in AI agent workflows because delegation chains, transitive permissions, and runtime context are dynamic, while JWT claims are fixed at issuance. The static token model cannot keep pace with agentic authorization, where policy decisions need to be evaluated in real time.

NHIMG editorial — based on content published by PermitIO: Why JWTs Can’t Handle AI Agent Access

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: What breaks when JWTs are used for AI agent authorization?

A: JWTs break when an AI agent needs to act on changing context, delegate to other agents, or inherit access across a chain of relationships.

Q: Why do AI agents complicate access control compared with service accounts?

A: AI agents complicate access control because they can initiate actions, choose paths, and create delegation chains during execution rather than simply consuming pre-assigned permissions.

Q: How should security teams evaluate policy-based authorisation for agent workflows?

A: Security teams should test whether policy decisions are made against live relationships and context, not against stale token claims.

Practitioner guidance

  • Audit static token dependencies in agent flows Map every AI agent workflow that still relies on JWTs for delegated action, then identify where claims, scopes, or expiry values are being used as a proxy for current authorisation.
  • Move delegated access into policy decisions Use a policy decision point to evaluate current relationships, context, and resource sensitivity before the agent acts.
  • Represent agents and services as relationship graphs Model users, agents, and workloads as nodes with explicit delegation edges so access can be recalculated when roles change or access must be revoked.

What's in the full article

PermitIO's full analysis covers the operational detail this post intentionally leaves for the source:

  • Examples of how the vendor models delegated access in policy using relationship edges
  • Implementation detail on policy decision points, including how live context is evaluated at request time
  • Discussion of token chaining limits, header size concerns, and refresh overhead in multi-agent flows
  • Operational notes on tracing accountability back through delegation chains when roles or ownership change

👉 Read PermitIO's analysis of JWT limits for AI agent authorization →

AI agent delegation and JWTs: what breaks in access control?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Static bearer tokens are the wrong mental model for agentic identity. JWTs assume access can be captured as a fixed set of claims, then replayed safely until expiry. That assumption was designed for human and service flows where the subject is relatively stable. It fails when the actor is an AI agent because the access path is created, combined, and sometimes delegated during execution. The implication is that authorisation design has to move from precomputed entitlement to live relationship evaluation.

A few things that frame the scale:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: What is the difference between JWT-based access and relationship-based access control?

A: JWT-based access encodes permission claims into a bearer token, while relationship-based access control resolves access from current relationships such as ownership, delegation, and group membership. In dynamic agent workflows, ReBAC is better suited because the authorisation decision can change when the relationship changes. JWTs describe; ReBAC decides.

👉 Read our full editorial: JWTs fail for AI agent access because authorization is static



   
ReplyQuote
Share: