TL;DR: Just-in-time access works for humans because requests are rare, reviewable, and accountable, but AI agents generate constant, machine-speed access requests that can be manipulated through prompt injection, according to Clutch Security. The real failure is assuming a sentence can safely stand in for governed identity and lineage.
NHIMG editorial — based on content published by Clutch Security: Why JIT Falls Apart for AI Agents
Questions worth separating out
Q: What breaks when just-in-time access is used for AI agents?
A: It breaks because JIT assumes a human request that is deliberate, reviewable, and accountable.
Q: Why do AI agents complicate just-in-time access governance?
A: AI agents complicate JIT because they operate at machine speed and can chain actions inside a very short credential window.
Q: How do security teams know whether JIT access is actually reducing risk?
A: They know it is working only if they can show that the access scope is tightly bounded, the identity owner is known, the action lineage is complete, and the agent cannot use the granted credential to reach unrelated systems.
Practitioner guidance
- Map every agent to a real identity Inventory which non-human identities an agent can assume, who owns them, and which systems each identity can reach before any just-in-time pattern is approved.
- Stop using declared intent as the authorization signal Treat prompt text, generated plans, and natural-language task descriptions as untrusted input.
- Baseline agent behaviour before you review access Capture normal tool usage, data access, and action sequences so deviations can be detected at the identity layer rather than inferred from expired tokens.
What's in the full article
Clutch Security's full blog post covers the operational detail this post intentionally leaves for the source:
- A step-by-step breakdown of why intent-based approval fails under prompt injection and model-generated requests.
- Practical examples of how agents branch across tool calls and sub-agents, making a single access grant harder to reason about.
- A discussion of workload identity federation as a more reliable path to short-lived access than request-driven JIT.
- A closer look at what full lineage should include when an investigation needs to reconstruct person, agent, tool, identity, action, and resource.
👉 Read Clutch Security's analysis of why JIT falls apart for AI agents →
AI agent just-in-time access: what control gap teams miss?
Explore further
Intent-based JIT is a broken control premise for agentic access. JIT was designed for human requests that are rare, deliberate, and reviewable. That assumption fails when the actor is an AI agent because the request can be generated, modified, and retried at machine speed, often under attacker influence. The implication is not that access should be faster. It is that request text cannot be treated as a stable trust boundary.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
A question worth separating out:
Q: Who is accountable when an AI agent abuses short-lived access?
A: Accountability should sit with the human owner of the identity and the team that approved the access path, not with the model that generated the request. If a platform cannot attribute person, agent, tool, identity, action, and resource, accountability has already failed before the incident review starts.
👉 Read our full editorial: Why just-in-time access fails for AI agent identities