Access policies should sit after token verification, not inside it. Once the token is authenticated, services should apply role, department, or custom-claim checks to decide what the caller can do in that specific context. That keeps cryptographic trust separate from business authorisation and reduces over-permissioned token use.
Why This Matters for Security Teams
JWT verification answers one question only: is this token authentic and intact? It does not, by itself, answer whether the caller should be allowed to read a record, invoke a payment API, or impersonate a service role. That separation matters because modern service-to-service traffic is full of long-lived secrets, overbroad claims, and identities that outlive the people who created them. NHI Management Group notes that 97% of NHIs carry excessive privileges, which makes token trust without policy enforcement a common path to overexposure.
Access policies belong after signature, issuer, audience, and expiration checks, where the service can evaluate context such as tenant, environment, operation, and claims. That pattern aligns with the OWASP Non-Human Identity Top 10 and with the governance approach in the Ultimate Guide to NHIs. In practice, many security teams discover policy gaps only after a valid token has already been reused in a broader context than intended, rather than through deliberate authorization design.
How It Works in Practice
A service should treat jwt validation as authentication plumbing and policy evaluation as an authorization decision. First, verify the token cryptographically: check the issuer, signing key, algorithm, audience, expiry, and any mandatory token constraints. Only after that should the service or gateway apply access rules based on claims and request context. That usually means mapping claims like sub, scope, role, department, tenant, or custom application claims to business permissions.
This model works best when the policy engine is externalised or centralised. Current best practice is to define policies as code and evaluate them at request time, rather than hardcoding decisions into token parsing logic. Tools and models like NIST guidance and the NIST Cybersecurity Framework 2.0 support that separation of duties, while NHI lifecycle guidance from Ultimate Guide to NHIs emphasizes rotation, offboarding, and visibility around service identities.
- Use JWT claims to identify the caller and its intended scope, not to embed permanent entitlement logic.
- Check token validity before any business decision, so forged or expired tokens fail fast.
- Apply contextual rules after verification, including service, tenant, environment, and API verb.
- Keep privilege decisions independent from token issuance so a single token format can serve multiple services safely.
This approach reduces over-permissioned token use, but it depends on accurate claim design and consistent policy enforcement across every service boundary. These controls tend to break down when teams trust embedded claims as if they were approvals, especially in mixed environments where gateways, microservices, and legacy apps all enforce policy differently.
Common Variations and Edge Cases
Tighter token-policy separation often increases implementation overhead, requiring organisations to balance cleaner security boundaries against developer convenience. There is no universal standard for exactly which claims should be authoritative, so current guidance suggests keeping token content minimal and using policies to interpret it in context. For simple internal services, a compact role check may be enough; for shared platforms, multi-tenant APIs, or delegated service accounts, claim-based rules usually need a richer policy layer.
Edge cases show up when teams overload JWTs with business state, or when tokens are accepted across multiple trust domains without re-evaluating access. That is especially risky for service accounts, where visibility is often weak and secrets sprawl is common. NHI Management Group reports that only 5.7% of organisations have full visibility into their service accounts, which makes hidden privilege difficult to audit. For deeper context on the risk landscape, see the Top 10 NHI Issues and the 52 NHI Breaches Analysis.
Policy checks also become fragile when services rely on token contents that are not refreshed frequently enough for the risk level of the operation. In those environments, re-authorisation at the time of use is safer than assuming the original token decision still applies.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | JWTs for services often fail when identity and authorization are conflated. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed separately from authentication. |
| NIST AI RMF | Policy separation supports govern and manage functions for automated decisioning. |
Verify token integrity first, then enforce least-privilege policy checks on every request.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
