Security teams should authorize every tool call at runtime using identity, delegation, resource, and context data. The decision must block execution, not just record it. That means central policy, deterministic deny rules for dangerous actions, and explicit human approval for high-impact branches. Local hooks can help, but they are not the final control.
Why This Matters for Security Teams
Action-time authorization is the control that decides whether a coding agent can actually perform a tool call, write to a repository, open a shell, or invoke a deployment workflow. That is materially different from granting the agent a broad role and hoping logs will catch misuse later. Coding agents are goal-driven, can chain tools, and can branch into unexpected workflows, which makes static permissions a poor fit for real-time execution risk. Guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework both point toward runtime controls, not just policy documents, because the risky moment is the action itself. NHI Management Group research also shows how fragile identity control remains in practice: only 1.5 out of 10 organisations are highly confident in securing NHIs, according to The State of Non-Human Identity Security. In practice, many security teams encounter dangerous agent behaviour only after a tool call has already modified code, secrets, or infrastructure, rather than through intentional testing.How It Works in Practice
Effective action-time authorization treats each tool invocation as a separate policy decision. The agent does not receive permanent permission to “be a developer”; it presents identity, task context, delegation scope, and the requested resource, and a policy engine decides whether that specific action is allowed. Current guidance suggests combining central policy with deterministic deny rules for high-risk actions and explicit human approval for sensitive branches, especially when an agent wants to change IAM, exfiltrate data, or push to protected environments. The operational model is closer to just-in-time authorization than to traditional RBAC. A practical implementation usually includes:- Workload identity for the agent, so the system knows what the agent is cryptographically, not just what credentials it holds.
- Short-lived credentials or delegation tokens, issued per task and revoked when the task ends.
- Real-time policy evaluation using policy-as-code, with context such as repo, branch, file path, ticket, user intent, and risk level.
- Hard deny lists for actions that should never execute without escalation, such as secret export, privilege escalation, or destructive deployment steps.
- Human-in-the-loop approval for high-impact branches, with the approval attached to the exact action, not the whole session.
Common Variations and Edge Cases
Tighter action-time authorization often increases latency, approval volume, and developer friction, so organisations have to balance safety against delivery speed. Best practice is evolving, but there is no universal standard for how many actions should be auto-approved versus escalated, especially for code-generation workflows that vary by team and repository sensitivity. Edge cases matter. A low-risk read action can become high-risk if it exposes secrets, touches production configuration, or enables lateral movement into a CI/CD pipeline. Likewise, a coding agent that is safe in one repo may be unsafe in another if the destination contains deployment keys or protected branches. Security teams should also avoid treating local IDE hooks as the final control, because they can be bypassed by alternate tool routes, remote executors, or agent chaining. For that reason, runtime enforcement should sit at the tool boundary, not just inside the editor. The most reliable pattern is to pair least privilege with time-bounded delegation and explicit context checks, then review exceptions as part of operational telemetry. That approach reflects the current guidance from NIST AI Risk Management Framework and the NHI lifecycle concerns documented in Ultimate Guide to NHIs. Organisations still struggle when coding agents are granted broad repo-wide authority because the same token can be used to inspect, modify, and publish in ways that are impossible to safely pre-approve.Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Agentic tool use needs runtime controls over each action. |
| CSA MAESTRO | MAESTRO addresses threat modeling for autonomous agent actions. | |
| NIST AI RMF | GOV | AIRMF governance supports accountable runtime authorization decisions. |
Assign ownership for agent actions and review policy exceptions continuously.
Related resources from NHI Mgmt Group
- How should security teams manage permissions for AI agents?
- How should security teams govern AI agents that use OAuth access?
- How should security teams limit the risk from AI agents that have access to production systems?
- How should security teams govern AI agents that can access enterprise systems?
Deepen Your Knowledge
NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
