
What breaks when JWTs are used for AI agent authorization?

By NHI Mgmt Group Editorial Team | Updated June 23, 2026 | Domain: Agentic AI & Autonomous Identity

JWTs break when an AI agent needs to act on changing context, delegate to other agents, or inherit access across a chain of relationships. A JWT freezes claims at issuance, so it cannot recalculate privilege as conditions change. That makes the token a poor source of truth for agentic authorization, especially when revocation, delegation, and auditability all depend on current state.

Why This Matters for Security Teams

JWTs work well when access is stable, the caller is known, and the authorization decision can be safely frozen at issuance. AI agents break that assumption. Their tasks change mid-flight, they chain tools, and they may delegate to other agents or services with different trust requirements. A token that looked valid at creation time can become wrong within seconds, which is exactly why static claims are a weak source of truth for agentic authorization.

This is not just a token design issue. It is an operating model issue. Current guidance from the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework both point toward runtime-aware controls because autonomous systems do not behave like human users. In practice, many security teams discover this only after an agent has already followed a stale token into an unauthorized tool chain rather than during a planned access review.

How It Works in Practice

The practical failure mode is simple: a JWT carries claims that were true when issued, but those claims are not recalculated when context changes. For AI agents, that matters because context includes task intent, delegation state, downstream tool access, and whether the agent is still operating within its original objective. Once an agent can branch, retry, invoke another model, or pass work to a helper agent, the original token can no longer express the full authorization picture.

Security teams are moving toward intent-based, context-aware authorization evaluated at request time, not just at login time. That usually means combining workload identity with short-lived credentials, policy-as-code, and explicit approval boundaries. The identity primitive should describe what the agent is, while the decision engine determines what it may do right now. In practice, this often looks like:

  • Using workload identity, such as SPIFFE or OIDC-backed service identity, instead of treating the JWT as the authority itself.
  • Issuing just-in-time, ephemeral secrets for a single task or tool invocation, then revoking them on completion.
  • Evaluating authorization against live signals, such as user intent, data sensitivity, environment, and delegation scope.
  • Recording each decision for auditability so later tool hops can be reconstructed.

This approach aligns with the direction of the CSA MAESTRO agentic AI threat modeling framework and with NHIMG research on agent risk, including the AI Agents: The New Attack Surface report, which found that 80% of organisations report agents have already performed actions beyond intended scope. When that happens, a JWT can describe who started the work, but not whether the next action is still legitimate. These controls tend to break down when agents are allowed to retain broad tokens across multiple tools, because the authorization decision becomes detached from the live execution path.

Common Variations and Edge Cases

Tighter, context-aware authorization often increases operational overhead, so organisations must balance safety against latency, developer friction, and policy complexity. That tradeoff is real, especially in fast-moving agent pipelines where every extra check can affect throughput.

There is no universal standard for this yet, but current guidance suggests avoiding long-lived JWTs for privileged agent actions and reserving them, if used at all, for narrow authentication or session correlation purposes. Edge cases matter:

  • Delegation chains: a parent agent may be allowed to request work, but not to inherit the child agent’s downstream privileges.
  • Cross-domain actions: a token valid in one environment may be unsafe in another because the data sensitivity and policy context differ.
  • Human-in-the-loop approval: a JWT cannot capture whether approval is still current if the task scope changes after review.
  • Revocation delays: even a valid token can become dangerous when the agent has already cached secrets or open sessions.
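The sketch below is an added example, not NHIMG's code. It illustrates the request-time evaluation described under "How It Works in Practice" together with the approval and delegation edge cases above, by evaluating the same token and request before and after live state changes. The claim names (including `delegated_by`), the state layout and all values are constructed assumptions.

```python
# Added example: every name, field and value here is constructed for illustration.
CLAIMS = {  # claims frozen into the agent's JWT at issuance (signature check omitted)
    "sub": "agent:invoice-bot", "task": "task-17", "exp": 1_000_600,
    "scope": ["crm.read", "payments.write"], "delegated_by": "agent:planner",
}

def jwt_only_decision(claims, action, now):
    """All a resource server can conclude from the token alone."""
    return now < claims["exp"] and action in claims["scope"]

def live_decision(claims, request, state, audit, now):
    """Token supplies identity; current state supplies authority."""
    task = state["tasks"].get(claims["task"], {})
    reasons = []
    if now >= claims["exp"]:
        reasons.append("token_expired")
    if claims["sub"] in state["revoked"]:
        reasons.append("agent_revoked")
    if request["action"] not in task.get("approved_actions", ()):
        reasons.append("outside_approved_scope")
    if claims["delegated_by"] not in task.get("delegators", ()):
        reasons.append("delegation_not_current")
    if request["sensitivity"] > task.get("max_sensitivity", 0):
        reasons.append("data_too_sensitive")
    # Record every decision so later tool hops can be reconstructed.
    audit.append({"ts": now, "sub": claims["sub"], "task": claims["task"],
                  "action": request["action"], "allowed": not reasons,
                  "reasons": reasons})
    return not reasons

def run_scenario():
    """Same token, same request, evaluated before and after the task is re-scoped."""
    state = {"revoked": set(), "tasks": {"task-17": {
        "approved_actions": {"crm.read", "payments.write"},
        "delegators": {"agent:planner"}, "max_sensitivity": 2}}}
    audit, request = [], {"action": "payments.write", "sensitivity": 2}
    before = live_decision(CLAIMS, request, state, audit, now=1_000_000)
    # Ten seconds later a reviewer narrows the task and the planner's delegation ends.
    state["tasks"]["task-17"]["approved_actions"] = {"crm.read"}
    state["tasks"]["task-17"]["delegators"] = set()
    after = live_decision(CLAIMS, request, state, audit, now=1_000_010)
    token_says = jwt_only_decision(CLAIMS, "payments.write", now=1_000_010)
    return before, after, token_says, audit

if __name__ == "__main__":
    before, after, token_says, audit = run_scenario()
    print("live before:", before, "| live after:", after, "| token alone:", token_says)
    for entry in audit:
        print(entry)
```

The unexpired token still carries `payments.write` after the re-scope, so the token-only check keeps allowing the action while the live check denies it and logs why.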

NHIMG’s OWASP NHI Top 10 and the broader NIST AI Risk Management Framework both reinforce the same operational lesson: for autonomous systems, authorization must remain live and inspectable. Static JWTs are weakest where the environment is dynamic, the agent can delegate, and the business process requires real-time revocation or re-scoping.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A2 | Addresses broken authorization assumptions in autonomous agent flows.
CSA MAESTRO | T1 | Covers agent threat modeling and delegation risks in multi-step workflows.
NIST AI RMF | GOVERN | Supports accountable, context-aware controls for AI system decisions.

Model delegation, tool chaining, and revocation as live threats, not static sessions.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.