JWT-based access encodes permission claims into a bearer token, while relationship-based access control resolves access from current relationships such as ownership, delegation, and group membership. In dynamic agent workflows, ReBAC is better suited because the authorisation decision can change when the relationship changes. JWTs describe; ReBAC decides.
Why This Matters for Security Teams
JWT-based access and relationship-based access control solve different problems. JWTs are useful when a service needs a signed, portable snapshot of claims, but those claims can go stale the moment a delegation changes, an account is offboarded, or a privilege is revoked. ReBAC evaluates the live relationship graph at request time, which is a better fit for NHI governance when access depends on ownership, trust chains, or task-specific delegation.
This distinction matters because NHI risk is usually not about one token format. It is about whether authorisation can keep pace with change across service accounts, API keys, and automation. NHI Mgmt Group notes that 97% of NHIs carry excessive privileges, and 71% are not rotated within recommended time frames in the Ultimate Guide to NHIs. Static claim sets amplify that problem when they outlive the relationships they were meant to represent. OWASP's Non-Human Identity Top 10 similarly treats over-privileged, long-lived machine access as a core control gap.
In practice, many security teams discover token staleness only after a delegation has already changed and access was still being granted.
How It Works in Practice
JWT-based access works by issuing a signed token that carries claims such as subject, audience, scopes, or roles. The resource server verifies the signature and accepts or rejects the request based on what the token says. That model is efficient, but it assumes the claim set remains trustworthy for the token lifetime. For machine-to-machine systems, that assumption often breaks when ownership changes, a workflow is re-routed, or a third-party integration is removed.
ReBAC uses relationships as the source of truth. Instead of asking, "What did this token say at issuance time?" the system asks, "Does this actor currently have a valid relationship to this resource?" That can include direct ownership, delegated authority, parent-child service relationships, membership in a dynamic group, or a policy edge created for a single task. In well-designed systems, JWTs may still be used as proof of identity or as a transport mechanism, but the final authorisation decision is resolved from live relationship data rather than from embedded claims alone.
- Use JWTs for authentication and portable assertions, not as the only authorisation control.
- Use ReBAC when access depends on changing business relationships or delegated trust.
- Combine short-lived tokens with runtime policy evaluation so revocation takes effect quickly.
- Prefer explicit relationship updates over broad role expansion for automation and NHI access.
This aligns with the control emphasis in the Ultimate Guide to NHIs — Key Challenges and Risks, where excessive privilege and poor lifecycle hygiene drive most exposure. It also matches the implementation direction in the OWASP Non-Human Identity Top 10, which pushes teams toward time-bound, context-aware machine access. These controls tend to break down in flat service meshes with no authoritative relationship graph because the system has nothing reliable to evaluate at request time.
Common Variations and Edge Cases
Tighter relationship-based controls often increase integration overhead, so teams must balance authorisation precision against operational complexity. There is no universal standard for ReBAC schema design yet, and current guidance suggests treating it as a policy architecture choice rather than a single product feature.
Some organisations use JWTs plus embedded entitlements for low-risk internal APIs, then reserve ReBAC for sensitive resources such as production secrets, payment workflows, or delegated admin actions. That is a reasonable transition pattern when relationship data is incomplete. Others layer ReBAC on top of JWT identity proofing, which works well if token lifetimes are short and revocation is enforced through the policy engine rather than the token itself.
Edge cases appear when relationships are hard to model, such as ephemeral CI/CD jobs, cross-tenant automation, or partner access that changes by ticket or incident. In those environments, a pure JWT model can be too static, while a pure graph model can be too slow if the relationship store is stale or poorly indexed. The practical answer is usually a hybrid: signed identity assertion, live relationship lookup, and a narrow policy decision. For regulated environments, mapping this design to PCI DSS v4.0 access requirements can help show that machine access is both least-privilege and revocable.
Best practice is evolving, but the clearest rule is simple: if access should change when the relationship changes, JWT claims alone are not enough.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses over-long credential validity and stale machine access. |
| NIST CSF 2.0 | PR.AC-4 | Covers access enforcement based on least privilege and identity context. |
| NIST AI RMF | Relevant where autonomous agents need runtime authorisation decisions. |
Bind machine access to current context and remove entitlements when they are no longer needed.
Related resources from NHI Mgmt Group
- What is the difference between just-in-time access and role-based access control?
- What is the difference between CSPM and policy-based access control?
- What is the difference between role-based access control and AI-assisted access governance?
- What is the difference between context-based authentication and static access control?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
