Why do agentic AI programmes need issuance-time policy?

By NHI Mgmt Group Editorial Team Updated June 12, 2026 Domain: Agentic AI & Autonomous Identity

Because by the time a token is already live, the risky decision has been made. Issuance-time policy lets teams evaluate user context, tenant, and requested scope before access exists. That reduces privilege creep, prevents accidental delegation, and aligns agent control with Zero Trust principles.

Why This Matters for Security Teams

Issuance-time policy matters because agentic AI does not behave like a normal human user with stable roles and predictable workflows. An agent can chain tools, expand scope, and act on incomplete intent in seconds, so a token that looks harmless at login can be overpowered by the time it is used. That is why static IAM, long-lived secrets, and broad delegated access routinely fail against autonomous workloads.

Current guidance from OWASP Agentic AI Top 10 and NIST AI Risk Management Framework points toward runtime evaluation, contextual authorisation, and bounded delegation rather than pre-approved standing access. NHIMG research on OWASP NHI Top 10 also shows why agent behaviour must be controlled at the moment access is requested, not after credentials have already been minted.

SailPoint reports that 80% of organisations have already seen AI agents act beyond intended scope, while only 44% have policies in place to govern them. In practice, many security teams discover over-privileged agent behaviour only after unauthorised data movement or tool abuse has already occurred, rather than through intentional policy design.

How It Works in Practice

Issuance-time policy evaluates the request before a credential, token, or capability is created. Instead of asking only whether an agent belongs to a role, teams ask what the agent is trying to do, who initiated the task, which tenant or dataset is in scope, and whether the action fits the approved purpose. This aligns with Zero Trust principles because trust is not granted once and reused indefinitely; it is re-checked at the moment of issuance.

In practical terms, this usually means combining workload identity with policy-as-code and short-lived credentials. The identity primitive should describe what the agent is, not just what token it holds, which is why standards such as SPIFFE and request-time policy engines are becoming central to agent governance. Teams also rely on runtime controls described in the CSA MAESTRO agentic AI threat modeling framework and in NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, both of which reinforce ephemeral access and explicit lifecycle controls.

  • Issue tokens just in time, with a narrow scope and a short TTL tied to the task.
  • Evaluate policy at issuance using context such as user approval, tenant boundaries, data sensitivity, and destination system.
  • Revoke or expire access automatically when the task completes or context changes.
  • Prefer workload identity and attested execution over static API keys or shared service accounts.
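The four steps above, as an added example that is not NHIMG's code or any vendor's product: a minimal issuance-time policy decision point that checks workload identity, tenant boundary, data sensitivity and approval before minting a short-lived, task-bound token, and revokes it when the task completes. The SPIFFE ID, scope names, tenants and destinations are hypothetical; a real deployment would back this with SVID attestation and a policy engine rather than an in-memory class.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
import secrets
import time

# Hypothetical scope names treated as high-risk for this example: they need an
# explicit human approver at issuance and receive the shortest TTL.
HIGH_RISK_SCOPES = {"prod:write", "customers:export", "secrets:read", "tenant:cross"}
TTL_HIGH_RISK = 300   # seconds; bounded to the task, not to a session
TTL_DEFAULT = 900


@dataclass
class TokenRequest:
    agent_id: str               # workload identity, e.g. a SPIFFE ID (hypothetical)
    initiator: str              # human or system that started the task
    tenant: str                 # tenant the task is being performed for
    scopes: Set[str]
    destination: str            # "<tenant>/<system>" the token will be presented to
    task_id: str
    approved_by: Optional[str] = None


@dataclass
class Token:
    value: str
    agent_id: str
    tenant: str
    scopes: Set[str]
    task_id: str
    expires_at: float


class IssuancePolicy:
    """Policy decision point consulted before any credential exists."""

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.active: Dict[str, Token] = {}   # issued, unexpired tokens

    def evaluate(self, req: TokenRequest) -> Tuple[bool, str]:
        # 1. Only attested workload identity is accepted, never a bare API key.
        if not req.agent_id.startswith("spiffe://"):
            return False, "agent must present an attested workload identity"
        # 2. Every issuance is tied to an initiator so delegation stays auditable.
        if not req.initiator:
            return False, "request must name the initiating principal"
        # 3. Tenant boundary: the destination must belong to the requesting tenant
        #    unless cross-tenant access was explicitly requested (and approved below).
        dest_tenant = req.destination.split("/", 1)[0]
        if dest_tenant != req.tenant and "tenant:cross" not in req.scopes:
            return False, f"destination {req.destination} is outside tenant {req.tenant}"
        # 4. High-risk scopes need a human approver who is not the agent itself.
        risky = req.scopes & HIGH_RISK_SCOPES
        if risky and not req.approved_by:
            return False, f"scopes {sorted(risky)} require human approval before issuance"
        if risky and req.approved_by == req.agent_id:
            return False, "an agent cannot approve its own high-risk request"
        return True, "ok"

    def issue(self, req: TokenRequest) -> Token:
        allowed, reason = self.evaluate(req)
        if not allowed:
            raise PermissionError(reason)     # nothing was minted, nothing to clean up
        ttl = TTL_HIGH_RISK if req.scopes & HIGH_RISK_SCOPES else TTL_DEFAULT
        tok = Token(secrets.token_urlsafe(24), req.agent_id, req.tenant,
                    set(req.scopes), req.task_id, self.now() + ttl)
        self.active[tok.value] = tok
        return tok

    def validate(self, value: str, scope: str, destination: str) -> bool:
        """Resource-side check: token live, scope granted, tenant boundary intact."""
        tok = self.active.get(value)
        if tok is None:
            return False
        if tok.expires_at <= self.now():
            del self.active[value]            # expire lazily
            return False
        if scope not in tok.scopes:
            return False
        if destination.split("/", 1)[0] != tok.tenant and "tenant:cross" not in tok.scopes:
            return False
        return True

    def complete_task(self, task_id: str) -> int:
        """Revoke every token tied to a finished task; returns how many were revoked."""
        doomed = [v for v, t in self.active.items() if t.task_id == task_id]
        for v in doomed:
            del self.active[v]
        return len(doomed)


if __name__ == "__main__":
    policy = IssuancePolicy()
    agent = "spiffe://example.org/agents/support-bot"   # hypothetical SPIFFE ID
    tok = policy.issue(TokenRequest(agent, "alice", "acme", {"crm:read"}, "acme/crm", "task-1"))
    print("read token issued with scopes", tok.scopes)
    try:
        policy.issue(TokenRequest(agent, "alice", "acme", {"prod:write"}, "acme/deploy", "task-2"))
    except PermissionError as err:
        print("denied at issuance:", err)
```

The point of the design is that a denied request never produces a credential, so there is nothing to revoke after the fact; the resource-side `validate` only confirms that a token already bound to a task, tenant and scope set is still live. Expiry is enforced by the clock rather than by a cleanup job, which is what keeps a token from outliving the task that justified it.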

This guidance tends to break down in legacy environments that depend on shared service principals, long-running batch jobs, or tools that cannot perform request-time policy evaluation.

Common Variations and Edge Cases

Tighter issuance controls often increase operational overhead, requiring organisations to balance safety against developer friction and latency. That tradeoff is real, especially when agents need to call many tools in a single workflow or when human approval would slow down time-sensitive operations.

There is no universal standard for agent issuance policy yet, so current guidance suggests starting with high-risk scopes first: production systems, customer data, secrets access, and cross-tenant operations. For lower-risk tasks, best practice is evolving toward policy that is still contextual but less restrictive, such as read-only access with narrow TTLs. NHIMG’s Top 10 NHI Issues is useful here because it shows how credential sprawl and weak lifecycle discipline quickly undermine even well-written policy.

Issuance-time policy is also more effective when paired with broader agent governance from NIST AI Risk Management Framework and OWASP Top 10 for Agentic Applications 2026, because policy alone cannot compensate for poorly bounded tools, weak logging, or unrestricted data connectors. The approach is strongest when agents are well-scoped, but it becomes much less reliable when a single agent can pivot across many systems through chained tool calls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework               | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A01                 | Agentic access should be checked at runtime, not after token issuance.
CSA MAESTRO             | GOV-1               | MAESTRO covers governance patterns for agentic approval and bounded delegation.
NIST AI RMF             |                     | AI RMF supports contextual controls for dynamic AI risk decisions.

Evaluate agent scope and tool use before issuing any credential or action grant.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org