EVIDENCE TRAIL
Time-bounded privilege elevation
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The phrase "time-bounded privilege elevation" is Helmwart's normalised label. The closest upstream verbatim match is OWASP Top 10 Agentic 2026 (§ASI03): "Task-Scoped, Time-Bound Permissions." The NSA/CISA Careful Adoption document (Apr 2026) is cited in the MDX but returned HTTP 403 at time of cross-check; that entry is omitted pending direct access.
Last cross-checked against upstream sources: · 7 sources
References
Each entry shows what the source supports and what it does not prove.
OWASP Top 10 for Agentic Applications 2026
§ASI03 Identity and Privilege Abuse — Prevention and Mitigation Guidelines, item 1
"Enforce Task-Scoped, Time-Bound Permissions: Issue short-lived, narrowly scoped tokens per task and cap rights with permission boundaries — using per-agent identities and short-lived credentials (e.g., mTLS certificates or scoped tokens) — to limit blast radius, block delegated-abuse and maintenance-window attacks, and mitigate un-scoped inheritance, orphaned privileges, and reflection-loop elevation."
Supports: Verbatim use of "Task-Scoped, Time-Bound Permissions" as a named mitigation pattern in an agentic context. Directly ties time-bounded elevation to blast-radius control and orphaned-privilege prevention — the same rationale as this control.
Does not prove: Does not specify a maximum window duration or tie the expiry mechanism to a particular PAM primitive. Helmwart generalises across cloud IAM session policies, PAM brokers, and OPA/Cedar policy predicates.
OWASP Agentic AI — Threats & Mitigations v1.1
Playbook 4 — Strengthening Authentication, Identity & Privilege Controls — Step 2: Restrict Privilege Escalation & Identity Inheritance
"Apply time-based restrictions on privilege elevation. Ensure that AI agents with elevated privileges can only retain them for preapproved durations before automatic downgrade."
Supports: Verbatim statement of the auto-expiry pattern applied to agent privilege elevation. "Preapproved durations before automatic downgrade" is the closest upstream wording match for this control's core mechanic.
Does not prove: Playbook 4 is a high-level implementation checklist; it does not specify concrete window values, elevation-broker primitives, or cloud-IAM equivalents. T3 mitigation text in the threat table names only "granular permission controls, dynamic access validation" — time-bounding is elaborated only in Playbook 4.
OWASP Agentic AI — Threats & Mitigations v1.1
Playbook 3 — Securing AI Tool Execution & Preventing Unauthorized Actions — Step 1: Reduce attack surface (Proactive)
"Implement just-in-time (JIT) access for AI tool usage. Grant tool access only when explicitly required, revoking permissions immediately after use."
Supports: Names JIT access and immediate revocation as a proactive control for agentic tool access — the same primitive this control applies to agent identities at the role/privilege level.
Does not prove: Scoped to tool-level access, not to role or privilege elevation. The JIT pattern is the same, but the granularity is per-tool call rather than per-action-class elevation window.
OWASP AI Exchange — General Controls
#LEAST MODEL PRIVILEGE — Strategies for task-based minimization — "Ephemeral permissions"
"Ephemeral permissions: if an assigned task is expected to be done in a certain amount of time, then certain permissions can be set as temporary, to prevent manipulated agents making use of these permissions to cause harm. This can be seen as temporal blast radius control."
Supports: Introduces "temporal blast radius control" as the rationale for time-bounded permissions on agent tasks. Directly frames ephemeral/temporary permissions as a distinct strategy within least-privilege applied to models.
Does not prove: Does not specify how expiry is enforced (policy engine, IAM session, broker) or prescribe window durations. The OWASP AI Exchange entry names the pattern; Helmwart operationalises the enforcement mechanisms.
NIST SP 800-53 Rev 5 — AC-2(2) Automated Temporary and Emergency Account Management
AC-2(2) ACCOUNT MANAGEMENT | AUTOMATED TEMPORARY AND EMERGENCY ACCOUNT MANAGEMENT
"Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. Discussion: Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation."
Supports: Establishes the canonical NIST control for automated time-based removal of temporary accounts — the direct precedent for auto-expiry of elevated agent permissions. "Predefined time period" is the same mechanism applied to agent elevation windows.
Does not prove: Addresses human temporary/emergency accounts, not AI agent identities. Does not prescribe window durations or mention agentic systems. Helmwart applies the same auto-expiry principle to agent elevation events.
NIST SP 800-53 Rev 5 — AC-6(5) Least Privilege | Privileged Accounts
AC-6(5) LEAST PRIVILEGE | PRIVILEGED ACCOUNTS
"Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles]. Discussion: Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions."
Supports: Establishes the NIST least-privilege baseline for privileged accounts — the authorization layer this control builds on. Time-bounding is the dynamic enforcement of AC-6(5): privileges restricted not just by role but by a time predicate.
Does not prove: AC-6(5) does not specify time-bounded elevation or auto-expiry; it is a static role restriction. The temporal dimension is contributed by AC-2(2) and by Helmwart's own operationalisation. Does not address AI agents.
NIST SP 800-207 Zero Trust Architecture
§2.1 Zero Trust Tenets — Tenet 6
"All resource authentication and authorization are dynamic and strictly enforced before access is allowed. This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually reevaluating trust in ongoing communication. … Continual monitoring with possible reauthentication and reauthorization occurs throughout user transactions, as defined and enforced by policy (e.g., time-based, new resource requested, resource modification, anomalous subject activity detected)."
Supports: Names "time-based" as an explicit trigger for reauthentication and reauthorization — the ZTA grounding for the auto-expiry pattern. "Dynamic and strictly enforced" directly supports treating every elevation as ephemeral.
Does not prove: Section 3.4 of 800-207 covers network/environment components, not continuous re-evaluation. The MDX cites "§3.4 — continuous re-evaluation of access"; the verbatim text for that rationale is in Tenet 6 (§2.1). Corrected location used here. Does not address AI agents.