EVIDENCE TRAIL
Just-in-time tool grants
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The title "just-in-time tool grants — access only when needed" is Helmwart's normalised label. Two upstream sources use the phrase "just-in-time" verbatim in an agentic context: OWASP Top 10 Agentic 2026 §ASI02 (mitigation 6) and OWASP Threats & Mitigations v1.1 Playbook 3.
Last cross-checked against upstream sources: · 7 sources
References
Each entry shows what the source supports and what it does not prove.
OWASP Top 10 for Agentic Applications 2026
§ASI02 Tool Misuse and Exploitation — Prevention and Mitigation Guidelines, item 6 "Just-in-Time and Ephemeral Access"
"Just-in-Time and Ephemeral Access. Grant temporary credentials or API tokens that expire immediately after use. Bind keys to specific user sessions to prevent lateral abuse."
Supports: Verbatim naming of "Just-in-Time" access as a mitigation for tool misuse. Closest upstream source for the title of this control. Specifies short-lived credentials expiring after use and session-binding to prevent lateral abuse — exactly the mechanism this control deploys.
Does not prove: Frames the credential scope as API tokens/keys rather than a policy-broker grant evaluated per task. Does not address the policy-evaluation latency trade-off or the degenerate case of long-lived conversational agents.
OWASP Top 10 for Agentic Applications 2026
§ASI02 Tool Misuse and Exploitation — Prevention and Mitigation Guidelines, item 1 "Least Agency and Least Privilege for Tools"
"Least Agency and Least Privilege for Tools. Define per-tool least-privilege profiles (scopes, maximum rate, and egress allowlists) and restrict agentic tool functionality and each tool's permissions and data scope to those profiles … Where possible, express these profiles as IAM or authorization policy stanzas attached to each tool, rather than relying on ad-hoc conventions."
Supports: Establishes per-tool least-privilege profiles as policy stanzas — the upstream policy-broker pattern this control formalises into a JIT grant model.
Does not prove: Does not specify time-bounding or revocation on completion. The "profiles attached to each tool" pattern is static; JIT adds a dynamic grant / revoke cycle on top.
OWASP Top 10 for Agentic Applications 2026
§ASI03 Identity and Privilege Abuse — Prevention and Mitigation Guidelines, item 1 "Enforce Task-Scoped, Time-Bound Permissions"
"Enforce Task-Scoped, Time-Bound Permissions: Issue short-lived, narrowly scoped tokens per task and cap rights with permission boundaries — using per-agent identities and short-lived credentials (e.g., mTLS certificates or scoped tokens) — to limit blast radius, block delegated-abuse and maintenance-window attacks, and mitigate un-scoped inheritance, orphaned privileges, and reflection-loop elevation."
Supports: Names "task-scoped, time-bound permissions" and "short-lived, narrowly scoped tokens per task" as the core mitigation — the same grant-per-task-then-revoke mechanic this control implements.
Does not prove: ASI03 frames the threat as identity/privilege abuse rather than tool-access misuse. The excerpt targets delegated credential abuse; JIT tool grants apply the same pattern but scoped to the tool-access layer, not the identity layer.
OWASP Agentic AI — Threats & Mitigations v1.1
Playbook 3 "Securing AI Tool Execution & Preventing Unauthorised Actions Across Supply Chains" — Step 1: Restrict AI tool invocation, execution and apply supply-chain safeguards (Proactive phase)
"Implement just-in-time (JIT) access for AI tool usage. Grant tool access only when explicitly required, revoking permissions immediately after use."
Supports: Verbatim statement of the JIT tool-access pattern: grant only when explicitly required, revoke immediately after use. This is the most direct upstream statement of the control.
Does not prove: Appears in a playbook step rather than a named standalone mitigation. Does not specify the policy-broker mechanism (OPA, Cedar) used to evaluate the grant, or how task boundaries are defined.
OWASP Agentic AI — Threats & Mitigations v1.1
§T16 Insecure Inter-Agent Protocol Abuse — Mitigation
"Restrict agent-to-agent delegation to tightly scoped functions. Log all inter-agent communications and tool invocations to detect anomalies and support post-incident analysis."
Supports: Names tightly scoped delegation functions as the defence against inter-agent protocol abuse — directly supporting the mitigation page's claim that JIT grants prevent peer agents from expanding their own tool surface beyond what was granted for the current task.
Does not prove: Does not name JIT or time-bound grants explicitly; "tightly scoped" is a scope constraint, not a temporal one. The logging guidance is complementary, not a substitute for the grant mechanism.
NIST SP 800-53 Rev. 5 — Security and Privacy Controls
AC-6 Least Privilege and control enhancement AC-6(1) Authorize Access to Security Functions
"AC-6: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. … (1) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS — Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and (b) [Assignment: organization-defined security-relevant information]."
Supports: Establishes least privilege as a foundational access-control principle and AC-6(1) as the enhancement that requires explicit authorization for each privileged function. JIT tool grants are an agentic implementation of this enhancement — granting tool access only when the specific task-function requires it.
Does not prove: Does not address AI agents, tool registries, or time-bound grants. The enhancement targets human roles and security functions in traditional IT systems; Helmwart applies the pattern to dynamic agent tool surfaces.
Helmwart Atlas — Playbook P3: Securing AI Tool Execution & Preventing Unauthorised Actions Across Supply Chains
No verbatim excerpt pulled yet — open the original to verify the cited section.
Supports: Internal Helmwart mapping of the T2/T3/T16 mitigations into a deployable playbook step. Identifies m-tool-jit as the control for the action "Grant tool access only at the moment it is needed and revoke it immediately upon completion, never persisting elevated permissions."
Does not prove: Internal mapping page — not the source of the JIT principle itself. The principle originates in the upstream OWASP documents cited above.