AI Agents Require Runtime Authorization: Just-In-Time Passkey Approval for Sensitive Actions

This post was originally shared on LinkedIn.

Open Table of contents

The Problem with Standing Privilege in AI Agents
Just-In-Time Authorization: A Better Model
How the Agent Native Authorization (ANA) Framework Works
Built on Open Standards
Works Across AI Coding Agents
What’s Next

The Problem with Standing Privilege in AI Agents

AI agents are increasingly powerful. They can write code, manage infrastructure, modify IAM policies, and take administrative actions — often under a single authenticated session.

The standard model today looks like this:

The user authenticates once.
The agent receives that session token.
The agent acts freely within the granted scope.

This is a regression. We spent years improving human authentication — replacing passwords with passkeys, eliminating phishing vectors — and then handed that access to agents with standing privilege.

Standing privilege is the wrong model for agentic systems.

Just-In-Time Authorization: A Better Model

Just-In-Time (JIT) Authorization changes the relationship between agents and access. The principle is simple:

Do not grant standing access. Require approval at the moment of action.

When an agent attempts a sensitive operation, the workflow pauses. A fresh authorization challenge is issued. The user approves using a device-bound Passkey. The action proceeds only after cryptographic verification.

This shifts the security model from session-based trust to action-level verification. It is no longer enough that a user authenticated earlier — each sensitive action requires explicit, real-time approval.

How the Agent Native Authorization (ANA) Framework Works

The Agent Native Authorization (ANA) framework, built at TwoGenIdentity, implements JIT authorization across the full agent execution stack.

Policy Enforcement Points Across the Agent Journey

Rather than a single authorization gate, the ANA framework places Policy Enforcement Points (PEPs) at multiple layers:

Coarse-Grained Authorization (CGA) — at the API and MCP gateway level, enforcing baseline access policies
Fine-Grained Authorization (FGA) — at the resource and action level, using PBAC and ReBAC models
Runtime Step-Up — triggered for sensitive operations, requiring inline Passkey approval

Workload Identity: Eliminating Static Secrets

A key component of the framework is workload identity. Rather than relying on static API keys or long-lived tokens, agents receive short-lived, cryptographically bound credentials — eliminating credential leakage and replay attack risk.

SPIFFE JWT-SVIDs provide a standards-based mechanism for this, integrated with Keycloak as the Identity Provider.

The Passkey Approval Flow

When a sensitive action is triggered:

The agent runtime detects the operation requires step-up authorization
A JIT challenge is issued inline — no browser redirect
The user approves via a device-bound Passkey
A signed assertion is generated on-device, cryptographically tied to that specific action
The action is verified and proceeds

From the user’s perspective: a single gesture, inline in the CLI or AI assistant. No codes to copy, no context switching.

From a security perspective, the guarantees are stronger than traditional MFA:

Phishing-resistant by design — Passkeys cannot be phished
Device-bound credentials — The private key never leaves the device
Non-replayable assertions — Each approval is unique and tied to the specific action

Built on Open Standards

The ANA framework does not introduce proprietary protocols. It is built on:

OAuth 2.1 and OpenID Connect for identity and token management
WebAuthn / FIDO2 for Passkey-based approval
OpenID AuthZEN for standardized PEP-to-PDP communication
OAuth Rich Authorization Requests (RAR) for embedding intent context in authorization tokens

This composable approach means the framework works across different AI assistants (Claude, Copilot, others), MCP servers, and MCP Apps — and can integrate with your existing IAM infrastructure.

Works Across AI Coding Agents

The same authorization pattern applies regardless of which agent is running:

Claude Code — via hooks that intercept sensitive tool calls
GitHub Copilot CLI — intercepting operations like infrastructure changes or permission modifications
Any MCP-compatible agent runtime

The demo above shows this in action: a real-time JIT approval flow, triggered inline, approved with a Passkey, producing a cryptographic proof of human intent bound to the exact operation.

What’s Next

Building on this runtime authorization layer, the next step is Agent Intent Authorization — a plan-before-execute model where the agent declares its full execution plan upfront, and the user approves the entire scope with a single Passkey gesture before any action begins.

If you are working on secure AI agents, MCP infrastructure, Zero Trust architectures, or authorization frameworks like AuthZEN, I would welcome the opportunity to connect and exchange ideas.