
Securing AI Coding Agents with Real-Time Just-In-Time Authorization: Claude Code and GitHub Copilot CLI

This article was originally published on LinkedIn.



The New Reality: AI Agents in the CLI

AI coding agents are rapidly moving into the CLI and native developer environments.

These are no longer assistants you simply chat with. They are systems that act. They read files, modify configurations, call APIs, execute scripts, and interact with services directly from the terminal.

Tools like Claude Code and GitHub Copilot CLI allow developers to delegate tasks to agents that can plan and execute multiple steps autonomously.

The agent operates with the permissions of the user who invoked it. In many cases, the developer sets a goal and the agent carries out the steps required to achieve it.

This autonomy is exactly what makes these tools powerful. But it also raises an important question:

What happens when an AI agent attempts a critical action?

The Overlooked Risk: Critical Actions Without a Governor

Not all actions performed by an AI agent carry the same level of risk.

Some operations are relatively harmless, such as retrieving information or reading configuration data. Others may affect systems, policies, or resources in ways that have real consequences.

From the agent’s perspective, however, these are simply tool calls used to complete a task.

Agents do not inherently distinguish between routine operations and sensitive ones. They execute the steps required to achieve the objective they were given.

This creates a natural gap between high-level human intent and the specific operations the agent performs.

Without additional safeguards, an agent may automatically perform actions that a human would normally want to review first.

That gap is where an additional control layer becomes important.

Why Traditional Authorization Is Not Enough

Most existing authorization systems were designed for applications and APIs, not for AI agents executing actions on behalf of a user in real time.

Access is usually defined through roles, scopes, or static permissions. These mechanisms determine what a user or application is allowed to do in general, but they do not evaluate whether a specific action, at a specific moment and in a specific context, should require fresh human approval before it runs.

Another challenge is usability. Many authentication flows rely on browser redirects, which do not work well when an agent is running inside a terminal.

For CLI-based agents, authorization needs to happen directly inside the workflow, without breaking the developer experience.

This is where real-time Just-In-Time (JIT) authorization becomes relevant.

Our Approach: Just-In-Time Authorization for AI Agents

To explore this problem, we built a real-time Just-In-Time (JIT) authorization approach designed specifically for AI agent workflows in a Human-to-Agent (H2A) interaction.

Agents can operate autonomously, but certain actions trigger a verification step before they are executed.

Policies determine which operations are considered sensitive. When an agent attempts such an action, execution pauses and a JIT authorization request is triggered.

Instead of redirecting to a browser, the verification happens directly in the CLI. The user can review the request and approve or deny it in context.

If additional authentication is required, the flow continues through OAuth 2.0, allowing the identity provider to issue a new token with the required privileges.

Once the verification step is completed, the agent can continue its task.

Human-in-the-Loop Interaction

A key part of this approach is enabling structured interaction between the agent and the user.

The agent can request authentication input directly using Model Context Protocol (MCP) Elicitation, a server-initiated request that asks the MCP client to collect specific information or a verification decision from the user during the workflow.

This interaction happens entirely inside the assistant or CLI environment, keeping the process seamless for the user.
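As an added example (not code from the article's prototype, nor from the AuthZEN, MCP or Keycloak projects), the following Go program shows the two steps described in this section and the previous one: the gateway builds an OpenID AuthZEN evaluation request for each tool call, and when the decision comes back as "step-up required" it pauses the call and emits an MCP `elicitation/create` request so the CLI can ask the user to approve in place. The remote PDP is replaced by a local stand-in (`evaluate`); the policy table, the tool names, the `acr` value `jit-admin` used to mark an elevated token, the `mcp_tool` resource type and the JSON-RPC id are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Entity is an AuthZEN subject or resource. Properties carries attributes such as
// the authentication context class (acr) found in the caller's current token.
type Entity struct {
	Type       string                 `json:"type"`
	ID         string                 `json:"id"`
	Properties map[string]interface{} `json:"properties,omitempty"`
}

type Action struct {
	Name string `json:"name"`
}

// EvaluationRequest is the body the gateway POSTs to the PDP's
// /access/v1/evaluation endpoint; EvaluationResponse is the PDP's answer.
type EvaluationRequest struct {
	Subject  Entity                 `json:"subject"`
	Resource Entity                 `json:"resource"`
	Action   Action                 `json:"action"`
	Context  map[string]interface{} `json:"context,omitempty"`
}

type EvaluationResponse struct {
	Decision bool                   `json:"decision"`
	Context  map[string]interface{} `json:"context,omitempty"`
}

// sensitiveTools is a hypothetical policy table standing in for the PDP's policy
// store: tool name -> acr value the caller's token must carry to run it.
var sensitiveTools = map[string]string{
	"delete_user":   "jit-admin",
	"rotate_secret": "jit-admin",
}

// evaluate is a local stand-in for the remote PDP. Routine tools are allowed
// outright; a sensitive tool is allowed only with a token at the required acr,
// otherwise the PDP denies and says which step-up would satisfy the policy.
func evaluate(req EvaluationRequest) EvaluationResponse {
	required, sensitive := sensitiveTools[req.Action.Name]
	if !sensitive {
		return EvaluationResponse{Decision: true}
	}
	if acr, _ := req.Subject.Properties["acr"].(string); acr == required {
		return EvaluationResponse{Decision: true}
	}
	return EvaluationResponse{Decision: false, Context: map[string]interface{}{
		"reason": "step_up_required", "required_acr": required}}
}

// GateResult tells the gateway what to do with a tool call: forward it, or pause
// and send Elicitation (an MCP elicitation/create request) to the client.
type GateResult struct {
	Allowed     bool
	Elicitation json.RawMessage
}

// GateToolCall is the enforcement step the gateway runs before every tool call.
func GateToolCall(subjectID, acr, tool string, args map[string]interface{}) GateResult {
	resp := evaluate(EvaluationRequest{
		Subject:  Entity{Type: "user", ID: subjectID, Properties: map[string]interface{}{"acr": acr}},
		Resource: Entity{Type: "mcp_tool", ID: tool},
		Action:   Action{Name: tool},
		Context:  map[string]interface{}{"arguments": args},
	})
	if resp.Decision {
		return GateResult{Allowed: true}
	}
	if resp.Context["reason"] != "step_up_required" {
		return GateResult{} // hard deny: nothing the user can approve
	}
	// Server-to-client JSON-RPC request: the CLI renders the message and the
	// schema, and the user answers in place instead of being sent to a browser.
	elicit := map[string]interface{}{
		"jsonrpc": "2.0", "id": 1, "method": "elicitation/create",
		"params": map[string]interface{}{
			"message": fmt.Sprintf("Tool %q requires just-in-time authorization (acr %q). Approve and re-authenticate?",
				tool, resp.Context["required_acr"]),
			"requestedSchema": map[string]interface{}{
				"type": "object",
				"properties": map[string]interface{}{
					"approve": map[string]interface{}{"type": "boolean", "title": "Approve this action"},
				},
				"required": []string{"approve"},
			},
		},
	}
	b, _ := json.Marshal(elicit)
	return GateResult{Elicitation: b}
}

func main() {
	cases := []struct{ acr, tool string }{{"", "list_users"}, {"", "delete_user"}, {"jit-admin", "delete_user"}}
	for _, c := range cases {
		r := GateToolCall("alice", c.acr, c.tool, map[string]interface{}{"user_id": "42"})
		fmt.Printf("%-12s acr=%-11q allowed=%v\n", c.tool, c.acr, r.Allowed)
		if r.Elicitation != nil {
			fmt.Println("  pause, send to client:", string(r.Elicitation))
		}
	}
}
```

The third case is the state after a successful step-up: the user's new token carries the required `acr`, the same tool call is re-evaluated, and the PDP now allows it. In a real deployment the gateway would send the evaluation request over HTTPS to the PDP and the elicitation over the MCP transport to the client, but the decision logic is the part that matters for the control.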

Cryptographic Proof of Authorization

Another critical aspect is verifiability.

When a user approves a critical action, the decision is not simply logged. The system generates a signed authorization artifact that binds the approval to the specific action and context.

This produces cryptographic proof that a particular user approved a particular operation at a particular time.

The proof is tamper-evident and independently verifiable: anyone holding the signer's public key can check it without trusting the agent or the gateway, which makes it suitable for auditing and security-sensitive environments.

In other words, the authorization is not just recorded, it becomes a verifiable security artifact tied to the exact operation the agent executes.
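As an added example (not the article's implementation, whose artifact format the page does not describe), here is one way to produce and check such an artifact in Go with the standard library's Ed25519: the signed payload binds the subject, action, resource, a hash of the exact tool arguments, a validity window and a single-use nonce, and the verifier refuses the artifact if any of those differ from the operation about to run. The field names, the key id, the two-minute validity window and the use of sorted-key JSON as the canonical form are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Approval is the statement the user signs off on: who approved which action on
// which resource, with exactly which arguments, issued when and valid until when.
type Approval struct {
	Subject   string `json:"sub"`
	Action    string `json:"action"`
	Resource  string `json:"resource"`
	ArgsHash  string `json:"args_sha256"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
	Nonce     string `json:"nonce"`
}

// Artifact is the portable proof: encoded approval, Ed25519 signature, key id.
type Artifact struct {
	KeyID     string `json:"kid"`
	Payload   string `json:"payload"`
	Signature string `json:"sig"`
}

var b64 = base64.RawURLEncoding

// hashArgs commits to the tool arguments. encoding/json sorts map keys, which is
// enough here; production code would use JCS (RFC 8785) for a stable canonical form.
func hashArgs(args map[string]interface{}) string {
	b, _ := json.Marshal(args)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Sign is run by the authorization service once the user has approved the action.
func Sign(priv ed25519.PrivateKey, kid, subject, action, resource string,
	args map[string]interface{}, now time.Time, ttl time.Duration) (Artifact, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Artifact{}, err
	}
	payload, err := json.Marshal(Approval{Subject: subject, Action: action, Resource: resource,
		ArgsHash: hashArgs(args), IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix(),
		Nonce: hex.EncodeToString(nonce)})
	if err != nil {
		return Artifact{}, err
	}
	return Artifact{KeyID: kid, Payload: b64.EncodeToString(payload),
		Signature: b64.EncodeToString(ed25519.Sign(priv, payload))}, nil
}

// Verifier is the gateway-side check run right before the tool call is forwarded.
// It remembers consumed nonces so one approval cannot authorize two executions.
type Verifier struct {
	pub  ed25519.PublicKey
	used map[string]bool
}

func NewVerifier(pub ed25519.PublicKey) *Verifier { return &Verifier{pub: pub, used: map[string]bool{}} }

// Verify fails unless the signature is valid and the approval covers exactly this
// action, resource and argument set, is within its validity window, and is unused.
func (v *Verifier) Verify(art Artifact, action, resource string, args map[string]interface{}, now time.Time) error {
	payload, errP := b64.DecodeString(art.Payload)
	sig, errS := b64.DecodeString(art.Signature)
	if errP != nil || errS != nil {
		return errors.New("malformed artifact")
	}
	if !ed25519.Verify(v.pub, payload, sig) {
		return errors.New("invalid signature")
	}
	var a Approval
	if err := json.Unmarshal(payload, &a); err != nil {
		return err
	}
	switch {
	case a.Action != action || a.Resource != resource:
		return errors.New("approval does not cover this operation")
	case a.ArgsHash != hashArgs(args):
		return errors.New("arguments differ from what the user approved")
	case now.Unix() < a.IssuedAt || now.Unix() >= a.ExpiresAt:
		return errors.New("approval outside its validity window")
	case v.used[a.Nonce]:
		return errors.New("approval already consumed")
	}
	v.used[a.Nonce] = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	args := map[string]interface{}{"user_id": "42"}
	art, _ := Sign(priv, "authz-key-1", "alice", "delete_user", "users/42", args, time.Now(), 2*time.Minute)
	v := NewVerifier(pub)
	fmt.Println("first use:", v.Verify(art, "delete_user", "users/42", args, time.Now()),
		"| replay:", v.Verify(art, "delete_user", "users/42", args, time.Now()))
}
```

The point of hashing the arguments into the payload is that an approval for "delete user 42" cannot be replayed against user 43, and the nonce bookkeeping means it cannot be replayed against user 42 a second time either; the auditor needs only the public key and the artifact to confirm who approved what. A JWS (for example EdDSA over the same claims) would be the standard-based packaging of the same idea.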

Built on Open Standards

This architecture is intentionally built on open standards rather than proprietary mechanisms.

Authorization enforcement is based on OpenID AuthZEN, while authentication and privilege elevation rely on OAuth 2.1, with native interactive workflows following the OAuth 2.0 for First-Party Applications specification.

Human interaction during the authorization process is enabled through Model Context Protocol, allowing AI assistants to request structured input from users during a workflow.

Together, these technologies make it possible to implement interactive, verifiable authorization patterns that work naturally with AI agents.

Working Demo with CLI Agents (Claude Code, GitHub Copilot)

We implemented this architecture in a working prototype built on our AuthZEN MCP gateway and our MCP App Layer (the First-Party MCP Layer). The gateway acts as the policy enforcement point: it submits each tool call to the AuthZEN Policy Decision Point and enforces the decision it receives. A custom Keycloak IAM extension provides the native, browser-free authentication flow.

In the demo, an AI agent attempts to perform a protected administrative action. The gateway detects that the operation requires additional authorization and triggers a JIT verification step.


The user completes the authentication interaction directly in the CLI. Once verified, the identity provider issues an updated token and the action proceeds.


The demo works with agents such as Claude Code and GitHub Copilot CLI, showing how authorization can be integrated into real agent workflows. GitHub Copilot CLI is used here to illustrate the integration.


To our knowledge, this is one of the first demonstrations of Just-In-Time authorization with cryptographic proof inside CLI-based AI coding agents.

Looking Ahead

AI agents are quickly becoming part of everyday developer workflows. As these systems gain more autonomy, the security models around them must evolve as well.

Just-In-Time authorization offers one way to introduce meaningful control without breaking the usability that makes these tools powerful.

By combining open standards, human verification, and cryptographic proof, it becomes possible to build agent workflows that are both autonomous and accountable.

We are still exploring this space, but the early results are promising.

An important note: this approach is not limited to MCP. It applies at the API security level as well: whether the agent calls tools through MCP or invokes APIs directly, the same principles hold, namely policy-driven step-up, in-context approval, and a signed proof bound to the exact operation.

If you are working on secure AI agents, MCP infrastructure, Zero Trust architectures, or authorization frameworks like AuthZEN, I would be very interested in connecting and exchanging ideas.
