Double agents and Just-In-Time eligibility: stateless permissioning for AI agents

Microsoft Cyber Pulse and the Double Agent warning

Microsoft's Cyber Pulse briefing has been trending this morning with a sharp focus on "Double Agents": sanctioned AI agents that are officially part of your environment but that act against the organization because they have excessive permissions. These are not necessarily rogue or external attackers; they are agents you have authorized, but with permissions that are too broad or too static. Given the right trigger (e.g. prompt injection, compromise, or misuse), they can exfiltrate data, run unauthorized transactions, or otherwise harm the organization. The risk is structural: static permission models give agents standing access that is hard to revoke in real time and that becomes a single point of failure (or exfiltration) if the agent is turned against you.

The problem: static permissions and the hackable database

Most agents today have static permissions. They are granted a list of what they can do (read this, write that, call this API), and that list lives in a permissions database or IAM system. The problems: (1) that database is a high-value target: if an attacker or a Double Agent gets access, they see everything the agent can do. (2) Revoking or narrowing permissions often takes time and manual change. (3) There is no per-action, per-context check: either the agent has permission or it does not, for whole categories of actions. So when Microsoft warns of Double Agents, the mitigation is not "add more agents" but reduce standing permission and verify each action in context.

The AffixIO play: Just-In-Time eligibility and stateless permissioning

AffixIO's rules-based decision engine allows for stateless permissioning. The angle: instead of storing a massive, long-lived permissions database that says "Agent X can do A, B, C," you ask at the moment of the action: "Is this agent eligible to do this thing, right now, in this context?" That is Just-In-Time (JIT) eligibility. No standing permission; only a binary verdict at request time.

The implementation

Every time an agent makes a move (e.g. access a resource, run a transaction, call an API), the agent (or the gateway or policy enforcement point in front of it) queries AffixIO. The request includes the agent reference and the action context: what is being requested, and any relevant signals (time, amount, resource type, etc.). AffixIO checks the current context against your rules. Examples: "Is it during business hours?" "Is the transaction under $5k?" "Is this agent on the authorized list for this action?" "Has the daily limit been exceeded?" The rules-based decision engine evaluates in real time against live data (e.g. time, registries, limits) and returns a binary YES or NO. No session state; no standing permission stored. The agent gets to proceed only if the answer is YES for this specific request.

The value: stop a Double Agent without a hackable permissions database

You stop a Double Agent in its tracks before it can exfiltrate data or run an unauthorized transaction, because every move is gated by a fresh eligibility check. If the context is wrong (e.g. after hours, over limit, or the agent is no longer authorized), the answer is NO. There is no massive, central permissions database for an attacker or a compromised agent to steal or abuse: the "permission" exists only as the outcome of a stateless query at the time of the request. That is the value of JIT eligibility and stateless permissioning.

This is the same stateless proof flow we use for NHI and M2M trust, A2A Agent Cards, and MCP zero-egress: one question, one binary answer, no standing state. See agentic payments for payment-specific JIT checks.

Context examples for JIT checks

Your rules can use any context that AffixIO can evaluate in real time. Common examples for stopping Double Agents and constraining sanctioned agents:

• Time: Is it during business hours? Is the request within the allowed window?
• Amount or scope: Is the transaction under $5k? Is the data access within the allowed scope?
• Registry: Is this agent still on the authorized list for this action? (Checked live, not from a cached list on the agent.)
• Rate or limit: Has the daily or per-agent limit been exceeded?
• Resource: Is this agent allowed to touch this specific resource or dataset? (Binary check against your policy.)

Each of these is a rule in your decision engine. AffixIO returns YES only if all applicable rules pass. That is JIT eligibility: permission only for this request, in this context.

Circuits for this trend

Use these circuit IDs with the AffixIO API. List all circuits: GET https://api.affix-io.com/v1/circuits (see openapi.json). Run a check: POST /v1/verify with identifier and circuit_id.

• token-validation (Token Validation)
• composite (Composite Circuit)
• consent-verification (Consent Verification)

How AffixIO fits in

AffixIO provides the verification layer for agent actions: stateless, rules-based eligibility checks at the time of each request. Your agent or gateway sends the agent reference and the action context; AffixIO evaluates against your rules and live data and returns YES or NO. Integration with your agent framework, API gateway, or policy engine is part of the implementation. If you are responding to the Double Agent warning and want JIT eligibility and stateless permissioning instead of static permission lists, we would be glad to discuss. Contact hello@affix-io.com or use our contact page for API access and integration options.

Frequently asked questions

What are Double Agents in cybersecurity?

Microsoft's Cyber Pulse briefing uses the term Double Agents to describe sanctioned AI agents that act against an organization because they have excessive permissions. These are agents that are officially allowed to run inside your environment but, due to static or over-broad permissions, can be exploited or can misuse their access (e.g. exfiltrating data, making unauthorized transactions). The risk is that static permission models give agents more access than they need for each specific action.

What is Just-In-Time (JIT) eligibility for AI agents?

Just-In-Time (JIT) eligibility means that an agent's permission to perform an action is decided at the moment of the action, not from a pre-stored list of static permissions. Every time an agent makes a move (e.g. access data, execute a transaction), it queries a verification layer. The layer checks the current context (e.g. business hours, transaction amount, resource type) and returns a binary YES or NO. No standing permission; only eligibility at the time of the request. That limits the damage a Double Agent can do because it never has "permission until revoked"; it has permission only for the current, context-checked request.

What is stateless permissioning?

Stateless permissioning means that the system that decides whether an agent is allowed to do something does not maintain a massive, long-lived permissions database. AffixIO's rules-based decision engine evaluates each request in real time against current context and external data (e.g. time, amount, registry). The result is a binary YES or NO. No central store of "agent X has permissions A, B, C" that could be stolen or abused. You stop a Double Agent in its tracks before it can exfiltrate data, without needing to maintain a massive, hackable permissions database.

How does AffixIO implement JIT eligibility for agents?

Every time an agent makes a move, it (or the gateway in front of it) queries AffixIO with the agent reference and the action context (e.g. resource, amount, time). AffixIO checks the current context against your rules: Is it during business hours? Is the transaction under $5k? Is this agent on the authorized list for this action? The rules-based decision engine returns a binary YES or NO. No session state; no standing permissions. That is JIT eligibility: permission only for this request, in this context, at this time.