Service Account Model
Agent runs as a dedicated service account with configured permissions. Simple, but limited: all users of the agent share the same effective permissions. Good for internal-only agents with uniform policy.
Delegated Auth
Agent acts on behalf of a user. User’s permissions apply. Better security isolation. More complex token management, especially for long-running agents.
Just-in-Time Tokens
Short-lived tokens issued per task. Minimizes the blast radius of a leaked token. Requires token refresh infrastructure. Modern standard for customer-facing agents.
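An added example (not from the original page) that combines delegated auth with just-in-time tokens: each token is bound to one task, expires quickly, and carries only scopes the user already holds. The HMAC token format, `SIGNING_KEY`, the 300-second lifetime, the scope names and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key"  # assumption: held only by the token service
TOKEN_TTL_SECONDS = 300                # assumption: one short lifetime per task


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_task_token(user, user_perms, task_id, requested, now=None):
    """Mint a token for one task, limited to what the user may already do."""
    now = time.time() if now is None else now
    # Delegated auth: grant the intersection, never more than the user holds.
    granted = sorted(set(requested) & set(user_perms))
    claims = {"sub": user, "task": task_id, "scopes": granted,
              "exp": int(now) + TOKEN_TTL_SECONDS}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def authorize(token, task_id, scope, now=None):
    """True only for an authentic, unexpired token bound to this task and scope."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong part count or bad base64
        return False
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False
    claims = json.loads(body)
    return (claims["exp"] > now
            and claims["task"] == task_id
            and scope in claims["scopes"])
```

A token leaked from one task is useless for another task, for any scope the user lacked or the task did not request, and for anything after expiry.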
Model Selection
High-security contexts: JIT + delegated auth. Internal ops agents: service account with strict permissions. Customer-facing: delegated auth, JIT, continuous monitoring. Match the model to the threat.