Time-of-check to time-of-use (TOCTOU) is a class of vulnerability that has existed in operating systems and access control systems since at least the 1970s. The mechanism is simple: a permission check occurs at one moment in time; the actual action occurs at a later moment. In the window between check and action, the conditions that justified the permission may have changed. The permission is stale.
In AI governance systems, TOCTOU vulnerabilities emerge at the boundary between the governance evaluation layer and the action execution layer. They are easy to miss because everything in the audit record appears correct — the permission check passed, the action was taken, the audit record shows authorization. What the record does not show is that the authorization was no longer valid at the time the action was taken.
The Structure of a TOCTOU Window
An AI agent operating under a governance framework follows a sequence: evaluate, authorize, act. The governance evaluation checks the proposed action against policy. If evaluation passes, authorization is granted. The agent then executes the authorized action.
The TOCTOU window is the interval between authorization grant and action execution. In a single-threaded, single-request system with no latency, this window approaches zero. In practice, it is never zero, and it can be substantial:
- Network round-trip latency. The governance evaluation happens in one service. The action execution happens in another. Authorization must travel from evaluation to execution. In that interval, policy can change.
- Queue-based execution. Authorized actions are placed in an execution queue. They execute when the queue processes them. Policy may change while the action waits in queue.
- Multi-step agentic tasks. An agent plans a multi-step task and receives authorization for the full plan. It executes steps sequentially. By the time it reaches Step 4, the policy has changed in a way that would have blocked the plan — but Step 4 executes under the authorization granted before the change.
- User privilege changes. A user requests an action while at their current privilege level. Between authorization and execution, the user is downgraded — terminated, demoted, or suspended. The action executes under the authorization of their former privilege level.
How Attackers Exploit TOCTOU Windows
A targeted TOCTOU attack in an AI governance context looks like this:
- The attacker requests an action that is currently within policy — perhaps just barely, at the edge of the permitted envelope.
- The governance evaluation passes. Authorization is granted.
- Between authorization and execution, the attacker triggers a condition that would have blocked the original request — changing their claimed context, modifying a shared resource the authorization depended on, or exploiting a race to alter the policy state.
- The action executes under the stale authorization.
- The audit record shows a valid authorization and a legitimate execution. The TOCTOU gap is invisible in the record.
Closing the TOCTOU Window
There are three complementary approaches to TOCTOU resistance in AI governance systems.
Policy-Version Binding. Every authorization decision embeds the hash of the policy version that produced it. At execution time, the executing system checks whether the policy version embedded in the authorization matches the current active policy. If the policy has changed between authorization and execution, the authorization is expired and execution is blocked.
This approach adds execution-time overhead — the policy version check must happen at execution, not just at authorization. The overhead is a hash comparison, which is computationally negligible. The compliance benefit is that policy changes take effect immediately: any authorization granted under a superseded policy version is automatically expired.
Authorization Expiry with Short TTL. Authorizations carry an explicit expiry timestamp. If an authorization is not consumed within its TTL, it is expired. The TTL is set based on the expected execution latency: short enough that meaningful policy changes during normal execution are unlikely, short enough that queue backlogs do not accumulate large numbers of stale authorizations.
Short-TTL authorizations force re-evaluation of timed-out actions under current policy rather than stale policy. They also prevent authorization hoarding: an attacker who captures a large number of authorizations during a permissive policy window cannot execute them all after the policy tightens.
Context-Snapshot Comparison. For complex authorizations that depend on multiple context factors — user privilege level, resource state, current usage budget — the authorization embeds a snapshot hash of the relevant context at authorization time. At execution time, the system computes the current context hash and compares it to the snapshot. A mismatch indicates that conditions have changed since authorization and triggers re-evaluation.
The Audit Implication
TOCTOU vulnerability detection requires that the audit record contain more than the authorization decision and execution result. It must contain the policy version, the authorization TTL, and the context conditions that were present at authorization time. Without this data, post-hoc detection of TOCTOU exploitation is not possible.
For regulated deployments, this means requiring that governance logs capture authorization context, not just authorization decisions. A governance system that records "authorized" without recording "authorized under these conditions at this moment" is compliant in form but not in substance. It cannot support the investigation of TOCTOU-class incidents and cannot be used to verify that exploited TOCTOU gaps existed.
A policy document stating "AI systems must prevent stale authorizations from executing" provides no TOCTOU resistance. The resistance is policy-version binding at execution time, short-TTL authorization expiry, and context-snapshot comparison — each a verifiable property of the infrastructure, not an intent expressed in prose.
Enterprise buyers should ask AI governance vendors directly: does your authorization record include the policy version hash and context snapshot at authorization time? Can you demonstrate that your execution layer validates these against the current state before executing? A vendor that cannot answer affirmatively has a TOCTOU gap, whether or not they have encountered it in the field.
The governance audit record for a regulated AI deployment must contain the conditions of authorization, not just the authorization decision. Without the policy version hash, the context snapshot, and the authorization timestamp embedded in the execution record, post-hoc verification that TOCTOU controls were active is impossible. The audit log shows that something was authorized; it cannot show that the authorization was valid at execution time.