diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index c28d80ddf6b1913d0db8e5e858f8065deedd628f..8688988122c2cd78c80a9257968c7b3477fd6763 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -4,6 +4,8 @@ class BasePolicy < DeclarativePolicy::Base
   desc "User is an instance admin"
   with_options scope: :user, score: 0
   condition(:admin) do
+    next false if ::Feature.enabled?(:prevent_job_token_admin_permissions, @user) && @user&.from_ci_job_token?
+
     if Gitlab::CurrentSettings.admin_mode
       Gitlab::Auth::CurrentUserMode.new(@user).admin_mode?
     else
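Review bot: The new guard at the top of the `admin` condition evaluates the feature-flag lookup before the cheap, nil-safe user check, so every admin evaluation, including one where `@user` is nil, pays for `::Feature.enabled?` with a nil actor. Swapping the operands, `next false if @user&.from_ci_job_token? && ::Feature.enabled?(:prevent_job_token_admin_permissions, @user)`, yields the same boolean and only consults the flag for job-token users. Since the `desc` still reads "User is an instance admin", a why-comment above the guard would help the next reader: `# A user authenticated through a CI job token must not inherit admin privileges, even when admin mode is active.` The condition's body continues past the end of the hunk; this short-circuit denies only the `:admin` condition, so any other rule that grants admin-equivalent abilities without going through it would be unaffected, which seems worth confirming.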
diff --git a/config/feature_flags/development/prevent_job_token_admin_permissions.yml b/config/feature_flags/development/prevent_job_token_admin_permissions.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0ecb9168f56ea80ae5d226791a85ef3db912468f
--- /dev/null
+++ b/config/feature_flags/development/prevent_job_token_admin_permissions.yml
@@ -0,0 +1,9 @@
+---
+name: prevent_job_token_admin_permissions
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167449
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/474775
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/495627
+milestone: '17.5'
+type: development
+group: group::pipeline security
+default_enabled: false
diff --git a/spec/policies/base_policy_spec.rb b/spec/policies/base_policy_spec.rb
index 79ee26e8942e8987ff6261078c70da8fbe452202..4479de40e69dded898091c42871e1897fe981bec 100644
--- a/spec/policies/base_policy_spec.rb
+++ b/spec/policies/base_policy_spec.rb
@@ -43,6 +43,39 @@ def policy
         is_expected.to be_allowed(ability)
       end
 
+      context 'when user from job token' do
+        before do
+          allow(current_user).to receive(:from_ci_job_token?).and_return(true)
+          enable_admin_mode!(current_user)
+        end
+
+        it 'prevents when settings in admin mode' do
+          allow(Gitlab::CurrentSettings).to receive(:admin_mode).and_return(false)
+
+          is_expected.to be_disallowed(ability)
+        end
+
+        it 'prevents when user is admin' do
+          is_expected.to be_disallowed(ability)
+        end
+
+        context 'and feature flag prevent_job_token_admin_permissions is disabled' do
+          before do
+            stub_feature_flags(prevent_job_token_admin_permissions: false)
+          end
+
+          it 'does not prevent settings in admin mode' do
+            allow(Gitlab::CurrentSettings).to receive(:admin_mode).and_return(true)
+
+            is_expected.to be_allowed(ability)
+          end
+
+          it 'allows when user is admin' do
+            is_expected.to be_allowed(ability)
+          end
+        end
+      end
+
       it 'prevented when not in admin mode' do
         is_expected.not_to be_allowed(ability)
       end
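Review bot: The example names at lines 43 and 58 contradict their stubs: 'prevents when settings in admin mode' stubs `Gitlab::CurrentSettings.admin_mode` to `false`, and 'does not prevent settings in admin mode' stubs it to `true` after the `before` block has already called `enable_admin_mode!`. Renaming them to the branch actually exercised, e.g. `it 'prevents when the admin mode setting is disabled' do` and `it 'allows when the admin mode setting is enabled' do`, makes a failure point at the right branch of the condition. The new context also never covers a user that is not from a job token while the flag is enabled; if that negative case is only pinned by the surrounding examples, a single `it` in this context with `from_ci_job_token?` stubbed to `false` and `is_expected.to be_allowed(ability)` would cover it explicitly. The enclosing describe block starts before this hunk.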