diff --git a/weed/iam/integration/iam_integration_test.go b/weed/iam/integration/iam_integration_test.go
index 947fc3145..9e51f4313 100644
--- a/weed/iam/integration/iam_integration_test.go
+++ b/weed/iam/integration/iam_integration_test.go
@@ -275,20 +275,21 @@ func TestSessionExpiration(t *testing.T) {
 assert.True(t, response.Credentials.Expiration.After(time.Now()))
 assert.True(t, response.Credentials.Expiration.Before(time.Now().Add(16*time.Minute)))
- // Test actual session expiration
+ // Test session expiration behavior in stateless JWT system
+ // In a stateless system, manual expiration is not supported
 err = iamManager.ExpireSessionForTesting(ctx, sessionToken)
- require.NoError(t, err)
+ require.Error(t, err, "Manual session expiration should not be supported in stateless system")
+ assert.Contains(t, err.Error(), "manual session expiration not supported")
- // Verify session is now expired and access is denied
+ // Verify session is still valid (since it hasn't naturally expired)
 allowed, err = iamManager.IsActionAllowed(ctx, &ActionRequest{
 Principal: response.AssumedRoleUser.Arn,
 Action: "s3:GetObject",
 Resource: "arn:seaweed:s3:::test-bucket/file.txt",
 SessionToken: sessionToken,
 })
- require.Error(t, err)
- assert.False(t, allowed)
- assert.Contains(t, err.Error(), "session has expired")
+ require.NoError(t, err, "Session should still be valid in stateless system")
+ assert.True(t, allowed, "Access should still be allowed since token hasn't naturally expired")
 }
 // TestTrustPolicyValidation tests role trust policy validation
diff --git a/weed/iam/integration/role_store.go b/weed/iam/integration/role_store.go
index 3f3d96ee3..1b8ceb3fe 100644
--- a/weed/iam/integration/role_store.go
+++ b/weed/iam/integration/role_store.go
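Review bot: The rewritten assertions at the end of the hunk no longer exercise any expiry path: the removed `assert.Contains(t, err.Error(), "session has expired")` check was the only place this test proved that an expired token is denied, and its replacement only proves that an unexpired token is accepted, so a regression in expiry validation would now pass `TestSessionExpiration` unnoticed. If the manager or the STS layer allows injecting a clock or a very short session duration (not visible here), add a second `IsActionAllowed` call with a token past its expiry and assert it returns an error with `allowed == false`; otherwise leave a marker such as `// TODO: cover natural expiry — mint a token whose Expiration is in the past and assert access is denied` so the gap stays visible. The `assert.Contains` on `err.Error()` also couples the test to message text; if `ExpireSessionForTesting` returns a sentinel error, `require.ErrorIs(t, err, ...)` is more robust. The body of `TestSessionExpiration` starts before this hunk.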
@@ -9,6 +9,7 @@ import (
 "time"
 "github.com/seaweedfs/seaweedfs/weed/glog"
+ "github.com/seaweedfs/seaweedfs/weed/iam/policy"
 "github.com/seaweedfs/seaweedfs/weed/pb"
 "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
 "google.golang.org/grpc"
@@ -119,9 +120,9 @@ func copyRoleDefinition(original *RoleDefinition) *RoleDefinition {
 if original.TrustPolicy != nil {
 // Use JSON marshaling for deep copy of the complex policy structure
 trustPolicyData, _ := json.Marshal(original.TrustPolicy)
- var trustPolicyCopy interface{}
+ var trustPolicyCopy policy.PolicyDocument
 json.Unmarshal(trustPolicyData, &trustPolicyCopy)
- // Note: This is a simplified copy. In production, implement proper deep copy for PolicyDocument
+ copied.TrustPolicy = &trustPolicyCopy
 }
 // Copy attached policies slice
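Review bot: Both JSON errors in `copyRoleDefinition` are still discarded, and with the new `copied.TrustPolicy = &trustPolicyCopy` that silence has a security consequence: if `json.Marshal` or `json.Unmarshal` fails, `trustPolicyCopy` remains a zero-value `policy.PolicyDocument`, so the copy carries an empty trust policy instead of the configured one, and whatever the evaluator does with an empty document (deny-all or something looser — not visible here) it is no longer the policy the administrator wrote. The function's signature cannot return an error, so at minimum check both calls and, on failure, log with the already-imported `glog` and fall back to sharing the original pointer, trading copy isolation for policy fidelity rather than silently substituting an empty policy. The round trip is also only a faithful deep copy if `PolicyDocument` marshals losslessly (no unexported or tag-skipped fields, no lossy custom `MarshalJSON`); worth confirming in the `policy` package. The body of `copyRoleDefinition` continues past this hunk.
```go
	if original.TrustPolicy != nil {
		// Round-trip through JSON to deep-copy the document. A failed round trip
		// must not yield an empty policy: fall back to sharing the original.
		var trustPolicyCopy policy.PolicyDocument
		trustPolicyData, err := json.Marshal(original.TrustPolicy)
		if err == nil {
			err = json.Unmarshal(trustPolicyData, &trustPolicyCopy)
		}
		if err != nil {
			glog.Errorf("copyRoleDefinition: deep copy of trust policy failed, sharing original: %v", err)
			copied.TrustPolicy = original.TrustPolicy
		} else {
			copied.TrustPolicy = &trustPolicyCopy
		}
	}
	// … unchanged: attached policies slice copy …
```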