diff --git a/blueprints/data-solutions/data-platform-foundations/README.md b/blueprints/data-solutions/data-platform-foundations/README.md
index 6cdfdec9..c73b0a31 100644
--- a/blueprints/data-solutions/data-platform-foundations/README.md
+++ b/blueprints/data-solutions/data-platform-foundations/README.md
@@ -228,7 +228,7 @@ module "data-platform" {
   }
   prefix = "myprefix"
 }
-# tftest modules=43 resources=290
+# tftest modules=43 resources=293
 ```
 
 ## Customizations
diff --git a/blueprints/data-solutions/data-platform-minimal/README.md b/blueprints/data-solutions/data-platform-minimal/README.md
index 5559d986..a415b00f 100644
--- a/blueprints/data-solutions/data-platform-minimal/README.md
+++ b/blueprints/data-solutions/data-platform-minimal/README.md
@@ -229,7 +229,7 @@ module "data-platform" {
   prefix = "myprefix"
 }
 
-# tftest modules=23 resources=137
+# tftest modules=23 resources=138
 ```
 
 ## Customizations
diff --git a/modules/project/README.md b/modules/project/README.md
index 9d94d9f2..13f142af 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -219,6 +219,7 @@ This table lists all affected services and roles that you need to grant to servi
 | cloudasset.googleapis.com | cloudasset | roles/cloudasset.serviceAgent |
 | cloudbuild.googleapis.com | cloudbuild | roles/cloudbuild.builds.builder |
 | dataplex.googleapis.com | dataplex | roles/dataplex.serviceAgent |
+| dlp.googleapis.com | dlp | roles/dlp.serviceAgent |
 | gkehub.googleapis.com | fleet | roles/gkehub.serviceAgent |
 | meshconfig.googleapis.com | servicemesh | roles/anthosservicemesh.serviceAgent |
 | multiclusteringress.googleapis.com | multicluster-ingress | roles/multiclusteringress.serviceAgent |
diff --git a/modules/project/service-agents.yaml b/modules/project/service-agents.yaml
index eb38dc4c..34819710 100644
--- a/modules/project/service-agents.yaml
+++ b/modules/project/service-agents.yaml
@@ -169,6 +169,7 @@
   # dlp                          ="organizations-ORGANIZATION_NUMBER@gcp-sa-riskmanager"
 - name: "dlp"
   service_agent: "service-%s@dlp-api.iam.gserviceaccount.com"
+  jit: true
 - name: "documentai"
   service_agent: "service-%s@gcp-sa-prod-dai-core.iam.gserviceaccount.com"
 - name: "edgecontainer"