By NHI Mgmt Group Editorial TeamPublished 2026-07-06Domain: Workload IdentitySource: Keyfactor

TL;DR: AgileSec 3.6 adds RSA JWT signing, remote token revocation awareness, Tanium Connect ingestion, expanded cloud and source coverage, and improved PQC detection and CBOM export for cryptographic inventory and audit readiness, according to Keyfactor. The release matters because crypto-agility depends on knowing where cryptography exists, not just replacing algorithms later.


At a glance

What this is: AgileSec 3.6 is a cryptographic inventory and control update that expands discovery, revocation awareness, and reporting for enterprise crypto-agility.

Why it matters: For IAM, NHI, and platform teams, the release matters because machine authentication and cryptographic governance now sit on the same operational path as visibility, revocation, and auditability.

By the numbers:

👉 Read Keyfactor's post on AgileSec 3.6 cryptographic visibility and control


Context

Cryptographic visibility is now an identity governance problem as much as a security operations problem. If teams cannot see where keys, tokens, certificates, and signing paths exist, they cannot reliably revoke, rotate, or audit them before exposure turns into persistence.

AgileSec 3.6 is positioned around that gap by widening discovery, tightening access controls, and improving reporting across cloud, development, and search environments. The operational question is no longer whether crypto-agility is needed, but whether organisations can inventory cryptographic assets fast enough to govern them.

That starting point is typical for large enterprises: cryptographic sprawl is rarely contained to one platform, one cloud, or one team. The release reflects a mature problem space where visibility and control have to move together.


Key questions

Q: How should security teams govern cryptographic inventory across multiple platforms?

A: Treat cryptographic inventory as an enterprise control, not a per-tool report. Consolidate findings from cloud, repository, pipeline, and search environments so the organisation can see where keys, tokens, certificates, and signing paths overlap. A fragmented view slows revocation, weakens audit evidence, and hides concentration risk across business units.

Q: Why does revocation matter as much as discovery in crypto-agility programmes?

A: Discovery shows what exists, but revocation determines how long a compromised credential remains useful. If a token, key, or signing trust path can still be honoured after exposure, the organisation has standing cryptographic risk. Crypto-agility depends on being able to remove trust as quickly as it was granted.

Q: What do teams get wrong about post-quantum cryptography readiness?

A: They often start with algorithm migration instead of asset visibility. PQC planning only works when teams know which systems use vulnerable cryptography, where those dependencies live, and what remediation order makes sense. Without that baseline, migration becomes speculative instead of controlled.

Q: How do organisations know if their cryptographic governance is actually working?

A: Look for whether inventory, revocation, and audit reporting all describe the same estate. If search results, CBOM exports, and operational records disagree, the programme has visibility gaps that will surface during incident response or compliance review. Effective governance produces a single defensible view of cryptographic exposure.


Technical breakdown

RSA JWT signing and remote token revocation in machine authentication

Machine-to-machine authentication depends on cryptographic trust objects that are often long-lived and widely reused. RSA JWT signing gives teams a stronger signing mechanism for tokens, while remote token revocation awareness changes how quickly a compromised credential can be invalidated across the platform. In practice, these controls matter because a valid token is often more dangerous than malware when it can be replayed across services, APIs, or admin workflows. The security issue is not only token theft, but token persistence after compromise.

Practical implication: teams should map where token revocation is authoritative and where stale credentials can still be honoured after a control-plane change.

Cross-cluster search and cryptographic inventory at enterprise scale

Crypto inventory fails when data is trapped inside separate clusters, regions, or business units. Cross-cluster search reduces that fragmentation by letting teams query multiple OpenSearch environments through one search layer, which improves the speed and consistency of investigations. This is not just a usability improvement. It changes how cryptographic risk is correlated, because algorithm use, key metadata, and asset location can be assessed together instead of as isolated findings. Without that aggregation, the organisation may know pieces of the risk but not the full blast radius.

Practical implication: organisations should treat distributed search as a control requirement for global crypto governance, not as a convenience feature.

PQC detection, CBOM export, and audit-ready cryptographic governance

Post-quantum readiness starts with accurate discovery of what must eventually be remediated. PQC detection identifies cryptographic assets that may become vulnerable as algorithms age out, while CBOM export turns that inventory into a structured record for audit, reporting, and programme planning. CBOM, or Cryptographic Bill of Materials, helps teams describe cryptographic dependencies with more fidelity than ad hoc spreadsheets or application notes. The operational value is that remediation planning becomes tied to observed assets rather than assumptions about architecture.

Practical implication: teams should use CBOM and PQC reporting to build an authoritative remediation backlog before migration planning begins.


NHI Mgmt Group analysis

Cryptographic visibility debt is now the core governance problem. The article makes clear that organisations cannot govern what they cannot enumerate, and that applies to keys, signing paths, token controls, and cloud-native crypto assets alike. That is a governance failure before it is a tooling issue. The practitioner implication is that inventory quality has become a prerequisite for control effectiveness.

Remote revocation closes one of the most stubborn machine-identity blind spots. Compromised tokens remain valuable precisely because they often outlive the event that exposed them. When revocation is only local, delayed, or inconsistent across platforms, the organisation is left with standing cryptographic trust that should no longer exist. The practitioner implication is to measure whether revocation actually reaches every enforcement point.

CBOM is emerging as the missing language for cryptographic accountability. A Cryptographic Bill of Materials lets teams express what crypto exists, where it is used, and what may break during migration or audit review. That matters because crypto-agility is not only about algorithm replacement, but about dependency visibility across applications, cloud services, and development pipelines. The practitioner implication is to move from inventory fragments to an auditable cryptographic register.

Cross-cluster visibility turns crypto governance from local administration into enterprise control. Distributed environments create governance drift when each team sees only its own slice of the cryptographic estate. The result is inconsistent detection, delayed revocation, and uneven audit evidence across business units. The practitioner implication is to align crypto visibility with enterprise identity and access governance, not with individual platform boundaries.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
  • That visibility gap is why teams should also read NHI Lifecycle Management Guide for a control view of provisioning, rotation, and offboarding.

What this signals

Cryptographic inventory is becoming the control plane for machine trust. As crypto sprawl moves across cloud, repositories, and search clusters, teams need one operating picture that links discovery to revocation and audit evidence. The practical shift is toward governed inventories that can survive platform changes and organisational boundaries.

With 1 in 4 organisations already investing in dedicated NHI security capabilities, according to our research, the market is signalling that visibility problems are no longer edge cases. The same pressure is now showing up in cryptographic governance, where fragmented discovery creates the conditions for delayed response and incomplete remediation.

CBOM will matter more as PQC programmes mature. Once teams have a structured cryptographic register, they can connect inventory, ownership, and migration planning instead of treating post-quantum work as a separate technical stream. That is the difference between a reporting exercise and a usable governance model.


For practitioners

  • Inventory all token signing and revocation paths Map where JWT signing occurs, where revocation is enforced, and which services still trust stale credentials after a change. Focus on the systems that can continue accepting a token after the originating control has been updated.
  • Consolidate cryptographic findings into one search workflow Use cross-cluster search or an equivalent inventory layer so cloud, development, and search findings can be reviewed together. The goal is to reduce the time between discovery and action across regions and business units.
  • Build a Cryptographic Bill of Materials for critical systems Document the cryptographic assets, dependencies, and algorithms used by key applications so PQC migration planning is based on evidence rather than assumptions. Use CBOM export as the baseline for audit and remediation tracking.
  • Validate SAML and role-mapping edge cases in identity integrations Test group claims, role mappings, and identity-based segmentation rules where enterprise identity providers feed OpenSearch or similar platforms. Misparsed claims can create silent access drift even when authentication succeeds.

Key takeaways

  • AgileSec 3.6 frames cryptographic visibility as a governance issue, not just a discovery feature.
  • Enterprise crypto-agility depends on revocation, inventory, and audit records that all describe the same trust estate.
  • Teams preparing for post-quantum change need a cryptographic baseline before migration planning can be trusted.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Token exposure and revocation gaps map to NHI credential lifecycle control.
NIST CSF 2.0PR.AC-1Access and credential control are central to machine authentication governance.
NIST SP 800-53 Rev 5IA-5Authenticator management fits the release's token signing and revocation changes.
NIST Zero Trust (SP 800-207)The release supports reduced trust in machine authentication and distributed search.
CIS Controls v8CIS-5 , Account ManagementCredential and account lifecycle controls underlie token and identity governance.

Use zero-trust principles to limit implicit trust in tokens, clusters, and search outputs.


Key terms

  • Cryptographic Bill of Materials: A Cryptographic Bill of Materials is a structured inventory of the cryptographic components used by systems, applications, and services. It helps teams see algorithms, keys, certificates, and dependencies in one place so migration, audit, and remediation work can be planned against evidence rather than assumptions.
  • Crypto-agility: Crypto-agility is the ability to change cryptographic algorithms, keys, and supporting controls without redesigning the whole environment. In practice, it depends on inventory, dependency mapping, and operational visibility, because organisations cannot replace what they cannot locate or understand.
  • Remote Token Revocation: Remote token revocation is the ability to invalidate a credential or token from a central control point even when it is used across multiple systems. It reduces the lifespan of compromised trust, but only if every enforcement point actually honours the revocation signal.
  • Cryptographic Inventory: Cryptographic inventory is the live record of where keys, tokens, certificates, signing mechanisms, and related dependencies exist across an environment. It is the foundation of crypto governance because it tells teams what they must protect, rotate, revoke, or eventually replace.

What's in the full article

Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:

  • Expanded configuration notes for RSA JWT token signing and remote token revocation awareness.
  • Platform-specific coverage details for Tanium Connect, GCP KMS, GitHub, and Bitbucket Data Center sources.
  • Deployment and administration changes for Kubernetes, Helm charts, and cross-cluster search tuning.
  • PQC detection and CBOM export behaviour for teams building audit evidence and migration plans.

👉 Keyfactor's full post covers the new discovery sources, token controls, and PQC reporting detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org