TL;DR: AI agents now access enterprise systems, retrieve data, write code, and execute workflows autonomously, which makes identity, privilege, and auditability the core controls, according to Keyfactor. The critical issue is not whether agents can act, but whether their access can be cryptographically verified, narrowly scoped, and governed before execution starts.
At a glance
What this is: This is an independent analysis of how agentic AI changes identity control, with certificates and PAM positioned as the core governance model for agent access.
Why it matters: It matters because IAM, PAM, and NHI teams must govern AI agents as runtime identities, not just as tools, or autonomous access will outpace review and containment.
By the numbers:
- By 2030, CIOs expect that 0% of IT work will be done by humans without AI, 75% will be done by humans augmented with AI, and 25% will be done by AI alone, according to a July 2025 survey of over 700 CIOs by Gartner®.
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
Context
AI agent identity is the governance problem created when software systems can make runtime decisions, select actions, and interact with enterprise tools on behalf of users or independently. In that model, identity is no longer just authentication at login. It becomes the control layer that determines what the agent can reach, what it can retrieve, and how tightly its actions are bound to policy.
Keyfactor frames the issue around certificates, zero trust, and privileged access management because autonomous agents can otherwise accumulate access that is broad, static, and hard to audit. For IAM, PAM, and NHI programmes, the practical question is whether the agent has a verifiable identity, a bounded credential path, and enough traceability to survive operational review. That starting point is typical for current enterprise agent discussions, even if the deployment stack varies.
Key questions
Q: How should security teams govern AI agents that need access to enterprise systems?
A: Treat AI agents as non-human identities and require a verifiable workload identity before any privileged action occurs. Then route every external access request through policy, logging, and just-in-time credential issuance. The agent should not hold persistent secrets, and its access should expire with the task or workload instance.
Q: Why do AI agents complicate zero trust architecture?
A: Because zero trust assumes each access decision can be verified at the point of use, but agentic systems can make those decisions dynamically and repeatedly inside a session. If the workload identity, policy check, and credential scope are not tightly bound, the agent can move faster than human review and extend its own reach.
Q: What breaks when AI agents use static secrets or broad credentials?
A: Static secrets create a large blast radius because one compromised or overused credential can expose multiple systems, repositories, or data sets. Broad credentials also make it impossible to tell whether the agent stayed inside its intended task boundary. That is a governance failure as much as a technical one.
Q: What is the difference between workload identity and privileged access management for agents?
A: Workload identity proves which agent instance is acting, while privileged access management governs what that instance may retrieve or do. In practice, the first is about authentication and cryptographic trust, and the second is about scoped authorisation, session control, and auditability. Both are required for agent governance.
Technical breakdown
Certificate-based workload identity for AI agents
Agentic systems need a machine-verifiable identity before they can safely request access to internal or third-party services. Certificate-based workload identity gives each runtime instance a cryptographic identity that can be validated by infrastructure such as a service mesh, often using mTLS for mutual authentication. This does not grant permission by itself. It establishes that the agent is a known workload, not an anonymous process, so downstream systems can apply policy to the request rather than to a human session.
Practical implication: bind agent instances to workload certificates before they can reach sensitive systems.
PAM and just-in-time credential retrieval
Certificates solve identity, but external systems still expect application-specific credentials, tokens, or delegated access. PAM sits in the middle by validating the agent’s identity, issuing or brokering the right credential, and keeping that credential time-bound and scoped. That model reduces hard-coded secrets and creates auditability around credential use. It also prevents the agent from holding persistent access it does not need for the current task.
Practical implication: route agent access to repositories, SaaS, and cloud services through PAM-backed just-in-time issuance.
Zero trust for ephemeral agentic workloads
Agentic workloads are often short-lived, containerised, and dynamic, which means the identity boundary must follow the workload lifecycle. Zero trust in this context means each connection is re-authenticated, each privilege is validated, and no step is trusted simply because the agent is already inside the network. The architecture only works when identity, transport security, and authorisation remain separate controls rather than one shared assumption.
Practical implication: treat agent runtime, transport, and authorisation as separate checkpoints, not one trust decision.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting non-human identities, including AI agents.
NHI Mgmt Group analysis
Agentic AI turns identity into a runtime control problem, not a provisioning problem. Once the system can decide what to do next, conventional IAM assumptions about static entitlements and review cycles become too slow to govern. The field has to treat the agent as a runtime identity with a bounded execution envelope, because access decided at design time will not constrain behaviour at execution time. The practical conclusion is that identity governance must move closer to the action itself.
Certificates establish who the agent is, but they do not answer what the agent may do. That division matters because cryptographic identity and authorisation are being collapsed in too many architectures. A valid workload certificate can prove origin and authenticity while PAM still governs credential use, scope, and traceability. Practitioners should read this as a boundary condition: identity verification and privilege control must stay separate or the control model loses precision.
Least privilege for agentic systems is only durable when it is paired with just-in-time retrieval. Persistent secrets embedded in workflows or containers create a larger blast radius than the underlying task requires. The article’s architecture points to an important operating rule for NHI governance: privilege should be brokered at the moment of use, not parked inside the workload. For IAM and PAM teams, that shifts the centre of gravity from access assignment to access issuance.
Zero trust is not complete unless the workload itself is the trust anchor. Network location, container placement, and orchestration context do not make an autonomous agent trustworthy. The control that matters is whether each action can be tied back to a verifiable non-human identity and a policy check at the point of use. The practitioner takeaway is that agent security has to be designed as identity-first infrastructure, not an add-on to application security.
Ephemeral credential trust debt is the right concept for this category. Agentic systems accumulate risk when short-lived execution patterns are paired with long-lived access assumptions. The governance gap is not simply over-privilege, but the mismatch between ephemeral work and persistent authorisation models. Teams should recognise that this is an NHI lifecycle problem wrapped around an AI runtime problem, which makes it cross-functional by design.
From our research:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- That visibility gap is why teams should also read the Ultimate Guide to NHIs, Key Challenges and Risks for the broader governance pattern behind NHI sprawl and over-privilege.
What this signals
Ephemeral credential trust debt: agentic systems create a mismatch between short-lived execution and long-lived access assumptions, which means review-based governance will miss the critical window unless credential issuance is tied directly to runtime. The programme signal is clear: if your controls only see entitlements at rest, they will not govern autonomous behaviour in motion.
With 80% of organisations already reporting AI agents acting beyond intended scope, the question is no longer whether the category needs governance, but whether identity teams can make policy follow execution. That pushes programmes toward workload certificates, policy-brokered credential use, and tighter logging across the NHI estate (see the Ultimate Guide to NHIs).
The practical shift is from access reviews to access choreography. Teams should expect agent identities to sit at the intersection of NHI governance and AI risk management, with the strongest control point being the credential broker rather than the application itself.
For practitioners
- Bind agent runtime to cryptographic workload identity: Issue a verifiable certificate to each agent instance before it can access internal services, SaaS platforms, or cloud APIs. Enforce mutual authentication so downstream systems can trust the workload identity, not the network location.
- Broker all external access through PAM: Require agents to authenticate to a privileged access workflow before retrieving repository, infrastructure, or database credentials. Keep every credential time-bound, policy-checked, and fully logged so the agent never stores static secrets locally.
- Separate identity proof from privilege scope: Do not let a valid certificate become a blank cheque for access. Use the certificate only to establish who or what the agent is, then apply task-scoped authorisation at the moment of credential retrieval or API invocation.
- Design for ephemeral execution and revocation: Align agent access with container lifetimes, workflow duration, and task completion, then revoke the credential path when the work ends. That prevents access from outliving the workload that needed it.
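The certificate-plus-PAM pattern from the technical breakdown and the four practitioner steps above, as an added worked example that is not Keyfactor's, Delinea's or NHIMG's code: a minimal credential broker in which identity verification and task-scoped authorisation are separate checks, issued credentials are short-lived and bound to one workload instance, and revocation follows the instance lifecycle. It assumes HMAC-signed identity tokens in place of X.509 workload certificates so it runs on the standard library alone, and the SPIFFE-style workload ids, resource names and policy are constructed for illustration.

```python
import hmac, hashlib, json, time, secrets

# Constructed issuer key: stands in for the CA that signs workload certificates.
# HMAC-signed tokens replace X.509 so the sample needs only the standard library.
ISSUER_KEY = b"demo-issuer-key-not-for-production"

def mint_identity(workload_id, instance_id, ttl=300, key=ISSUER_KEY):
    """Issuer side: bind a workload id (SPIFFE-style URI) to one runtime instance."""
    claims = {"wid": workload_id, "inst": instance_id, "exp": time.time() + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def verify_identity(token, key=ISSUER_KEY):
    """Identity proof only: return claims if signature and expiry hold, else None."""
    body, _, sig = token.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > time.time() else None

class CredentialBroker:
    """PAM-style broker: a valid identity is never a blank cheque; scope is checked separately."""
    def __init__(self, policy):
        self.policy = policy   # workload_id -> {(resource, scope), ...}
        self.active = {}       # credential -> {"inst", "resource", "scope", "exp"}
        self.audit = []        # one record per decision, for traceability

    def issue(self, identity_token, resource, scope, ttl=60):
        claims = verify_identity(identity_token)
        if claims is None:                       # checkpoint 1: who is asking?
            self.audit.append(("deny", "unverified", resource, scope)); return None
        if (resource, scope) not in self.policy.get(claims["wid"], set()):
            self.audit.append(("deny", claims["inst"], resource, scope)); return None
        cred = secrets.token_hex(16)             # checkpoint 2 passed: task-scoped grant
        self.active[cred] = {"inst": claims["inst"], "resource": resource,
                             "scope": scope, "exp": time.time() + ttl}
        self.audit.append(("issue", claims["inst"], resource, scope))
        return cred

    def validate(self, cred, resource, scope):
        """Checkpoint 3 at the point of use: unexpired, unrevoked, and for this exact scope."""
        rec = self.active.get(cred)
        return bool(rec) and rec["exp"] > time.time() \
            and (rec["resource"], rec["scope"]) == (resource, scope)

    def revoke_instance(self, instance_id):
        """Task or container ended: drop every credential bound to that instance."""
        for cred in [c for c, r in self.active.items() if r["inst"] == instance_id]:
            del self.active[cred]
            self.audit.append(("revoke", instance_id, None, None))
```

The audit list is what an operational review would read: every deny records whether it failed on identity or on scope, and every revoke is tied to the instance whose work ended.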
Key takeaways
- AI agents behave like runtime identities, so static IAM assumptions are no longer sufficient on their own.
- The strongest governance pattern combines workload certificates, PAM, and just-in-time credential retrieval.
- Identity teams should design for ephemeral execution, because persistent access creates an avoidable blast radius.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Agent certificates and secret handling map to NHI identity and access control. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and auditability are central to the article's control model. |
| NIST Zero Trust (SP 800-207) | AC-2 | The article is explicitly framed around zero trust for autonomous workloads. |
| NIST AI RMF | GV.1 | Autonomous agent governance requires clear ownership and policy accountability. |
Authenticate each workload at the point of use and avoid implicit trust from location or session state.
Key terms
- Agentic AI: Agentic AI describes software that can decide what action to take, choose tools, and execute work on behalf of a user or goal. In identity terms, it behaves more like a runtime actor than a passive application, which means access, audit, and accountability controls must follow its actions closely.
- Workload Identity: Workload identity is the cryptographic identity assigned to a non-human runtime, such as a container, service, or agent instance. It lets infrastructure prove who is calling before any privilege is granted, which is essential when the actor is ephemeral and cannot rely on human login patterns.
- Just-in-Time Credential Retrieval: Just-in-time credential retrieval is a governance pattern where access is issued only when needed and only for the duration of the task. For autonomous systems, this reduces persistent secret exposure and limits the blast radius if the workload behaves unexpectedly or is compromised.
- Blast Radius: Blast radius is the amount of damage a credential, identity, or policy failure can create if it is misused. For agentic systems, the concept matters because a single broad secret can let one runtime action affect multiple systems, data sets, or workflows before detection occurs.
Deepen your knowledge
AI agent identity and privileged access management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous workloads, it is worth exploring.
This post draws on content published by Keyfactor: Keyfactor + Delinea: Shortening the Leash on Your AI Agent. Read the original.
Published by the NHIMG editorial team on 2026-03-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org