TL;DR: Shorter certificate lifetimes, rising automation demands, and the spread of agentic AI are pushing machine identity governance beyond manual renewal models, according to SPHERE Technology Solutions' podcast highlights. The real issue is that identity programmes built on human-paced review cycles cannot reliably manage fast-changing certificate and key lifecycles.
At a glance
What this is: This podcast recap argues that certificate security is now an identity governance problem, not just an infrastructure task, because machine identities and agentic AI are multiplying renewal and access risks.
Why it matters: It matters because IAM, PAM, and NHI teams must govern machine certificates, keys, and AI-driven identities with the same discipline they already apply to human access and lifecycle control.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Context
Certificate lifetimes are shrinking, and that changes the identity problem. When SSL and TLS certificates expire more often, renewal becomes a governance issue rather than a routine maintenance task, especially in environments that still depend on manual approval chains.
The same pressure is now showing up in broader machine identity programmes. Certificates, keys, API tokens, and agentic AI credentials all behave like non-human identities, which means IAM teams need ownership, visibility, and lifecycle controls that match machine speed rather than human process cadence.
Key questions
Q: How should security teams handle certificate renewals as lifetimes get shorter?
A: Security teams should treat certificate renewal as a lifecycle control, not a ticketing exercise. Build complete inventories, assign explicit owners, automate high-volume renewals, and keep exception paths visible. The goal is to prevent expiry from becoming an availability event while maintaining clear accountability for every certificate in production.
Q: Why do short-lived certificates increase governance risk?
A: Short-lived certificates increase governance risk because they compress the time available for manual review, approval, and replacement. If renewal processes depend on people, the chance of delay, outage, or inconsistent trust state rises quickly. Short lifetimes only improve security when ownership and automation are already mature.
Q: What do security teams get wrong about machine identity management?
A: Security teams often treat certificates, keys, and tokens as infrastructure details instead of governed identities. That mistake leaves gaps in ownership, offboarding, and rotation. Once machine credentials are viewed as identities, the programme can apply the same lifecycle discipline used for access control and privileged accounts.
Q: How should organisations govern AI systems that need credentials?
A: Organisations should place AI systems inside the non-human identity inventory and assign each one a clear owner, scope, and offboarding path. If an AI feature can authenticate, call tools, or hold tokens, it needs lifecycle governance. Without that, hidden access paths can outlive visibility and accountability.
Technical breakdown
Why shorter certificate lifetimes break manual renewal models
When certificate validity drops from a year to 47 days (the CA/Browser Forum's end state for publicly trusted TLS certificates), renewal frequency rises sharply and the tolerance for manual handling disappears. The operational problem is not just volume, but coordination across load balancers, gateways, cloud stores, and application owners. A certificate that expires silently can interrupt authentication, break service-to-service trust, or create emergency change activity that is itself risky. In practice, certificate security becomes a lifecycle control problem: inventories, ownership, renewal triggers, and exception handling all need to work continuously, not periodically.
Practical implication: map every certificate to an owner and renewal path before shorter lifespans expose gaps in coverage.
How automation changes machine identity governance
Automation is not a convenience layer here. It is the only practical way to keep renewal and rotation from becoming outage events as certificate counts rise. But automation still needs governance because unmanaged workflows can hide exceptions, create blind spots, or leave critical assets outside the automated path. The right model is selective automation around high-volume infrastructure, paired with escalation paths for edge cases and clear reporting on what remains manual. That is the difference between operational scale and uncontrolled sprawl.
Practical implication: automate the high-volume certificate estate first, then track every exception as a governance defect.
Why agentic AI turns credential management into an identity problem
Agentic AI changes the identity conversation because these systems need credentials, access, and trust relationships to operate at machine speed. Unlike static scripts, they can chain actions continuously, which increases the importance of knowing which keys, tokens, and certificates belong to which runtime identity. The article also points to shadow AI, where vendors embed AI capabilities without clear enterprise oversight. That creates a discovery problem as much as a security problem, because unmanaged AI agents may inherit access without clear ownership or offboarding.
Practical implication: include AI agents in your non-human identity inventory and require explicit ownership for every runtime credential.
NHI Mgmt Group analysis
Certificate security is now a non-human identity governance problem. The article shows that certificate expiry, renewal, and ownership cannot be treated as isolated infrastructure tasks once lifetimes compress and renewal frequency rises. Machine identities behave like NHIs because they are credentials with lifecycle obligations, not just technical artifacts. Practitioners should treat certificate governance as part of the same control plane used for service accounts, keys, and tokens.
Manual renewal processes create an identity availability risk, not just an operational burden. When humans remain in the loop for every renewal decision, the control path becomes too slow for modern certificate volumes. That delay can produce outages, emergency changes, and inconsistent trust states across the environment. The practitioner conclusion is that renewal latency is itself a security exposure.
Shadow AI introduces unmanaged credential sprawl that certificate programmes cannot ignore. The article’s agentic AI discussion is a reminder that new runtime identities often appear inside products before security teams can inventory them. That means the governance boundary is moving from known servers and services to embedded AI functions with their own access paths. The practitioner conclusion is that identity inventory must expand to include AI-enabled machine identities.
Identity hygiene now depends on ownership, visibility, and automated lifecycle control across machines. The old assumption that humans manage the important identities and machines are merely configured assets no longer holds. Certificate security, API tokens, and AI agent credentials all require explicit accountability and continuous lifecycle enforcement. Practitioners should rebuild governance around machine identity first, then extend the same discipline to human access where needed.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- For a broader lifecycle lens, the NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding need to be tied to ownership and visibility.
What this signals
Identity blast radius: shorter certificate lifetimes reduce the safe margin for manual intervention, so the question becomes how much of the credential estate can be renewed without a human bottleneck. If renewal depends on approvals, the risk is no longer just expiry, it is repeated exposure to avoidable service disruption.
With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, certificate programmes cannot stay isolated from broader access governance. The same visibility and ownership discipline needed for machine credentials now needs to cover AI-enabled runtime identities too.
That is where teams should align certificate management with NIST Cybersecurity Framework 2.0 functions for identify, protect, and respond. The next step is not just faster renewal, but better decision-making about which credentials can be automated, which need exception handling, and which belong in a formal lifecycle process.
For practitioners
- Inventory every certificate and key: Create a complete register that ties each certificate to an owner, renewal method, expiry date, and dependent application. Treat unknown ownership as a control failure, not an administrative gap.
- Automate renewals for high-volume infrastructure: Start with load balancers, API gateways, and cloud key stores where one workflow can cover many certificates. Keep exception handling visible so the automated path does not hide unmanaged assets.
- Extend NHI governance to AI credentials: Add agentic AI systems to the same lifecycle process used for service accounts and tokens. Require explicit credential ownership, offboarding steps, and revocation tracking for every AI-enabled runtime identity.
- Measure the manual exception rate: Track how many certificates still require human intervention at renewal time and where those exceptions sit. A shrinking manual estate is a governance outcome, not just an automation metric.
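The four items above (register with owner, expiry and renewal path; automate the bulk; include AI credentials; measure the manual exception rate) fit in one check that can run on every register export. The script below is an added example, not code from the original post or from SPHERE; the register rows, the per-path renewal latencies and the safety margin are constructed for illustration. It computes, per credential, the last moment a renewal can start and still land before expiry given its renewal path, flags unknown ownership as a control failure, reports the manual exception rate, and shows why a ticket-driven path that needs ten days cannot keep up once lifetimes reach 47 days.

```python
"""Credential register checks (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import ceil
from typing import Optional, List, Tuple

# Assumed renewal-path latencies: time from "renewal triggered" to "replacement
# deployed". Illustrative values, not figures from the original post.
PATH_LATENCY = {
    "acme": timedelta(hours=1),     # ACME client renews and reloads the service
    "pipeline": timedelta(days=1),  # CI/CD job issues and deploys the credential
    "manual": timedelta(days=10),   # ticket, approval, CSR, install by hand
}
SAFETY_MARGIN = timedelta(days=3)   # validity we still want left after renewal lands


@dataclass(frozen=True)
class CredRecord:
    name: str
    kind: str                  # "x509" or "api_token"; same lifecycle rules apply
    owner: Optional[str]       # None = nobody accountable (a control failure)
    not_after: datetime
    renewal_path: str          # key into PATH_LATENCY
    dependents: Tuple[str, ...] = ()


def renew_by(rec: CredRecord) -> datetime:
    """Latest moment a renewal can start and still finish before the margin."""
    return rec.not_after - PATH_LATENCY[rec.renewal_path] - SAFETY_MARGIN


def assess(register: List[CredRecord], now: datetime):
    """Return (findings, manual_exception_rate).

    Finding codes:
      no_owner      nobody accountable for renewal or offboarding
      expired       not_after has already passed
      renewal_late  renew_by has passed: this path can no longer finish in time
      manual_path   still outside automation (tracked as a governance defect)
    """
    findings: List[Tuple[str, str]] = []
    manual = 0
    for rec in register:
        if rec.owner is None:
            findings.append((rec.name, "no_owner"))
        if rec.not_after <= now:
            findings.append((rec.name, "expired"))
        elif renew_by(rec) <= now:
            findings.append((rec.name, "renewal_late"))
        if rec.renewal_path == "manual":
            manual += 1
            findings.append((rec.name, "manual_path"))
    rate = manual / len(register) if register else 0.0
    return findings, rate


def renewals_per_year(lifetime_days: int, path: str) -> int:
    """Renewals one credential needs per year when renewed at renew_by on this path."""
    usable = timedelta(days=lifetime_days) - PATH_LATENCY[path] - SAFETY_MARGIN
    if usable <= timedelta(0):
        raise ValueError(f"{path} path cannot keep up with a {lifetime_days}-day lifetime")
    return ceil(timedelta(days=365) / usable)


# Constructed register; NOW is fixed so the run is reproducible.
NOW = datetime(2025, 9, 8, tzinfo=timezone.utc)
REGISTER = [
    CredRecord("api-gw-edge", "x509", "platform-team", NOW + timedelta(days=30), "acme",
               ("api.example.test",)),
    CredRecord("lb-internal", "x509", "netops", NOW + timedelta(days=5), "manual",
               ("svc-a", "svc-b")),
    CredRecord("legacy-erp", "x509", None, NOW + timedelta(days=20), "manual"),
    CredRecord("ci-runner", "x509", "devex", NOW - timedelta(days=1), "pipeline"),
    # An AI agent's tool-calling token sits in the same register as the certificates.
    CredRecord("support-agent-token", "api_token", "cx-platform", NOW + timedelta(days=60),
               "pipeline", ("ticketing-api",)),
]

if __name__ == "__main__":
    found, rate = assess(REGISTER, NOW)
    for name, code in found:
        print(f"{code:13s} {name}")
    print(f"manual exception rate: {rate:.0%}")
    for path in ("acme", "manual"):
        print(f"47-day lifetime on {path}: {renewals_per_year(47, path)} renewals/year")
```

In the constructed run, `lb-internal` is flagged `renewal_late` five days before expiry even though it is not yet expired: a ten-day manual path started today lands after the certificate is gone, which is the "renewal latency is itself a security exposure" point in the analysis above. The same arithmetic shows a manual path needing eleven renewals a year per certificate at a 47-day lifetime, and raising `ValueError` for lifetimes shorter than the path's own latency plus margin.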
Key takeaways
- Certificate lifetimes are shrinking fast enough that manual renewal models now create identity risk as well as outage risk.
- Machine identity governance depends on ownership, visibility, and automation, especially when certificates, keys, and AI credentials multiply together.
- Programmes that treat NHIs as first-class identities can control renewal pressure, reduce blind spots, and limit the blast radius of expired credentials.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI7 Long-Lived Secrets (and NHI1 Improper Offboarding) | Certificate renewal, rotation, and offboarding failures map directly to NHI lifecycle weaknesses. |
| NIST CSF 2.0 | PR.AA-01 (identities and credentials for users, services, and hardware are managed) | Certificate ownership and access trust are core identity-management dependencies. |
| NIST Zero Trust (SP 800-207) | Tenets of zero trust (Section 2.1) | Certificate trust underpins zero-trust service authentication and verification. |
Map machine identity ownership and renewal controls to access governance and review them regularly.
Key terms
- Machine Identity: A machine identity is a non-human credential or trust object that lets software, services, or devices prove who they are. In practice, this includes certificates, keys, tokens, and workload identities that must be owned, rotated, and retired like any other governed identity.
- Certificate Lifecycle: Certificate lifecycle is the full process of issuing, tracking, renewing, replacing, and revoking certificates before they expire or become unsafe. In mature programmes, lifecycle control is continuous, because expiry, misconfiguration, and orphaned certificates all create trust and availability risk.
- Shadow AI: Shadow AI is the use of AI capabilities or agents that security and identity teams have not formally discovered or governed. These hidden runtime identities can carry credentials, access data, and execute actions without clear ownership, making inventory and offboarding difficult.
- Identity Blast Radius: Identity blast radius is the amount of damage that can occur when a single identity or credential is compromised, misused, or left unmanaged. For machine identities, it grows with privilege scope, renewal gaps, and the number of systems that trust the credential.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SPHERE Technology Solutions: podcast highlights from Smells Like Identity Hygiene on certificates, automation, and agentic AI. Read the original.
Published by the NHIMG editorial team on 2025-09-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org