TL;DR: Enterprise demand for secure identity, certificate, and cryptographic trust across humans, machines, and AI systems is driving rising pressure around agentic AI and post-quantum readiness, and Keyfactor points to its 210% three-year revenue growth and sixth straight Deloitte Fast 500 appearance as a reflection of that trend. The signal for practitioners is that digital trust is moving from infrastructure hygiene to core identity governance.
At a glance
What this is: This press release frames Keyfactor’s growth as evidence that enterprises are expanding digital trust requirements across machine identities and AI agents.
Why it matters: IAM, NHI, and identity architects now have to treat cryptographic identity, certificate lifecycle, and agent governance as linked control problems rather than separate programmes.
By the numbers:
- Keyfactor says it achieved 210% three-year growth, earning Deloitte Technology Fast 500 recognition for the sixth consecutive year.
- The Deloitte Technology Fast 500 ranks the 500 fastest-growing companies in North America.
- Keyfactor says 2025 recognition marks its sixth consecutive year on the Fast 500.
Context
Keyfactor's press release is really about the growing importance of digital trust for AI agents, machines, and human identities. The article uses a growth announcement to argue that cryptographic identity, certificate lifecycle management, and posture visibility are becoming central to identity governance programmes.
For IAM and NHI teams, the practical issue is not revenue growth itself. It is the underlying demand signal: enterprises are trying to bind trust to more non-human actors, while also preparing for post-quantum change and broader automation across environments.
Key questions
Q: How should security teams govern cryptographic identity for machine and agent access?
A: Security teams should govern cryptographic identity as part of identity lifecycle management, not as a separate PKI task. Every certificate, token, and key should have an owner, an expiry rule, a revocation path, and a linked business purpose. That is how machine access stays attributable and removable when the system changes.
Q: Why do AI agents complicate digital trust programmes?
A: AI agents complicate digital trust because authentication alone does not constrain runtime behaviour. Once an agent can select tools and act during execution, the programme must govern scope, accountability, and offboarding, not just credential issuance. Trust controls that work for static workloads can fail when the actor changes actions dynamically.
Q: What breaks when machine identities are not tied to lifecycle ownership?
A: When machine identities lack lifecycle ownership, certificates and tokens persist beyond their intended purpose and become standing access. That creates revocation gaps, weak accountability, and a larger attack surface for both attackers and misconfigured automation. The control failure is not visibility alone. It is unresolved authority over the identity.
Q: How do teams decide whether to treat an AI system as a governed identity?
A: Treat an AI system as a governed identity when it can independently access tools, data, or actions that affect production outcomes. At that point, the team needs clear ownership, scope boundaries, monitoring, and revocation. If those controls do not exist, the system is operating as an unmanaged identity, not a controlled one.
Technical breakdown
Cryptographic identity as the trust layer for machine and agent access
Cryptographic identity uses certificates, keys, and related trust anchors to prove that a workload, service, or AI agent is what it claims to be. In practice, this sits below application logic and above raw network access, which is why it matters for Zero Trust environments. When identity expands beyond people, certificate issuance, rotation, revocation, and validation become the enforcement plane for machine-to-machine trust. The challenge is that cryptographic assurance only works if lifecycle controls keep pace with asset creation and decommissioning.
Practical implication: map every machine and agent trust path to certificate ownership, rotation, and revocation responsibility.
Certificate lifecycle management and crypto-agility
Certificate lifecycle management covers issuance, renewal, rotation, replacement, and revocation. Crypto-agility is the ability to change algorithms, keys, or trust mechanisms without rebuilding the environment. Those two ideas are linked because long-lived credentials and brittle trust stores make change expensive and risky. For organisations that depend on NHIs and automated systems, crypto-agility is not an abstract future-state goal. It is the operational requirement that allows the trust layer to survive changes in policy, scale, and cryptographic standards.
Practical implication: inventory certificate ownership and test whether rotation or algorithm changes can be executed without service interruption.
Agentic AI identities and digital trust controls
Agentic AI changes the identity problem because the actor can choose actions and tool use at runtime, which makes static identity assumptions less reliable. Even when the control plane still relies on certificates or tokens, the operational question becomes whether the trust model can distinguish approved agent behaviour from simply authenticated execution. That is why the article's AI framing matters: the next governance debate is not whether agents need identities, but how those identities are constrained, attested, and monitored across tool access and delegated actions.
Practical implication: treat AI agents as governed identities and require explicit ownership, scope definition, and monitoring across every tool they can reach.
Threat narrative
Attacker objective: The objective is to turn trusted identity into broad operational reach, allowing abuse of machine trust relationships at scale.
- entry: A trusted workload, certificate, or token provides the initial identity foothold into systems that assume cryptographic proof is sufficient for access.
- escalation: Once that identity is trusted, standing permissions and broad trust relationships let the actor move from authentication to unintended action paths.
- impact: The attacker or misbehaving actor can impersonate trusted systems, expand access, or undermine the integrity of connected services and data.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Digital trust is becoming the control plane for machine and agent identity, not just a certificate-management problem. The article's growth message is a market signal that enterprises are buying into cryptographic assurance as the way to scale identity across workloads, systems, and emerging AI agents. That shifts the conversation from isolated PKI operations to lifecycle governance, ownership, and revocation across every non-human actor. Practitioners should treat digital trust as an identity architecture issue, not a tooling silo.
Certificate lifecycle gaps now create identity risk wherever trust is delegated to machines. When certificates and keys outlive their owners, the trust layer becomes a standing access mechanism that attackers and misconfigured automation can exploit. This is where OWASP-NHI and Zero Trust thinking intersect: identity must be short-lived, attributable, and revocable across the full asset lifecycle. The operational conclusion is straightforward: unmanaged cryptographic identity becomes attack surface, not assurance.
Agentic AI forces a broader identity model because authenticated does not mean governed. The article's reference to autonomous agents exposes a familiar failure mode in a new form: organisations can authenticate an agent without constraining what it may do once trusted. That means the relevant governance question is not only credential issuance, but whether the identity framework can preserve accountability when runtime decisions are delegated to software. Practitioners should reassess whether their current controls still work once the actor can choose its own tool path.
Ephemeral trust debt: the real problem is not just inventory, but unresolved authority. The market is moving toward more identities, more automation, and more cryptographic assertions, yet many programmes still assume trust can be inferred from possession of a valid credential. That assumption weakens as machine and agent populations expand, because the challenge is no longer simply proving identity. It is proving that trust expires when authority expires. Practitioners should align governance to expiration, not just issuance.
Zero Trust only extends into autonomous systems when identity ownership and revocation are explicit. The article points to a future where digital trust spans humans, machines, and AI systems, but the architecture succeeds only when every identity has a clear steward and a clear offboarding path. Without that, cryptographic proof becomes a veneer over an accumulation of standing privilege. The practitioner takeaway is to connect trust management to lifecycle governance before scale turns it into a blind spot.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Another finding from our research shows that 71% of NHIs are not rotated within recommended time frames, which keeps trust relationships alive longer than governance teams expect.
- For a broader control baseline, the NHI Lifecycle Management Guide is the next resource for provisioning, rotation, and offboarding discipline.
What this signals
Ephemeral trust debt: as machine and agent populations grow, the real governance risk is not just credential count but the amount of unresolved authority attached to each identity. Teams should watch for certificates, keys, and tokens that remain valid after their operational purpose has changed, because those assets quietly become standing privilege.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the operational gap is already visible in most environments. The programme response is to tie cryptographic identity controls to the same lifecycle discipline used for human and service-account access, not to treat them as separate domains.
The market message here is that digital trust is moving closer to identity governance, Zero Trust, and workload identity management. Organisations that cannot name the owner, expiry condition, and revocation path for each non-human credential will struggle to scale AI and automation safely.
For practitioners
- Inventory cryptographic identity owners: Create a system-by-system register of certificates, keys, and tokens with named business and technical owners, then tie each asset to renewal and revocation responsibility.
- Review trust paths for machine and agent access: Map where workloads, service accounts, and AI agents use certificates or tokens to reach tools and APIs, then remove any access path that cannot be attributed to a clear approval model.
- Test crypto-agility under change: Validate whether certificate rotation, algorithm changes, and trust store updates can happen without service outages or manual exception handling.
- Define governance for AI agent identities: Assign ownership, scope, and monitoring to each AI agent identity before it is allowed to act in production, especially where tool access can change at runtime.
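One way to check the register described in the first item, as an added example that is not from Keyfactor or the original post: it flags credentials with no owner, purpose, expiry rule, or revocation path, and credentials that stay valid after their owner is offboarded. The field names, the 90-day rotation window, and the sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_AGE = timedelta(days=90)  # assumed rotation policy, not a figure from the page

@dataclass
class Credential:  # hypothetical register row
    name: str
    kind: str                       # "certificate", "key" or "token"
    owner: Optional[str]            # named steward
    owner_active: bool              # False once the team/system is offboarded
    purpose: Optional[str]          # linked business purpose
    issued: date
    expires: Optional[date]         # None = no expiry rule
    revocation_path: Optional[str]  # how it gets revoked, e.g. "CA CRL"

def audit(cred: Credential, today: date) -> list[str]:
    """Return governance findings for one credential, in a fixed order."""
    findings = []
    still_valid = cred.expires is None or cred.expires >= today
    if not cred.owner:
        findings.append("no-owner")
    elif not cred.owner_active and still_valid:
        findings.append("authority-expired")  # trust outlived its owner
    if not cred.purpose:
        findings.append("no-purpose")
    if not cred.revocation_path:
        findings.append("no-revocation-path")
    if cred.expires is None:
        findings.append("no-expiry")
    if still_valid and today - cred.issued > MAX_AGE:
        findings.append("rotation-overdue")
    return findings

def audit_register(register, today):
    """Map credential name -> findings, omitting clean entries."""
    report = {c.name: audit(c, today) for c in register}
    return {name: f for name, f in report.items() if f}

# Constructed sample register (not real data).
REGISTER = [
    Credential("payments-mtls-cert", "certificate", "payments-platform", True,
               "service-to-service mTLS", date(2025, 10, 1), date(2025, 12, 30), "CA CRL"),
    Credential("ci-deploy-token", "token", None, True,
               "CI deploys", date(2024, 3, 1), None, None),
    Credential("support-agent-key", "key", "support-tools", False,
               "ticket triage agent", date(2025, 9, 15), date(2026, 3, 15), "KMS disable"),
]

if __name__ == "__main__":
    for name, findings in audit_register(REGISTER, date(2025, 11, 19)).items():
        print(name, findings)
```

The `authority-expired` finding is the case the analysis calls ephemeral trust debt: the credential itself is well-formed and unexpired, but nobody with live authority stands behind it.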
Key takeaways
- Machine and agent identity is becoming a core part of digital trust, which pushes certificate governance into the identity programme.
- High-growth market signals do not remove the control problem. They usually mean more identities, more delegation, and more lifecycle risk.
- The practical answer is explicit ownership, revocation, and crypto-agility across every non-human trust path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate and key rotation are central to the article's trust-risk discussion. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | The article links digital trust to Zero Trust-style identity verification. |
| NIST CSF 2.0 | PR.AC-4 | Access governance is the practical control theme behind certificate and agent trust. |
Map every NHI credential to rotation, expiry, and revocation controls, then close any long-lived trust gaps.
Key terms
- Digital Trust: Digital trust is the set of cryptographic and governance controls that let systems verify who or what is connecting, and whether that connection should still be trusted. In practice it depends on certificates, keys, revocation, lifecycle ownership, and monitoring across human, machine, and agent identities.
- Cryptographic Identity: Cryptographic identity is the use of certificates, keys, and related trust material to prove the identity of a workload, service, or software actor. It is only useful when the organisation can issue, rotate, revoke, and attribute those credentials quickly enough to keep pace with system change.
- Crypto-Agility: Crypto-agility is the ability to change cryptographic algorithms, keys, or trust mechanisms without redesigning the environment. It matters because identity programmes must keep working as standards, threat models, and infrastructure change, especially where machine identities and long-lived trust stores are involved.
- Agentic AI Identity: Agentic AI identity is the governance of an AI system that can choose actions, tools, or execution timing at runtime. It requires more than authentication because the core risk is not only access, but whether the actor's delegated authority is bounded, monitored, and revocable.
This post draws on content published by Keyfactor: Keyfactor marks sixth consecutive year on Deloitte's Fast 500, continuing as the fastest-growing digital trust provider. Read the original.
Published by the NHIMG editorial team on 2025-11-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org