By NHI Mgmt Group Editorial Team | Published 2025-11-17 | Domain: Agentic AI & NHIs | Source: Keyfactor

TL;DR: Static API keys and passwords do not provide verifiable identity for autonomous AI agents, so enterprise trust shifts toward certificate-backed identity, mTLS, and lifecycle automation according to Keyfactor and Gartner research. The governance question is no longer whether AI can act, but whether each action can be cryptographically attributed and constrained before it scales beyond human review.


At a glance

What this is: Keyfactor argues that agentic AI needs PKI-backed identity so enterprises can verify, constrain, and audit autonomous agent actions.

Why it matters: IAM, NHI, and human identity programmes all rely on trust models that fail when AI agents act independently without a durable, verifiable identity.



Context

Agentic AI creates an identity problem before it becomes an orchestration problem. If an autonomous agent can choose actions, access systems, and execute transactions without human approval, then the programme must prove who or what is acting at runtime, not just who provisioned the workflow.

Traditional human-centric controls do not map cleanly to AI agents because the access relationship is machine-paced, short-lived, and often highly distributed. In that setting, certificate-backed identities, workload-bound credentials, and lifecycle automation become the practical way to preserve accountability across NHI and AI governance.

The core issue is not that AI is powerful. The core issue is that existing access models assume a stable subject and a reviewable trail, while agentic systems can create, use, and retire privileges at machine speed.


Key questions

Q: How should security teams govern AI agents that access enterprise systems?

A: Security teams should govern AI agents as workload identities, not as enhanced users. That means issuing each agent a unique cryptographic identity, binding access to policy, and automating lifecycle controls for issuance, rotation, and revocation. Human login controls alone do not provide the attribution or runtime enforcement needed for autonomous execution.

Q: Why do static API keys create risk for autonomous AI agents?

A: Static API keys create risk because they are reusable, portable, and weakly bound to the specific actor using them. An autonomous agent can copy, chain, or reuse those credentials across services, which makes attribution and least privilege harder to enforce. Certificate-backed identity gives each agent a stronger, non-replicable trust anchor.

Q: How do mTLS and certificate-based OAuth help with AI agent governance?

A: mTLS and certificate-based OAuth help by tying communication and authorization to a verified identity rather than a bearer secret. That lets teams enforce who the agent is, what it may reach, and which actions it may perform. The result is stronger Zero Trust enforcement across machine-to-machine interactions.

Q: What should organisations rethink when AI agents can act without human approval?

A: Organisations should rethink review cycles, revocation timing, and accountability assumptions. If an agent can complete a task before a human review occurs, then access reviews no longer capture the full risk. Governance has to move to runtime policy, per-agent identity, and machine-speed lifecycle controls.


Technical breakdown

Why API keys and passwords fail for AI agent identity

API keys, passwords, and shared client secrets identify an application only weakly because they are portable, replayable, and often reused across environments. For agentic AI, that creates a governance blind spot: the system can act independently, but the credential does not prove which specific agent acted. PKI changes the identity primitive by binding a unique private key and X.509 certificate to a single agent instance. That gives the enterprise a cryptographic anchor for authentication, audit, and policy enforcement. It also reduces the risk that one leaked secret can impersonate a whole class of agents.

Practical implication: stop treating static secrets as sufficient identity for autonomous agents and move toward per-agent cryptographic identity.

How mTLS and certificate-based OAuth constrain agent communication

Mutual TLS verifies both sides of a connection, while certificate-based OAuth ties authorization to a trusted client identity rather than a reusable bearer secret. In an agentic environment, that matters because the agent may call services, chain to other agents, or move between APIs in the same session. Certificate policy can encode which systems an agent may reach and which actions it may perform, turning identity into a controllable boundary instead of a loose credential. This is the security value of extending Zero Trust to machine-to-machine agent traffic: every request is still evaluated, but the requester has a stronger, non-shared identity.

Practical implication: bind authorization to cryptographic identity and policy, not to bearer tokens that can move independently of the agent.

Why certificate lifecycle automation is the scaling control for autonomous fleets

Thousands of AI agents are operationally unmanageable if certificate issuance, rotation, and revocation require manual handling. Lifecycle automation is what prevents certificate-based identity from becoming just another administrative bottleneck. In practice, the control plane must issue certificates fast enough for ephemeral agents, revoke them when agents retire, and preserve attribution across the full activity trail. That is especially important in regulated environments where proof of actor identity and action traceability matter as much as access prevention. Without lifecycle automation, certificate identity becomes too slow to support the very workloads it is meant to secure.

Practical implication: automate issuance, rotation, and revocation or the identity model will not scale to short-lived agents.
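The mTLS binding and lifecycle checks described in the two sections above, as an added example (not code from Keyfactor or NHI Mgmt Group): a server that requires client certificates, then authorizes each request from the verified certificate instead of a bearer secret. The URI SAN naming scheme, the policy table, the revoked serial, and the 24-hour lifetime ceiling are constructed assumptions.

```python
import ssl
import time

# Hypothetical policy: agent URI SAN -> allowed (service, action) pairs.
POLICY = {"urn:example:agent:invoice-7f3a": {("billing-api", "read")}}
REVOKED_SERIALS = {"0BADC0DE"}   # constructed revocation set
MAX_LIFETIME_S = 24 * 3600       # assumed ceiling for short-lived agent certs

def server_context(ca_file, cert_file, key_file):
    """Server-side mTLS: the handshake fails unless the client presents a
    certificate that chains to the agent CA in ca_file."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(cert_file, key_file)
    return ctx

def agent_id(peer_cert):
    """Return the single URI SAN from SSLSocket.getpeercert(), else None."""
    uris = [v for k, v in peer_cert.get("subjectAltName", ()) if k == "URI"]
    return uris[0] if len(uris) == 1 else None

def authorize(peer_cert, service, action, now=None):
    """Decide one request from the verified client certificate alone."""
    now = time.time() if now is None else now
    ident = agent_id(peer_cert)
    if ident is None:
        return False, "no unique agent identity in certificate"
    if peer_cert.get("serialNumber", "").upper() in REVOKED_SERIALS:
        return False, "certificate revoked"
    start = ssl.cert_time_to_seconds(peer_cert["notBefore"])
    end = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    if not start <= now <= end:
        return False, "certificate outside validity window"
    if end - start > MAX_LIFETIME_S:
        return False, "certificate lifetime exceeds policy"
    if (service, action) not in POLICY.get(ident, set()):
        return False, f"{ident} may not {action} on {service}"
    return True, ident

# Constructed sample in the shape getpeercert() returns after a verified handshake.
SAMPLE_CERT = {
    "serialNumber": "1A2B3C",
    "notBefore": "Nov 17 00:00:00 2025 GMT",
    "notAfter": "Nov 17 12:00:00 2025 GMT",
    "subjectAltName": (("URI", "urn:example:agent:invoice-7f3a"),),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Nov 17 06:00:00 2025 GMT")
```

Because the decision uses only fields from the verified certificate, every allow or deny can be logged against one agent instance, and revoking a serial cuts off that agent without touching any other.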


NHI Mgmt Group analysis

PKI-backed agent identity is the right baseline for autonomous systems, but it also exposes how weak static credential thinking has become. An AI agent that can act without human approval cannot be governed as if its identity were a shared secret. The field needs to treat per-agent cryptographic identity as the minimum viable control for attribution, boundary enforcement, and auditability. For practitioners, the implication is that agent identity must be provisioned as a first-class trust object, not a secondary implementation detail.

Static credentials were designed for subjects whose access was stable enough to be reviewed later, and that assumption fails under agentic behaviour. A bearer token or API key can be copied, forwarded, or reused across decision points, but an autonomous agent may initiate actions, obtain data, and complete a workflow before a human review cycle ever starts. The implication is not merely to add a stronger secret, but to rethink review, revocation, and accountability around machine-paced execution.

Policy embedded in certificates is a useful governance pattern because it moves privilege from memory to machine-enforced constraints. That matters across NHI and autonomous identity because runtime authorisation has to survive scale, delegation, and short-lived execution. When the policy follows the identity artifact, practitioners can express scope in a way that survives automation. The implication is that identity policy should be enforceable at the credential layer, not only in surrounding application code.

Identity blast radius: the real risk in agentic AI is not only unauthorized access, but the speed at which one compromised or overbroad identity can chain through services, other agents, and regulated workflows. That makes AI agent governance a Zero Trust problem as much as an IAM problem. The strongest programmes will align workload identity, certificate lifecycle, and access policy under one operating model. Practitioners should assume that agent identity will be attacked as soon as it becomes operationally valuable.

Governing agentic AI with human-centric MFA assumptions will not work at enterprise scale. Workload-bound identities, certificate lifecycle automation, and auditable policy enforcement are the controls that map to autonomous execution. This is where IAM, NHI governance, and AI risk management converge. Practitioners should re-baseline their control design around workload identity rather than adapt human login patterns to machines.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • That gap is why practitioners should also examine OWASP Agentic AI Top 10 for control patterns that map runtime agent behaviour to governance decisions.

What this signals

Identity teams should expect agentic AI to accelerate the move from user-centric controls to workload-centric governance. The practical shift is not just stronger authentication, but stronger proof of actor identity at runtime. That means certificate lifecycle, service boundary policy, and auditability will become core requirements for any AI deployment that touches regulated data or transactions.

Per-agent identity will become a default expectation in mature programmes. Once AI systems start making independent decisions, shared secrets and generic application credentials no longer provide enough accountability for incident response or compliance evidence. Teams should prepare to integrate workload identity patterns into their IAM and NHI roadmaps rather than bolt them on later.

Agentic AI increases the value of Zero Trust at the identity layer. If an agent can reach multiple systems and chain actions across them, then every trust decision has to be explicit and enforceable. Practitioners should use resources like NIST AI Risk Management Framework and OWASP Agentic AI Top 10 to pressure-test their current governance assumptions.


For practitioners

  • Define each AI agent as a distinct identity object: Issue a unique certificate or workload-bound credential to every agent instance, including short-lived or task-specific agents, so attribution is not shared across multiple runtimes.
  • Bind service access to certificate-backed policy: Use mTLS and certificate extensions to constrain which services an agent may call, which actions it may perform, and which downstream identities it may delegate to.
  • Automate certificate issuance and revocation: Integrate identity lifecycle automation with agent orchestration so credentials are issued, rotated, and revoked at machine speed rather than through manual approvals.
  • Separate human MFA from workload identity controls: Do not extend human login patterns to autonomous agents. Map agents to workload identities and enforce Zero Trust decisions at the service boundary instead of the user login boundary.

Key takeaways

  • Agentic AI cannot be governed safely with shared secrets and human-centric login assumptions.
  • Certificate-backed identity, mTLS, and lifecycle automation turn AI agents into auditable workload identities.
  • The next control gap is not whether agents can act, but whether each action can be attributed, constrained, and revoked in time.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A2 | Agent identity and tool access are central to autonomous AI risk.
NIST AI RMF |  | AI governance needs accountable identity and lifecycle controls.
NIST Zero Trust (SP 800-207) | PR.AC-3 | mTLS and certificate-bound access align with Zero Trust authentication.

Use strong, per-entity authentication and policy enforcement at each service boundary.


Key terms

  • Agentic AI Identity: The identity assigned to an AI system that can make decisions and act without human approval. In practice, it must be unique, cryptographically verifiable, and tied to the specific runtime instance so that actions can be attributed and controlled across services and sessions.
  • Workload Identity: A machine identity used by applications, services, and automated systems to authenticate to other systems. For autonomous agents, workload identity must support stronger attribution than a shared secret and should be paired with lifecycle controls for issuance, rotation, and revocation.
  • Certificate Lifecycle Automation: The automated process of issuing, renewing, rotating, and revoking certificates without manual handling. For AI agents, it is the control that keeps cryptographic identity usable at scale while reducing the chance that expired or orphaned credentials continue to grant access.
  • Identity Blast Radius: The amount of damage a single identity can cause if it is compromised, overbroad, or reused too widely. For agentic AI, blast radius can grow quickly because one identity may trigger chained actions across services, other agents, and regulated workflows.


This post draws on content published by Keyfactor: 3 Things to Know About Keyfactor’s PKI-Based Identity for Agentic AI.
