TL;DR: PKI-based identity can secure agentic AI by extending certificate-based trust into AI agent workflows, positioning identity as the control plane for agent access, tool use, and auditability, according to Keyfactor. That matters because agentic systems inherit NHI governance problems unless identity, privilege, and lifecycle controls are designed for runtime behaviour, not just service accounts.
At a glance
What this is: This is a vendor analysis about using PKI-based identity to secure agentic AI, with the central finding that certificate-backed trust needs to extend into agent workflows.
Why it matters: It matters because IAM, PAM, and NHI teams need a governance model that can cover AI agents, machine identities, and human-controlled approvals without assuming one control pattern fits all.
By the numbers:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
- Only 5.7% of organisations have full visibility into their service accounts.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Context
PKI-based identity for agentic AI is about giving software actors a verifiable identity that can be authenticated, authorised, and governed across their runtime interactions. The governance gap is that many IAM programmes still treat machine trust as static infrastructure plumbing, while agentic systems make decisions and call tools in ways that change the risk surface at runtime.
For identity teams, the issue is not whether certificates matter. It is whether certificate-backed trust is being extended into AI agent governance, lifecycle control, and privilege boundaries in a way that aligns with NHI and autonomous-system oversight. Without that shift, agent identity becomes another exposed trust layer rather than a control point.
Keyfactor frames the problem around securing agentic AI, which is typical of the broader market conversation: vendors are moving from AI novelty to identity control mechanics, while practitioners still need a governance model that can survive tool chaining, delegated access, and audit requirements.
Key questions
Q: How should security teams govern PKI-based identity for AI agents?
A: They should treat certificates as the start of governance, not the finish. The important controls are scoped issuance, short-lived trust, revocation tied to workflow changes, and logging that links each certificate to downstream actions. Without those controls, PKI authenticates the agent but does not contain its authority or explain what it did.
Q: Why do AI agents complicate traditional machine identity controls?
A: AI agents can change actions, choose tools, and continue execution in ways that static workload identities were never designed to describe. Traditional controls assume a bounded service role, but agentic behaviour can expand effective privilege during the session. That makes lifecycle, delegation, and traceability more important than simple identity proof.
Q: What breaks when certificate lifecycle is not tied to agent workflows?
A: Revocation and rotation lose operational meaning if the certificate is no longer mapped to a specific workflow, delegate, or action path. The identity may still be valid while the business task has changed, which creates hidden overreach and weak forensic evidence. Security teams should not let certificates outlive the authority they were meant to represent.
Q: Who is accountable when an autonomous agent uses privileged access incorrectly?
A: Accountability depends on where approval was granted, who owned the agent, and which privileged systems it was allowed to reach. If the human approved the task, the platform granted the certificate, and downstream access was over-broad, responsibility is distributed across governance layers. The audit record must show that chain clearly.
Technical breakdown
PKI-based identity for agentic AI workloads
PKI gives an actor a cryptographically verifiable identity by binding keys to certificates and certificates to trust anchors. In agentic environments, that identity can be used to authenticate an agent to APIs, services, and tool endpoints without relying on shared secrets alone. The technical question is not just issuance, but how trust is scoped, rotated, revoked, and logged when the actor can change actions mid-session. For agentic AI, certificate-based identity only helps if the trust chain is tied to runtime authorisation and not treated as a one-time onboarding step.
Practical implication: map certificate issuance and revocation to the same lifecycle controls you apply to other non-human identities.
Why agent identity needs more than authentication
Authentication answers who the actor is, but agentic systems also need to prove what the actor is allowed to do as it moves through tools and services. That is where PKI often gets over-extended: a valid certificate can confirm identity, yet still leave tool scope, delegation, and session behaviour under-governed. In AI agent settings, the real control problem is keeping identity, authorisation, and activity boundaries aligned when execution paths are not fully predetermined. NIST AI RMF and agentic threat models both point to this separation between identity proof and behavioural control.
Practical implication: separate authentication trust from tool authorisation and session constraints.
Certificate lifecycle and auditability in autonomous workflows
Lifecycle is where many identity models fail under agentic pressure. Certificates expire, rotate, and get revoked, but autonomous or semi-autonomous workflows may keep acting across services long after the original trust assumption was made. That creates an audit problem as much as an access problem, because the organisation needs to know which certificate enabled which action, when, and under whose delegated authority. Without strong lifecycle coupling, PKI can become a clean identity layer on top of an unclear accountability model.
Practical implication: require end-to-end certificate-to-action traceability for every agent workflow.
Threat narrative
Attacker objective: The objective is to turn a trusted agent identity into a scalable path for unauthorised access, tool misuse, or data exfiltration.
- Entry occurs when an AI agent or workload presents a certificate-backed identity to gain access to tools, APIs, or services.
- Escalation follows if that identity is over-scoped, reused across workflows, or insufficiently bound to session-level intent and delegation.
- Impact is achieved when the agent can chain tool actions, access data, or invoke downstream systems with no clear lifecycle or approval boundary.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
PKI-based identity is becoming the trust wrapper for agentic AI, but it does not solve governance by itself. Certificates can prove an actor is genuine, yet they do not define whether that actor should be able to chain tools, move across services, or act outside the original request. That means the control problem shifts from simple authentication to lifecycle-bound authorisation and auditability. Practitioners should treat PKI as an identity primitive, not a complete governance model.
Agentic AI exposes a trust boundary problem that classic machine identity programmes did not have to solve. Service accounts were usually provisioned for bounded workloads, but agents can change behaviour mid-session, call new tools, and expand their own effective reach. That creates a runtime governance gap where static certificate issuance is no longer enough to describe actual privilege. Practitioners should reassess where runtime trust now sits in the control stack.
Certificate lifecycle becomes the real policy engine when AI agents are in the loop. If revocation, rotation, and traceability are not tied to specific agent actions, identity can outlive accountability. The result is not just excess access but a gap in forensic clarity, because the organisation cannot easily prove which identity drove which action. Practitioners should connect lifecycle to delegated authority, not just credential hygiene.
PKI for agentic AI widens the identity conversation across NHI, PAM, and human approval paths. The most useful control model is the one that shows where a human approved the agent, where the agent operated as an NHI, and where privileged access was consumed downstream. That cross-actor view matters more than any single product category. Practitioners should design for end-to-end identity provenance across the delegation chain.
Agent identity governance will increasingly be judged by traceability rather than trust claims. Security teams will need to explain not only that an agent was authenticated, but also how its actions were bounded, logged, and revocable. That is the difference between identity as a badge and identity as a control surface. Practitioners should measure whether agent actions can be attributed cleanly from certificate to outcome.
From our research:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- For a deeper governance baseline, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding controls.
What this signals
PKI-backed agent identity will push IAM teams toward provenance-based governance. Once agent actions must be attributed to a certificate, a delegate, and a downstream tool path, the programme can no longer rely on simple account inventories. With 80% of identity breaches already involving compromised non-human identities such as service accounts and API keys, the control gap is structurally familiar even when the actor class changes. Teams should prepare for provenance to become a core audit requirement. (Source: Ultimate Guide to NHIs)
Certificate lifecycle will matter more than certificate existence. A valid identity is not the same as a governed identity, especially when autonomous or semi-autonomous workflows can persist beyond the original approval point. The practical programme change is to connect issuance, revocation, and action logging to the same lifecycle record, rather than treating them as separate operational concerns. (Source: NHI Lifecycle Management Guide)
The next maturity step is not more trust in the certificate layer. It is tighter linkage between identity proof, tool scope, and reviewable business intent, so that agent-driven access can be explained after the fact as clearly as it was granted before the fact.
For practitioners
- Bind agent certificates to explicit runtime scope: Define what each AI agent certificate can access, which tools it may call, and which services sit outside that trust boundary. Treat broad certificate validity as a design flaw unless the delegated scope is narrow and reviewable.
- Tie revocation to workflow completion events: Revoke or reissue credentials when the agent task, approval context, or delegated objective changes. Use certificate lifecycle controls to close the window where an old identity can still act with current trust.
- Create certificate-to-action audit chains: Record which certificate, which delegation path, and which downstream action were involved in every agent transaction. This should support investigations across tool calls, not just login events.
- Review downstream privileged access consumed by agents: Check whether the agent can reach APIs, secrets, or admin functions that were never intended for its original workload role. Where the chain touches privileged infrastructure, apply PAM-style approval and tighter session constraints.
- Map human approval points to autonomous execution points: Identify where a person authorises the agent and where the system continues without further approval. That mapping shows where human governance stops and machine identity governance begins.
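The controls named in the Key questions answer and the practitioner checklist above (scoped issuance, short-lived trust, revocation tied to workflow completion, certificate-to-action logging), worked as an added stdlib-only Python model; this is example code, not Keyfactor's or NHIMG's. Assumed: the AgentCert fields and the constructed names (agent:invoice-reconciler, wf-42, the tool names, approver alice) stand in for values a real deployment would carry in the certificate subject and extensions; signature and chain validation are out of scope.

```python
from dataclasses import dataclass
from hashlib import sha256
import json
def _digest(obj) -> str:
    return sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()[:16]

@dataclass(frozen=True)  # fields stand in for certificate subject/extension values (assumption)
class AgentCert:
    subject: str
    workflow_id: str          # the task this identity was issued for
    allowed_tools: frozenset  # explicit runtime scope, not "any tool"
    not_before: int
    not_after: int            # short-lived: bounded to the task window

    @property
    def fingerprint(self) -> str:
        return _digest([self.subject, self.workflow_id, sorted(self.allowed_tools),
                        self.not_before, self.not_after])

class AgentGateway:  # tool endpoint: enforce revocation, validity and scope; hash-chain decisions
    def __init__(self):
        self.revoked, self.audit = set(), []

    def call_tool(self, cert, tool, now, approver) -> bool:
        decision = ("deny:revoked" if cert.fingerprint in self.revoked else
                    "deny:expired" if not cert.not_before <= now <= cert.not_after else
                    "deny:out_of_scope" if tool not in cert.allowed_tools else "allow")
        rec = {"cert": cert.fingerprint, "workflow": cert.workflow_id, "approver": approver,
               "tool": tool, "ts": now, "decision": decision,
               "prev": self.audit[-1]["hash"] if self.audit else "0" * 16}
        rec["hash"] = _digest(rec)  # digest taken before the "hash" key is added
        self.audit.append(rec)
        return decision == "allow"

    def complete_workflow(self, cert):
        self.revoked.add(cert.fingerprint)  # the identity must not outlive the task

    def verify_chain(self) -> bool:  # every record links to its predecessor and is unmodified
        prevs = ["0" * 16] + [r["hash"] for r in self.audit]
        return all(r["prev"] == p and r["hash"] == _digest({k: v for k, v in r.items() if k != "hash"})
                   for r, p in zip(self.audit, prevs))

def demo():  # constructed scenario: in-scope call, out-of-scope call, call after completion
    gw, cert = AgentGateway(), AgentCert("agent:invoice-reconciler", "wf-42",
                                         frozenset({"read_invoices", "post_summary"}), 100, 400)
    results = [gw.call_tool(cert, "read_invoices", 150, "alice"),
               gw.call_tool(cert, "delete_invoices", 160, "alice")]
    gw.complete_workflow(cert)
    results.append(gw.call_tool(cert, "read_invoices", 170, "alice"))
    return results, gw
```

Every denied call is still logged against the certificate fingerprint, so an investigation can reconstruct what the identity attempted, not only what it was allowed to do.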
Key takeaways
- PKI can authenticate agentic AI, but authentication alone does not govern tool use, delegation, or downstream privilege.
- The control problem shifts to lifecycle, traceability, and session scope once AI agents can act across services with a trusted identity.
- Identity teams should manage agent certificates as governed NHI assets, not as static infrastructure artefacts.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | LLM-03 | Agentic tool use and identity boundaries are central to this article. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle and rotation map directly to NHI credential governance. |
| NIST AI RMF | AI governance needs traceability and accountability for agent actions. | Establish governance, risk, and monitoring controls that tie AI behaviour to accountable ownership. |
Key terms
- Agentic AI identity: A machine identity assigned to an AI system that can choose actions and call tools during runtime. The identity is governed not just by authentication, but by delegation, scope, logging, and revocation so the system cannot exceed the authority it was given.
- Certificate lifecycle: The process that governs how certificates are issued, bound to a subject, rotated, renewed, and revoked. In AI and NHI programmes, lifecycle matters because a valid certificate can still become a risk if it outlives the task, approval, or delegation it was meant to support.
- Delegated authority: Access that a system receives through a human or upstream service acting on its behalf. In agentic environments, delegated authority must be explicit and reviewable because the downstream actor can continue operating after the original human intent has faded.
- Identity provenance: The traceable chain showing where an identity came from, who approved it, and what actions it performed. For AI agents and other NHIs, provenance is the evidence that links authentication to actual behaviour, which is essential for audit, incident response, and accountability.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Keyfactor: PKI-based identity for securing agentic AI. Read the original.
Published by the NHIMG editorial team on 2025-11-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org