TL;DR: AI systems need strong machine identity controls before they can safely interact with tools, services, and data. Keyfactor’s validation of PKI-based identity for securing agentic AI points to a broader governance problem: the issue is not whether AI can authenticate, but whether identity, privilege, and lifecycle controls can keep pace with runtime autonomy.
At a glance
What this is: A Keyfactor newsroom post arguing that PKI-based identity is central to securing agentic AI because machine identity has to be established before tool access and execution can be trusted.
Why it matters: Identity teams now have to align certificate, workload, and agent governance so autonomous systems do not inherit unmanaged access paths across NHI and human control planes.
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Context
Agentic AI needs a verifiable machine identity before it can be trusted to call tools, reach data, or inherit privileges. In practice, that shifts the security question from whether the model is intelligent to whether the identity bound to it is governed like any other privileged non-human identity.
Keyfactor’s focus on PKI-based identity reflects a familiar IAM pattern: authentication alone is not enough when runtime actions are taken by software acting on behalf of another process. The real gap is lifecycle control, certificate trust, and scope limitation across agent execution paths.
Key questions
Q: How should security teams govern agentic AI identities with PKI?
A: Security teams should treat agentic AI identities as governed machine identities, not as special exceptions. Use PKI to establish cryptographic proof of identity, then layer tight authorization, inventory, renewal, and revocation controls on top. The critical question is not whether the agent can authenticate, but whether its access remains tightly bounded during runtime.
Q: Why do agentic AI systems complicate traditional IAM controls?
A: They complicate IAM because runtime behaviour can change after identity is issued. Traditional IAM often assumes access can be assessed from a stable user or service profile, but agentic systems can alter tool use and execution paths within the session. That makes entitlement review, scope control, and revocation far more dynamic.
Q: What breaks when certificates are used without lifecycle governance for AI agents?
A: Certificates become durable trust tokens instead of managed identities. Without lifecycle governance, issuance can outpace inventory, renewals can happen without business review, and revocation can lag behind task completion or system change. The result is hidden persistence, which expands the agent’s blast radius even when the underlying model changes.
Q: Who should own AI agent identity governance in an enterprise?
A: Ownership should sit across IAM, PKI, and the platform team that deploys the agent, with clear accountability for issuance, privilege, and revocation. If no team owns the full lifecycle, the agent’s identity will be treated as infrastructure plumbing rather than a governed access path, which is where risk accumulates.
Technical breakdown
Why PKI matters for agentic AI identity
Public key infrastructure gives a machine a verifiable cryptographic identity that can be checked by other systems without relying on shared secrets alone. For agentic AI, that means a certificate or key pair can anchor trust in the agent’s workload identity, its service context, and its allowed communications. PKI does not make an agent safe by itself, but it does create a stronger basis for authentication, mutual trust, and certificate-bound policy enforcement than ad hoc tokens or static credentials.
Practical implication: bind agent identities to certificate-backed trust so access decisions can be tied to a managed cryptographic subject.
Agentic AI identity and runtime privilege
Agentic systems can change what they do during a session, which means identity controls must account for execution-time behaviour rather than just provisioning-time intent. A certificate can identify the workload, but privilege still has to be constrained by scope, policy, and the specific tools the agent is allowed to reach. This is where PKI intersects with NHI governance: the identity is cryptographic, but the authorisation model still needs clear boundaries around data access, service calls, and escalation paths.
Practical implication: separate identity proof from privilege assignment and review what each agent can actually do at runtime.
Certificate lifecycle is the hidden control plane
If PKI is used for agentic AI, certificate lifecycle becomes operationally central. Issuance, renewal, revocation, and inventory all determine whether the agent remains governed or drifts into undocumented access. This is the same governance problem identity teams face with service accounts and API keys: unmanaged persistence creates trust debt. For autonomous systems, that debt grows faster because machine identities can be deployed and replicated at scale.
Practical implication: treat certificate lifecycle as a governance function, not a back-office PKI task.
NHI Mgmt Group analysis
PKI-based identity for agentic AI is really a workload governance problem, not just an authentication choice. The valuable part of the control is not the certificate itself, but the ability to bind an agent to a managed identity that can be inventoried, scoped, and revoked. That puts agentic AI squarely inside NHI governance, where machine identity is only useful if it is lifecycle-managed and privilege-limited. Practitioners should treat the agent as a governed workload, not a clever application feature.
Agentic AI invalidates the assumption that identity can be provisioned once and trusted for the whole session. That model was designed for stable service identities with predictable behaviour. It fails when the actor can choose actions, tools, and timing during execution because access intent is not fixed at provisioning time. The implication is that identity programmes must rethink how they define trust boundaries for software that can alter its own execution path.
Runtime identity blast radius: The key governance question is how far a compromised or over-entitled agent can move once its cryptographic identity is accepted. PKI can prove who the agent is, but it does not answer whether the agent should reach the whole environment, a single service, or one short-lived task. That makes blast-radius control the decisive metric for agentic AI governance. Practitioners should measure how much damage a valid agent identity can still do.
Agentic AI governance will converge with NHI lifecycle management faster than many teams expect. The same operational disciplines that already apply to service accounts, certificates, and secrets now extend to AI agents that act independently at runtime. That convergence means identity teams, PKI owners, and platform security teams need a shared model for issuance, monitoring, and offboarding. Practitioners should align agent governance with existing NHI lifecycle controls rather than creating a separate, disconnected process.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Use the NHI Lifecycle Management Guide to align issuance, renewal, and offboarding when agent identities are treated as governed machine accounts.
What this signals
PKI will not close the governance gap on its own. Once agentic systems are allowed to act on behalf of a workload, the real risk sits in entitlement scope, lifecycle ownership, and revocation discipline. Teams that already struggle with service account sprawl should assume agent certificates will multiply the same problem unless the identity programme owns the full chain.
With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, agentic AI governance will fail if teams treat certificate issuance as the finish line. The programme signal to watch is whether cryptographic identity is matched by narrow runtime privilege and clear offboarding.
The next phase of identity security will blur the line between workload identity, secrets management, and autonomous execution. That makes certificate lifecycle, inventory quality, and revocation latency the practical indicators of whether an AI agent programme is under control or simply authenticated.
For practitioners
- Inventory agent identities as first-class NHIs: Map every agent, workload, and service account that can invoke tools or access data. Record issuer, certificate subject, renewal path, and revocation owner so the identity can be governed throughout its lifecycle.
- Bind privilege to task scope, not just identity proof: Use certificate-backed identity to authenticate the agent, then enforce narrow authorization rules on the specific services, data sets, and tool calls that agent may reach.
- Operationalise revocation and renewal workflows: Define who can revoke agent certificates, what telemetry confirms revocation, and how renewals are approved before expiry. Do not let certificates persist by default after the agent’s purpose changes.
- Align PKI governance with NHI lifecycle controls: Fold agent certificates into the same lifecycle review process used for service accounts and other machine identities. Use the NHI Lifecycle Management Guide and the Ultimate Guide to NHIs to anchor ownership, offboarding, and review cadence.
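The practitioner steps above, as an added Python example (not code from Keyfactor or NHI Mgmt Group): an inventory row carrying the fields the first step lists, a tool-call decision kept separate from identity proof, and a lifecycle check for certificates that outlive their purpose. The field names, certificate subjects, issuer, and tool names are constructed for illustration, and certificate chain validation is assumed to happen upstream.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class AgentIdentity:
    """One inventory row per agent certificate (field names are assumptions)."""
    subject: str              # certificate subject the agent authenticates as
    issuer: str
    not_after: datetime       # certificate expiry
    renewal_path: str         # how renewal is approved
    revocation_owner: str     # team accountable for revoking it
    task_ends: datetime       # when the purpose that justified issuance ends
    allowed_tools: frozenset  # the only tool calls this agent may make
    revoked: bool = False

def authorize(inventory, subject, tool, now):
    """Privilege decision; certificate chain validation is assumed done upstream."""
    rec = inventory.get(subject)
    if rec is None:
        return False, "not-in-inventory"
    checks = [(rec.revoked, "revoked"), (now >= rec.not_after, "expired"),
              (now >= rec.task_ends, "task-ended"),
              (tool not in rec.allowed_tools, "tool-out-of-scope")]
    for failed, reason in checks:
        if failed:
            return False, reason
    return True, "ok"

def lifecycle_findings(inventory, now):
    """Flag unrevoked certificates with no owner or outliving their task."""
    findings = []
    for rec in (r for r in inventory.values() if not r.revoked):
        if not rec.revocation_owner:
            findings.append((rec.subject, "no-revocation-owner"))
        if rec.task_ends <= now < rec.not_after:
            findings.append((rec.subject, "valid-after-task-end"))
    return sorted(findings)

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory; subjects, issuer and tool names are invented.
NOW = utc(2025, 11, 11)
INVENTORY = {r.subject: r for r in [
    AgentIdentity("CN=invoice-agent", "CN=Example Agent CA", utc(2025, 12, 1), "ticket-approved",
                  "platform-team", utc(2025, 11, 20), frozenset({"erp.read_invoice"})),
    AgentIdentity("CN=triage-agent", "CN=Example Agent CA", utc(2026, 6, 1), "auto-renew",
                  "", utc(2025, 10, 1), frozenset({"tickets.read"})),
]}
```

In the sample data the triage agent's certificate is still cryptographically valid, so only the task-end and ownership checks catch it.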
Key takeaways
- Agentic AI identity must be governed as a machine identity problem, because cryptographic proof alone does not constrain runtime behaviour.
- PKI strengthens trust, but excessive privilege and weak lifecycle control still determine the real blast radius of an AI agent.
- Identity teams should extend existing NHI lifecycle practices to agent certificates instead of creating a disconnected governance model.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agent identity and tool access map directly to agentic AI identity abuse risks. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Agent certificates are machine identities that need lifecycle and privilege governance. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege is central when agent identities can access multiple services at runtime. |
Constrain agent tools and permissions so identity proof does not become unchecked execution authority.
Key terms
- Agentic AI identity: The cryptographic or logical identity assigned to an AI system that can act at runtime on tools, data, or services. In governance terms, it is not just an authentication artifact. It is a controllable access path that needs ownership, scoping, monitoring, and revocation like any other high-risk non-human identity.
- Machine identity: A machine identity is the set of credentials, certificates, keys, or tokens used by software to prove who it is to another system. It matters because software often gets more reach than people do. Without lifecycle control, machine identity becomes a durable source of privilege, not just a login mechanism.
- Certificate lifecycle: Certificate lifecycle is the end-to-end management of issuance, renewal, inventory, and revocation for a certificate-based identity. For non-human identities, lifecycle discipline is what prevents trust from persisting after purpose changes. If the lifecycle is weak, the certificate remains valid longer than the business context that justified it.
This post draws on content published by Keyfactor: PKI-based identity for securing agentic AI. Read the original.
Published by the NHIMG editorial team on 2025-11-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org