TL;DR: Agentic AI systems are being wired into enterprise workflows, but most still lack the encryption, authentication, auditability, and revocation controls needed to trust them as workload identities, according to Keyfactor. The governance assumption that AI can act safely without durable identity and controlled access collapses once agents can connect to tools, data, and other systems at runtime.
At a glance
What this is: Keyfactor's argument that agentic AI should be secured as machine identity, with strong authentication, auditability, and rapid revocation as the baseline rather than as add-ons.
Why it matters: IAM, PAM, and NHI programmes now have to govern autonomous tool-using systems alongside service accounts and human users, without assuming that human-paced review cycles will be enough.
By the numbers:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
👉 Read Keyfactor's analysis of securing agentic AI with digital trust
Context
Agentic AI is a software-driven identity problem, not just an AI problem. When an agent can connect to tools, data warehouses, applications, and other agents at runtime, the real question becomes whether the enterprise can prove who or what it is, what it may do, and how quickly that access can be withdrawn when behaviour changes.
Keyfactor’s framing puts digital trust and machine identity at the centre of this shift. That lens matters for NHI and IAM teams because the same controls used for workloads, service accounts, and certificates now have to be extended to systems that reason and act inside business workflows. It is a typical next-stage governance problem for organisations already exposing APIs and secrets to automation.
The article also introduces the Model Context Protocol (MCP) as the connective layer between agentic systems and enterprise applications. The governance issue is not the protocol itself, but the identity and authorisation model wrapped around it: connectivity without strong authentication and auditability simply creates a faster path to misuse.
Key questions
Q: How should security teams govern agentic AI that can call enterprise tools?
A: Treat each agent as a workload identity with explicit authentication, scoped authorisation, and auditable sessions. Security teams should define which tools the agent may reach, log every call, and tie revocation to the same identity chain used for access. If an agent cannot be uniquely identified, it cannot be safely governed.
Q: Why do agentic AI systems complicate existing IAM and PAM controls?
A: They complicate IAM and PAM because they do not fit stable, human-paced review cycles. Agents can chain actions inside a single runtime session, so the risk window may open and close before a periodic access review ever sees it. That means governance must shift toward runtime identity, tight scope, and rapid revocation.
Q: What breaks when AI agents are connected without strong digital trust?
A: What breaks is the ability to prove who the actor is, what it may do, and when that access should end. Without strong identity and encryption, agents become hard to audit and easier to misuse. The result is not only data exposure but also uncontrolled access to downstream enterprise systems.
Q: Who should own governance when autonomous agents sit inside business workflows?
A: Identity, security, and platform teams should share ownership, but the governance model must sit with the team that can enforce identity, scope, logging, and revocation across the workflow. If ownership is split without a clear control owner, agent behaviour will outrun accountability and no one will have a complete view of risk.
Technical breakdown
Why machine identity becomes the control plane for agentic AI
Agentic AI does not behave like a static workload. It can select tools, chain actions, and move across systems in response to runtime context, which means the trust model must move from request-based access to identity-backed execution. In practice, that pushes certificate-based identity, workload authentication, and fine-grained authorisation into the control plane for AI systems. If the enterprise cannot bind the agent to a durable identity, then logs, policy enforcement, and revocation all become weaker than the behaviour they are meant to govern.
Practical implication: treat every agent as a workload identity that must be authenticated before it can act.
What MCP changes for authentication and auditability
Model Context Protocol gives agents a way to reach tools and enterprise applications, but it does not remove the need for identity, policy, or traceability. The protocol expands the attack surface because it creates a standard interface between reasoning systems and operational resources. That means the security question shifts to who authorised the connection, what scopes were granted, and whether every tool call can be attributed to a specific identity and session. Without that chain, auditability degrades quickly once agents start making multi-step decisions.
Practical implication: map MCP-enabled connections to explicit identities, scopes, and auditable sessions.
Why rapid revocation matters more when behaviour is dynamic
Conventional access governance assumes the actor remains stable long enough to review and remediate. Agentic systems break that assumption because behaviour can drift during a single runtime session and the risk may emerge after access has already been granted. The control problem is not just privilege size, but how fast an organisation can invalidate trust when the agent begins to act outside expectation. That is why revocation, anomaly detection, and behaviour-based containment sit alongside identity proofing as core controls.
Practical implication: design revocation paths that can shut down agent access as fast as behaviour changes.
Threat narrative
Attacker objective: The attacker aims to hijack trusted agent pathways to reach enterprise systems at scale through a seemingly legitimate identity.
- Entry occurs when an agent is connected to enterprise tools through MCP or similar interfaces without strong identity binding and encryption.
- Escalation occurs when the agent can chain tool calls across applications, data stores, or other agents with scopes broader than the task requires.
- Impact occurs when anomalous or malicious agent behaviour is not detected quickly enough, allowing misuse of credentials, data exposure, or business process abuse.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Machine identity is the right governance lens for agentic AI, but only if teams stop treating agents like enhanced automation. Keyfactor’s framing is directionally correct because agents are not just scripts with better interfaces. Once they can decide, call tools, and act across systems, the enterprise must govern them as identities with durable proof, scope, and revocation. The practitioner conclusion is straightforward: AI governance and identity governance are converging on the same control problem.
Digital trust is the named concept that matters here: identity, encryption, and revocation must travel together. Agentic systems do not fail safely when only one of those three exists. Strong identity without traceability is hard to audit, encryption without identity is hard to trust, and revocation without behavioural visibility is too slow to matter. The implication is that AI control design should be built around a complete trust chain, not isolated security features.
The assumption that access can be reviewed after it is granted was designed for stable actors and predictable sessions. That assumption fails when the actor is autonomous because it can select tools, sequence actions, and alter its path while the session is still active. The implication is not simply to add more review, but to recognise that human-paced governance no longer matches agent-paced execution.
MCP will become a governance choke point before it becomes a productivity layer. Any standard that makes it easier for agents to reach enterprise resources also makes weak identity choices easier to scale. Teams that separate protocol adoption from identity policy will create a wide corridor for misuse. The practitioner conclusion is to bind protocol rollout to identity controls from day one, not after deployment.
The field is moving toward policy-driven trust for both NHI and autonomous actors. The same conversations that once focused on service accounts and certificates now extend to agent authentication, scoped access, and runtime containment. That convergence matters because identity teams can reuse governance principles, but not blindly reuse human review cadences. The practitioner conclusion is to redesign identity programmes around runtime behaviour, not just enrolment and certification.
From our research:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- For a broader identity lens, see Ultimate Guide to NHIs and Why NHI Security Matters Now for how machine identity governance changes as non-human populations expand.
What this signals
Digital trust will become the practical boundary between acceptable AI automation and unmanaged identity risk. As agentic systems move from pilots into operational workflows, teams will need to decide whether they can prove identity at every tool hop, not just at login. The more a programme relies on API-connected services, the more it should align with OWASP Agentic AI Top 10 and similar control frameworks.
Agent identity governance will increasingly sit inside the same operational queue as service account and certificate governance. That means IAM and NHI teams need shared visibility into scopes, revocation, and auditability across human, machine, and agentic workloads. The programme signal to watch is whether your controls can answer attribution questions without manual reconstruction.
With 98% of companies planning to deploy even more AI agents within the next 12 months, the problem is not early adoption but late governance. The organisations that prepare now will be the ones that can expand safely without turning every new agent into a new blind spot, especially where OWASP NHI Top 10 concerns overlap with runtime access decisions.
For practitioners
- Bind every agent to a durable workload identity: use certificate-based identity or equivalent machine identity controls so each agent is uniquely authenticated before it reaches tools, data, or external services.
- Scope MCP access to explicit task boundaries: define which enterprise applications, data sets, and downstream agents each agent may reach, and make those scopes part of the authorisation model rather than a post-review artifact.
- Instrument audit trails for tool-by-tool attribution: ensure SIEM and detection tooling can reconstruct which identity called which tool, at what point in the session, and with what resulting action.
- Design fast revocation paths for agent drift: build containment steps that can invalidate an agent session or credential chain as soon as behaviour deviates from expected scope, without waiting for a manual access review.
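The four practitioner steps above, and the technical breakdown before them, describe one control loop: authenticate the agent, scope its tool access, log every call attributably, and revoke the moment it drifts. The following is an added example from the editor, not code from Keyfactor or from the original article, showing that loop as a small gateway between an agent and MCP-exposed tools. The HMAC session token stands in for certificate-based workload identity (in production this would be an mTLS client certificate or SPIFFE-style workload identity, not a shared key); the tool names, the policy, and the sample calls are all constructed for illustration.

```python
"""Added example: an MCP-style tool-call gateway that binds each agent to an identity,
enforces a per-agent tool scope, writes one attributable audit record per call, and
revokes the session on scope drift. Not from the original article; names are illustrative."""
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumption: stands in for cert/mTLS workload identity. Demo key only, never a shared secret.
SIGNING_KEY = b"demo-only-key"


class AuthError(Exception):
    pass


class ScopeError(Exception):
    pass


class RevokedError(Exception):
    pass


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str              # durable identity that logs and revocation hang off
    allowed_tools: frozenset   # explicit task scope, e.g. {"crm.read"}


@dataclass
class Session:
    session_id: str
    identity: AgentIdentity
    token: str
    revoked: bool = False
    out_of_scope_calls: int = 0


# Constructed stand-ins for MCP-exposed enterprise tools (hypothetical names).
TOOLS = {
    "crm.read": lambda a: {"customer": a["id"], "tier": "gold"},
    "warehouse.query": lambda a: {"rows": 3, "sql": a["sql"]},
    "payments.refund": lambda a: {"refunded": a["amount"]},
}


class ToolGateway:
    def __init__(self, max_out_of_scope=1):
        self.sessions = {}
        self.audit = []                       # append-only; ship to the SIEM
        self.max_out_of_scope = max_out_of_scope

    def _log(self, agent_id, session_id, tool, decision, detail=""):
        self.audit.append({"ts": time.time(), "agent_id": agent_id, "session_id": session_id,
                           "tool": tool, "decision": decision, "detail": detail})

    def issue_session(self, identity):
        """Bind a runtime session to a durable agent identity."""
        session_id = secrets.token_hex(8)
        token = hmac.new(SIGNING_KEY, f"{identity.agent_id}:{session_id}".encode(), "sha256").hexdigest()
        session = Session(session_id, identity, token)
        self.sessions[session_id] = session
        self._log(identity.agent_id, session_id, "-", "session_issued")
        return session

    def revoke(self, session_id, reason):
        """Revocation path: invalidates the session immediately, no review cycle involved."""
        session = self.sessions[session_id]
        session.revoked = True
        self._log(session.identity.agent_id, session_id, "-", "revoked", reason)

    def call_tool(self, agent_id, session_id, token, tool, args):
        session = self.sessions.get(session_id)
        expected = hmac.new(SIGNING_KEY, f"{agent_id}:{session_id}".encode(), "sha256").hexdigest()
        # Authenticate first: no identity, no call. Constant-time compare defeats forged tokens.
        if session is None or session.identity.agent_id != agent_id or not hmac.compare_digest(expected, token):
            self._log(agent_id, session_id, tool, "auth_failed")
            raise AuthError("session token does not match agent identity")
        if session.revoked:
            self._log(agent_id, session_id, tool, "denied_revoked")
            raise RevokedError("session revoked")
        if tool not in session.identity.allowed_tools:
            # Out-of-scope request is treated as drift: log it, count it, and contain the session.
            session.out_of_scope_calls += 1
            self._log(agent_id, session_id, tool, "scope_denied")
            if session.out_of_scope_calls >= self.max_out_of_scope:
                self.revoke(session_id, f"drift: requested {tool} outside scope")
            raise ScopeError(f"{tool} not in scope for {agent_id}")
        result = TOOLS[tool](args)
        self._log(agent_id, session_id, tool, "allowed", f"args={sorted(args)}")
        return result

    def attribution(self, session_id):
        """Reconstruct who called what, in order, for one session without manual stitching."""
        return [(r["tool"], r["decision"]) for r in self.audit if r["session_id"] == session_id]


if __name__ == "__main__":
    gw = ToolGateway(max_out_of_scope=1)
    s = gw.issue_session(AgentIdentity("support-agent", frozenset({"crm.read"})))
    print(gw.call_tool("support-agent", s.session_id, s.token, "crm.read", {"id": "c-42"}))
    try:
        gw.call_tool("support-agent", s.session_id, s.token, "payments.refund", {"amount": 100})
    except ScopeError as exc:
        print("contained:", exc)
    print(gw.attribution(s.session_id))
```

The design point is that the audit record, the scope check, and the revocation all key off the same `agent_id` and `session_id`, so an analyst can answer "which identity called which tool, and when was trust withdrawn" from the log alone. Tuning `max_out_of_scope` trades containment speed against tolerance for a single mis-selected tool; the example revokes on the first out-of-scope request.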
Key takeaways
- Agentic AI creates an identity governance problem because tool-using systems need authentication, scope control, and revocation, not just model oversight.
- Keyfactor’s framing is strongest where it treats machine identity and digital trust as the control layer for agent behaviour, especially across MCP-connected workflows.
- Identity programmes should prepare for runtime access drift in autonomous systems, because review-based governance alone cannot keep pace with agent-paced execution.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agent tool use and runtime decisions create classic agentic AI attack surface. |
| OWASP Non-Human Identity Top 10 | NHI1 (Improper Offboarding) | AI agents are non-human identities that must be uniquely authenticated, governed, and decommissioned; agent sessions and credentials that are never revoked remain usable. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Least-privilege access permissions and identity governance are central to AI agent control. |
Map agent workflows to OWASP agentic risks and restrict tools, scopes, and approvals before rollout.
Key terms
- Agentic AI: AI systems that can perceive context, choose actions, and use tools to complete goals inside a runtime environment. For identity teams, the key issue is not model capability alone, but whether the system can be bound to a durable identity, a defined scope, and a revocable trust chain.
- Machine Identity: A non-human identity used by software, workloads, devices, or agents to authenticate and interact with systems. It is the control layer that proves what the actor is, what it may reach, and how its access can be audited or withdrawn when behaviour changes.
- Model Context Protocol: A protocol that connects AI agents to tools and enterprise applications through a standard interface. In identity terms, it increases the importance of authentication, authorisation, and auditability because it makes it easier for an agent to act across systems from a single workflow.
- Digital Trust: The set of identity, encryption, and verification controls that make a connected system trustworthy. For agentic AI, digital trust means each agent must be authenticated, its communications protected, and its actions traceable so that misuse can be detected and contained.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Keyfactor: The Next Security Frontier: Securing the Future of Agentic AI with Digital Trust. Read the original.
Published by the NHIMG editorial team on 2025-08-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org