Notifications
Clear all
Topic starter
25/06/2026 2:51 pm
TL;DR: Agentic AI changes the trust model by making software a decision-maker that can select tools, act across systems, and create new identity and access risks, according to Keyfactor. Digital trust now depends on governing machine and agent identities, not just human authentication and certificate hygiene.
NHIMG editorial — based on content published by Keyfactor: How Agentic AI Redefines Digital Trust
Questions worth separating out
Q: How should security teams govern agentic AI identities without over-trusting them?
A: Security teams should govern agentic AI identities by separating authentication from authorisation, then constraining runtime actions with policy, delegation boundaries, and task-scoped privileges.
Q: Why do agentic AI systems change the way IAM teams think about trust?
A: Agentic AI changes trust because the identity can make decisions during execution, not just present credentials at the start.
Q: What do organisations get wrong about machine identity in AI environments?
A: They often assume strong machine identity is enough.
Practitioner guidance
- Map agentic decision paths Inventory where AI systems can choose tools, data sources, or actions at runtime, then document which approvals or policy gates exist before each high-risk step.
- Separate identity proof from action approval Require controls that verify a machine or agent identity and independently constrain what it may do, especially for repository access, API calls, and data movement.
- Extend lifecycle governance to agentic accounts Apply provisioning, review, and offboarding discipline to AI-linked identities, service accounts, and delegated access paths so that no agent keeps authority after the business need ends.
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- How its trust and compliance tooling maps to certificate lifecycle automation for agentic systems
- Product-specific detail on cryptographic discovery, inventory, and posture management for machine identities
- Implementation context for signing, PKI, and ecosystem integrations across AI and software supply chains
- Examples of how the vendor positions secure AI agents within its broader product set
👉 Read Keyfactor's analysis of how agentic AI redefines digital trust →
Agentic AI and digital trust: what IAM teams need to rethink?
Explore further
25/06/2026 4:02 pm
Agentic AI turns digital trust into a runtime governance problem. The core failure is that identity proof no longer guarantees bounded behaviour once the actor can decide what to do next. Traditional machine identity models assume access is granted to known workloads with predictable intent. When the identity itself becomes decision-capable, that assumption no longer holds, and trust has to be evaluated as an ongoing state, not a one-time condition. Practitioners should treat this as a governance reset, not a tuning exercise.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How do IAM, PAM, and NHI controls fit together for AI agents?
A: IAM defines the access model, PAM constrains high-risk actions, and NHI governance manages the lifecycle and scope of the non-human identity itself. For AI agents, those controls must work together because the actor can act dynamically across systems. If any one layer is missing, the agent can inherit more trust than the organisation intended.
👉 Read our full editorial: How agentic AI redefines digital trust and identity governance
