TL;DR: Autonomous AI is now taking actions, not just supporting decisions, exposing governance gaps in identity, authorization, and accountability, according to Keyfactor’s AI Identity Edition, which draws on input from 450 security professionals across North America and Europe. The central issue is that trust models built for humans and static machines do not yet hold when agents operate at machine speed.
NHIMG editorial — based on content published by Keyfactor: Digital Trust Digest, AI Identity Edition
By the numbers:
- The magazine’s articles draw on insights from 450 security professionals across North America and Europe.
Questions worth separating out
Q: How should security teams govern autonomous AI agents as identities?
A: Security teams should assign each autonomous agent a unique identity, explicit least-privilege permissions, and a revocation path that works at runtime.
Q: Why do autonomous AI systems strain existing IAM and PAM controls?
A: They strain them because they can initiate actions, select timing, and trigger downstream processes without waiting for a human approval loop.
Q: What does AI identity change about certificate governance?
A: It shifts certificate governance from a mostly administrative function to a live operating issue.
Practitioner guidance
- Define AI agents as governed identities Assign each autonomous system a distinct identity, explicit permissions, and a revocation path so the agent itself can be controlled and audited.
- Automate certificate and trust lifecycle operations Use automated issuance, renewal, revocation, and policy enforcement for short-lived agents so trust does not lag behind execution.
- Move from periodic review to continuous enforcement Use runtime authorization, telemetry, and containment triggers because agent activity can outpace access review cycles.
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- The magazine’s survey findings from 450 security professionals, including response patterns on autonomous AI governance and trust.
- Contributions from Keyfactor, IBM, AWS, and Delinea that expand the operational discussion beyond the editorial framing.
- The practical and regulatory guidance needed to move from awareness to implementation across AI identity and digital trust.
- The full AI Identity Edition context behind the magazine series and the contributors’ technical perspectives.
👉 Read Keyfactor's Digital Trust Digest: AI Identity Edition on AI identity risk →
AI identity and autonomy: what changes for security teams?
Explore further
Autonomous AI turns identity into an active control plane, not a static record. Once an agent can choose actions and trigger downstream work on its own, identity has to govern runtime behaviour rather than merely describe an account. That widens the scope from authentication to authorization, continuous evaluation, and revocation across the whole action chain. Practitioners should treat agent identity as an operational boundary that must be enforced while the system is acting.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who is accountable when an autonomous agent takes the wrong action?
A: Accountability should be shared across the sponsor who approved the agent, the team that defined its permissions, and the operators who can terminate or constrain it. If no owner can explain, audit, and reverse the action, the governance model is incomplete.
👉 Read our full editorial: AI identity edition shows autonomy is outpacing trust controls