Notifications
Clear all
Topic starter
25/06/2026 2:41 pm
TL;DR: Static API keys and passwords do not provide verifiable identity for autonomous AI agents, so enterprise trust shifts toward certificate-backed identity, mTLS, and lifecycle automation according to Keyfactor and Gartner research. The governance question is no longer whether AI can act, but whether each action can be cryptographically attributed and constrained before it scales beyond human review.
NHIMG editorial — based on content published by Keyfactor: 3 Things to Know About Keyfactor’s PKI-Based Identity for Agentic AI
Questions worth separating out
Q: How should security teams govern AI agents that access enterprise systems?
A: Security teams should govern AI agents as workload identities, not as enhanced users.
Q: Why do static API keys create risk for autonomous AI agents?
A: Static API keys create risk because they are reusable, portable, and weakly bound to the specific actor using them.
Q: How do mTLS and certificate-based OAuth help with AI agent governance?
A: mTLS and certificate-based OAuth help by tying communication and authorization to a verified identity rather than a bearer secret.
Practitioner guidance
- Define each AI agent as a distinct identity object Issue a unique certificate or workload-bound credential to every agent instance, including short-lived or task-specific agents, so attribution is not shared across multiple runtimes.
- Bind service access to certificate-backed policy Use mTLS and certificate extensions to constrain which services an agent may call, which actions it may perform, and which downstream identities it may delegate to.
- Automate certificate issuance and revocation Integrate identity lifecycle automation with agent orchestration so credentials are issued, rotated, and revoked at machine speed rather than through manual approvals.
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- Certificate issuance and lifecycle automation patterns for short-lived AI agents
- Implementation details for certificate-based OAuth flows and mTLS in agent-to-service communication
- How SPIFFE integration can support automated identity assignment for containerised agents
- The product framing around cryptographic accountability and regulated-environment deployment
👉 Read Keyfactor's analysis of PKI-based identity for agentic AI →
PKI identity for AI agents: are your controls ready for scale?
Explore further
25/06/2026 3:48 pm
PKI-backed agent identity is the right baseline for autonomous systems, but it also exposes how weak static credential thinking has become. An AI agent that can act without human approval cannot be governed as if its identity were a shared secret. The field needs to treat per-agent cryptographic identity as the minimum viable control for attribution, boundary enforcement, and auditability. For practitioners, the implication is that agent identity must be provisioned as a first-class trust object, not a secondary implementation detail.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: What should organisations rethink when AI agents can act without human approval?
A: Organisations should rethink review cycles, revocation timing, and accountability assumptions. If an agent can complete a task before a human review occurs, then access reviews no longer capture the full risk. Governance has to move to runtime policy, per-agent identity, and machine-speed lifecycle controls.
👉 Read our full editorial: PKI-based identity for agentic AI is changing enterprise trust
