TL;DR: AI-directed intrusion workflows can enumerate systems, harvest credentials, and move laterally at machine speed, which is why Keyfactor argues PKI and x.509 certificates are now foundational for infrastructure defence. Passwords and MFA still protect people at the login screen, but they do not govern internal machine-to-machine trust or autonomous attack behaviour.
NHIMG editorial — based on content published by Keyfactor: AI Beyond Passwords, How PKI Secures Your Infrastructure from AI-Driven Attacks
By the numbers:
- The September 2025 China Agentic AI attack scaled across more than two dozen organizations.
Questions worth separating out
Q: How should security teams secure machine-to-machine trust against AI-driven attacks?
A: Security teams should treat machine-to-machine trust as a separate identity domain from human access.
Q: Why do passwords and MFA fail to stop AI-driven intrusion workflows?
A: Passwords and MFA are built for interactive human login, not for internal service authentication.
Q: What breaks when bearer tokens are used as durable internal credentials?
A: Bearer tokens become replayable secrets, so any actor that steals them can use them as proof of access.
Practitioner guidance
- Inventory machine identities across internal trust paths: map service accounts, API keys, bearer tokens, and certificates to the systems they can reach, so you can see where one credential unlocks multiple services.
- Replace shared secrets with certificate-based authentication: use x.509 certificates and mutual TLS for service-to-service traffic, so internal authentication depends on cryptographic proof rather than replayable secrets.
- Separate human login controls from workload trust controls: keep MFA for people, but do not assume it secures internal machine communication or prevents bearer token replay inside the environment.
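To make the contrast between a replayable secret and certificate-based trust concrete, here is an added worked example in Go. It is not code from Keyfactor or from the NHIMG post, and it relies only on the Go standard library. It builds an in-memory CA (constructed for the example; the names internal-trust-root, orders-api and payments-worker are invented), issues short-lived x.509 certificates to a server and a client workload, and runs a mutual TLS handshake over loopback in which the server insists on a client certificate chaining to the internal CA. A bearer token is accepted from whoever holds the string; here acceptance requires possession of the private key behind a certificate the internal CA issued, so a peer with no certificate, one signed by an unrelated authority, or one whose validity window has lapsed is turned away at the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewCA builds a self-signed root for one internal trust domain. This is an
// in-memory CA for the example; real deployments keep the key in an HSM or PKI.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key, nil
}

// Issue signs a leaf certificate for one workload. A short ttl bounds how long a
// stolen private key stays usable; a negative ttl yields an already-expired cert.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, usage x509.ExtKeyUsage, ttl time.Duration) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo-only; real CAs use random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // loopback SAN for this demo
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// AuthenticatePeer runs one mTLS handshake over loopback and returns the CommonName
// the server authenticated, or the server's verification error. nil client = no cert.
func AuthenticatePeer(server tls.Certificate, trust *x509.CertPool, client *tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // proof of key possession, not a bearer string
		ClientCAs:    trust,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	cfg := &tls.Config{RootCAs: trust, ServerName: "127.0.0.1"}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	go func() { // client side; the Read parks it until the server closes the connection
		if conn, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
			conn.Read(make([]byte, 1))
			conn.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	tc := conn.(*tls.Conn)
	if err := tc.Handshake(); err != nil {
		return "", err // no cert, untrusted issuer, expired cert or wrong key usage all land here
	}
	return tc.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	caCert, caKey, _ := NewCA("internal-trust-root")
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	server, _ := Issue(caCert, caKey, "orders-api", x509.ExtKeyUsageServerAuth, 10*time.Minute)
	worker, _ := Issue(caCert, caKey, "payments-worker", x509.ExtKeyUsageClientAuth, 10*time.Minute)
	fmt.Println(AuthenticatePeer(server, pool, &worker)) // payments-worker <nil>
	fmt.Println(AuthenticatePeer(server, pool, nil))     // "" and a rejection error
}
```

Running it prints the authenticated workload name for the trusted client and an error for the peer that presents no certificate. Keeping issuance (Issue) separate from the trust decision (AuthenticatePeer) mirrors the split the guidance above asks for: whoever operates the CA controls which workloads can be named on the internal network, and short lifetimes make rotation, rather than revocation alone, the routine control.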
What's in the full article
Keyfactor's full article covers the operational detail this post intentionally leaves for the source:
- The step-by-step argument for why PKI and x.509 certificates are positioned as the trust model for AI-driven infrastructure
- The article’s direct comparison of mTLS and OAuth in the context of authentication versus authorization
- The full breakdown of where passwords, MFA, service accounts, and bearer tokens fail across internal machine traffic
- Keyfactor’s referenced whitepaper and supporting recommendations for secure AI deployment
👉 Read Keyfactor’s analysis of PKI, x.509 certificates, and AI-driven attacks: "AI-driven attacks and PKI: are your machine identities ready?"
Explore further
Passwords and MFA are human controls, not machine trust controls. This article highlights a long-standing governance gap: the authentication stack for people is not the authentication stack for services. AI-directed attackers do not need to defeat interactive login if they can operate through internal machine credentials instead. The implication is that identity programmes must stop treating human authentication hardening as a proxy for workload security.
A few things that frame the scale:
- 53% of security leaders expect AI to run major portions of their infrastructure autonomously within the next three years, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Who is accountable for workload identity security when AI is involved?
A: Accountability usually sits with platform, infrastructure, and identity teams together because workload trust crosses their boundaries. Security leadership should assign ownership for issuance, rotation, revocation, and policy enforcement before deploying AI-enabled infrastructure. That prevents machine identities from becoming unmanaged access channels.
👉 Read our full editorial: PKI and workload identities are now mandatory for AI-driven attacks