
Certificate lifetimes and AI agents: what IAM teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: Shorter certificate lifetimes, rising automation demands, and the spread of agentic AI are pushing machine identity governance beyond manual renewal models, according to SPHERE Technology Solutions' podcast highlights. The real issue is that identity programmes built on human-paced review cycles cannot reliably manage fast-changing certificate and key lifecycles.

NHIMG editorial — based on content published by SPHERE Technology Solutions: podcast highlights from Smells Like Identity Hygiene on certificates, automation, and agentic AI

By the numbers:

Questions worth separating out

Q: How should security teams handle certificate renewals as lifetimes get shorter?

A: Security teams should treat certificate renewal as a lifecycle control, not a ticketing exercise.

Q: Why do short-lived certificates increase governance risk?

A: Short-lived certificates increase governance risk because they compress the time available for manual review, approval, and replacement.

Q: What do security teams get wrong about machine identity management?

A: Security teams often treat certificates, keys, and tokens as infrastructure details instead of governed identities.

Practitioner guidance

  • Inventory every certificate and key: create a complete register that ties each certificate to an owner, renewal method, expiry date, and dependent application.
  • Automate renewals for high-volume infrastructure: start with load balancers, API gateways, and cloud key stores where one workflow can cover many certificates.
  • Extend NHI governance to AI credentials: add agentic AI systems to the same lifecycle process used for service accounts and tokens.

What's in the full article

SPHERE Technology Solutions' full podcast recap covers the operational detail this post intentionally leaves for the source:

  • The episode discussion of CA/B Forum timing and what 47-day certificate lifetimes mean for renewal operations.
  • Practical commentary on where automation should start in infrastructure estates such as gateways and key stores.
  • The conversation about agentic AI as a new class of machine identity and why shadow AI complicates ownership.
  • The full exchange on why human approval gates can become the bottleneck in certificate security.

👉 Read SPHERE Technology Solutions' podcast highlights on certificates, automation, and agentic AI identity →



This topic was modified 4 hours ago by Mr NHI

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

Certificate security is now a non-human identity governance problem. The article shows that certificate expiry, renewal, and ownership cannot be treated as isolated infrastructure tasks once lifetimes compress and renewal frequency rises. Machine identities behave like NHIs because they are credentials with lifecycle obligations, not just technical artifacts. Practitioners should treat certificate governance as part of the same control plane used for service accounts, keys, and tokens.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • Only 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: How should organisations govern AI systems that need credentials?

A: Organisations should place AI systems inside the non-human identity inventory and assign each one a clear owner, scope, and offboarding path. If an AI feature can authenticate, call tools, or hold tokens, it needs lifecycle governance. Without that, hidden access paths can outlive visibility and accountability.

👉 Read our full editorial: Certificate security and agentic AI expose the limits of identity hygiene
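As an added example (not code from either post or from SPHERE Technology Solutions), the following stdlib-only Python sketch ties each certificate or AI-agent credential to an owner, renewal method, expiry and dependent application, as the first post's register guidance and this reply's AI-credential question describe, and flags the rows a human-paced review cycle cannot keep renewed at 47-day lifetimes. The 14-day review cycle, the 7-day buffer, the reference date and every register row are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_LIFETIME_DAYS = 47    # certificate lifetime discussed in the episode
MANUAL_CYCLE_DAYS = 14    # assumed: days a human review + approval cycle takes
RENEWAL_BUFFER_DAYS = 7   # assumed: margin before expiry by which renewal must be done


@dataclass
class RegisterEntry:
    """One row of the certificate/key register described in the post."""
    name: str
    owner: Optional[str]            # None models an unowned (shadow) credential
    renewal: str                    # "automated" or "manual"
    expires: date
    dependent_app: str
    is_ai_agent: bool = False       # agentic AI credential tracked like any other NHI
    offboarding_path: Optional[str] = None


def manual_cycles_per_year(lifetime_days: int = MAX_LIFETIME_DAYS) -> int:
    """Renewals a manually handled credential needs per year at this lifetime."""
    return -(-365 // (lifetime_days - RENEWAL_BUFFER_DAYS))  # ceiling division


def findings(entry: RegisterEntry, today: date) -> list[str]:
    """Governance gaps for one register entry, evaluated as of `today`."""
    gaps = []
    days_left = (entry.expires - today).days
    if entry.owner is None:
        gaps.append("no owner")
    if days_left < 0:
        gaps.append("expired")
    elif entry.renewal == "manual" and days_left - RENEWAL_BUFFER_DAYS < MANUAL_CYCLE_DAYS:
        gaps.append("manual renewal cannot complete in time")  # human cycle misses the buffer
    if entry.is_ai_agent and entry.offboarding_path is None:
        gaps.append("AI agent has no offboarding path")
    return gaps


def audit(register: list[RegisterEntry], today: date) -> dict[str, list[str]]:
    """Map entry name -> gaps, only for entries that have at least one gap."""
    return {e.name: g for e in register if (g := findings(e, today))}


TODAY = date(2025, 6, 1)  # constructed reference date
SAMPLE_REGISTER = [       # constructed sample rows, not real systems or certificates
    RegisterEntry("api-gateway-tls", "platform-team", "automated", TODAY + timedelta(days=40), "api-gateway"),
    RegisterEntry("legacy-lb-tls", "netops", "manual", TODAY + timedelta(days=12), "legacy-lb"),
    RegisterEntry("ci-signing-key", None, "manual", TODAY + timedelta(days=40), "ci-pipeline"),
    RegisterEntry("support-agent-token", "ai-platform", "automated", TODAY + timedelta(days=30), "support-bot", is_ai_agent=True),
    RegisterEntry("old-batch-cert", "data-team", "manual", TODAY - timedelta(days=3), "nightly-batch"),
]

if __name__ == "__main__":
    print(f"manual renewals per year at {MAX_LIFETIME_DAYS}-day lifetime: {manual_cycles_per_year()}")
    for name, gaps in audit(SAMPLE_REGISTER, TODAY).items():
        print(f"{name}: {', '.join(gaps)}")
```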
