TL;DR: AgileSec 3.6 adds RSA JWT signing, remote token revocation awareness, Tanium Connect ingestion, expanded cloud and source coverage, and improved PQC detection and CBOM export for cryptographic inventory and audit readiness, according to Keyfactor. The release matters because crypto-agility depends on knowing where cryptography exists, not just replacing algorithms later.
NHIMG editorial — based on content published by Keyfactor: AgileSec 3.6 gives security teams more visibility, more control, and a faster path to cryptographic-agility
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities , 46% confirmed, 26% suspected.
Questions worth separating out
Q: How should security teams govern cryptographic inventory across multiple platforms?
A: Treat cryptographic inventory as an enterprise control, not a per-tool report.
Q: Why does revocation matter as much as discovery in crypto-agility programmes?
A: Discovery shows what exists, but revocation determines how long a compromised credential remains useful.
Q: What do teams get wrong about post-quantum cryptography readiness?
A: They often start with algorithm migration instead of asset visibility.
Practitioner guidance
- Inventory all token signing and revocation paths Map where JWT signing occurs, where revocation is enforced, and which services still trust stale credentials after a change.
- Consolidate cryptographic findings into one search workflow Use cross-cluster search or an equivalent inventory layer so cloud, development, and search findings can be reviewed together.
- Build a Cryptographic Bill of Materials for critical systems Document the cryptographic assets, dependencies, and algorithms used by key applications so PQC migration planning is based on evidence rather than assumptions.
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- Expanded configuration notes for RSA JWT token signing and remote token revocation awareness.
- Platform-specific coverage details for Tanium Connect, GCP KMS, GitHub, and Bitbucket Data Center sources.
- Deployment and administration changes for Kubernetes, Helm charts, and cross-cluster search tuning.
- PQC detection and CBOM export behaviour for teams building audit evidence and migration plans.
👉 Read Keyfactor's post on AgileSec 3.6 cryptographic visibility and control →
Cryptographic visibility and control in AgileSec 3.6: what changed?
Explore further
Cryptographic visibility debt is now the core governance problem. The article makes clear that organisations cannot govern what they cannot enumerate, and that applies to keys, signing paths, token controls, and cloud-native crypto assets alike. That is a governance failure before it is a tooling issue. The practitioner implication is that inventory quality has become a prerequisite for control effectiveness.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
A question worth separating out:
Q: How do organisations know if their cryptographic governance is actually working?
A: Look for whether inventory, revocation, and audit reporting all describe the same estate. If search results, CBOM exports, and operational records disagree, the programme has visibility gaps that will surface during incident response or compliance review. Effective governance produces a single defensible view of cryptographic exposure.
👉 Read our full editorial: AgileSec 3.6 expands cryptographic visibility and control