A quiet but significant shift is underway in how organisations approach identity verification. Rather than collecting and storing customer data as the basis for trust decisions, forward-thinking security teams are moving toward requesting verifiable proofs — cryptographic attestations that confirm facts without exposing underlying data. For CISOs and IAM practitioners already grappling with non-human identity (NHI) sprawl, this shift carries direct implications for how machine identities authenticate and how NHI security frameworks will need to evolve.

The Problem With Storing What You Can Verify

Every data store is a liability. IBM’s 2025 research puts the average cost of a data breach at $4.4 million globally, while malicious bots now account for roughly 37% of internet traffic — many of them targeting credential and identity stores. The traditional model of onboarding — collect data, store it, verify against it — creates exactly the kind of honeypot that adversaries target.

The same logic applies directly to machine identity management. Service accounts, API keys, and tokens are frequently over-provisioned and stored in centralised vaults or configuration files precisely because the verification model requires them to be present and accessible. This is a structural weakness. If the goal is verification rather than storage, NHI security architectures need to reflect that.

How zkTLS Changes the Equation

Zero-Knowledge Transport Layer Security (zkTLS) is the technical mechanism gaining traction here. It generates a cryptographic proof during a TLS handshake — confirming that a specific fact is true about a session without revealing the underlying data or requiring credential sharing. In practice, this means verification becomes a yes/no proof anchored to a live session, not a document or credential that can be exfiltrated.

For machine identity, the parallel is clear. Rather than a service account presenting a long-lived token that can be stolen and replayed, zkTLS-style attestation models allow a machine identity to prove it has legitimate access to a resource without exposing the credential itself. This directly addresses one of the core weaknesses in current Agentic Identity deployments, where AI agents often carry persistent credentials with broad access scope.

What This Means for IAM Practitioners

Regulatory pressure is accelerating this shift. California’s DELETE Act and federal scrutiny of data brokers that hide their opt-out mechanisms signal that storing verification data is becoming both a legal and reputational risk. Organisations that redesign their identity verification flows around proof-over-storage principles now will be ahead of compliance requirements, not scrambling to catch up.

For IAM teams, the practical implication is to evaluate where long-lived credentials and stored identity data can be replaced with short-lived, proof-based attestations — particularly for non-human identities operating in automated pipelines. Personhood credentials and verifiable proof frameworks are no longer theoretical; they are the direction the market is moving, and NHI security architectures should be designed accordingly.
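As an added example (not from the original article, and not zkTLS itself, which goes further by attesting to facts about a live TLS session), this is the proof-of-possession pattern that the machine-identity passage above and the short-lived-attestation recommendation both describe: a Schnorr proof over secp256k1 in which the verifier stores only a public key, the proof is bound to a session nonce, an audience and an expiry, and each proof is accepted exactly once, so a captured proof cannot be replayed. The curve constants are the real secp256k1 parameters; the function names, the proof layout and the `payments-api` audience are assumptions constructed for this example.

```python
import hashlib
import secrets

# secp256k1 domain parameters (real, public); every other name here is constructed.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def keygen():  # the machine identity keeps x; the verifier stores only the point Y
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)
def challenge(t, y, nonce, audience, expiry):
    # Fiat-Shamir challenge: ties the proof to one session nonce, audience and lifetime
    msg = f"{t}|{y}|{nonce}|{audience}|{expiry}".encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
def prove(x, y, nonce, audience, expiry):
    # Schnorr proof of knowledge of x: the credential itself never leaves the prover
    r = secrets.randbelow(N - 1) + 1
    t = ec_mul(r, G)
    c = challenge(t, y, nonce, audience, expiry)
    return {"t": t, "s": (r + c * x) % N, "nonce": nonce, "aud": audience, "exp": expiry}
def verify(y, proof, audience, now, seen):
    """Verifier state is a public key plus accepted nonces; it holds no secret to leak."""
    if proof["aud"] != audience or proof["exp"] < now or proof["nonce"] in seen:
        return False  # wrong audience, expired, or replayed
    c = challenge(proof["t"], y, proof["nonce"], proof["aud"], proof["exp"])
    ok = ec_mul(proof["s"], G) == ec_add(proof["t"], ec_mul(c, y))
    if ok:
        seen.add(proof["nonce"])  # each proof is accepted exactly once
    return ok
```

The `seen` set and the expiry check are what turn a bare signature into a single-use, short-lived attestation: a proof lifted from one request is useless for a second one, and a proof minted for one audience is rejected by every other.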