Keyfactor’s move to close AI-era security gaps with machine identity safeguards reflects a maturing recognition across the PKI and certificate lifecycle management space: the explosion of AI agents and automated workloads has fundamentally outpaced the identity infrastructure most enterprises rely on. For organisations still treating machine identity as a certificate-renewal afterthought, this is a wake-up call.
The problem Keyfactor is addressing is structural. Traditional PKI and certificate management tools were built for a world of relatively static machine populations — servers, load balancers, a handful of service accounts. AI agents break that model entirely. They spin up dynamically, often provisioned by other automated processes, frequently short-lived, and increasingly granted broad access to internal systems and data in order to do their jobs. Each of these ephemeral agents needs a verifiable, revocable identity — and most certificate infrastructure was never designed to issue, rotate, and retire credentials at that speed or scale.
What makes this an urgent non-human identity security problem rather than a routine infrastructure upgrade is the attack surface it creates. An AI agent with a long-lived, over-permissioned certificate is functionally similar to a human employee who never changes their password and retains admin access after leaving the company — except there may be thousands of these agents, provisioned faster than security teams can track them. Keyfactor’s positioning around “AI-era security gaps” suggests the company is targeting exactly this blind spot: the growing population of machine identities that exist outside conventional IAM visibility.
For CISOs, the practical implications centre on three capabilities that machine identity platforms must now deliver. First, automated certificate issuance and rotation that can keep pace with AI agent provisioning velocity, rather than requiring manual approval workflows designed for infrequent human onboarding. Second, granular scoping — ensuring that an AI agent’s certificate grants only the access that specific agent’s function requires, not broad organisational trust. Third, real-time visibility into which certificates are tied to which agents, so that when an agent is retired or compromised, its credentials can be revoked immediately rather than lingering as dormant risk.
The broader signal here is that certificate and PKI vendors are being forced to reposition themselves as machine identity security providers, not just cryptographic infrastructure providers. As AI agents become embedded in core business processes, the distinction between “certificate management” and “non-human identity governance” is disappearing — and security leaders evaluating their machine identity posture should expect this convergence to accelerate.
Source: SiliconANGLE