We’re currently experiencing the explosion of AI helping organizations automate repetitive tasks, accelerate software development, and streamline customer service, with new use cases launching daily. Agentic AI takes this one step further. These systems don’t just generate text or insights; they take action. They access enterprise systems, retrieve data, write code, execute workflows, and interact with APIs autonomously.
“By 2030, CIOs expect that 0% of IT work will be done by humans without AI, 75% will be done by humans augmented with AI, and 25% will be done by AI alone, according to a July 2025 survey of over 700 CIOs by Gartner®, Inc., a business and technology insights company.”
The potential of agentic AI opens the door to enormous opportunities but also introduces new and urgent security challenges.
The Identity Problem with Agentic AI
Unlike today’s common AI assistants that simply respond to prompts, agentic AI systems act on behalf of users or, sometimes, independently. These agents access enterprise applications, interact with APIs, commit code to repositories, and can operate in both attended and fully autonomous modes.
Introducing AI always carries certain security risks, but autonomy elevates them.
When an AI agent can retrieve credentials, install tooling, or interact dynamically with infrastructure, its behavior becomes harder to predict and constrain. Once an agent obtains a credential, it can perform any operation in external systems that the credential authorizes. Without strong guardrails, this creates several challenges:
- Credential exposure risk – Unmonitored secrets and secrets without granular workflows and audit trails can create risk.
- Unbounded privilege escalation – If an agent is given access to overly broad credentials, it can breach its intended boundaries without anyone knowing.
- Lack of non-human identity (NHI) management – In autonomous scenarios, there often is no human in the loop. The AI agent itself must have a verifiable identity.
- Dynamic, ephemeral workloads – Agents running in containers spin up, perform work, and terminate, so identity must be able to follow that same ephemeral lifecycle.
- Supply chain vulnerabilities – Agents interacting with external APIs could introduce unvetted code or data.
If agents are going to act like, or even replace, users, they must be governed by the same access controls and zero-trust principles as any human or service identity.
Why Certificates Are Foundational to Zero Trust
To solve this, we must start with identity.
Zero trust requires that every connection be authenticated and authorized, and digital certificates have become the de facto cryptographic foundation for doing so.
For short-lived agentic workloads, containerized environments are an ideal deployment model. Given the maturity of container technology, seamless integration of identity certificates is well-supported. Through a service mesh like Istio, zero trust is facilitated and enforced, with workload-bound certificates automatically issued and used, all with no code changes to the containerized application.
This approach directly supports two-thirds of the CIA triad:
- Confidentiality – The use of non-human identities ensures that an agentic AI can only access the intended information or service.
- Integrity – Encrypted communication through mTLS ensures that data exchanged between services is authenticated and protected from tampering.
Privileged Access Management: Supporting the Zero Trust Architecture
While certificates establish strong workload identity and secure service-to-service communication, they do not by themselves grant access to external systems. Agentic AI systems often need to interact with third-party platforms like source code repositories, cloud infrastructure, SaaS applications, and databases, each with its own authentication requirements.
Certificates can be used to initiate OAuth flows, allowing agents to authenticate using client certificates and exchange them for OAuth tokens. This creates a stronger, more transparent authentication model for AI-driven access. However, OAuth doesn’t cover all applications.
This is where Privileged Access Management (PAM) becomes essential.
PAM delivers several key security benefits:
- Elimination of hard-coded secrets
- Centralized policy enforcement
- Granular, least-privilege access
- Full auditability of credential use
- Reduced blast radius for autonomous agents
In short, certificates establish who the agent is; privileged access management governs what the agent can do.
In a properly authenticated architecture for agentic AI:
- Workload identity is established
  Regardless of how an agent is deployed or where it runs, it should receive a cryptographically verifiable identity certificate of an appropriate validity period.
- Mutual authentication is enforced
  Service mesh or similar infrastructure ensures encrypted, authenticated communication between internal services.
- Identity-based secret access is required
  When the agent needs access to an external system (for example, committing code to a repository, automating HR workflows, or managing cloud resources), it does not store credentials locally or embed static secrets.
- Centralized secret retrieval occurs
  The agent authenticates to a PAM or enterprise secret management platform using its certificate-based identity. That system validates the agent and determines what credentials it is authorized to retrieve.
- Scoped, just-in-time credential use
  The agent receives only the specific credential required, often time-bound and tightly scoped. The secret is never permanently embedded in the workload and is governed by policy, logging, and audit controls.
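
The retrieval steps above, sketched as an added example (not code from this post, Keyfactor EJBCA, or Delinea Secret Server): a minimal in-memory broker that denies by default, scopes each lease to one secret, caps its lifetime, and records every decision. The identities, secret paths, `Broker` class, and the rule that a lease never outlives the agent's certificate are assumptions for illustration; the identity is assumed to have been verified upstream by mTLS.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed policy: verified workload identity (e.g. the URI SAN of its
# certificate) -> secrets it may lease, with the maximum lease time in seconds.
POLICY = {
    "spiffe://example.org/ns/agents/sa/code-agent": {"git/repo-a-deploy-token": 300},
    "spiffe://example.org/ns/agents/sa/hr-agent": {"hr/api-key": 120},
}

@dataclass
class Lease:
    identity: str
    secret_path: str
    token: str
    expires_at: float

@dataclass
class Broker:
    audit: list = field(default_factory=list)   # (time, identity, secret, decision)
    leases: dict = field(default_factory=dict)  # token -> Lease

    def request(self, identity, cert_not_after, secret_path, now=None):
        """Issue a scoped lease; identity is assumed already verified by mTLS."""
        now = time.time() if now is None else now
        max_ttl = POLICY.get(identity, {}).get(secret_path)
        if cert_not_after <= now:
            decision = "deny:certificate-expired"
        elif max_ttl is None:
            decision = "deny:not-in-policy"  # default deny: unknown agent or secret
        else:
            decision = "allow"
        self.audit.append((now, identity, secret_path, decision))  # log denials too
        if decision != "allow":
            return None
        # Assumption: a lease never outlives the certificate that authenticated it.
        expires_at = min(now + max_ttl, cert_not_after)
        lease = Lease(identity, secret_path, secrets.token_urlsafe(16), expires_at)
        self.leases[lease.token] = lease
        return lease

    def is_valid(self, token, secret_path, now=None):
        """A lease is good only for its own secret and only until it expires."""
        now = time.time() if now is None else now
        lease = self.leases.get(token)
        return bool(lease and lease.secret_path == secret_path and now < lease.expires_at)
```
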
A strong identity ensures every workload is verified. Privileged access controls ensure every action is governed. Together, they complete the zero-trust architecture, allowing organizations to confidently enable autonomous AI systems without sacrificing security posture.
From theory to practice: Keyfactor + Delinea
Keyfactor and Delinea have joined forces to showcase that securing agentic AI isn’t theoretical; it’s deployable today. This collaboration builds on proven technologies already in use by Fortune 500 companies.
Keyfactor EJBCA provides seamless identity certificate issuance for containerized workloads with Istio integration for automated mTLS enforcement.
The workload identity established through these certificates is then used by the AI service to securely request privileged credentials from Delinea Secret Server. Secret Server enforces policy-based access controls and provides tightly scoped credential retrieval through a controlled process.
The result is a secure, end-to-end model for agentic AI built on zero trust principles. A certificate serves as the core identity for the agentic AI, allowing the PAM to provide tightly scoped credential access while minimizing the risk of the AI being over-credentialed, with every step and interaction secure and auditable.
As AI agents become more autonomous—writing code, managing infrastructure, processing workflows—the need for strong identity and privileged access controls becomes non-negotiable.
Organizations don’t have to choose between innovation and security. By combining certificate-based workload identity from Keyfactor with privileged access management from Delinea, enterprises can enable agentic AI confidently and securely.
Agentic AI is here; now we must secure it.
For a deeper understanding of the challenges of securing AI, check out our AI Education page.