The Certificate Arrives Before the AI Rulebook
AI Governance Henry Quentir AI Governance Henry Quentir

The Certificate Arrives Before the AI Rulebook

Identity is becoming infrastructure

At a border checkpoint, identity and permission are separate decisions. A passport names the traveler; another authority decides whether that person may enter. AI agents are approaching the same institutional split. HID Global’s 2026 survey of 300 IT and security leaders in the United States and Europe found that 16% of respondents already use certificates for AI agents, while 34% ranked agent certificates among the three leading PKI trends. That makes AI agent identity an operational layer while legal systems are still working out how existing attribution rules apply to autonomous action and what machine credentials prove.

The weak point is revocation

A certificate can bind a cryptographic key to an identity. It does not define which payment, database, model or patient record the holder may touch. NIST’s zero-trust architecture treats authentication and authorization as distinct controls, and the distinction matters most when an agent changes role, is compromised or exceeds its mandate. HID’s survey found that certificate renewal is much more automated than discovery or revocation. The practical kill switch therefore depends on the least mature part of many certificate estates.

Two migrations meet in one control plane

Public certificate lifetimes are shrinking as major infrastructure providers also accelerate post-quantum migration. The same systems will have to issue short-lived credentials at machine speed and replace the cryptography beneath them. Post-quantum identity governance now connects cybersecurity, AI accountability, procurement and contract attribution. The certificate is becoming part of the answer to who acted, under whose authority, and with which technical protection.

Read More