WRITTEN BY:

Tom Eggleston (CEO)

Categories: Blog, IGA

The identity landscape has always evolved, but right now, we’re at one of the most significant turning points I’ve seen in over two decades of working in this space.

When you think about the scale of today’s digital transformation — the rise of bots, connected devices, AI agents, and cloud workloads — it’s clear that machine identities now outnumber human ones. That’s a big shift. And it requires a rethink of how we treat them: not as something separate, but as identities just like any other, governed with the same techniques, rigour and lifecycle discipline we apply to human access.

The real challenge is scale — there are vastly more machine identities than human ones, and many of them are invisible without intentional discovery.

Recently, I had the pleasure of hosting a webinar with Kevin Bocek, SVP of Innovation at CyberArk, and Paul Heaney, ProofID CTO/CISO, where we unpacked what this means for organizations preparing for the next phase of identity security. You can now watch the full session on demand: From Certificates to AI Agents: Building Resilience in the Machine Identity Age.

Here are some of my reflections and key takeaways from that discussion.

The 47-Day Countdown Has Begun

If you work in security or IT operations, you’ll already be hearing about the “47-day rule”. From 2026, technology giants including Google, Apple and Microsoft will begin enforcing shorter TLS certificate lifespans — moving to a 47-day maximum by 2029.

That change means a twelvefold increase in the workload required to manage certificates across your organization. For most businesses, it’s simply not feasible to continue doing this manually.

As Kevin pointed out during the webinar, every certificate is a type of machine identity — authenticating systems to each other in the same way usernames and passwords authenticate people. When one expires, things break. And when things break, it costs money, productivity, and reputation.

Across ProofID’s managed service base, we’ve seen up to 40% of P1 and P2 outages traced back to certificate expiry. That’s an astonishing statistic — and one that highlights how much risk is quietly sitting in our machine identity infrastructure today.

You Can’t Protect What You Can’t See

The first step to managing any identity — human or machine — is visibility.

In most organizations, teams think they have a few hundred or a few thousand certificates. In reality, it’s often ten times more.

Every digital service, microservice, or API uses certificates to establish trust. As we move toward cloud-native architectures, that number is only going up.

This is where discovery becomes essential. You can’t govern what you don’t know exists. The organizations that will succeed in the machine identity age are those that can continuously discover, register and monitor every certificate and key across their environment — whether that’s on-prem, in the cloud, or somewhere in between.

Discovery Is Just the Start — Governance and Automation Are Next

Discovery gives you the visibility. But governance and automation give you control.

Paul framed this well in our conversation: manual management might have worked when renewals happened once a year, but it’s not sustainable when certificates expire every few weeks.

Automation ensures that renewals happen seamlessly, without downtime or human intervention. But governance — knowing which certificates belong to which systems, who owns them, and whether they meet security policy — is what keeps automation aligned with risk management.

At ProofID, we call this the “see it, fix it” approach:

  • See it – discover all your certificates and keys, map ownership and expiry.
  • Fix it – automate renewals, enforce policy, and monitor continuously.

When these disciplines come together, organizations can achieve genuine resilience rather than constantly firefighting outages.
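To make "see it, fix it" concrete, here is a small triage pass over a discovered certificate inventory. It is an added illustration, not ProofID or CyberArk tooling; the inventory records, finding names and the two-thirds renewal threshold are assumptions, while the 47-day ceiling comes from the rule discussed above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=47)  # policy ceiling from the 47-day rule
RENEW_FRACTION = 2 / 3             # assumption: renew once 2/3 of the lifetime has elapsed

@dataclass
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime
    owner: str = ""                # team accountable for the certificate
    auto_renew: bool = False

def triage(cert, now):
    """Return the governance findings for one discovered certificate."""
    findings = []
    lifetime = cert.not_after - cert.not_before
    if now >= cert.not_after:
        findings.append("EXPIRED")
    elif now >= cert.not_before + lifetime * RENEW_FRACTION:
        findings.append("RENEW_DUE")
    if lifetime > MAX_LIFETIME:
        findings.append("LIFETIME_EXCEEDS_POLICY")
    if not cert.owner:
        findings.append("NO_OWNER")
    if not cert.auto_renew:
        findings.append("MANUAL_RENEWAL")
    return findings

def report(inventory, now):
    """Map subject -> findings, keeping only certificates that need action."""
    results = {c.subject: triage(c, now) for c in inventory}
    return {subject: f for subject, f in results.items() if f}

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory (hypothetical hosts and owners).
NOW = day(2029, 6, 1)
INVENTORY = [
    Cert("api.example.internal", day(2029, 5, 20), day(2029, 7, 6), "platform", True),
    Cert("legacy-vpn.example.internal", day(2028, 9, 1), day(2029, 10, 4)),
    Cert("batch.example.internal", day(2029, 4, 10), day(2029, 5, 27), "data-eng", True),
]

if __name__ == "__main__":
    for subject, findings in report(INVENTORY, NOW).items():
        print(f"{subject}: {', '.join(findings)}")
```

The healthy, owned, auto-renewed certificate drops out of the report; the unowned long-lived one accumulates every governance finding, which is the kind of record discovery tends to surface first.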

AI Agents and Machine Access Are the Next Frontier

While certificates are the headline challenge today, they’re only part of the picture.

The next big identity wave is the rise of AI agents and autonomous systems acting on behalf of humans and organizations. These digital entities are already making recommendations, executing tasks, and exchanging data — all of which require secure authentication and authorization.

And it’s worth making the terminology clear: “machine identity” and “non-human identity” mean exactly the same thing.

They both refer to identities used by systems, services, workloads, bots, keys, tokens, and AI agents — not people.

Because of that, they should be governed in exactly the same way we govern human identities: through strong lifecycle management, policy, authorization, ownership and continuous validation.

The shift in mindset is simply recognizing that these identities are not special cases — they’re just another type of identity that needs the same oversight.

The difficulty is volume and visibility: there will be exponentially more machine identities than humans, and many of them may be hidden deep within infrastructure unless properly discovered and onboarded to governance structures.

Start Small, but Start Now

For many organizations, this can feel overwhelming — a “tsunami” of change. But it doesn’t have to be.

The key is to start with discovery. Understand what certificates and keys you have today. That data will guide your strategy for automation and governance.

At ProofID, we’re helping customers take that first step with a FREE certificate scan — scanning environments, surfacing the scale of the challenge, and building a roadmap to automate and secure certificate management in partnership with CyberArk.

This isn’t about doing everything at once. It’s about moving forward with a manageable, structured approach that delivers measurable improvements in resilience, uptime, and security posture.

Final Thought

As identity professionals, we’ve mastered human access. Now, the challenge — and opportunity — lies in mastering non-human access.

Machine identities are the new perimeter. Whether you’re running a bank, a university, or a global retailer, your ability to discover, govern, and automate these identities will define your organization’s digital resilience for the next decade.

If you haven’t already, I’d encourage you to watch the full on-demand webinar to hear more from our discussion with CyberArk — and to see how you can take your first step toward automated, governed machine identity management.

At ProofID, we’re here to help you take that next step — with the experience, technology partnerships, and end-to-end services to make it achievable.

About the Author

Tom Eggleston is CEO of ProofID, a global leader in identity security services, and a long-standing partner of Ping Identity, SailPoint, and CyberArk. He’s passionate about helping organizations build secure, scalable identity programs that deliver measurable value.
