Fireside Chat: PKI has carried digital trust through every tech advance—now comes the hardest one
2026-4-20 15:37:22 Author: securityboulevard.com

The post Fireside Chat: PKI has carried digital trust through every tech advance—now comes the hardest one appeared first on The Last Watchdog.

By Byron V. Acohido

Public key infrastructure — the authentication and encryption framework that has held digital commerce together through every chaotic leap forward in technology — is facing a double whammy.

Related: Achieving AI security won’t be easy

Autonomous AI agents are flooding enterprise networks, most without verified identities or any meaningful governance. What’s more, quantum computers are just around the corner — and when they arrive, current encryption becomes obsolete overnight.

I sat down with DigiCert CEO Amit Sinha at RSAC 2026 to discuss this. The identity management and encryption communities are not sitting on their hands. Here is what I learned that you should know.

PKI has been the quiet backbone of digital trust for 30 years. E-commerce needed it to authenticate strangers. The cloud and IoT needed it to manage machine identities at scale.

Each time the technology shifted, PKI scaled to meet the load — under strain, imperfectly, but it held. The question now is whether it can be extended fast enough to handle two simultaneous disruptions: autonomous AI agents spreading like wildfire through enterprises and a quantum threat that will require replacing the underlying encryption math entirely.

Sinha’s framing at RSAC was direct. “We are in a once-in-30-year upgrade cycle,” he told me.

Encouragingly, the security community is already moving on two fronts. The first has to do with a problem that has been building since generative AI made synthetic media cheap and easy to produce. Fake videos, fabricated audio, and AI-generated images are flooding the internet and enabling fraud at scale.

The industry’s answer is C2PA — the Coalition for Content Provenance and Authenticity — an open standard that cryptographically signs content at the moment of creation, embedding a verifiable record of origin and any subsequent changes directly into the file.

A trusted certificate authority vouches for authenticity, and anyone downstream can verify it. The standard is gaining real traction. Samsung built C2PA signing into the native camera app of the Galaxy S25, the first mass-market smartphone to carry it. Cloudflare has implemented it across roughly 20 percent of the web. DigiCert is a certified certificate authority under the standard.

The second front has to do with companies racing to deploy autonomous AI agents — software that does not just answer questions but takes actions, executes transactions, manages systems, and interacts with other agents, all without waiting for a human to confirm each step.

These AI agents have no verified identity. They operate on borrowed credentials or API tokens, with no reliable way to establish who — or what — is actually acting, on whose authority, and with access to what. Sinha explained how PKI can be extended to solve this the same way it solved machine identity in the cloud era.

Every agent, he says, should carry a “digital passport” — a cryptographic credential, issued through the same certificate infrastructure that authenticates websites and software; this would establish the agent’s identity, define what it is authorized to access, and allow it to be revoked instantly if need be.

Think of it the way Sinha does: when you arrive at an airport, your passport gets you into the secure area; your boarding pass governs exactly where you go from there. The standards to do this already exist — SPIFFE and SPIRE, adapted from cloud workload security — and DigiCert is extending its platform to issue and manage these credentials for AI agents at enterprise scale.

“As agents move from answering your questions to taking actions on your behalf, you need governance, you need auditability, you need the ability to revoke all those privileges — much like you would with any human,” he said.
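The passport model described above (identity, authorization, revocation) can be exercised end to end against a throwaway CA. The Ruby code below is an added example, not code from the article, DigiCert or the SPIFFE project: the agent's identity is carried as a single `spiffe://` URI in the certificate's subjectAltName, revocation is a CA-signed CRL, and the "boarding pass" is a policy table consulted after the certificate checks out. The names `issue`, `make_crl`, `verify` and `grants`, and the `example.org` trust domain, are assumptions made for the example.

```ruby
require "openssl"

# Constructed test PKI: no issuer => self-signed CA; with issuer => agent cert with a spiffe:// URI SAN.
def issue(serial, name, spiffe_id: nil, issuer: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.new([["CN", name]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  exts = { "basicConstraints" => "CA:TRUE", "keyUsage" => "keyCertSign,cRLSign" }
  exts = { "subjectAltName" => "URI:#{spiffe_id}", "keyUsage" => "digitalSignature" } if issuer
  exts.each { |oid, value| cert.add_extension(ef.create_extension(oid, value, true)) }
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Revocation: a CA-signed CRL listing the serial numbers of withdrawn passports.
def make_crl(ca, ca_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version, crl.issuer = 1, ca.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial, entry.time = serial, Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
end

# Relying-party gate: :ok or the refusal reason. `grants` (SPIFFE ID => actions) is a hypothetical policy table.
def verify(cert, ca, crl, grants, action)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  return store.error_string unless store.verify(cert)
  san = cert.extensions.find { |ext| ext.oid == "subjectAltName" }
  uris = (san ? san.value.split(", ") : []).grep(/\AURI:/).map { |v| v.delete_prefix("URI:") }
  return "certificate must carry exactly one spiffe:// URI" unless uris.size == 1 && uris[0].start_with?("spiffe://")
  grants.fetch(uris[0], []).include?(action) ? :ok : "#{action} not granted to #{uris[0]}"
end

ca, ca_key = issue(1, "Constructed Agent CA")
agent, = issue(2, "invoice-bot", spiffe_id: "spiffe://example.org/agent/invoice-bot", issuer: ca, issuer_key: ca_key)
puts verify(agent, ca, make_crl(ca, ca_key, [2]), {}, "read:invoices") # serial 2 is on the CRL, so this is refused
```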

Adoption, however, is in the earliest innings. DigiCert CTO Jason Sabin told CSO Online late last year that fewer than 5 percent of enterprises deploying autonomous agents have created verifiable identities for them. Sinha described what AI has done to the security industry’s clock as “time dilation” — what used to be a year’s worth of change now happens in weeks.

PKI has carried the load through every prior shift. Whether it can be extended fast enough for this one is the defining near-term question. I’ll keep watch, and keep reporting.

Listen to the full podcast for Sinha’s complete breakdown.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Editor’s note: I used Claude and ChatGPT to assist with research compilation, source discovery, and early draft structuring. All interviews, analysis, fact-checking, and final writing are my own. I remain responsible for every claim and conclusion.)

April 20th, 2026

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/fireside-chat-pki-has-carried-digital-trust-through-every-tech-advance-now-comes-the-hardest-one/


Article source: https://securityboulevard.com/2026/04/fireside-chat-pki-has-carried-digital-trust-through-every-tech-advance-now-comes-the-hardest-one/