
2025: The Year of Machine Identity Security

As we enter the new year, I can’t help but look back on 2024, which was rife with emerging technologies disrupting digital transformation as we know it. What with AI delivering significant productivity gains, quantum developments arising more frequently, cloud native development taking off and yet another proposal to reduce TLS certificate lifespans, there was certainly no shortage of technology news and announcements. And our adversaries of all types, from nation states to organized cyber gangs, took notice, making cyberattacks a core business risk for every business—not just IT teams.

Foundational to protecting ourselves is identity, and in a world fueled by AI, ML and cloud computing, machine identity is the next frontier for cyber. It’s also a Gartner top cyber trend for 2025, which further underscores the need for machine identity security to emerge as its own defined category, rather than being lumped into broader identity programs.

If there’s anything we’ve learned from 2024, it’s that the volume, variety and velocity of machine identities are increasing, with these entities—such as TLS certificates, SSH keys and code signing credentials—set to outnumber humans by 100 to 1 soon. Attackers are laser-focused on machine identities, as we saw in the recent US Treasury breach, which stemmed from a stolen API key.

To fortify the enterprise, it’s imperative that security leaders move beyond simply managing machine identities to securing them. But what technologies, specifically, are driving this change?

Here are the four key areas I predict will drive this shift and make 2025 the year of machine identity security.

The promises and perils of artificial intelligence

You can’t throw a rock without hitting a dozen headlines about AI, and already in 2025, we’re seeing scores of news from the heavy hitters. OpenAI CEO Sam Altman, for example, recently stated the company may already know how to create artificial general intelligence (AGI), which can perform any task a human can. We can expect the overwhelming amount of AI news to continue in 2025, and as it does, enterprises will continue to evaluate how best to bolster their efficiency while mitigating risk.

For instance, development teams have adopted GenAI with gusto, using it to generate code for the applications we all use daily. However, to sustain this newfound level of production, consistent code checks may get pushed aside, and I predict we will see some companies get overly confident in AI’s capabilities, not to mention grow complacent in how AI-generated code is used. This can lead to vulnerable and even malicious code finding its way into production through AI data poisoning attacks, jailbreaking large language models and more.

This level of risk will likely compound in 2025, too, as teams begin to rely on AI agents to autonomously fulfill their own task loads as digital coworkers.

Even without agentic AI in the equation, 78% of security leaders still believe AI-developed code will lead to a security reckoning, making it a requirement that every AI agent has a unique identity. We can’t have AI agents impersonating humans like we’ve done with primitive RPA bots.

This puts machine identity security—specifically code signing and workload identity—front and center as the required capability for AI agents to authenticate code, apps and workloads.

The rise of cloud native development and related security incidents

As companies turn to cloud native infrastructure to develop apps and services, they’ve awakened a sleeping dragon. Attackers are now actively exploring cloud native infrastructure: 86% of organizations reported at least one security incident related to their cloud native environment in 2024, and the most common incidents were attributed to service accounts, certificates and secrets. These incidents ultimately led to service outages or disruptions, along with attackers gaining unauthorized access to data, networks and systems.

What’s more, security leaders believe that access tokens and their connected service accounts are the next big target for attackers, and nearly 56% reported an incident related to machine identities using service accounts last year.

Cloud native machine identity complexity is only set to grow as teams uncover new challenges in protecting workloads and maintaining secure access. Nevertheless, security teams understand the importance of doing so, with 83% recognizing that failing to secure machine identities at the workload level renders all other security obsolete.

Although attackers are setting their sights on these increasingly complicated environments, the good news is that solutions for secrets management, certificate lifecycle management and cloud native security are available today, and they can help businesses ensure operational stability and growth. Ultimately, the rule for success is that every workload must have a unique and secure machine identity to authenticate and be authorized for access. Without them, we’re bound to see more application outages and service disruptions, as well as security incidents.

The coming tsunami of short-lived TLS certificates… and business outages

In March 2023, Google announced its intention to reduce the maximum TLS validity period to 90 days, decreasing it from the current 398-day standard. In 2024, however, Apple took things up a notch and proposed a draft ballot to shorten certificates to just 47 days by 2028. The jury’s still out on who’s set to make the next move, but we’ve seen this before: Apple set the 398-day precedent, and the rest of the industry had to scramble to keep up.

Ultimately, this means that security teams need to prepare now, or they may face an onslaught of certificate expirations and outages brought on by the new mandate, and that tidal wave cannot possibly be managed without automation. We’re talking about a 9-10x increase in certificate renewals, and if even one certificate isn’t managed and secured, teams will face disruption, outages and security incidents.

Application owners, platform teams and network operations will be looking to security teams for help. And unfortunately, when certificates expire, it’s the CISO and their team who most often get the blame. That means businesses need to adopt complete, 24/7 visibility of their certificate inventory, intelligence to know what’s at risk, and automation to reduce errors and secure the certificate management process. But this is easier said than done: 83% of organizations have been hit with certificate-related outages in the last 12 months, and 77% think more outages are inevitable with shorter certificate lifespans.

However, with an automated machine identity security program, companies will emerge with a stronger, more resilient foundation, washing away their risk for certificate-related outages while future-proofing their business.

Quantum computers edge closer to cryptographic relevance

2024 was a year filled with quantum developments. We saw NIST finalize its first set of standards for post-quantum cryptography (PQC), as well as publish a recommended migration timeline for enterprises to begin shifting to quantum-resistant protocols—including an estimated deprecation date of 2030 for RSA encryption, which is susceptible to being broken by cryptographically relevant quantum computers.

Additionally, research teams in both the United States and China made significant strides. Google released Willow, its new quantum chip, which it says can solve in minutes problems that would take today’s most powerful supercomputers septillions of years. In Shanghai, meanwhile, teams successfully cracked encryption on a small, 22-bit scale.

These updates don’t just have the potential to speed up the quantum timeline. They also highlight the importance for companies to start thinking about their post-quantum readiness strategies. Already, hackers are leveraging “store now, decrypt later” attacks to steal long-lived encrypted data—such as pharmaceutical plans, financial account information or energy company blueprints—with plans to decrypt it later, when quantum computers are strong enough to do so.

How can teams prepare for that post-quantum world? It all hinges on comprehensive machine identity security. Like with readying your enterprise for shorter certificate lifespans, you need to establish visibility and automation, as well as crypto-agility, which lets you swap out certificates and other machine identity assets that contain quantum-vulnerable cryptographic material.

All this together is why I predict quantum readiness will become the hottest cybersecurity topic in 2025 board meetings. CISOs and CIOs are already being peppered with questions about strategies, with 67% saying the shift to PQC will be a nightmare because they lack the foundational knowledge of where their keys and certificates are used. Nonetheless, it’s crucial that this journey starts now. Encryption shifts take a lot of time and can cause significant operational disruption, especially in larger organizations using hundreds of thousands or even millions of machine identities.
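The certificate-lifespan and quantum-readiness sections above both come down to the same thing: knowing what is in your certificate inventory and what is at risk. Here is an added example (not the author's code or any vendor's product) that runs that triage over a small, constructed inventory: it computes the renewal volume under 398-, 90- and 47-day lifespans, lists the certificates nearest expiry, and flags the quantum-vulnerable keys a crypto-agile program must be able to replace. Hostnames, dates and the RSA/ECDSA classification are assumptions made for the example.

```python
"""Certificate-inventory triage (added example, not from the article or any vendor).

Takes a constructed, inline inventory of TLS certificates and reports:
  * renewals per year the fleet needs under 398-, 90- and 47-day lifespans,
  * which certificates expire within a warning window (the "what's at risk" view),
  * which certificates carry quantum-vulnerable keys (RSA / ECDSA) and so need a
    crypto-agile swap path before the 2030 RSA deprecation the article cites.
"""
from datetime import date, timedelta
from math import ceil

# Constructed sample inventory (host, key algorithm, notAfter); hypothetical values.
INVENTORY = [
    ("api.example.test", "RSA-2048", date(2025, 2, 10)),
    ("www.example.test", "ECDSA-P256", date(2025, 9, 30)),
    ("mq.internal.test", "RSA-4096", date(2025, 1, 20)),
    ("ci.internal.test", "ML-DSA-65", date(2026, 6, 1)),
]
REPORT_DATE = date(2025, 1, 15)  # constructed "today" so the report is reproducible
# Assumption for this example: RSA and ECDSA keys are the quantum-vulnerable ones.
QUANTUM_VULNERABLE_PREFIXES = ("RSA", "ECDSA")

def renewals_per_year(cert_count, lifespan_days, renew_before_days=0):
    """Renewals the fleet needs per year when each certificate is reissued
    renew_before_days ahead of expiry (effective lifespan shrinks accordingly)."""
    effective = lifespan_days - renew_before_days
    if effective <= 0:
        raise ValueError("renewal lead time must be shorter than the lifespan")
    return cert_count * ceil(365 / effective)

def expiring_within(inventory, today, window_days):
    """Hosts whose certificate expires within window_days, soonest first.
    Already-expired certificates are included: they need attention most."""
    cutoff = today + timedelta(days=window_days)
    at_risk = [(exp, host) for host, _, exp in inventory if exp <= cutoff]
    return [host for exp, host in sorted(at_risk)]

def quantum_vulnerable(inventory):
    """Hosts whose key algorithm is on the quantum-vulnerable list."""
    return [host for host, algo, _ in inventory
            if algo.upper().startswith(QUANTUM_VULNERABLE_PREFIXES)]

if __name__ == "__main__":
    for lifespan in (398, 90, 47):
        n = renewals_per_year(len(INVENTORY), lifespan, renew_before_days=7)
        print(f"{lifespan:>3}-day lifespan: {n} renewals/year for {len(INVENTORY)} certs")
    print("Expiring within 30 days:", expiring_within(INVENTORY, REPORT_DATE, 30))
    print("Quantum-vulnerable keys:", quantum_vulnerable(INVENTORY))
```

Pointing the three functions at a real inventory export (instead of the constructed list) gives the visibility, at-risk and crypto-agility views the article calls for in one pass.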

The most forward-thinking companies will adopt machine identity security in 2025

Given the array of identity-related challenges enterprises are set to face this year—and beyond—we can expect dedicated machine identity security programs to arise as a leading line of defense for the most forward-thinking organizations. From there, we’ll no doubt see more companies follow suit to get ahead, and stay ahead, of the challenges of today and tomorrow.

Those that don’t? They’re more likely to witness daily outages and security incidents as the machine identity landscape becomes even more turbulent.
