The Security Layer and the AI Layer Are Becoming the Same Thing. Nobody Is Ready for That.
The Security Layer and the AI Layer Are Becoming the Same Thing. Nobody Is Ready for That.
When an AI agent can issue, revoke, and replace TLS certificates, you have built something more significant than a certificate management tool. You have given machines an identity — and the world has not figured out what happens when that identity gets compromised.
On June 2, Sectigo announced general availability of what it calls the industry's first production-ready, globally available MCP Server for Certificate Lifecycle Management. The product lets AI agents like Claude or Microsoft Copilot manage SSL/TLS certificates — issuing, revoking, renewing, replacing them — through a natural-language interface backed by Sectigo Certificate Manager. The press release frames this as an efficiency story: enterprises are drowning in certificate renewal work as TLS validity periods shrink, and AI can help.
That is accurate. It is also a significant undersell.
The real story is what this product category implies about the emerging architecture of AI-run infrastructure. When a certificate authority builds a standardized interface that lets autonomous agents issue and revoke digital certificates, it has done something more consequential than automating a tedious IT task. It has made AI systems into first-class principals in the PKI ecosystem — entities that hold credentials, make trust decisions, and operate on systems that humans no longer touch in real time.
We have not figured out what happens when those credentials need to be revoked.
The operational pressure is real
The immediate context for this launch is not hypothetical. The CA/Browser Forum has been compressing TLS certificate validity periods as part of a multi-year push to reduce the window of harm from compromised or misissued certificates. Under the current roadmap, validity periods are trending toward 47 days. CyberArk estimates this creates an eightfold increase in certificate renewal workloads for enterprises already managing thousands of certificates across hybrid and multi-cloud environments.
The financial exposure is not abstract. Certificate expiration outages — where an expired certificate takes down a production service — cost enterprises up to $5 million per incident, according to research by Red Sift, and typically take hours to resolve. As validity periods shrink and certificate volumes grow, the operational math gets worse. Manual renewal processes that worked when certificates lasted two years do not survive at 47-day cycles.
This is the problem Sectigo is solving. The MCP Server lets AI agents handle the operational execution — the issuance, the renewal, the revocation of a compromised certificate — without a human in the loop for every action. The governance layer, meaning SCM's role-based access controls, approval workflows, and audit logs, remains intact. Agents do not bypass corporate policy; they execute within it.
The competitive window
Sectigo is not the only company thinking about this problem. Keyfactor, a competing PKI and certificate lifecycle management vendor, announced a Command MCP Server integration in June 2025 — eleven months before Sectigo's announcement. But Keyfactor's own press release described its integration as "in early development" and "not intended for production use." It was a prototype, positioned as a demonstration of where the product was heading.
Sectigo's GA announcement is meaningfully different. It is production-ready, globally available, and — critically — read-write capable. The distinction matters because most MCP servers for enterprise systems in the current ecosystem are read-only. They let agents query status, not act on it. A read-write certificate management MCP server is a different class of tool: one that can actually replace a human operator in the certificate lifecycle workflow, not just report on what a human operator would see.
The Digital Applied MCP Ecosystem Tracker, published May 25, 2026, notes that the broader MCP ecosystem shifted structurally that month with the introduction of MCP tunnels — an outbound-only encrypted connection model that removes a key enterprise deployment blocker — and self-hosted sandboxes from Cloudflare, Daytona, Modal, and Vercel. The tracker catalogs 56 production-ready or vendor-backed MCP servers across ten categories. Sectigo's claim of first GA, read-write MCP server for certificate lifecycle management is plausible in this context: Keyfactor's prototype predates the structural ecosystem changes that make enterprise production deployment viable, and Venafi — the market leader in enterprise certificate management, now owned by CyberArk — has not announced an equivalent GA product.
The governance question that nobody is asking
Here is what the Sectigo press release does not address: what happens when the AI agent holding a certificate behaves badly, is compromised, or needs to be shut down?
Certificate revocation — the process of invalidating a certificate before its natural expiry — is a solved problem for human operators. There are established workflows, protocols (CRL, OCSP), and institutional processes for deciding when a certificate should be revoked and executing that revocation. When an AI agent is the certificate holder, not just the manager of certificates issued to other entities, the revocation question becomes more complex.
Who revokes the agent's certificate? On what authority? Under what governance framework? If an AI agent is issued a client certificate for mutual TLS authentication — the mechanism by which an agent proves its identity to backend systems — and that agent is later found to have acted improperly or been compromised, the revocation process is not clearly defined in most enterprise environments. There is no established standard for AI agent certificate revocation, no widely adopted best practice, and no clear liability framework for what happens when the revocation fails or is delayed.
This is not a theoretical concern. As AI agents take on more operational roles in enterprise infrastructure — managing certificates, yes, but also accessing databases, executing code, provisioning resources — the question of what happens when those agents need to be disconnected becomes urgent. The PKI ecosystem was designed for human principals. It has not yet been systematically redesigned for autonomous software principals.
Sectigo's product acknowledges this gap implicitly by positioning governance preservation as a feature: the MCP Server does not bypass existing SCM workflows, it executes within them. That is the right engineering answer. It sidesteps the harder question, which is whether existing SCM workflows are actually equipped to govern autonomous AI principals, or whether they were designed for a world where the operator was always human.
What this means for enterprise AI deployment
For organizations building agentic AI systems — systems that are supposed to operate autonomously in production environments, not just assist humans in reasoning tasks — the certificate problem is a proxy for a larger infrastructure gap. AI agents that cannot manage their own credentials cannot be truly autonomous in the sense that infrastructure teams need. They can analyze, recommend, and assist. They cannot act, at least not without humans retaining custody of every action that touches a trust boundary.
MCP, the Model Context Protocol, is the infrastructure layer that is supposed to solve this. Anthropic donated MCP to the Linux Foundation under the Agentic AI Foundation in December 2025, creating a multi-stakeholder governance structure for the protocol. Sectigo's MCP Server is one of the first production-grade integrations of that protocol into enterprise infrastructure. The MCP ecosystem now spans more than 15,900 indexed servers across major registries, but most are read-only or community-grade. Enterprise production deployment of write-capable MCP servers is a 2026 phenomenon.
That means the governance frameworks — the standards for how autonomous agents should be issued, scoped, and revoked within enterprise PKI — are lagging the technology by months, at minimum. Sectigo has shipped the tool. The rules for using it responsibly have not been written yet.
The liability question
When a certificate expires because a human forgot to renew it, the liability is clear: the organization that failed to renew bears responsibility for the outage. When a certificate expires or is misused because an AI agent failed to renew it, or renewed it incorrectly, or issued a certificate it should not have — the liability chain is not defined.
No major CA, enterprise security vendor, or standards body has published a framework addressing liability allocation for AI-managed certificate failures. This is not unique to certificates; it is a general feature of early agentic AI deployment. But certificates are a particularly high-stakes domain because the failure mode — expired certificates, unauthorized certificates, certificate-based authentication failures — can be catastrophic and immediate. There is no graceful degradation when a critical certificate expires.
Sectigo's MCP Server is a genuine product innovation. It solves a real operational problem that enterprises are facing right now, in a production-ready way that competitors have not matched. It is also an early example of a category of product that will become common: infrastructure tools that give AI agents real operational authority over trust-critical systems, in advance of the governance frameworks that should constrain that authority.
That gap — between what autonomous agents can now do to digital trust infrastructure and what we have agreed they should be allowed to do, and who is on the hook when something goes wrong — is the story. The press release calls it an efficiency play. It is that. It is also an inadvertent argument that we need to start building the revocation rules before we hand machines the certificates.
Sources: Sectigo press release (June 2, 2026); Sectigo blog (Emily Cao, June 1, 2026); Keyfactor press release (June 11, 2025); Digital Applied MCP Ecosystem Tracker (May 25, 2026); CyberArk TLS validity analysis; Red Sift certificate outage cost research.