Your AI Agent Can't Hold a YubiKey. That's the Point.


The problem no one is talking about in their AI rollout

Your organisation has probably deployed, or is actively evaluating, AI agents. These are software systems that don't just answer questions but take actions. They book meetings, submit purchase orders, query databases, trigger workflows, and interact with APIs on your behalf. The productivity case is compelling. The security case is largely unexamined.

Here is the structural problem: an AI agent can act, but it cannot prove a human approved the action.

That distinction is about to become a NIS2 audit question.

What passkeys actually require and why agents can't satisfy it

Passkeys are built on the W3C WebAuthn standard. At the core of that standard is a requirement called user verification: before a private key can sign an authentication challenge, the legitimate device owner must provide explicit, real-time proof of presence. A biometric scan. A PIN. A hardware key touch.

This is not an inconvenient design quirk. It is the security property that makes passkeys phishing-resistant. The cryptographic ceremony only completes when a human is physically present and deliberately authorising a specific action at that moment.

An AI agent is software. It has no hands. It cannot satisfy a user gesture requirement. The WebAuthn specification is unambiguous on this point: autonomous software-based agents cannot use passkeys directly.

This means that as your organisation deploys agentic AI with access to sensitive systems, you are operating those agents outside the authentication framework you use for your human workforce.

Why this matters for NIS2-covered entities

NIS2 requires that organisations implement appropriate technical measures to manage cybersecurity risks, including access control and authentication controls for systems that handle significant data or critical operations. As AI agents take on more consequential tasks such as approving transactions, accessing privileged systems, and modifying records, the question of who authorised that action becomes a direct compliance question.

Agentic AI has overtaken stolen credentials as the top identity security concern for organisations. Nearly half of security professionals believe agentic AI will represent the leading attack vector for cybercriminals and nation-state threats before the end of 2026. If an agent's actions are not tied to a verified, auditable human authorisation event, you have an accountability gap that regulators will eventually reach.

The architecture that closes the gap

The practical solution is not to avoid AI agents. It is to build a human approval step into your agentic workflows at the right points, specifically before agents are granted access to systems or APIs where their actions are consequential or irreversible.

The framework works as follows:

  1. A human authenticates using a passkey, anchored by a hardware security key such as a YubiKey.
  2. That authenticated session issues a scoped, time-limited OAuth token to the AI agent.
  3. The agent operates within the permissions defined by that token and only those permissions.
  4. The YubiKey touch that initiated the session is the auditable human approval event.

The agent never touches the passkey. The agent never bypasses MFA. It operates under delegated, revocable, time-bounded authority with a clear human accountability record attached.

This is not theoretical. GitHub's CI/CD pipelines already operate on this model: human authenticates, agent receives scoped token, actions are bounded and auditable.

What the YubiKey does in this architecture

A software passkey stored on a device can be copied, synced across a cloud account, or compromised by malware with access to the secure enclave. A hardware security key cannot be copied. The private key never leaves the device. The physical touch requirement means that even if an attacker has full control of your workstation, they cannot complete an authentication ceremony without the physical key.

In an agentic AI context, this matters because the blast radius of a compromised agent credential is potentially enormous. An agent operating under a stolen or forged authorisation token could take hundreds of actions before detection. The hardware key makes the initial authorisation event genuinely unforgeable.

For NIS2-covered entities, this also provides a clean audit trail. Every agentic session is tied to a specific YubiKey touch event, with a timestamp, a device identifier, and a defined scope of permissions. That is exactly the kind of evidence an incident response or regulatory audit requires.
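As an added example (not Trust Panda's code and not part of any product described here), the following Python models the four-step framework above together with the audit record just described: it checks the WebAuthn assertion flags from the human's login, mints a scoped, time-limited, signed token bound to that approval event, and routes the agent's calls through a gateway that enforces scope, expiry and revocation while logging a timestamp, the credential identifier and the granted scope. All names, keys, scopes and byte strings are constructed for illustration; the token format is a stand-in for an OAuth access token, and the signing key would live in a secret store in a real deployment.

```python
"""Added example: human approval -> scoped agent token -> gateway + audit log.
All identifiers, keys and bytes below are constructed for illustration."""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-example-signing-key"  # assumption: HSM/secret store in production
RP_ID = "agents.example.test"                       # hypothetical relying party id

# WebAuthn authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4) | ...
FLAG_UP = 0x01  # user present (hardware key touch)
FLAG_UV = 0x04  # user verified (PIN or biometric)


def make_auth_data(flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticatorData blob for the hypothetical RP."""
    return hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def check_human_verification(auth_data: bytes, last_sign_count: int) -> bool:
    """Relying-party check: the login counts as a human approval event only if the
    authenticator reported presence AND verification for this RP and its counter moved."""
    if len(auth_data) < 37:
        return False
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False
    if (flags & (FLAG_UP | FLAG_UV)) != (FLAG_UP | FLAG_UV):
        return False
    return sign_count > last_sign_count


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_agent_token(event: dict, scopes: list, ttl_seconds: int, now: float) -> str:
    """Issue a scoped, time-limited token bound to the human approval event.
    The credential id doubles as the device identifier in the audit trail."""
    claims = {"sub": "agent:" + event["agent"], "approved_by": event["user"],
              "credential_id": event["credential_id"], "approval_event_id": event["event_id"],
              "scope": sorted(scopes), "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def verify_token(token: str, now: float) -> dict:
    """Check signature and expiry; raise PermissionError on any failure."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


class AgentGateway:
    """Every consequential agent call passes through here and is logged."""

    def __init__(self):
        self.revoked = set()   # approval_event_ids a human has revoked
        self.audit_log = []    # one record per decision

    def authorise(self, token: str, action: str, now: float) -> bool:
        record, decision = {"ts": int(now), "action": action}, "deny"
        try:
            claims = verify_token(token, now)
            record.update(approval_event_id=claims["approval_event_id"],
                          credential_id=claims["credential_id"], scope=claims["scope"])
            if claims["approval_event_id"] in self.revoked:
                record["reason"] = "revoked"
            elif action not in claims["scope"]:
                record["reason"] = "out of scope"
            else:
                decision = "allow"
        except PermissionError as exc:
            record["reason"] = str(exc)
        record["decision"] = decision
        self.audit_log.append(record)
        return decision == "allow"


def demo() -> dict:
    """Walk the four steps: human login, token issuance, bounded agent actions, audit."""
    now = 1_700_000_000.0
    human_ok = check_human_verification(make_auth_data(FLAG_UP | FLAG_UV, 42), last_sign_count=41)
    event = {"event_id": "evt-0001", "user": "alice@example.test",       # constructed values
             "credential_id": "yk-constructed-0001", "agent": "procurement-bot"}
    token = mint_agent_token(event, ["purchase_orders:read", "purchase_orders:create"], 900, now)
    gw = AgentGateway()
    results = {"human_verified": human_ok,
               "create_po": gw.authorise(token, "purchase_orders:create", now + 10),
               "delete_po": gw.authorise(token, "purchase_orders:delete", now + 10),
               "after_expiry": gw.authorise(token, "purchase_orders:create", now + 1000)}
    gw.revoked.add(event["event_id"])   # the human pulls the approval; the agent stops
    results["after_revocation"] = gw.authorise(token, "purchase_orders:create", now + 20)
    results["audit"] = gw.audit_log
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The gateway is the enforcement point: the agent never sees the passkey or the signing key, a token can only be minted after a verified human ceremony, and every allow or deny is written with the approval event id, credential identifier and scope, which is the evidence an audit would ask for.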

Which YubiKey is right for enterprise agentic workflows?

For most enterprise deployments, the YubiKey 5 Series is the right choice. It supports FIDO2/WebAuthn, PIV, OATH-TOTP, and OpenPGP, giving you flexibility across different systems and agent integration patterns. USB-A, USB-C, and NFC form factors are available to match your hardware estate.

For high-assurance environments or FIPS-regulated sectors, the YubiKey 5 FIPS Series meets the additional certification requirements you may need to demonstrate.

Trust Panda supplies YubiKeys across the EU with local stock, volume pricing, and deployment support. If you are designing an agentic AI security architecture and want to understand how hardware authentication fits into your specific environment, get in touch with our team.

Browse the YubiKey 5 Series or contact us to discuss enterprise requirements.
