Advancing PQC Readiness and AI-Driven Certificate Management
Key Takeaways
- The fastest path through converging certificate pressures is a single platform that governs them together: the AppViewX Summer 2026 release extends certificate governance to agentic AI, scales lifecycle operations through policy, accelerates PKI modernization, and advances post-quantum readiness in one motion.
- A native Model Context Protocol (MCP) server gives AI agents governed, structured access to certificate inventory and metadata, establishing a policy-aligned foundation for AI-driven certificate lifecycle management.
- Policy-driven automation replaces per-certificate configuration, so renewal windows, validity periods, and triggers are defined once across certificate groups and CAs.
- A guided AD CS migration wizard compresses what once took months of planning into hours, with the option to introduce PQC-ready certificates in the same step.
- Business-context PQC discovery prioritizes cryptographic remediation by application criticality and ownership rather than technical severity alone.
The pressure on enterprise identity and security teams isn’t coming from one direction. It’s coming from every direction at once. Shortened certificate validity, legacy PKI modernization, post-quantum cryptography, and the rise of agentic AI are converging simultaneously. Each is significant on its own, but in practice they are interconnected: progress on one is held back by gaps in the others, and solving them as separate initiatives creates fragmentation rather than resilience.
The AppViewX Summer 2026 release meets that convergence head-on. Building on the operational foundations introduced in Spring 2026, this release extends certificate governance to agentic AI workflows, scales lifecycle operations through policy-driven automation, accelerates PKI modernization, and advances cryptographic readiness. These challenges can be solved independently, but not efficiently or at scale, which is why the AVX platform is built to manage them together.
Summer 2026 release highlights
The four capabilities below address distinct operational challenges, but they share a common design goal: keeping governance, visibility, and control intact as certificate operations accelerate. The table summarizes how each maps to a business outcome:
| Capability | What it does | Why it matters |
| --- | --- | --- |
| Native MCP Support | Exposes certificate inventory and metadata to AI agents through a standardized, governed interface | Extends the platform beyond human users without sacrificing policy enforcement |
| Policy-Driven Lifecycle Automation | Defines renewal, validity, and trigger policies across certificate groups and CAs | Scales lifecycle operations as renewal frequency climbs |
| Guided AD CS Migration | Auto-discovers Microsoft CA instances and recreates equivalent PKI structure in AppViewX PKI | Reduces a months-long migration to hours and folds in PQC readiness |
| Prioritized PQC Discovery | Scans for cryptographic exposure and enriches findings with CMDB business context | Lets teams fix the highest-risk assets first, not just the easiest |
Native MCP support for AI-driven certificate visibility
As AI agents move from analysis to action, they need governed access to the systems they operate within. That includes certificate lifecycle management. An agent provisioning a new service or responding to a security event cannot depend on a human manually executing certificate actions. The control model must evolve.
To meet the needs of agentic systems, the Summer release introduces a native Model Context Protocol (MCP) server for AppViewX CLM. The MCP server enables AI agents to interact directly and securely with the AVX platform. In this initial release, the MCP server delivers structured, governed access to certificate inventory and metadata. AI agents can retrieve detailed certificate information and query inventory based on key attributes such as expiration date, certificate authority, group, and status. This capability creates a real-time, programmatic interface for certificate visibility that AI systems can immediately act upon.
By standardizing how certificate data is exposed to AI agents and AI-driven workflows, this MCP-based integration lays the groundwork for extending certificate lifecycle operations. It establishes a controlled, policy-aligned path toward automation, preserving governance, visibility, and security as organizations adopt agentic and autonomous systems.
Key benefits
- Extend the AVX platform beyond human users, enabling AI agents and automation tools to consume certificate data securely.
- Enable real-time, AI-driven visibility into certificate inventory through a standardized, structured interface.
- Lay the foundation for future automation, supporting AI-powered certificate lifecycle operations while maintaining policy enforcement and control.
Policy-driven lifecycle automation
As certificate lifespans step down toward 47 days by 2029, the operational model for certificate lifecycle management must change. Manual certificate management does not scale when certificates need to be renewed and provisioned to applications and endpoints on an increasingly frequent basis. The model breaks down unless renewal is governed by policy rather than maintained through individual workflows.
The Summer release helps operationalize this shift. Instead of setting renewal windows, validity periods, and automation triggers for each certificate individually, administrators can define policies across certificate groups and CAs. In addition, the platform automatically synchronizes newly discovered certificates’ metadata with issuing CAs (DigiCert, Sectigo, GoDaddy), so administrators have the complete data needed for reliable lifecycle operations with single-pane-of-glass visibility.
Key benefits
- Maintain data consistency and enable single-pane-of-glass visibility within the AVX dashboard.
- Reduce manual effort for certificate lifecycle management.
- Scale lifecycle management across CAs without configuring each one separately.
Modernize and future-proof PKI with guided migration from Microsoft AD CS
Most enterprises running Microsoft AD CS know they need to modernize. The challenge is not awareness; it is risk, time, and resource constraints. Years of template customization, the brittle configurations that result, and the need to maintain continuity keep most organizations in a holding pattern.
The Summer release removes that barrier with a guided migration path. The new AD CS to AppViewX PKI migration wizard automatically discovers Microsoft CA instances, maps existing templates to equivalent AppViewX PKI configurations, and recreates the necessary PKI structure without manual rebuilds. What previously required months of planning and configuration can now be completed in minutes or hours.
| Migration Step | Traditional AD CS Rebuild | Guided AppViewX Migration |
| --- | --- | --- |
| Discover CA instances | Manual inventory | Automatic discovery |
| Map certificate templates | Hand-rebuilt, one by one | Auto-mapped to AppViewX PKI equivalents |
| Recreate PKI structure | Months of planning and configuration | Minutes to hours |
| Switch issuance | High-risk cutover | Bulk or selective, controlled |
| Introduce PQC | Separate future project | Optional in the same step |
This release also introduces an AI-powered CPS interpretation engine that reads plain-English certification policy documents and auto-generates enforceable PKI rules, eliminating the manual process of translating written policies into technical configurations and reducing the risk of misconfiguration.
Key benefits
- Reduce AD CS migration from months to hours with a guided, wizard-based approach.
- Combine modernization and post-quantum readiness in a single step.
- Eliminate misconfigurations and manual effort by auto-generating PKI policies from CPS documents using AI.
PQC Readiness through prioritized cryptographic discovery

Post-quantum cryptography readiness is no longer a theoretical exercise. NIST finalized its first post-quantum encryption standard in 2024, and its draft transition guidance (NIST IR 8547) points to quantum-vulnerable algorithms being deprecated after 2030 and disallowed after 2035. Organizations need more than an inventory of algorithms. They need to understand which cryptographic assets support critical business systems so they can prioritize what to fix first.
This release enables the shift from discovery to prioritization. Automated PQC scanning identifies cryptographic exposure across servers and applications, while integration with the CMDB enriches those findings with business context, including application ownership, function, and criticality. Security and PKI teams can prioritize PQC migration by business impact and ownership rather than technical severity alone, ensuring that high-risk assets supporting critical business applications are addressed first.
Policy controls extend that alignment further. Organizations can define PQC policies scoped to specific business applications. Critical systems like payments, healthcare, and regulated environments can be governed by stricter PQC policies, while lower-risk applications retain greater flexibility.
A new Tenable integration provides an additional discovery path, analyzing existing scan data to identify PQC-relevant cryptographic assets without deploying additional agents and keeping the cryptographic inventory current on the same schedule as existing scans.
To support safe, incremental progress toward post-quantum readiness, the AppViewX PKI solution enables the issuance of hybrid composite PQC certificates, combining classical and post-quantum algorithms in a single certificate. This allows organizations to begin their PQC migration without disrupting legacy applications, making the transition both practical and achievable.
Key benefits
- Prioritize PQC migration by business impact using CMDB-enriched discovery.
- Scope PQC policies based on the criticality of business applications and regulatory requirements.
- Demonstrate compliance readiness with reports that combine technical and business context.
- Maintain backward compatibility during PQC transition with hybrid composite certificates.
Understanding the 47-day timeline
The CA/Browser Forum’s phased reduction of public TLS certificate validity shaped much of this release. Knowing exactly when each threshold takes effect helps teams decide where to start with automation and what to prioritize first. The schedule set by Ballot SC-081v3, approved in April 2025, phases in as follows:
| Effective Date | Maximum Certificate Validity | Domain Validation (DCV) reuse |
| --- | --- | --- |
| March 15, 2026 | 200 days | 200 days |
| March 15, 2027 | 100 days | 100 days |
| March 15, 2029 | 47 days | 10 days |
Each step gives teams time to upgrade tooling and strengthen validation processes before renewal frequency sharply accelerates. The practical question for most organizations is not whether to automate but where to start, and the answer is usually the assets that renew most often and carry the most business risk. The AppViewX 47-day resources hub collects guidance for planning that transition.
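As an added example (not AppViewX code and not part of the release), the script below applies the schedule in the table to a certificate inventory, checking each certificate against the limit in force when it was issued and again against the limit in force when it expires. The hostnames and dates are constructed, and the 398-day limit before the first step is an assumption that does not appear on this page.

```python
from datetime import date, timedelta

# Steps from the table above (Ballot SC-081v3): effective date -> max validity in days.
SCHEDULE = [(date(2026, 3, 15), 200), (date(2027, 3, 15), 100), (date(2029, 3, 15), 47)]
PRE_SCHEDULE_MAX = 398  # assumption: limit before the first step; not stated on the page

def max_validity(issued: date) -> int:
    """Maximum validity (days) allowed for a certificate issued on `issued`."""
    limit = PRE_SCHEDULE_MAX
    for effective, days in SCHEDULE:
        if issued >= effective:
            limit = days
    return limit

def audit(name: str, not_before: date, not_after: date) -> dict:
    """Check one certificate against the limit at issuance and at its next renewal."""
    lifetime = (not_after - not_before).days  # whole-day approximation of validity
    at_issue = max_validity(not_before)
    at_renewal = max_validity(not_after)  # worst case: renewed on the expiry date
    return {
        "name": name,
        "lifetime_days": lifetime,
        "compliant_at_issuance": lifetime <= at_issue,
        "limit_at_renewal": at_renewal,
        # True when the current lifetime cannot be reused for the replacement cert.
        "must_shorten_on_renewal": lifetime > at_renewal,
        # Minimum issuances per year under the renewal-time limit (ceiling division).
        "renewals_per_year": -(-365 // at_renewal),
    }

# Constructed inventory (hypothetical names and dates, for illustration only).
INVENTORY = [
    ("api.example.test", date(2026, 3, 1), date(2026, 3, 1) + timedelta(days=398)),
    ("shop.example.test", date(2026, 6, 1), date(2026, 6, 1) + timedelta(days=200)),
    ("vpn.example.test", date(2027, 4, 1), date(2027, 4, 1) + timedelta(days=200)),
    ("pay.example.test", date(2029, 4, 1), date(2029, 4, 1) + timedelta(days=47)),
]

def run_audit() -> list:
    """Audit every certificate in the constructed inventory."""
    return [audit(*row) for row in INVENTORY]

if __name__ == "__main__":
    for result in run_audit():
        print(result)
```

The first entry shows why the renewal date matters as much as the issuance date: a certificate issued just before March 15, 2026 at the assumed 398-day lifetime expires after the 100-day step takes effect, so it never passes through the 200-day phase.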
A platform for convergence

Individually, each capability addresses a real challenge. Together, they establish a cohesive approach to managing enterprise security and machine and agent identities. Migration creates the modern PKI foundation. Policy automation scales operations on top of that foundation. Cryptographic discovery reveals what needs to change and where the business risk lies in a post-quantum world. And MCP integration ensures that governance keeps pace with how enterprise teams are actually operating AI workflows and agents.
The result is a platform designed for the future, where security, automation, and governance evolve together instead of in isolation.
The Summer 2026 Release is now available.
Find full release notes and resources on the Product Release Hub or contact your customer success team with any questions. You can also download the Summer Product Datasheet to learn more.
Frequently Asked Questions
How does the guided AD CS migration work?
The migration wizard discovers active Microsoft CA instances, maps their templates to equivalent AppViewX PKI configurations, and creates the CA and template infrastructure needed to begin issuing from AppViewX PKI. A separate step allows administrators to re-issue certificates from the AppViewX PKI CA while preserving the identity and usage constraints of the original, with the option to enable PQC algorithms during re-issuance. Both bulk and selective migration are supported.
How does this release support 47-day readiness?
The expanded Policy Engine supports automatic renewal, regeneration, and re-enrollment triggers that fire before a configurable expiration window. Organizations can operationalize 47-day certificate management through centralized policy rather than manual intervention.
What does the PQC discovery capability include?
Automated agentless scanning identifies cryptographic exposure across servers and application services. Scan results are enriched with business context from CMDB integration, including application ownership, criticality, and business function, enabling teams to prioritize PQC migration by business impact rather than technical severity alone.
What can the MCP server do in this release?
The initial MCP server release provides certificate visibility and query operations, enabling AI agents to retrieve certificate information and filter certificate inventories by expiry, CA, certificate group, and status. This establishes the foundation for expanded AI-driven certificate lifecycle operations in future releases.
Do these enhancements require new agents or re-architecture?
No. The Summer 2026 Release is designed to deepen platform capabilities without requiring new agents, significant infrastructure changes, or disruption to existing operations. PQC discovery is agentless, and the AD CS migration wizard works with existing AD CS environments without requiring changes to the source infrastructure.







