Mutual TLS (mTLS) negotiation protects against device impersonation before access is granted to the underlying services. A certificate is deployed to a node and used to prove the node's identity during the TLS handshake.
Chef-client supports mTLS, but it requires read access to a certificate on the node's filesystem. If that certificate is stolen, the node can be impersonated.
When using mTLS, chef-client should provide an option or configuration setting to access hardware credential store APIs, such as the Apple Secure Enclave and the YubiKey.