Deferred functions are agent-based rather than master-based. This allows users to leverage Vault in more ways. Instead of being locked into a more basic Hiera hierarchy, operators can use any authentication method available on the agent side, including leveraging the existing certificate authority (CA) from the Puppet master with the Vault certificate backend.