Public Key Infrastructure is the trust system that issues, manages, and revokes digital certificates used to prove identity. In practice it binds keys to entities and policies, making authentication, encryption, and non-repudiation possible across users, devices, and services.
Expanded Definition
Public Key Infrastructure, or PKI, is the operating trust model that lets an organisation issue, validate, and revoke certificates so keys can be tied to specific entities under defined policy. In NHI security, that entity may be a user, workload, device, service account, or AI agent. PKI is not just about encryption. It also supports authentication, integrity, and proof of origin when certificates are managed correctly. NIST's Cybersecurity Framework 2.0 treats identity and access as core governance concerns, and PKI is often the mechanism that makes those controls enforceable across distributed systems.
Definitions vary across vendors when PKI is extended into machine identity, but the practical distinction is clear: PKI governs trust in certificates, while secrets managers govern storage and rotation of shared credentials. PKI is strongest when certificate lifecycle controls, revocation checking, and issuance policy are consistently enforced. It becomes weaker when certificates are treated as static plumbing rather than governed identities. The most common misapplication is treating PKI as a one-time setup for TLS, which occurs when teams issue certificates without ongoing inventory, revocation, or ownership tracking.
Examples and Use Cases
Implementing PKI rigorously often introduces operational overhead, requiring organisations to weigh strong identity assurance against certificate lifecycle complexity and renewal burden.
- Workload authentication in a service mesh, where short-lived certificates let services prove identity without embedding long-lived secrets.
- Device trust for laptops, servers, and edge nodes, where certificates establish that only enrolled assets can connect to internal systems.
- Service account identity in automation pipelines, where certificate-based trust reduces reliance on shared API keys and hard-coded credentials.
- Agent access control for autonomous systems, where certificates can bind an AI agent or orchestration service to a limited, auditable policy boundary.
- Revocation after compromise, where a certificate must be invalidated quickly to prevent continued impersonation by a stolen private key.
For non-human identity programs, PKI becomes especially relevant when teams move away from static credentials and toward cryptographic identity. That shift is documented in the Ultimate Guide to NHIs, which shows how poor lifecycle controls lead to excessive privilege and stale trust. For broader identity architecture context, the NIST Cybersecurity Framework 2.0 reinforces the need for governance, monitoring, and recovery around identity systems.
Why It Matters in NHI Security
PKI matters because machine trust breaks quietly and at scale. When certificate issuance is unmanaged, organisations can lose visibility into which workloads, agents, and integrations are authenticated, and they may continue to trust expired, duplicated, or unrevoked identities. That risk is amplified in NHI environments, where the attack surface already expands beyond human users. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, and 97% of NHIs carry excessive privileges in practice, creating ideal conditions for certificate-backed misuse when ownership is unclear. The Ultimate Guide to NHIs also reports that 79% of organisations have experienced secrets leaks, underscoring how often trust material is exposed outside proper controls.
PKI also becomes central to Zero Trust Architecture because certificate validation can provide strong, continuous identity signals, but only if revocation, rotation, and policy enforcement are real. Without that, certificates become long-lived badges that outlast their intended scope. Organisations typically discover the operational importance of PKI only after a workload impersonation, a certificate expiry outage, or a stolen private key exposes a service path; at that point certificate governance can no longer be deferred.
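The validate-then-deny rule described above, as an added example that is not part of the original page: a relying party in Go (standard library only) that checks a workload certificate's chain and validity window, then requires a CA-signed, fresh CRL and fails closed when revocation data is missing, stale, or signed by the wrong CA. The lab CA, the one-hour "payments-worker" certificate, the issuance time and the serial numbers are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// verifyWorkload: chain and validity window first, then a CA-signed, fresh CRL; "" admits, otherwise the denial reason.
func verifyWorkload(leaf, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) string {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "chain: " + err.Error() // expired, not yet valid, unknown issuer or wrong usage
	}
	if crl == nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return "revocation: CRL missing, unsigned or stale" // fail closed: no fresh CRL, no trust
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return ""
}
// lab builds constructed material: a CA, a one-hour cert (serial 2) for a hypothetical "payments-worker", and a 30-minute CRL listing revokedSerial.
func lab(revokedSerial int64) (leaf, ca *x509.Certificate, crl *x509.RevocationList, issued time.Time) {
	issued = time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed issuance time
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	wlPub, _, _ := ed25519.GenerateKey(rand.Reader) // the workload keeps its private half; only the public key is certified
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "lab-ca"},
		NotBefore: issued, NotAfter: issued.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey) // self-signed root
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "payments-worker"},
		NotBefore: issued, NotAfter: issued.Add(time.Hour), // short-lived: a stolen key is useful for an hour, not a year
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, wlPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: issued.Add(10 * time.Minute),
		NextUpdate: issued.Add(40 * time.Minute), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(revokedSerial), RevocationTime: issued.Add(10 * time.Minute)}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey) // signed by the CA's crlSign key
	crl, _ = x509.ParseRevocationList(crlDER)
	return
}
```

Calling `lab(99)` yields a worker that is admitted at issuance plus 20 minutes but denied once the CRL is stale or the hour has passed; `lab(2)` yields the same worker with its serial on the CRL, which is denied as revoked.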
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers machine identity lifecycle and certificate-based trust for NHIs. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust depends on strong, continuously validated identity assertions like PKI. |
| NIST CSF 2.0 | PR.AA-01 | Identity assurance and access governance rely on validated credentials and trust anchors. |
Use PKI to authenticate workloads continuously and deny trust when certificates fail validation.