They fail when organisations focus on trust establishment but neglect certificate lifecycle governance. If certificates are not issued, renewed, revoked, and retired cleanly, access can persist beyond the intended relationship or device state. The control problem is usually governance, not cryptography.
Why This Matters for Security Teams
Certificate-based authentication is often treated as a cryptographic problem, but practice shows it is really a lifecycle problem. Certificates work only when issuance, binding, renewal, revocation, and retirement are governed consistently across devices, workloads, and service accounts. Once that lifecycle breaks, authentication can outlive the asset, the role, or the trust relationship it was meant to represent.
This is why machine identity failures show up so often in incident reviews. NHIMG’s report The Critical Gaps in Machine Identity Management notes that 53% of organisations have experienced a security incident directly related to machine identity management failures, while 45% cite certificate expiry as the leading cause of outages. The pattern is familiar to teams using the NIST Cybersecurity Framework 2.0: controls exist on paper, but ownership, inventory, and renewal discipline are missing in operation.
In practice, many security teams encounter certificate failure only after an outage, an expired trust chain, or an unauthorised connection has already exposed the gap.
How It Works in Practice
A certificate programme succeeds when identity, policy, and operations are tied together. The certificate itself is not the control. The control is the process that proves what is being authenticated, how long it should be trusted, and what happens when the underlying asset changes state. That means organisations need an inventory of all certificates, clear ownership, automated renewal, reliable revocation paths, and monitoring for stale trust anchors.
Current guidance suggests aligning certificate governance with machine identity management rather than treating it as a separate PKI task. NHIMG’s Ultimate Guide to NHIs — What are Non-Human Identities frames these identities as operational assets, not one-time setup artifacts. That matters because certificates authenticate a non-human identity, but they do not manage its lifecycle. If the workload is cloned, the service is retired, or the device is reimaged, the certificate must be re-evaluated immediately.
- Use short-lived certificates where possible, and tie issuance to an authoritative workload or device identity.
- Automate renewal before expiry, with alerting that reaches the team that actually owns the asset.
- Revoke and retire credentials when systems are decommissioned, not weeks later during housekeeping.
- Track every certificate against a live inventory, not ad hoc spreadsheets plus tribal knowledge.
- Validate that revocation checking and trust store updates are working in the environments that consume the certificate.
For implementation teams, the practical test is simple: if no one can answer who owns a certificate, what it protects, and when it should die, the programme is already at risk. These controls tend to break down in highly distributed environments because service ownership changes faster than certificate governance.
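The ownership, TTL, renewal and retirement checks above can be run as one audit over a certificate inventory. The following is an added example, not code from the NHIMG article; the record fields, the 14-day renewal lead, the 90-day TTL ceiling and the sample inventory are all assumptions constructed for illustration.

```python
# Added example, not from the NHIMG article: lifecycle checks over a certificate inventory.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RENEW_LEAD = timedelta(days=14)  # assumed policy: renew >= 14 days before expiry
MAX_TTL = timedelta(days=90)     # assumed policy: issued lifetime <= 90 days

@dataclass
class CertRecord:
    serial: str
    subject: str
    not_before: datetime
    not_after: datetime
    owner: Optional[str]  # accountable team; None = nobody can say who owns it
    asset_state: str      # live state of the bound asset: "active", "decommissioned", "reimaged"
    revoked: bool = False

def lifecycle_findings(cert: CertRecord, now: datetime) -> List[str]:
    """Governance failures for one certificate, in a fixed order."""
    findings = []
    if cert.owner is None:
        findings.append("NO_OWNER")
    # Asset changed state but the credential still authenticates: trust outlived the asset.
    if cert.asset_state != "active" and not cert.revoked:
        findings.append("STALE_BINDING")
    if cert.not_after - cert.not_before > MAX_TTL:
        findings.append("TTL_EXCEEDS_POLICY")
    if now >= cert.not_after:
        findings.append("EXPIRED")
    elif cert.not_after - now <= RENEW_LEAD:
        findings.append("RENEW_DUE")
    return findings

def audit(inventory: List[CertRecord], now: datetime) -> Dict[str, List[str]]:
    # serial -> findings, for every certificate that has at least one finding
    return {c.serial: f for c in inventory if (f := lifecycle_findings(c, now))}

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory (not real certificates).
SAMPLE_INVENTORY = [
    CertRecord("01", "api-gateway", utc(2024, 5, 1), utc(2024, 7, 30), "platform-team", "active"),
    CertRecord("02", "batch-worker", utc(2023, 1, 1), utc(2025, 1, 1), None, "decommissioned"),
    CertRecord("03", "legacy-erp", utc(2024, 3, 15), utc(2024, 6, 10), "erp-team", "active"),
    CertRecord("04", "old-scanner", utc(2024, 1, 1), utc(2024, 5, 20), "secops", "reimaged", True),
]

if __name__ == "__main__":
    for serial, findings in audit(SAMPLE_INVENTORY, utc(2024, 6, 1)).items():
        print(serial, ", ".join(findings))
```

Run against a real inventory export, the same checks answer the three questions in the paragraph above: who owns it, whether the asset it protects still exists, and when it should die.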
Common Variations and Edge Cases
Tighter certificate governance often increases operational overhead, requiring organisations to balance stronger assurance against renewal complexity and service disruption risk. That tradeoff becomes sharper in hybrid estates, CI/CD pipelines, and ephemeral workloads, where certificates may be created and destroyed faster than manual review can keep up.
Best practice is evolving for environments that use mTLS, container platforms, and large fleets of service identities. In those settings, certificate-based authentication usually works best when paired with workload identity, policy-as-code, and automated issuance from a trusted source such as SPIFFE-aligned patterns, rather than long-lived static certificates. The key is not just proving possession of a private key, but proving that the identity is still valid for this task, in this context, right now.
Edge cases matter. Legacy applications may not support automated renewal, so teams sometimes tolerate longer TTLs, but that should be an explicit risk acceptance, not the default. Similarly, revocation checking can fail in offline or intermittently connected systems, which means certificates may continue to authenticate even after they should have been invalidated. NHIMG’s write-ups of the Sisense breach and the DeepSeek breach both reinforce the broader lesson: exposed or unmanaged machine credentials become operational risk very quickly when governance lags behind deployment.
There is no universal standard for this yet, but current guidance is clear that certificate programmes fail less from weak cryptography than from weak identity hygiene, ownership, and lifecycle automation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers certificate rotation and lifecycle failures for non-human identities. |
| NIST CSF 2.0 | PR.AC-1 | Authenticating identities depends on managed access and trust relationships. |
| NIST AI RMF | | Lifecycle governance supports accountable and reliable automated identity decisions. |
Assign ownership, monitoring, and escalation for machine identity decisions across the full lifecycle.
Related resources from NHI Mgmt Group
- Why do authentication controls fail when users work around them?
- What is the difference between role-based access and API key governance for NHI security?
- What does the 144:1 NHI-to-human ratio mean for IAM governance programmes?
- How can organisations decide when certificate-based authentication is worth the effort?