Use PKI to provide verifiable identity for devices, workloads, and services, then connect that trust layer to access policy and lifecycle controls. Human MFA can support the model, but it does not replace certificate-backed verification for machine identities. The priority is to eliminate implicit trust and ensure every access path can be proven and revoked.
Why This Matters for Security Teams
PKI is the trust anchor that lets zero trust move beyond human logins and into the mixed reality of devices, workloads, services, and APIs. In a real enterprise, the problem is not only proving who a person is, but proving what a machine is, whether it is allowed to act, and whether that trust can be revoked quickly. NIST SP 800-207 Zero Trust Architecture makes that continuous verification model explicit, and NHIMG’s Ultimate Guide to NHIs — Standards shows why this matters operationally: 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Teams often get this wrong by treating certificates as a one-time setup task instead of a living identity lifecycle. That creates a gap where stale certs, embedded keys, and over-privileged service accounts keep working long after the original trust decision should have expired. PKI only supports Zero Trust when it is tied to issuance policy, short certificate lifetimes, rotation, revocation, and runtime authorization. In practice, many security teams discover the weakness only after a service credential has been reused across environments or exposed in CI/CD, not through deliberate identity governance.
How It Works in Practice
For mixed human and machine environments, PKI should be used to establish cryptographic identity first, then connect that identity to policy enforcement. For humans, certificates can complement MFA for high-assurance workflows, but they do not replace session controls, device posture checks, or conditional access. For workloads and services, PKI becomes the primary identity proof, usually through mTLS, service certificates, or workload identity systems that issue short-lived credentials at runtime. The goal is to prove possession of a private key and bind that proof to an authorized workload, device, or service instance.
A practical Zero Trust implementation usually combines PKI with identity-aware policy and strong lifecycle controls:
- Issue certificates per device, workload, or service instance, not per team or environment.
- Use short-lived certificates where possible so compromise windows are narrow.
- Bind certificate issuance to approved inventory, ownership, and attestation signals.
- Revoke and rotate on schedule, and immediately on compromise, decommissioning, or role change.
- Enforce policy at request time so access depends on identity, context, and destination, not network location.
The operational model aligns well with SPIFFE-style workload identity, and NHIMG’s Guide to SPIFFE and SPIRE is a useful reference for how cryptographic workload identity can replace static secrets in service-to-service communication. The key design choice is to treat certificates as evidence, not as permission by themselves. Current guidance suggests pairing PKI with policy-as-code and continuous validation so the trust decision is re-evaluated whenever the request, destination, or posture changes. These controls tend to break down when legacy applications cannot consume short-lived certs and still depend on long-lived shared secrets or manual trust stores.
Common Variations and Edge Cases
Tighter certificate control often increases operational overhead, requiring organisations to balance stronger trust guarantees against application compatibility and certificate-management complexity. That tradeoff is most visible in hybrid estates, where modern service meshes coexist with legacy systems that only support static certificates, mutual TLS at the edge, or manual renewal processes. Best practice is evolving, but there is no universal standard for how quickly every workload must move to short-lived identity; many teams phase by risk, starting with internet-facing services, privileged internal APIs, and third-party integrations.
Human identities are another edge case. PKI can raise assurance for administrators and sensitive workflows, but it should not become a substitute for phishing-resistant MFA, privileged access management, or session monitoring. For third-party and B2B connections, certificate governance must also cover offboarding, ownership, and revocation, because stale partner trust is a common failure mode. If the environment includes offline appliances, embedded systems, or heavily regulated systems with slow change windows, the identity model may need compensating controls such as constrained network paths, explicit allowlists, and tighter revocation monitoring. The practical test is simple: if a certificate can outlive the business purpose it represents, the Zero Trust model is already leaking.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | PKI provides verifiable identity before access decisions are made. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires continuous verification of identity and context. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle and rotation are core NHI control concerns. |
Use certificate-backed identity to verify subjects before granting any resource access.
Related resources from NHI Mgmt Group
- How should security teams implement adaptive MFA in Zero Trust environments?
- How should security teams govern machine identities in zero trust environments?
- How should security teams implement zero trust for non-human identities in federal environments?
- How should security teams govern AI native engineering environments with mixed human and machine identities?
