
Why do new gTLDs increase identity governance complexity?

New gTLDs increase complexity because each additional namespace adds delegation, provider dependency, and trust verification work. The challenge is not only scale, but coordination across DNS, PKI, and messaging controls. If those layers are owned separately, organisations lose visibility into where trust is established, where it is weakened, and who can restore it.

Why This Matters for Security Teams

New gTLDs add more than branding options. Each suffix creates another namespace that must be validated, monitored, and governed across DNS, certificate issuance, messaging policy, and identity workflows. That widens the control plane and raises the chance that an approved domain, subdomain, or sending identity exists outside the team’s normal review path. Current guidance suggests treating namespace growth as an identity governance problem, not just a DNS administration issue.

When organisations rely on separate teams for DNS, PKI, email security, and application onboarding, trust decisions become fragmented. A domain can be technically registered yet still fail policy checks, or it can be allowed in one layer while blocked in another. That is why the NHI governance materials in the Ultimate Guide to NHIs emphasise visibility, rotation, and lifecycle control, while the NIST Cybersecurity Framework 2.0 frames identity and access as enterprise-wide risk management rather than a narrow technical task.

NHIMG research shows the operational stakes are real: only 5.7% of organisations have full visibility into their service accounts, and 68% do not know how to fully address NHI risks. In practice, many security teams discover namespace sprawl only after a phishing campaign, certificate misuse, or delegated domain ownership gap has already created exposure.

How It Works in Practice

Governance becomes harder with new gTLDs because identity controls are distributed across layers that do not share one source of truth. DNS proves name delegation (NS records, and CAA records for which CAs may issue), PKI proves certificate trust, and messaging controls (SPF, DKIM, DMARC) prove whether a domain may send or receive on behalf of the organisation. None of these layers is sufficient on its own: a correctly delegated name with a valid certificate can still have no DMARC record, and a locked-down mail policy says nothing about who can change the delegation. The practical challenge is verifying that the same business owner, security policy, and lifecycle process apply consistently across all three.

A workable model starts by inventorying every registered domain, delegated subdomain, certificate, and authenticated sender tied to a new gTLD. Then map each asset to an accountable owner, approval path, and review cadence. This is where the NHI lifecycle guidance in the Ultimate Guide to NHIs is useful: identities and their credentials must be discoverable, attributable, and removable when no longer needed.

  • Require registration approval before a new gTLD is used for production services.
  • Verify DNS delegation, certificate issuance, and mail authentication together, not separately.
  • Bind each namespace to a named business and technical owner.
  • Review domain usage, expiration, and certificate renewal on a fixed cadence.
  • Revoke or retire inactive namespaces as part of offboarding.

The control objective is consistency: if a domain can be created, it must also be traceable, recoverable, and revocable under the same governance model. The Top 10 NHI Issues research reinforces that visibility gaps and lifecycle failures are recurring causes of exposure. These controls tend to break down in decentralised environments where business units can register or delegate domains without a central inventory or policy gate.
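What "verify DNS delegation, certificate issuance, and mail authentication together" looks like as a check is shown below. This is an added example written for this page, not code from NHIMG or from any of the guides cited; every domain, nameserver, CA identifier and DNS record in it is constructed sample data under the reserved .example TLD, and the inventory, policy fields and function names are assumptions of the example. It evaluates each namespace against one policy (owner, approved nameservers, approved CAs, whether it may send mail, minimum DMARC policy) across all three layers, so that a gap in one layer is reported alongside the others rather than by a different team. In a real run, the ObservedRecords would be filled from NS, CAA, TXT and _dmarc lookups and from the served certificate.

```python
# Added example (not from the NHIMG page): one policy, three layers, one report.
# All domains, nameservers, CA identifiers and records below are constructed.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class NamespacePolicy:
    owner: str                 # accountable business/technical owner
    approved_ns: frozenset     # nameservers delegation may point to
    approved_cas: frozenset    # CA identifiers (as used in CAA) allowed to issue
    mail_enabled: bool         # may this name send mail at all?
    dmarc_min: str             # weakest acceptable DMARC p= value

@dataclass
class ObservedRecords:
    ns: frozenset              # NS RRset at the apex
    caa: tuple                 # raw CAA records, e.g. '0 issue "ca.example"'
    txt: tuple                 # TXT RRset at the apex (SPF lives here)
    dmarc_txt: tuple           # TXT RRset at _dmarc.<domain>
    cert_issuer: Optional[str] # CA identifier of the served certificate (assumed format)

DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def caa_issuers(records):
    """CAs permitted by CAA 'issue' tags (issuewild is deliberately ignored here)."""
    found = set()
    for r in records:
        m = re.match(r'^\d+\s+issue\s+"([^";]*)', r)
        if m:
            found.add(m.group(1).strip())
    return found

def spf_terms(txts):
    """SPF mechanism list, or None if no SPF record is published."""
    for t in txts:
        if t.lower().startswith("v=spf1"):
            return t.split()[1:]
    return None

def dmarc_tags(txts):
    """DMARC tag dict, or None if no DMARC record is published."""
    for t in txts:
        if t.startswith("v=DMARC1"):
            return dict(kv.strip().split("=", 1) for kv in t.split(";") if "=" in kv)
    return None

def evaluate(domain, policy, observed):
    """Check DNS, PKI and mail layers against ONE policy; return a findings list."""
    findings = []
    # DNS layer: delegation may only point at approved operators.
    rogue = observed.ns - policy.approved_ns
    if rogue:
        findings.append(f"dns: delegation to unapproved nameserver(s) {sorted(rogue)}")
    # PKI layer: CAA must exist and name only approved CAs; live cert must match.
    permitted = caa_issuers(observed.caa)
    if not permitted:
        findings.append("pki: no CAA 'issue' record, any CA may issue")
    elif not permitted <= policy.approved_cas:
        findings.append(f"pki: CAA permits unapproved CA(s) {sorted(permitted - policy.approved_cas)}")
    if observed.cert_issuer and observed.cert_issuer not in policy.approved_cas:
        findings.append(f"pki: served certificate issued by unapproved CA {observed.cert_issuer}")
    # Mail layer: sending names need SPF and DMARC at policy strength;
    # names that never send should be explicitly locked down, not left blank.
    spf = spf_terms(observed.txt)
    dmarc = dmarc_tags(observed.dmarc_txt)
    if policy.mail_enabled:
        if spf is None:
            findings.append("mail: no SPF record")
        elif spf[-1] not in ("-all", "~all"):
            findings.append(f"mail: SPF ends with '{spf[-1]}' instead of -all/~all")
        if dmarc is None:
            findings.append("mail: no DMARC record")
        elif DMARC_RANK.get(dmarc.get("p", "none"), 0) < DMARC_RANK[policy.dmarc_min]:
            findings.append(f"mail: DMARC p={dmarc.get('p', 'none')} weaker than required {policy.dmarc_min}")
    else:
        if spf != ["-all"]:
            findings.append("mail: non-sending name should publish 'v=spf1 -all'")
        if dmarc is None or dmarc.get("p") != "reject":
            findings.append("mail: non-sending name should publish DMARC p=reject")
    return findings

def audit(inventory):
    """Run evaluate() over {domain: (policy, observed)}; return {domain: findings}."""
    return {d: evaluate(d, p, o) for d, (p, o) in inventory.items()}

# Constructed inventory: a governed production name, and a campaign name that was
# delegated to an agency, never given CAA, and left outside the mail policy.
APPROVED_NS = frozenset({"ns1.dns-provider.example", "ns2.dns-provider.example"})
SAMPLE_INVENTORY = {
    "acme.example": (
        NamespacePolicy("web-platform", APPROVED_NS, frozenset({"ca-one.example"}), True, "quarantine"),
        ObservedRecords(APPROVED_NS, ('0 issue "ca-one.example"',),
                        ("v=spf1 include:_spf.mail-provider.example -all",),
                        ("v=DMARC1; p=reject; rua=mailto:dmarc@acme.example",), "ca-one.example"),
    ),
    "acme-launch.example": (
        NamespacePolicy("marketing", APPROVED_NS, frozenset({"ca-one.example"}), False, "reject"),
        ObservedRecords(frozenset({"ns1.agency.example"}), (),
                        ("v=spf1 include:spf.agency.example ~all",), (), "ca-two.example"),
    ),
}

if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_INVENTORY).items():
        print(domain, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The campaign name produces five findings in one report (unapproved delegation, no CAA, unapproved issuer, SPF not locked down, no DMARC), which is the point of checking the layers together: each of those would have looked like someone else's problem if DNS, PKI and mail were reviewed by different teams. Note that `mail_enabled=False` is treated as a positive requirement (publish `v=spf1 -all` and `p=reject`), because a namespace with no mail policy at all is the easiest one to spoof.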

Common Variations and Edge Cases

Tighter namespace governance often increases coordination overhead, requiring organisations to balance speed of launch against trust assurance and auditability. That tradeoff is especially visible for marketing-led launches, mergers, and regional subsidiaries that want brand flexibility but do not own the security controls that make the namespace safe.

There is no universal standard for how much DNS, PKI, and email policy should be centralised, but best practice is evolving toward shared governance with local execution. For high-risk namespaces, security teams often require pre-approval for DNS changes, certificate requests, and sender authentication records. For lower-risk or internal use cases, they may allow faster delegation but still enforce ownership, expiry, and offboarding rules.

Edge cases appear when a new gTLD is used only for a campaign, a partner integration, or a regional brand variant. These situations often create short-lived identities that are easy to forget after launch. That is where the operational problem becomes similar to other NHI lifecycle issues documented by NHIMG: a trusted identity is created quickly, then left behind long after its business purpose ends. If the namespace is also used for email or customer-facing authentication, the risk expands from governance friction to direct impersonation and phishing exposure.

For organisations aligning governance to broader risk programs, the Regulatory and Audit Perspectives section is helpful, because auditors usually care less about the number of domains and more about whether ownership, review, and revocation are provable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework, control or reference, and relevance to this guidance:

  • OWASP Non-Human Identity Top 10, NHI-01 (Improper Offboarding): namespace sprawl creates unmanaged non-human identities and trust paths that are never retired.
  • NIST CSF 2.0, PR.AA-01 (the identity and credential management outcome, numbered PR.AC-1 in CSF 1.1): domain trust decisions depend on knowing who can access and change identity assets.
  • CSA MAESTRO (no single control reference): agentic trust chains across DNS and PKI need coordinated governance and assurance.

Treat each namespace as a governed workload boundary with owner, policy, and revocation paths.