Subscribe to the Non-Human & AI Identity Journal

What do security teams get wrong about code signing visibility?

They often assume certificate inventory is the same as signing observability. It is not. Knowing that a certificate exists does not tell you which artefacts it signed, which system requested the signature, or whether the request followed policy. Good governance needs a record of signing events, not just a list of credentials.

Why This Matters for Security Teams

Certificate inventory answers only one question: what signing material exists. It does not answer the operational questions that matter after compromise, including who used the key, what was signed, whether the request was authorised, or whether the artefact later changed. That gap is why code signing visibility belongs in the same conversation as NHI governance and secret hygiene, as described in the Top 10 NHI Issues and the Ultimate Guide to NHIs — Key Challenges and Risks. When signing activity is invisible, teams cannot separate routine releases from malicious use of a trusted certificate.

Good visibility is not just forensic convenience. It supports policy enforcement, blast-radius reduction, and trust decisions for software distribution pipelines, firmware, containers, and automation scripts. NIST controls in NIST SP 800-53 Rev 5 Security and Privacy Controls emphasise logging, accountability, and monitoring for privileged activity, which is the right lens for signing operations as well. In practice, many security teams discover that a signing key has been abused only after a suspicious artefact is already in circulation, rather than through deliberate signing-event monitoring.

How It Works in Practice

Effective code signing visibility starts by treating each signing event as an auditable security action, not as a by-product of certificate management. That means capturing the signer identity, the workload or system that requested the signature, the artefact hash before and after signing, the policy decision, the timestamp, and the target environment. This is especially important when signing is performed by build systems, release automation, or ephemeral workloads, because the certificate itself can remain unchanged while the signing context shifts.

A practical visibility model usually includes:

  • Certificate inventory for ownership, expiration, and key location.
  • Signing-event logs for every request, approval, and signature outcome.
  • Policy records showing whether the artefact met release rules.
  • Chain-of-custody data linking source commit, build job, and signed output.

That separation matters because a certificate can be valid while the signing workflow is compromised. The 2024 ESG Report: Managing Non-Human Identities shows how frequently organisations experience NHI compromise, which is a useful reminder that signing keys are high-value non-human identities rather than passive assets. For implementation, current guidance also aligns with logging and audit expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls and with broader lifecycle discipline in the NHI Lifecycle Management Guide. These controls tend to break down when signing happens inside opaque CI/CD runners or air-gapped release processes because the request context is never exported into a central audit trail.

Common Variations and Edge Cases

Tighter signing control often increases release friction, requiring organisations to balance traceability against build speed and developer autonomy. That tradeoff becomes sharper when teams use short-lived runners, multiple code-signing services, or delegated signing for third-party packaging, because each extra hop can hide who actually requested the signature.

There is no universal standard for code signing observability yet, so current guidance suggests focusing on minimum viable evidence: who requested the signature, what was signed, which policy approved it, and where the signed artefact was deployed. In regulated environments, that evidence may need to be retained longer and tied to change-management records; in fast-moving product teams, the priority may be near-real-time alerts on unusual signing patterns rather than long retention.

A common edge case is certificate rotation. Teams sometimes assume that replacing a certificate also resets trust, but signing visibility must persist across key versions so investigators can correlate old and new material. Another is local signing by developers, where desktop tools can bypass central pipelines entirely. In those environments, governance fails unless local signing is either prohibited or brought under the same logging and policy framework as automated release systems. The Top 10 NHI Issues is a useful reference for prioritising those control gaps before an incident forces the issue.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-07 Signing keys are NHIs that need event-level visibility, not just inventory.
NIST CSF 2.0 DE.CM-1 Code signing observability depends on continuous monitoring of security events.
NIST SP 800-53 Rev 5 AU-12 Audit generation is essential to reconstruct who signed what and when.
NIST AI RMF GOVERN Governance requires accountable evidence for automated signing workflows.
NIST Zero Trust (SP 800-207) PR.AC-4 Signing should be authorised per request, not trusted by static certificate presence.

Define ownership, policy, and review for all signing automation as governed AI-adjacent operations.