Because the certificate can outlive the device assurance that justified it. If a certificate stays valid after a laptop is reassigned, lost, or rebuilt, the access path still looks legitimate to the service. The risk is not the certificate itself, but the gap between issuance and retirement.
Why This Matters for Security Teams
Client certificates often look like a clean answer to machine authentication because they are cryptographic, scalable, and easy to validate at the service edge. The governance problem appears when issuance is treated as the end state instead of the start of an identity lifecycle. If revocation is weak, stale certificates can continue to authenticate devices that are lost, reassigned, rebuilt, or no longer trusted, which turns a technical control into a standing access path.
That risk is well documented in machine identity research. NHIMG’s Critical Gaps in Machine Identity Management report notes that only 38% of organisations have automated certificate lifecycle management in place, while 53% have already experienced a security incident directly related to machine identity management failures. Those numbers matter because certificate governance is not only about expiry dates. It is about ownership, revocation speed, and the ability to prove that the device behind the certificate is still the device that was approved. The NIST Cybersecurity Framework 2.0 reinforces this by pushing identity governance into ongoing risk management, not one-time provisioning.
In practice, many security teams discover certificate sprawl only after a device has been repurposed or an access review has already missed a stale trust relationship.
How It Works in Practice
Weak revocation creates governance risk because the relying service usually trusts the certificate chain, not the operational reality of the endpoint. If a laptop is wiped and reassigned, or a contractor device is lost, the certificate may still validate until it expires unless the organisation can revoke it quickly and ensure every service checks revocation status reliably. In other words, the security question is not “was the certificate valid when issued?” but “is the identity behind it still authorised right now?”
That is why current guidance increasingly treats certificates as one control in a broader machine identity program. A stronger pattern combines inventory, ownership, short-lived certificates, automated renewal, and revocation that is tested in production. NHIMG’s Lifecycle Processes for Managing NHIs and Regulatory and Audit Perspectives both emphasise that machine identities need clear retirement paths, not just issuance workflows. The practical control stack usually includes:
- Named ownership for every certificate and the workload or device it authenticates.
- Automated renewal and rotation so long-lived certificates are the exception, not the norm.
- Revocation processes tied to asset status changes, such as reassignment, disposal, compromise, or rebuild.
- Service-side checks that do not rely on certificate expiry alone as the only backstop.
- Periodic audit of issued certificates against active assets and approved use cases.
The reason this matters is that revocation is only effective if the certificate lifecycle is connected to real operational events. If the organisation cannot reliably detect ownership changes, certificate risk becomes invisible until a service account, application, or endpoint is abused.
These controls tend to break down in large hybrid estates where legacy applications cannot enforce live revocation checks and certificate ownership is spread across multiple teams.
Common Variations and Edge Cases
Tighter certificate governance often increases operational overhead, requiring organisations to balance stronger revocation with service availability and legacy compatibility. That tradeoff is especially sharp when applications depend on offline validation, embedded trust stores, or manual certificate distribution.
There is no universal standard for this yet, but best practice is evolving toward shorter certificate lifetimes, automated issuance, and revocation mechanisms that are tested as part of change management. In high-change environments, short TTLs reduce the window of misuse, but they also demand dependable automation. Without that, teams often fall back to long-lived certificates because they are operationally easier, which reintroduces the exact governance gap the control was meant to close.
Edge cases also matter. Shared devices, ephemeral workloads, and break-glass access paths can all create exceptions that should be explicit and time-bound. For deeper context on why stale machine access becomes a broader identity problem, see NHIMG’s Top 10 NHI Issues and the Key Challenges and Risks section. In governance terms, the hard part is not generating certificates, but proving they stop working when the trust decision is no longer valid.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers credential lifecycle weakness, including stale machine certificates. |
| NIST CSF 2.0 | PR.AC-4 | Identity and access permissions must be continuously managed for machine identities. |
| NIST SP 800-63 | AAL | Assurance declines when the certificate outlives the device assurance behind it. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero trust requires continuous verification instead of assuming old certificates stay trusted. |
| OWASP Agentic AI Top 10 | Autonomous workloads amplify stale credential risk when certificates persist beyond intent. |
Require ongoing trust checks and do not treat prior certificate issuance as permanent access.