Subscribe to the Non-Human & AI Identity Journal

Should organisations automate PKI before or after they centralise inventory?

Centralise inventory first, then automate the most repetitive lifecycle steps. Automation without inventory just accelerates bad data, while inventory without automation leaves renewal and revocation vulnerable to human delay. The right order is visibility, ownership, then controlled automation.

Why This Matters for Security Teams

PKI is often treated as a tooling problem, but the real dependency is identity governance. Certificates, private keys, and renewal workflows are only safe when teams know what exists, who owns it, and where revocation will actually land. Without central inventory, automation can renew abandoned certificates, miss shadow services, and preserve access long after the workload has changed. The Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, which is why inventory usually has to come first.

That visibility requirement aligns with NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where asset accountability, access enforcement, and lifecycle control intersect. In practice, PKI automation without ownership data tends to create blind spots faster than it removes manual work. Security teams get more certificates issued, but not better control over where they live, who depends on them, or whether revocation paths are current. In practice, many security teams encounter expired or orphaned certificates only after an outage or exposure has already forced an emergency audit.

How It Works in Practice

The safest sequence is to centralise inventory first, then automate the highest-friction PKI tasks. Inventory should map each certificate to a workload, owner, environment, issuer, expiry date, and revocation path. Once that data is reliable, automation can take over repeatable lifecycle steps such as certificate issuance, renewal, rotation, and expiry alerts. This is not a one-time project; it is an operating model that combines discovery, governance, and controlled execution.

A practical rollout usually follows three steps:

  • Discover certificates across servers, containers, APIs, load balancers, and CI/CD systems.
  • Normalise ownership so every certificate has a business or technical steward.
  • Automate renewal and rotation only after the inventory is accurate enough to trust.

That approach is consistent with the NHI lifecycle emphasis in the Ultimate Guide to NHIs and with NIST control expectations around configuration, accountability, and access enforcement. Automation should also respect operational boundaries: short-lived certificates are usually easier to manage than long-lived ones, but TTL alone does not solve ownership or revocation problems. Where possible, integrate with policy checks so renewal can be blocked for unowned or unmanaged assets rather than blindly extended.

These controls tend to break down when certificates are embedded in legacy appliances, partner-managed systems, or manually maintained infrastructure because inventory signals are incomplete and revocation paths are often outside the team’s control.

Common Variations and Edge Cases

Tighter PKI control often increases operational overhead, requiring organisations to balance faster automation against the cost of discovery, remediation, and change management. There is no universal standard for the sequence in every environment, but current guidance suggests the order should still favour visibility before scale. Some teams with mature CMDB coverage can automate selected renewal flows earlier, while others need a hard inventory freeze before they touch certificate automation.

Edge cases matter. External-facing certificates with strict uptime requirements may justify phased automation, while internal service meshes can often move faster once workload ownership is clean. Partner and third-party certificates are a common exception because inventory may be partial even when internal systems are well managed. In those environments, manual approval gates and exception queues are safer than fully automated renewal.

The main tradeoff is speed versus correctness. Organisations that automate too early often inherit stale records, duplicate certificates, and untracked revocation gaps. Those that wait too long keep relying on humans for repetitive renewals and incident-driven cleanup. The best practice is evolving, but the consistent principle is simple: automate the process after the asset map is trustworthy, not before.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Inventory and ownership are core NHI governance prerequisites.
NIST CSF 2.0 ID.AM-1 Asset inventory is the prerequisite for controlled PKI automation.
NIST AI RMF GOV-1 Governance first mirrors the need to establish oversight before automation.
NIST Zero Trust (SP 800-207) SC-1 Zero Trust requires strong identity and lifecycle control for workload credentials.

Treat certificates as workload identities and automate only within verified trust boundaries.