By NHI Mgmt Group Editorial TeamPublished 2025-12-12Domain: Workload IdentitySource: GlobalSign

TL;DR: Shorter certificate lifetimes, broader AI adoption, PQC planning, and persistent ransomware are converging into an operational test for identity and PKI teams, according to GlobalSign. The underlying issue is that trust models built for slower change now collide with faster rotation, weaker visibility, and more dynamic digital identities.


At a glance

What this is: This is a 2026 outlook on PKI, AI, PQC, and ransomware, with the central finding that faster certificate turnover and identity assurance demands will outpace manual operations.

Why it matters: It matters because identity and security teams must now align certificate lifecycle, workload identity, and trust assurance practices with a much faster operating tempo across human and non-human identity programmes.

By the numbers:

👉 Read GlobalSign's outlook on 2026 PKI, AI, and certificate automation


Context

Certificate governance is becoming an identity problem, not just a PKI problem. As certificate lifetimes shorten and renewal cycles tighten, the organizations most at risk are the ones still depending on spreadsheets, reminders, and manual ownership for assets that now behave like operational infrastructure.

The article argues that AI adoption, post-quantum cryptography planning, and persistent ransomware are all pushing the same direction: faster trust decisions and tighter control of digital identities. That makes certificate inventory, lifecycle automation, and assurance across workloads and services central to identity governance, especially where machine identities already outnumber human accounts.

In NHI terms, this is a classic scale-and-speed mismatch. The operational question is no longer whether certificates are trusted, but whether the surrounding governance model can keep pace with the rate at which they must be issued, renewed, rotated, and validated.


Key questions

Q: How should security teams handle certificate lifecycles as validity windows get shorter?

A: They should treat certificate lifecycle as a continuous identity process, not a periodic maintenance task. That means authoritative inventory, service ownership, automated renewal, and revocation paths that work without manual ticketing. If a certificate cannot be renewed or replaced at machine speed, the environment is already too dependent on it.

Q: Why do short-lived certificates create more operational risk even when they improve security?

A: Shorter lifetimes reduce exposure, but they also compress the time available for detection, renewal, and exception handling. The risk grows when ownership is unclear or when the environment still depends on manual tracking. In those cases, security gains can be offset by outages, missed renewals, and hidden dependencies.

Q: What do teams get wrong about using AI in identity and certificate operations?

A: They often assume AI will solve governance gaps on its own. In reality, AI can speed detection and automation, but it also helps attackers scale phishing and impersonation. The underlying requirement remains the same: clear identity ownership, continuous monitoring, and lifecycle processes that do not depend on slow human review.

Q: Who is accountable when certificate failures cause outages or trust breaks?

A: Accountability should sit with the service owner, identity owner, and platform owner together, because certificate failures are usually a dependency problem, not a single-team mistake. Governance frameworks need named ownership for renewal, revocation, and dependency mapping so that operational failures can be traced and corrected quickly.


Technical breakdown

Why short-lived certificates stress identity governance

Short-lived certificates compress the time available for renewal, replacement, and revocation. That changes PKI from a periodic maintenance task into a continuous identity operation. When validity windows shrink, the real control is not the certificate itself but the inventory, ownership, and automation surrounding it. In practice, the failure point is often hidden in dependency chains, where applications, CI/CD systems, and workloads rely on certificates nobody can confidently enumerate. This turns certificate management into a governance problem across NHI, application, and infrastructure teams.

Practical implication: teams need authoritative inventory and automated renewal paths before certificate lifetime reductions become operational failures.

How AI changes certificate and identity risk

AI is relevant here in two ways. First, defenders are using it to detect anomalies in certificate and identity operations. Second, attackers can use it to scale phishing, impersonation, and socially engineered compromise, increasing pressure on identities that protect infrastructure and services. The issue is not that AI replaces PKI controls, but that it accelerates both detection and abuse while making manual review cycles less effective. That raises the bar for identity assurance across human users, workloads, and service-to-service trust.

Practical implication: security teams should treat AI as a force multiplier for both monitoring and adversary tradecraft, then tighten identity assurance accordingly.

What PQC and cripto-agility mean for certificate operations

Post-quantum cryptography pushes organisations toward cripto-agility, the ability to change algorithms, trust chains, and certificates without redesigning the whole environment. The operational insight is that migration readiness depends on the same controls required for short-lived certificates: automation, inventory, and change discipline. If an organisation cannot rotate certificates reliably today, it will struggle to adapt when hybrid or PQC-ready certificate models become mandatory. PQC is therefore not just a crypto concern, but a lifecycle and governance stress test.

Practical implication: map certificate lifecycle processes to a future algorithm migration path now, before PQC becomes a forced transition.


Threat narrative

Attacker objective: The attacker wants durable access to trusted systems and data, then uses that access to disrupt operations, extort the victim, or harvest data for later decryption.

  1. Entry occurs when attackers exploit phishing, compromised identities, or exposed infrastructure to gain a foothold in the environment. The article notes that AI improves the realism of phishing and impersonation, which lowers the cost of initial access.
  2. Escalation follows when compromise reaches service identities, certificates, or application trust relationships that were not built for rapid detection and revocation. In PKI-heavy environments, weak lifecycle controls extend the useful life of stolen trust material.
  3. Impact lands as ransomware, supply chain disruption, or long-lived access to encrypted data and operational systems. The article frames the outcome as business continuity and economic harm, not only technical compromise.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Certificate lifecycle is now an identity governance control, not a PKI housekeeping task. Shorter validity windows turn renewal, ownership, and revocation into a continuous assurance problem. The organisations that still treat certificates as background infrastructure will absorb avoidable outages and trust failures. The practitioner conclusion is simple: certificate lifecycle must sit inside identity governance, not beside it.

AI accelerates both attack pressure and control expectations across human and non-human identity. The article correctly links AI to phishing, impersonation, and defensive detection, but the deeper lesson is that AI compresses the time available for identity verification. That matters for humans, service accounts, and workloads alike. The practitioner conclusion is that assurance models must assume faster adversary iteration, not just faster automation.

Cripto-agility only works when the underlying identity estate is already observable. PQC planning does not start with algorithms, it starts with knowing where certificates live, who owns them, and which services depend on them. That is a classic NHI governance issue because machine identities and certificates now form the operational trust layer for modern environments. The practitioner conclusion is that visibility is the prerequisite for any migration path.

Short-lived trust creates an identity blast radius problem. When renewal cadence tightens, every unmanaged certificate becomes a potential outage point and every untracked dependency becomes a hidden coupling. This is the same governance pattern seen in broader NHI sprawl: excessive distribution, weak ownership, and delayed remediation. The practitioner conclusion is that blast-radius reduction becomes the practical metric for programme maturity.

Identity programmes that exclude infrastructure trust will miss the largest change in 2026. The article spans human identity, machine identity, and cryptographic trust in one narrative because the operational boundary between them is collapsing. That means IAM, PKI, and NHI teams must plan together rather than in parallel silos. The practitioner conclusion is that cross-domain governance is no longer optional.

From our research:

  • 69% of organisations now have more machine identities than human ones, according to our Ultimate Guide to NHIs.
  • 57% of organisations lack a complete inventory of their machine identities, which means many teams are still trying to govern trust without a full asset map.
  • That is why readers should also review The 52 NHI breaches Report for the failure patterns that follow incomplete visibility.

What this signals

Certificate governance is converging with NHI governance. When machine identities outnumber human ones, the control problem shifts from user access to service trust, renewals, and ownership. Teams that still separate PKI operations from identity governance will struggle to build a defensible operating model for 2026.

With 53% of organisations already reporting security incidents tied to machine identity management failures, the change pressure in this article is not theoretical. The practical signal is that inventory, ownership, and automated lifecycle controls need to be prioritised ahead of any PQC migration work.

The next programme question is whether certificate operations are measured as a living identity estate or as a static compliance asset. If teams cannot trace renewal, dependency, and revocation paths, short-lived certificates will expose the same governance gap that large NHI estates already create.


For practitioners

  • Inventory every certificate and owning service Build a complete inventory that ties each certificate to a business owner, system owner, renewal source, and dependency chain. Include code signing, TLS, internal service, and third-party certificates so that renewal risk is visible before expiry windows tighten.
  • Automate renewal before shortening lifetimes bites Replace spreadsheet-driven renewals with event-driven automation for issuance, rotation, and revocation. Prioritise systems where renewal failure would trigger outage, including customer-facing applications, CI/CD pipelines, and workload identities.
  • Separate trust monitoring from human review cycles Use continuous monitoring for certificate health, expiration drift, and failed renewals instead of waiting for periodic access review or ticket queues. This is especially important where machine identities and application trust chains change faster than governance cadences.
  • Treat PQC readiness as a lifecycle exercise Map current certificate lifecycle processes to the migration steps required for hybrid and post-quantum schemes. Focus on inventory, algorithm dependency, and renewal automation first, because those are the controls that make a future migration feasible.

Key takeaways

  • Shorter certificate lifetimes turn PKI into a continuous identity governance problem, not a periodic renewal task.
  • AI and PQC both increase the need for inventory, automation, and explicit ownership across machine trust estates.
  • Teams that cannot map certificate dependencies and renewals at scale will see outages before they see security benefits.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Certificate lifecycle and NHI ownership are central to the article's operational risk.
NIST CSF 2.0PR.AC-4The article centers on maintaining access and trust for changing digital identities.
NIST Zero Trust (SP 800-207)Section 3.4Short-lived trust and identity assurance align with continuous verification in zero trust.
NIST SP 800-53 Rev 5IA-5Certificate renewal and authenticator management map directly to credential lifecycle control.
MITRE ATT&CKTA0006 , Credential Access; TA0040 , ImpactThe article discusses phishing, ransomware, and trust abuse as attack paths.

Track identity compromise and outage scenarios to TA0006 and TA0040, then prioritise controls that shorten exposure.


Key terms

  • Certificate Lifecycle Management: Certificate lifecycle management is the process of issuing, tracking, renewing, rotating, and revoking digital certificates across their useful life. In modern environments it is an identity governance discipline, because certificate ownership, expiry, and dependency mapping determine whether trust can be maintained without outages.
  • Cripto-agility: Cripto-agility is the ability to change cryptographic algorithms, trust chains, and certificate formats without redesigning the surrounding environment. It depends on inventory, automation, and clean dependency mapping, because migration fails when organisations cannot see where cryptographic trust is embedded.
  • Machine Identity: A machine identity is a non-human identity used by software, infrastructure, or services to authenticate and communicate. It includes certificates, tokens, API keys, and workload credentials, and it must be governed with the same lifecycle discipline as human access, but at much higher scale and speed.
  • Identity Blast Radius: Identity blast radius is the operational scope of harm that results when a trust credential expires, is compromised, or is mismanaged. For non-human and certificate-based systems, the blast radius is driven by hidden dependencies, missing ownership, and delayed lifecycle actions rather than user count alone.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • The specific 47-day certificate timeline and the March 2026 deadlines that affect renewal planning.
  • The article's full reasoning on why AI is changing both attack and defence patterns across identity systems.
  • The post's discussion of PQC only sketches the migration pressure, while the source expands on hybrid and short-lived certificate strategy.
  • The source also includes the article's practical framing for cloud PKI and service identity automation.

👉 GlobalSign's full article expands the March 2026 certificate deadlines, PQC planning, and cloud PKI implications.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or NHI governance programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org