TL;DR: Post-quantum cryptography will move from roadmap item to deployed control, AI-driven phishing will surge, and manual certificate management is becoming unsustainable as shorter lifespans and automation pressures increase, according to DigiCert’s 2025 predictions. The governing issue is no longer awareness but whether identity and trust programmes can operationalise crypto-agility, provenance, and lifecycle control fast enough.
At a glance
What this is: This is a forward-looking DigiCert analysis of how AI, quantum risk, and digital trust will reshape 2025, with certificate automation, provenance, and trust governance as the central themes.
Why it matters: It matters because IAM, PKI, and identity teams will need to align certificate lifecycle, trust signals, and automation controls across human, NHI, and machine trust boundaries.
By the numbers:
- Nearly 25% of enterprises manage their thousands of certificates manually.
- 23.53% of respondents said certificates are managed via manual effort.
Read DigiCert's 10 predictions for AI, quantum and digital trust in 2025
Context
AI, quantum computing, and certificate trust are converging on the same operational problem: identity systems are being asked to prove legitimacy faster, more often, and across more actors than legacy governance models were built to handle. For IAM and PKI teams, the issue is not a single technology shift but the collapse of slow, manual trust administration under continuous change.
In practice, this means certificate governance, content provenance, and phishing resistance are no longer separate tracks. They are part of the same trust programme, because machine-scale automation and AI-generated deception both increase the cost of weak lifecycle discipline and inconsistent verification.
Key questions
Q: How should security teams reduce risk from short-lived certificates and crypto-agility pressure?
A: They should treat certificates as governed identities with owners, expiry monitoring, and automated renewal paths. The goal is to remove manual handling wherever possible, because shorter validity periods make spreadsheet-based management fragile and increase outage risk. Teams should also map dependencies across applications and HSMs before policy changes force rushed remediation.
Q: Why do AI-generated phishing attacks change human identity controls?
A: They reduce the value of message inspection as a control because attackers can now generate persuasive, context-aware lures at scale. Human identity programmes should shift toward phishing-resistant authentication, stronger verification for sensitive actions, and recovery processes that do not depend on user intuition alone.
Q: What should organisations do when digital trust depends on content authenticity as well as identity?
A: They should treat provenance metadata, signature validation, and certificate trust as a single verification chain. If external content can influence decisions, updates, or approvals, the organisation needs controls that prove the artefact is authentic before it is acted on.
Q: Who should own post-quantum cryptography planning in an identity programme?
A: Ownership should sit with the teams responsible for cryptographic lifecycle, platform architecture, and risk governance together, not with security in isolation. PQC affects applications, hardware, compliance obligations, and renewal processes, so it needs a cross-functional migration register and clear accountability.
Technical breakdown
Why crypto-agility is becoming a lifecycle control problem
Crypto-agility is the ability to move cryptographic algorithms, key sizes, and certificate policies without breaking services. The article ties that to shortening certificate lifetimes and the growing need for automation. That matters because manual renewal processes become brittle as validity windows shrink and policy changes accelerate. In identity terms, certificates behave like non-human credentials with a lifecycle, not static assets. When renewal, inventory, and policy enforcement are disconnected, trust failures become operational failures rather than isolated crypto events.
Practical implication: map certificates into the same lifecycle governance model used for other NHI credentials and remove spreadsheet-driven renewal paths.
How AI-driven phishing changes human identity assurance
The article’s AI phishing prediction is really about identity assurance under high-quality deception. Generative models lower the cost of impersonation and make message quality a weak signal. That shifts the burden onto stronger authentication and verification methods, especially phishing-resistant controls and provenance-aware trust checks. Human identity programmes that still rely heavily on message inspection or user suspicion will absorb more risk as attackers improve scale and personalisation.
Practical implication: strengthen phishing-resistant authentication and step up verification controls where human judgement is the main detection layer.
What content provenance adds to digital trust
C2PA and content credentials extend trust from identity to artefact integrity. The point is not merely to label content, but to create a tamper-evident record showing whether media has been altered. That is relevant to security teams because trust decisions increasingly depend on whether a file, image, or update can be verified as authentic before it is acted on. In a broader governance sense, provenance becomes a control surface alongside authentication and certificate validation.
Practical implication: treat provenance metadata as part of your trust architecture when evaluating media, updates, and externally supplied content.
Threat narrative
Attacker objective: The attacker’s objective is to manipulate trust decisions at scale by getting people or systems to accept malicious content, requests, or credentials as legitimate.
- Entry occurs through AI-generated phishing that mimics legitimate communication closely enough to bypass human suspicion and conventional content heuristics.
- Escalation follows when the attacker uses that trusted interaction to capture credentials, initiate fraudulent requests, or redirect verification flows toward a malicious endpoint.
- Impact is realised through compromised trust decisions, fraudulent access, or the acceptance of altered content and unsafe updates as legitimate.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Manual trust administration is the new identity debt. When certificate management still depends on spreadsheets, renewal calendars, and human follow-up, organisations are carrying hidden operational risk into shorter certificate lifetimes and more frequent policy changes. That debt now affects web PKI, workload trust, and any programme that depends on timely cryptographic lifecycle actions. The practical conclusion is that trust governance cannot scale on manual exception handling.
AI changes the economics of identity deception faster than it changes the economics of defence. The article’s phishing prediction is not just about better messages. It signals that human inspection is becoming a weaker control because attack quality can now be industrialised. That pushes identity teams toward stronger authentication, better verification choreography, and less reliance on user judgement as a primary trust signal.
Content provenance is becoming an adjacent trust control to PKI, not a separate concern. C2PA-style provenance matters because authenticity is no longer confined to certificates and logins. Security programmes increasingly need to verify whether digital artefacts have been modified before they are consumed or executed. The implication for practitioners is to think about trust as a chain that includes identity, cryptography, and content integrity.
Certificate lifecycle blind spots: This article shows how trust programmes fail when cryptographic assets are treated as static inventory instead of governed identities with expiration, ownership, and automation requirements. The static-inventory assumption was designed for slower change cycles. It fails when certificate lifetimes shrink and renewal becomes a continuous operational requirement. The implication is that lifecycle governance must move from periodic maintenance to continuous trust operations.
Quantum risk is forcing organisations to distinguish preparedness from deployability. Many teams can discuss post-quantum cryptography, but fewer can operationalise it across hardware, applications, and compliance boundaries. The article reflects a market turning point where technical readiness, regulatory pressure, and procurement planning start to converge. Practitioners should treat PQC as a migration governance problem, not a future research topic.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how remediation delays extend exposure windows in identity governance programmes.
- For a broader governance baseline, see 52 NHI Breaches Analysis for recurring control failures across exposed credentials and unmanaged access.
What this signals
Manual certificate management is now a governance signal, not just an operations smell. When nearly a quarter of enterprises still manage certificates manually, renewal discipline is already lagging the pace of policy change and certificate shortening. Teams should expect the pressure to migrate crypto operations into the same automation patterns used for other non-human identities, especially where service disruption and trust failures meet.
Trust programmes will increasingly be judged by how they handle false authenticity. AI-generated phishing and manipulated content mean that verification has to happen at the level of the request, artefact, and cryptographic proof, not just the user interface. The organisations that prepare now will align certificate automation, provenance checks, and human verification into one operational model.
The strategic signal is that identity security is expanding into a broader digital trust programme. That shift matters because certificate lifecycle, content provenance, and phishing resistance are converging into a single control plane for legitimacy, and programmes that keep them separate will struggle to keep pace.
For practitioners
- Inventory certificate-owned dependencies: Map where certificates, keys, and trust anchors live across applications, HSMs, and operational workflows so you know which systems depend on manual renewal or policy exceptions.
- Move renewal out of spreadsheets: Replace human-managed certificate tracking with automated discovery, expiry monitoring, and owner-based alerting so lifecycle actions happen before service disruption becomes likely.
- Adopt phishing-resistant verification paths: Prioritise controls that reduce reliance on user judgement, including stronger authentication and explicit verification for high-risk requests, approvals, and account recovery.
- Treat provenance as a control requirement: Include content authenticity checks in workflows that consume external media, signed updates, or user-generated artefacts so trust decisions are based on verifiable integrity signals.
- Build a PQC migration register: Document cryptographic dependencies, replacement timelines, and business owners now so post-quantum transition work can be planned as a governed programme rather than an emergency response.
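As an added example (not code from DigiCert or NHIMG), the checks behind the crypto-agility breakdown and the first two practitioner items above, run over a constructed certificate inventory: each record carries an owner, a validity window and its algorithms, and the assessment flags missing owners, expired certificates, certificates inside an assumed renew-at-one-third-remaining window, and keys or hashes outside an assumed crypto-agility baseline. The inventory, the renewal fraction and the deprecated-algorithm lists are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class CertRecord:
    # One governed certificate identity: owner, validity window, algorithms.
    name: str
    owner: Optional[str]
    not_before: datetime
    not_after: datetime
    key_algo: str   # e.g. "RSA-2048", "ECDSA-P256"
    sig_hash: str   # e.g. "SHA256"

# Assumed policy: renew once a third of the lifetime remains (a 90-day
# certificate renews 30 days out) and flag algorithms below the baseline.
RENEW_FRACTION = 1 / 3
DEPRECATED_KEYS = {"RSA-1024"}
DEPRECATED_HASHES = {"SHA1"}

def assess(cert: CertRecord, now: datetime) -> list:
    # Returns lifecycle and crypto-policy findings; empty list means healthy.
    lifetime = cert.not_after - cert.not_before
    remaining = cert.not_after - now
    findings = []
    if cert.owner is None:
        findings.append("no-owner")       # nobody accountable for renewal
    if remaining <= timedelta(0):
        findings.append("expired")
    elif remaining <= lifetime * RENEW_FRACTION:
        findings.append("renew-now")      # inside the automated renewal window
    if cert.key_algo in DEPRECATED_KEYS or cert.sig_hash in DEPRECATED_HASHES:
        findings.append("crypto-policy")  # must be re-issued under new policy
    return findings

def report(inventory, now: datetime) -> dict:
    return {c.name: assess(c, now) for c in inventory}

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory; a real one comes from discovery tooling.
AS_OF = utc(2025, 9, 30)
INVENTORY = [
    CertRecord("api.example.test", "web-team", utc(2025, 7, 10), utc(2025, 10, 8), "ECDSA-P256", "SHA256"),
    CertRecord("legacy-vpn.example.test", None, utc(2025, 6, 1), utc(2026, 6, 1), "RSA-1024", "SHA1"),
    CertRecord("payments.example.test", "payments", utc(2025, 5, 1), utc(2025, 7, 30), "RSA-2048", "SHA256"),
    CertRecord("intranet.example.test", "it-ops", utc(2025, 9, 1), utc(2025, 11, 30), "ECDSA-P256", "SHA256"),
]
```

Calling `report(INVENTORY, AS_OF)` yields the per-certificate findings that an owner-based alerting pipeline would route to the named teams.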
Key takeaways
- The article’s central risk is not AI or quantum alone but the collapse of manual trust governance under faster lifecycle change.
- The evidence points to a real operational gap, with manual certificate handling still common even as validity periods shorten and phishing quality rises.
- Practitioners should respond by automating lifecycle control, hardening human verification, and treating provenance as part of identity trust architecture.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate and secret lifecycle control aligns with rotation and expiry governance. |
| NIST CSF 2.0 | PR.AC-1 | Trust and access verification are directly affected by stronger authentication and provenance needs. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust depends on continuous verification, which the article extends into provenance and crypto-agility. |
Automate credential and certificate lifecycle actions so expiry, renewal, and revocation are continuously governed.
Key terms
- Crypto-agility: Crypto-agility is the ability to change cryptographic algorithms, key lengths, or trust policies without breaking dependent systems. In practice, it is a lifecycle capability, not a one-time migration task, and it becomes essential when certificate lifetimes shrink or regulations change.
- Content provenance: Content provenance is the record of where digital content came from and whether it has been altered. It helps security teams and users decide if a file, image, or message can be trusted before they act on it, making authenticity a governed control surface.
- Phishing-resistant authentication: Phishing-resistant authentication uses methods that do not rely on users typing reusable secrets into a spoofed interface. It is designed to reduce credential capture and replay, which makes it more resilient when attackers use AI to craft convincing lures and impersonation attempts.
- Certificate lifecycle management: Certificate lifecycle management is the process of discovering, issuing, renewing, rotating, and revoking certificates before they fail or are misused. In modern environments, it must be automated and owner-aware because expired or mismanaged certificates can disrupt services and weaken trust.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: 10 ways AI, quantum and trust will shape the year ahead. Read the original.
Published by the NHIMG editorial team on 2025-09-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org