TL;DR: Trust programs need continuous measurement, not periodic checks, to prove control, surface drift, and prioritize remediation across certificate, cryptography, and machine-identity estates, according to Keyfactor. Hard evidence is now the operational requirement, because unmanaged gaps only become visible when teams can quantify them.
At a glance
What this is: This is an analysis of continuous measurement in the Trust Control Plane, with the key finding that trust governance only improves when telemetry, dashboards, and alerts turn control activity into actionable evidence.
Why it matters: It matters because IAM teams cannot govern machine identities, certificates, and human-adjacent trust processes on assumption alone, and the same measurement discipline increasingly underpins NHI, autonomous, and human identity programmes.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, enabling unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
👉 Read Keyfactor's Stage Two analysis of trust control plane measurement
Context
Trust programmes fail when teams can only describe policy intent and cannot prove operational reality. The primary gap here is measurement: without continuous telemetry, organisations cannot answer whether machine identities, certificates, and trust controls are actually improving or simply being reported more often.
In practice, this makes analyse-and-measure the layer that turns identity governance into evidence. It matters for non-human identity management because service accounts, secrets, and certificates drift faster than periodic review cycles can catch, and it matters for human IAM because executives still need proof that controls are reducing exposure rather than creating more process noise.
Key questions
Q: How should security teams measure whether trust controls are actually working?
A: Security teams should measure trust controls through a small set of operational indicators that show scope, compliance, lifecycle performance, and anomaly trends. The key is to pair each metric with an owner and a response threshold so the number drives action rather than reporting theatre. If a metric cannot change a decision, it is not a control indicator.
Q: Why do machine identities need continuous measurement instead of periodic review?
A: Machine identities change too quickly for periodic review to provide reliable assurance. Renewals, expirations, misconfigurations, and hidden assets can all appear between review cycles, which means the organisation can look compliant while risk is already moving. Continuous measurement keeps the programme aligned with real operational state, not with the last review event.
Q: How do organisations know if lifecycle controls for certificates are effective?
A: They know by tracking renewal success rate, time to issuance, remediation speed, and unplanned expirations over time. If those measures improve and exceptions fall, the lifecycle control is working. If they remain flat or noisy, the organisation is producing process activity without reducing operational risk.
Q: Who should own trust telemetry when reporting spans NHI and cryptography controls?
A: Ownership should sit with the team that can act on the signal, not the team that merely receives the report. Operators need asset-level visibility, while CISOs and executives need trend lines and exception summaries. Clear ownership prevents metrics from becoming passive dashboards and turns them into governance inputs.
Technical breakdown
Trust telemetry and control-plane visibility
A trust control plane is only as useful as the telemetry it collects. The article focuses on inventory coverage, compliance scores, lifecycle performance, and anomaly trends, which are all signals that convert identity and cryptography state into measurable evidence. In NHI and certificate environments, telemetry must show what is in scope, what is expiring, what is out of policy, and what is changing faster than review processes can absorb. Without that layer, dashboards become commentary instead of control evidence.
Practical implication: define a small set of measurable control signals before expanding automation or reporting.
Lifecycle performance for certificates and machine identities
Lifecycle metrics are the operational heart of the stage. Time from request to issuance, renewal success rate, change failure rate, and remediation speed show whether the process can sustain itself under normal load and exception conditions. For NHI governance, these metrics matter because machine identities often fail silently until expiry, rollover, or policy drift interrupts service. If the lifecycle is slow, brittle, or opaque, the control plane is not improving trust, it is delaying failure.
Practical implication: track issuance, renewal, and remediation outcomes as hard controls, not admin convenience metrics.
Why shadow AI and shadow IT belong in the same measurement model
The article’s mention of unexpected anomalies is important because discovery does not stop at known assets. New scanning can uncover previously hidden infrastructure, but the same telemetry can also reveal shadow AI or shadow IT that was never enrolled in the trust process. That is a measurement problem, not just a discovery problem, because untracked assets distort every downstream metric, from compliance to expiry risk. If unknown assets are excluded, the programme may look healthier than it is.
Practical implication: treat discovery gaps as measurement defects and fold them into the same reporting model as known assets.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Continuous measurement is the control that makes trust governance real. Policy statements do not prove control, and occasional audits do not show drift as it happens. This stage matters because identity and cryptography programmes fail when they are run from assumptions instead of evidence. Practitioners should treat telemetry quality as a governance requirement, not a reporting feature.
Trust inventory coverage is the named concept this stage exposes. Coverage is not the same as awareness, and awareness is not the same as active management. A programme can report strong outcomes while still leaving newly acquired, newly deployed, or newly discovered assets outside the measurement loop. The implication is that incomplete inventory turns every other metric into a partial truth, so coverage must be validated before performance claims are trusted.
Measure, do not infer, whether lifecycle controls are working. Certificate renewal success, remediation timing, and exception rates are the only defensible signals that lifecycle controls are reducing operational risk. If those numbers are not improving, the programme is producing activity rather than control. Practitioners should use lifecycle metrics to separate genuine resilience from process volume.
Shadow asset discovery changes the meaning of compliance reporting. When anomaly trends reveal previously unknown systems, the governance issue is not just exposure, it is model integrity. A trust platform that cannot surface hidden assets will undercount risk and overstate readiness. That makes continuous discovery and continuous measurement the same governance problem in practice.
Board reporting becomes credible only when metrics are directional, not decorative. Executives need to know whether risk is falling, where exceptions cluster, and which control gaps are persistent. Flat reporting cycles that repeat the same dashboard without trend analysis do not support decision-making. Practitioners should connect metrics to decisions, not just to status updates.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- For a deeper standards view, see Ultimate Guide to NHIs, Standards, and map measurement outputs to control expectations rather than anecdotal reporting.
What this signals
Trust telemetry will become the proof layer for identity programmes. As machine estates expand and operational teams inherit more automation, the organisations that can show trendable evidence will be better placed to defend budget, prioritise remediation, and separate real exposure from dashboard noise. The measurement model should now apply the same rigour to NHI as it already does to regulated human identity processes.
Trust inventory coverage is the named concept that should change programme design. If discovery is incomplete, every downstream control score is partly fictional, because untracked assets sit outside the control plane. Practitioners should therefore treat coverage gaps as a governance defect that affects board reporting, compliance posture, and remediation sequencing at the same time.
With only 5.7% of organisations reporting full visibility into service accounts, the practical signal is that most teams still do not know their true baseline. That makes continuous measurement the prerequisite for any credible zero-trust, NHI, or lifecycle improvement programme.
For practitioners
- Define control indicators before expanding dashboards: Limit reporting to a small set of metrics that show scope, compliance, lifecycle performance, and anomalies. Make each metric actionable by assigning an owner, a threshold, and a response path before you publish it.
- Tie renewal and remediation metrics to operational ownership: Track time to issuance, renewal success rate, exception rates, and unplanned expirations as operational controls. Put these metrics on the same governance review agenda as policy exceptions so they drive action, not just observation.
- Use discovery data to challenge inventory assumptions: Compare known assets against newly discovered items every reporting cycle, including hidden or unmanaged systems that fall outside standard enrolment. Treat every unexpected find as a control gap until it is either governed or removed.
- Separate executive reporting from operator diagnostics: Give leaders trend lines, risk posture, and unresolved exceptions, while giving operators the asset-level drill-down needed to fix problems. This prevents the board view from hiding operational drift.
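As an added example (not code from the Keyfactor article or from NHIMG), the Python below derives the indicators named in the lifecycle, shadow-asset and practitioner sections above, inventory coverage, renewal success rate, unplanned expirations and remediation time, from a constructed certificate inventory and checks each against an assumed owner and threshold so a breach has a response path. The record layout, thresholds and owner names are assumptions made for the example.

```python
# Added example: the page's control indicators computed from a constructed inventory.
# Record: (name, enrolled_in_control_plane, days_to_expiry, renewal_attempts, remediation_hours)
CERTS = [
    ("api-gw",      True,   40, [True, True],  None),
    ("db-proxy",    True,    3, [False],       18.0),
    ("ci-runner",   True,   -2, [False, True], 72.0),  # expired before a renewal succeeded
    ("sso-idp",     True,  120, [True],        6.0),
    ("ml-notebook", False,  10, [],            None),  # shadow AI host found by a scan, never enrolled
    ("legacy-ftp",  False, -15, [],            None),  # shadow IT, expired and unmanaged
]

# Assumed owners and thresholds: each indicator is paired with who acts when it is breached.
INDICATORS = {
    "inventory_coverage":       {"owner": "PKI platform team", "min": 0.95},
    "renewal_success_rate":     {"owner": "PKI platform team", "min": 0.98},
    "unplanned_expirations":    {"owner": "service owners",    "max": 0},
    "median_remediation_hours": {"owner": "SecOps",            "max": 24.0},
}

def inventory_coverage(certs):
    """Trust inventory coverage: share of discovered assets governed by the control plane."""
    return sum(1 for c in certs if c[1]) / len(certs)

def renewal_success_rate(certs):
    """Fraction of renewal attempts that succeeded across the estate."""
    attempts = [ok for c in certs for ok in c[3]]
    return sum(attempts) / len(attempts) if attempts else 0.0

def unplanned_expirations(certs):
    """Certificates already expired; a report limited to enrolled assets would miss unmanaged ones."""
    return [c[0] for c in certs if c[2] < 0]

def median_remediation_hours(certs):
    """Median time to close a finding, or None when no finding has been remediated."""
    hrs = sorted(c[4] for c in certs if c[4] is not None)
    n = len(hrs)
    if n == 0:
        return None
    return hrs[n // 2] if n % 2 else (hrs[n // 2 - 1] + hrs[n // 2]) / 2

def evaluate(certs):
    """Return (indicator values, breaches as (indicator, value, owner)) for the discovered estate."""
    values = {
        "inventory_coverage": inventory_coverage(certs),
        "renewal_success_rate": renewal_success_rate(certs),
        "unplanned_expirations": len(unplanned_expirations(certs)),
        "median_remediation_hours": median_remediation_hours(certs),
    }
    breaches = []
    for name, spec in INDICATORS.items():
        v = values[name]
        if v is not None and (v < spec.get("min", float("-inf")) or v > spec.get("max", float("inf"))):
            breaches.append((name, v, spec["owner"]))
    return values, breaches
```

Running evaluate(CERTS) routes coverage, renewal success and unplanned expirations to their owners, while restricting the same inventory to enrolled assets would hide legacy-ftp and make the estate look healthier than it is.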
Key takeaways
- Continuous measurement turns trust governance from a claim into evidence, which is the difference between policy intent and operational control.
- Lifecycle and anomaly metrics reveal whether certificate and machine-identity processes are actually reducing risk or merely producing activity.
- Programmes that cannot prove inventory coverage or trend improvement will struggle to defend their maturity, regardless of how polished the dashboard looks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers monitoring and lifecycle controls for non-human identities. |
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring aligns with trust telemetry and anomaly detection. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Least-privilege evidence depends on continuous verification of access and scope. |
Measure NHI lifecycle and exposure trends continuously, then act on drift before expiry or exception rates rise.
Key terms
- Trust Control Plane: A trust control plane is the operational layer that collects telemetry, applies policy, and exposes evidence about identity and cryptographic state. In this article, it is the mechanism that turns control activity into measurable proof across certificates, machine identities, and exceptions.
- Trust Inventory Coverage: Trust inventory coverage is the proportion of assets and identities that are actively known, monitored, and governed by the control plane. It matters because any unmanaged segment makes reporting incomplete and can distort compliance, risk, and remediation decisions.
- Lifecycle Performance: Lifecycle performance is the set of measurements that show how efficiently identities or certificates move through request, issuance, renewal, and remediation stages. For machine identities, it is a practical indicator of whether governance is sustainable under real operating conditions.
- Control Signal: A control signal is a metric or alert that can be tied directly to a governance decision or operational response. A number becomes a control signal only when someone owns it, understands what change it represents, and can act before the risk compounds.
Deepen your knowledge
Trust telemetry, lifecycle metrics, and evidence-led governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a measurement model for certificates, secrets, or service accounts, it is worth exploring.
This post draws on content published by Keyfactor: Stage Two - Analyze & Measure, continuous insight for continuous improvement. Read the original.
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org