TL;DR: A major international services company used certificate-based credential management to secure engineer access to customer systems while reducing disruption, improving auditability, and automating certificate distribution and revocation according to Intercede. The case reinforces that lifecycle-managed credentials, not soft certificates or manual handoffs, are what make non-human access governable at scale.
At a glance
What this is: This case study shows how certificate lifecycle management can tighten engineer authentication to customer systems while preserving operational continuity.
Why it matters: It matters because IAM, PAM, and NHI teams need access models that prove current authorisation, support non-repudiation, and remove stale certificates without slowing field operations.
By the numbers:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
👉 Read Intercede's case study on certificate lifecycle control for engineer authentication
Context
Certificate-based authentication becomes difficult to govern when credentials are manually managed, long-lived, or disconnected from current authorisation. For engineer access to customer systems, the real challenge is not simply issuing certificates but proving that each credential still matches a live business need, a current device state, and an auditable access path.
This case study sits squarely in NHI governance and lifecycle control. It shows why organisations that rely on engineers, smart cards, USB devices, and customer-facing access need certificate management that can revoke access cleanly, reduce soft certificate exposure, and preserve non-repudiation without forcing a disruptive rebuild of the existing environment.
Key questions
Q: What breaks when engineer certificates are not lifecycle-managed?
A: When engineer certificates are not lifecycle-managed, access can outlive the approval that justified it. That creates stale entitlement, weaker non-repudiation, and more manual cleanup when relationships or tasks change. The result is a credential that still works even when the business no longer wants it to, which is exactly the kind of residual access IAM programmes should eliminate.
Q: Why do certificate-based access models improve accountability for customer-system access?
A: Certificate-based access improves accountability because each credential can be tied to a managed identity, an approval state, and an audit trail. That makes it easier to prove who accessed a system and whether access was current at the time. For engineer-led customer support, that traceability is often more valuable than login convenience alone.
Q: How should organisations reduce disruption when tightening certificate governance?
A: They should preserve existing devices and access patterns where possible, then add lifecycle control around them. That means updating, revoking, and auditing certificates without forcing engineers into a new operating model overnight. The practical goal is to strengthen governance while keeping business continuity intact.
Q: Who is accountable when certificate access is no longer current?
A: Accountability sits with the teams that own credential lifecycle, authorisation scope, and audit evidence. If a certificate remains active after access should have ended, the failure is usually governance, not authentication. For regulated or customer-facing access, that accountability should be explicit across IAM, PAM, and operational support functions.
Technical breakdown
Dynamic certificate deployment for field access
The core mechanism here is certificate distribution that follows current authorisation rather than static provisioning. Engineers need access from their own devices, but the entitlement is only valid while the business relationship, role, and system approval remain active. That shifts credential management from one-time issuance to runtime governance of certificate state. In practical terms, the security boundary is the certificate lifecycle, not the hardware token alone. When certificates are updated remotely or on-site, the organisation can preserve operational continuity while keeping access aligned to the present task and approved scope.
Practical implication: treat certificate issuance as part of access governance, not just authentication setup.
Why lifecycle revocation matters in certificate governance
Lifecycle management matters because certificates that outlive their need create residual access, audit ambiguity, and avoidable exposure. Revocation is what turns a credential from a permanent identity artifact into a controlled entitlement that can be removed when authorisation ends. In this model, the question is not whether a certificate was once valid, but whether it is still valid right now for this engineer, this customer system, and this access window. That is the difference between operational convenience and governed access.
Practical implication: build revocation into the same operating process that issues and updates certificates.
Non-repudiation and auditable engineer authentication
The case also highlights the value of auditable authentication for external-facing engineer access. Non-repudiation depends on being able to show who accessed what, when, and with which authorised credential. Smart cards and managed certificates support that traceability better than soft certificates scattered across endpoints or unmanaged stores. The technical point is not just stronger login assurance. It is evidence quality: when access events are tied to managed credentials, the organisation can reconstruct responsibility, prove control operation, and support customer assurance without relying on manual logs alone.
Practical implication: preserve audit trails that connect each certificate event to a named engineer and current approval.
NHI Mgmt Group analysis
Certificate lifecycle, not authentication alone, is the control plane for engineer access. This case shows that access to customer systems becomes governable only when credential issuance, update, and revocation are managed as one lifecycle. The underlying problem is not whether engineers can authenticate, but whether the credential still represents active authorisation at the moment of use. Practitioners should read this as a lifecycle governance case, not a device story.
Soft certificates create unnecessary identity drift in operational environments. When credentials are easier to copy, store, or leave behind than to govern, the identity surface expands faster than the access policy can keep up. That weakens both auditability and non-repudiation because the credential is no longer tightly bound to a managed state. The implication is straightforward: access evidence becomes less trustworthy as credential handling becomes more fragmented.
Revocation is the control that turns temporary access into accountable access. The case is useful because it shows revocation as a business enabler, not just a security backstop. If engineers can only reach customer systems while the certificate remains current, the organisation narrows exposure without blocking field work. Practitioner conclusion: lifecycle-offboarded certificates are the difference between controlled access and lingering entitlement.
Customer-facing authentication for engineers sits at the intersection of IAM, PAM, and NHI governance. This is not purely an access-management problem and not purely a device-management problem. The access path is privileged, externally facing, and tied to a non-human credential, so the governance model must account for certificate state, approval scope, and traceable usage together. The practitioner takeaway is to manage the identity, the privilege, and the certificate as one control set.
Managed credentials reduce business friction when the existing environment is preserved. The most relevant lesson is that stronger governance does not have to require a wholesale rebuild. By integrating with existing smart cards and devices, the organisation reduced disruption while tightening control. That matters for practitioners because adoption failure is often operational, not technical. The conclusion is that good lifecycle design can improve both security posture and deployment viability.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For the lifecycle dimension, see Ultimate Guide to NHIs , Key Challenges and Risks for how visibility and rotation gaps keep credentials alive too long.
What this signals
Lifecycle-managed certificates are becoming the difference between access assurance and access residue. As organisations preserve existing infrastructure while tightening control, the programme risk moves from authentication failure to credential persistence. Teams should watch for any process where a certificate can still function after the business reason for it has changed, because that is where governance drift starts.
Identity teams should expect more demand for auditable, hardware-backed access paths. Engineer-facing customer access is a preview of a broader pattern in which non-human credentials must be provable, revocable, and operationally light enough to survive in the field. The organisations that can connect certificate state to current authorisation will have a cleaner audit story and less manual cleanup.
The practical signal is simple: if revocation depends on memory, email, or after-the-fact review, the control is too weak for customer-facing access. Teams should prefer lifecycle workflows that can revoke access in the same system that issued it, and they should benchmark their credential hygiene against the visibility and rotation gaps documented in the Ultimate Guide to NHIs.
For practitioners
- Map engineer certificates to current authorisation state Tie each certificate to an active customer-system entitlement, and revoke access when the authorisation window closes or the task changes. This prevents credentials from surviving beyond the business need.
- Replace soft certificates with managed smart-card workflows Use managed hardware-backed certificates where possible so access remains traceable and less likely to drift across endpoints, shared stores, or unmanaged copies.
- Automate certificate revocation as a lifecycle event Trigger revocation from the same identity process that issues or updates credentials, so offboarding and role change do not depend on manual follow-up.
- Preserve non-repudiation with certificate-level audit trails Log issuance, updates, and revocation with enough context to show who accessed which customer system and under what approved condition.
Key takeaways
- This case study shows that certificate lifecycle control is the real governance layer for engineer access to customer systems.
- Automated distribution and revocation reduce manual error, improve non-repudiation, and keep access aligned to current authorisation.
- For IAM and NHI teams, the lesson is to manage certificates as governed entitlements, not static authentication artefacts.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate revocation and lifecycle control are central to NHI credential governance. |
| NIST CSF 2.0 | PR.AC-1 | Identity management and access control fit this engineer authentication use case. |
| NIST Zero Trust (SP 800-207) | The case aligns with continuous verification and least privilege for customer access. | |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management directly covers certificate issuance and revocation. |
| CIS Controls v8 | CIS-5 , Account Management | Managed credential lifecycle depends on disciplined account and access tracking. |
Apply zero-trust principles so certificate validity is checked against current authorisation and device context.
Key terms
- Certificate Lifecycle Management: The controlled process of issuing, updating, renewing, and revoking certificates across their useful life. In identity programmes, it ensures a certificate remains tied to current authorisation and is removed when the access need ends, rather than lingering as reusable standing access.
- Non-Repudiation: A property of access evidence that allows an organisation to show who performed an action and that the action was tied to an approved identity. For certificate-based engineer access, non-repudiation depends on strong audit trails and credentials that are managed, current, and attributable.
- Soft Certificate: A certificate stored in software rather than protected by a hardware-backed mechanism such as a smart card. It can be easier to deploy but often creates more risk because it is simpler to copy, misplace, or leave active outside its intended lifecycle.
- Current Authorisation: The access state that is valid right now for a person, device, or service to reach a protected system. In governed identity environments, current authorisation is what matters at the moment of use, not whether access was approved at some point in the past.
What's in the full article
Intercede's full case study covers the operational detail this post intentionally leaves for the source:
- How MyID CMS handles smart-card updates on-site and remotely without forcing a hardware replacement programme
- The credential distribution and revocation workflow used to keep engineer access aligned to current authorisation
- The implementation approach that preserved existing expenditure while reducing disruption for engineers and customers
- The business and financial outcomes associated with a single-pane-of-glass credential management model
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org