TL;DR: Only 34% of organisations report complete certificate visibility, while 74% are highly concerned about certificate sprawl and nearly three-quarters fear outages from expired certificates, according to DigiCert’s 2026 Global PKI Research Report. Manual PKI management is no longer sustainable when machine identities multiply faster than teams can inventory, review, and automate them.
At a glance
What this is: This is DigiCert's survey-based look at certificate visibility, PKI modernization, and machine identity sprawl, with the key finding that most organisations still lack a complete and current view of their certificates.
Why it matters: It matters because incomplete certificate visibility creates outage risk, weakens machine identity governance, and leaves IAM, PAM, and lifecycle teams managing trust they cannot fully see.
By the numbers:
- Only 34% of organisations report a complete and current view of their digital certificates.
- 74% say they are highly concerned about certificate sprawl.
👉 Read DigiCert's report on certificate visibility and PKI modernization
Context
Certificate visibility is the ability to inventory, track, and govern every digital certificate before it expires, duplicates, or becomes disconnected from ownership. In practice, this is a machine identity governance problem, not just a PKI housekeeping problem, because certificates act as credentials for workloads, services, devices, and increasingly AI systems.
The gap is structural: distributed environments, shrinking certificate lifespans, and manual tracking methods make it hard to keep trust state current. For IAM, IGA, and platform teams, the issue is less about issuing certificates and more about proving they are visible, owned, and rotated on time across the full lifecycle.
That is why PKI modernization now sits alongside broader identity governance work, including the NHI lifecycle management guide and related machine identity controls. The organisations that still treat certificates as an isolated infrastructure task will keep discovering trust failures after the fact rather than preventing them.
Key questions
Q: How should security teams govern certificate visibility across distributed environments?
A: Security teams should govern certificates as lifecycle-managed identity objects, not as isolated infrastructure assets. The first priority is an authoritative inventory with ownership, expiry, and dependency data. From there, automate discovery and renewal, and require exceptions to have named owners. Without that structure, visibility remains partial and outage risk stays high.
Q: Why does certificate sprawl increase operational risk?
A: Certificate sprawl increases risk because every additional certificate adds another trust object that can expire, duplicate, or go unowned. In distributed environments, sprawl expands the number of places where outages and control failures can start. It also makes manual tracking less reliable, which is why governance must shift from counting certificates to managing their lifecycle.
Q: How do organisations know whether certificate lifecycle automation is working?
A: Automation is working when renewals, replacements, and revocations happen without recurring manual intervention or last-minute firefighting. Useful signals include fewer expiry-related incidents, lower exception counts, and a shorter time from discovery to ownership assignment. If teams still rely on spreadsheets to confirm state, the automation layer is not yet trustworthy.
Q: Which governance frameworks apply to certificate visibility and PKI modernization?
A: NIST Cybersecurity Framework 2.0 is relevant because certificate visibility supports the Identify, Protect, and Respond functions: an asset inventory that includes certificates, identity management and access control built on trustworthy certificate state, and faster response when an expiry or compromise is discovered. Organisations should also align certificate governance with machine identity lifecycle controls so inventory, renewal, and revocation are treated as repeatable controls rather than ad hoc tasks.
Technical breakdown
Why certificate visibility breaks at scale
Certificate visibility fails when inventory data is fragmented across teams, tools, and environments. A certificate can exist in a load balancer, a container image, a device fleet, or a CI pipeline without a single authoritative owner or expiry record. That creates blind spots in trust management, because the problem is not only the certificate itself but the absence of lifecycle state around it. Once certificate sprawl grows faster than manual tracking, teams lose the ability to answer basic questions about where certificates live, who owns them, and which systems depend on them.
Practical implication: establish one authoritative inventory for certificates and tie each asset to an owner, expiry date, and renewal path.
How certificate sprawl becomes machine identity risk
Certificate sprawl is the uncontrolled growth of certificates across services, environments, and use cases. Each certificate is a machine identity credential, which means sprawl is also access sprawl. As certificates multiply, the blast radius of poor lifecycle control expands because expired, duplicated, or untracked certificates can break availability or persist longer than intended. In modern infrastructure, this becomes an identity problem because the organisation is governing trust objects rather than static infrastructure artefacts.
Practical implication: treat certificate population growth as an identity risk signal and review it alongside NHI and workload access reviews.
Why crypto-agility depends on certificate lifecycle automation
Crypto-agility is the ability to adapt cryptographic systems quickly when requirements, algorithms, or lifespans change. That only works if certificate issuance, renewal, replacement, and revocation are automated enough to keep pace with policy shifts. Manual spreadsheets cannot support shorter certificate validity periods or rapid cryptographic transitions. When automation is missing, the organisation can be technically compliant on paper while operationally exposed in production.
Practical implication: automate certificate lifecycle steps first, then test whether renewal and revocation can happen without manual intervention.
NHI Mgmt Group analysis
Certificate visibility blind spots are now a machine identity governance failure, not a PKI side issue. The article shows that most organisations still cannot maintain a complete and current certificate view, which means ownership, expiry, and dependency data are incomplete at the point of decision. That is a governance failure because certificates are credentials, and credentials without lifecycle visibility are unmanaged trust. Practitioners should treat this as a machine identity control problem.
Standing certificate trust was designed for slower infrastructure change, and that assumption is collapsing. Certificate lifespans are shrinking while environments become more distributed, which means the old assumption that certificate state can be checked and corrected manually no longer holds. The implication is not simply to add more tooling, but to rethink whether governance models built for periodic review can still cope with continuous infrastructure change. Teams need a lifecycle model that matches machine speed.
Certificate sprawl is becoming identity blast radius, especially where AI systems and workloads depend on the same trust fabric. The report's mention of AI use cases matters because certificate governance is no longer limited to servers and applications. As AI systems, services, and devices share trust infrastructure, one visibility gap can affect multiple actor types. Practitioners should govern certificates as shared identity infrastructure, not as isolated PKI artefacts.
Manual tracking is the named failure mode this survey exposes. Spreadsheets, siloed tools, and disconnected processes create a control environment where ownership is inferred instead of proven. That pattern is incompatible with NIST CSF-style governance and with machine identity programmes that need repeatable inventory, renewal, and revocation evidence. The practical conclusion is that certificate governance must be operationalised before it can be trusted.
From our research:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to the 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
- For the broader governance picture, see the NHI Lifecycle Management Guide for how lifecycle controls change when trust objects are continuously created, rotated, and retired.
What this signals
Certificate governance is converging with machine identity governance. As environments absorb more services, devices, and AI-linked trust objects, teams need to stop treating certificates as a separate PKI backlog and start governing them as part of the identity lifecycle. The programme signal is clear: inventory, renewal, and revocation must be auditable across every trust domain.
With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, the wider identity problem is already expanding beyond human and server credentials into autonomous decision paths. That makes certificate visibility part of a larger trust-assurance model, not a narrow infrastructure metric.
Visibility debt will become outage debt if it is not reduced now. Teams that cannot prove where certificates live or who owns them will struggle to respond to expiry, sprawl, and cryptographic change at the speed modern infrastructure demands. Practitioners should expect PKI modernization to merge with lifecycle governance, not replace it.
For practitioners
- Build a single certificate inventory: Map every certificate to a system owner, workload owner, expiry date, renewal method, and revocation path. Include infrastructure, container, device, and AI-related trust points so hidden certificates do not sit outside lifecycle controls.
- Replace spreadsheet tracking with lifecycle automation: Automate discovery, renewal, and revocation workflows for certificates that support production services. Use exceptions only for temporary remediation and require a documented owner for every exception.
- Review certificate sprawl as an identity risk metric: Track certificate counts, orphaned certificates, renewal failures, and manual exceptions in the same governance cadence used for NHI and privileged access reviews. Rising sprawl should trigger remediation before expiry events create outages.
- Tie PKI modernization to machine identity governance: Do not modernize PKI as a standalone infrastructure project. Align it with workload identity, certificate lifecycle management, and the NHI Lifecycle Management Guide so the trust fabric is governed end to end.
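The checks described in the technical breakdown (inventory with owner and expiry, sprawl as duplicate and orphaned trust objects, crypto-agility as enforceable validity and key policy) and in the practitioner steps above, as an added example written for this page rather than code from DigiCert or NHIMG. It uses only Go's standard library `crypto/x509`, which is what a practitioner would parse discovered certificates with. Everything in the sample is constructed: the host names, team names and renewal methods are hypothetical, the certificates are minted in-process by `newSelfSigned` so the program runs offline, and the 30-day warning window, 90-day validity cap and ECDSA-only key policy are assumed values, not anything the report prescribes. A real deployment would fill `CertRecord` from discovery scans of load balancers, images, devices and pipelines, and keep the `Audit` logic as it is.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Assumed lifecycle policy: warn 30 days before expiry, cap validity at 90 days, permit only ECDSA keys.
var (
	day         = 24 * time.Hour
	warnWithin  = 30 * day
	maxValidity = 90 * day
	allowedKeys = map[x509.PublicKeyAlgorithm]bool{x509.ECDSA: true}
)

// CertRecord is one inventory row: the parsed certificate plus the owner and renewal path the text requires.
type CertRecord struct {
	Location, Owner, Renewal string // deployment point, accountable team ("" = orphaned), "acme", "pipeline" or "manual"
	Cert                     *x509.Certificate
}

// Finding is one governance exception raised by Audit.
type Finding struct{ Location, Rule, Detail string }

// Audit applies the policy to the whole inventory and returns every exception.
func Audit(inv []CertRecord, now time.Time) []Finding {
	var out []Finding
	add := func(loc, rule, detail string) { out = append(out, Finding{loc, rule, detail}) }
	seen := map[string][]string{} // SHA-256 fingerprint -> locations it is deployed at
	for _, r := range inv {
		c := r.Cert
		fp := fmt.Sprintf("%x", sha256.Sum256(c.Raw)) // the DER hash identifies a certificate wherever it was copied
		seen[fp] = append(seen[fp], r.Location)
		if r.Owner == "" {
			add(r.Location, "orphaned", "no named owner")
		}
		if r.Renewal == "manual" {
			add(r.Location, "manual-renewal", "no automated renewal path; needs a named exception owner")
		}
		switch left := c.NotAfter.Sub(now); {
		case left <= 0:
			add(r.Location, "expired", fmt.Sprintf("expired %s ago", -left.Round(time.Hour)))
		case left < warnWithin:
			add(r.Location, "expiring", fmt.Sprintf("%s left, renewal via %s", left.Round(time.Hour), r.Renewal))
		}
		if v := c.NotAfter.Sub(c.NotBefore); v > maxValidity {
			add(r.Location, "validity-too-long", fmt.Sprintf("%s exceeds policy %s", v, maxValidity))
		}
		if !allowedKeys[c.PublicKeyAlgorithm] {
			add(r.Location, "key-algorithm", c.PublicKeyAlgorithm.String()+" not permitted by crypto policy")
		}
	}
	for fp, locs := range seen { // a copied certificate must be renewed everywhere at once
		if len(locs) > 1 {
			add(locs[0], "duplicate", fmt.Sprintf("%s also deployed at %v", fp[:12], locs[1:]))
		}
	}
	return out
}

// newSelfSigned mints a throw-away certificate so the example runs offline; a real inventory ingests discovered certificates.
func newSelfSigned(key crypto.Signer, dns string, nb, na time.Time) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, DNSNames: []string{dns}, NotBefore: nb, NotAfter: na}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return c
}

// SampleInventory is a constructed inventory (hypothetical hosts and teams) that exercises each failure mode.
func SampleInventory(now time.Time) []CertRecord {
	ec, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	shared := newSelfSigned(ec, "api.example.test", now.Add(-10*day), now.Add(35*day))
	return []CertRecord{
		{"lb-01", "platform-team", "acme", shared},
		{"lb-02", "platform-team", "acme", shared}, // the same certificate copied to a second node
		{"ci-runner", "", "manual", newSelfSigned(ec, "ci.example.test", now.Add(-400*day), now.Add(-5*day))},
		{"iot-gw", "device-team", "pipeline", newSelfSigned(rsaKey, "gw.example.test", now, now.Add(397*day))},
	}
}

func main() {
	now := time.Now()
	for _, f := range Audit(SampleInventory(now), now) {
		fmt.Printf("%-10s %-18s %s\n", f.Location, f.Rule, f.Detail)
	}
}
```

Run it with `go run` and each line names the location, the rule and the detail a reviewer needs; counting findings per rule gives the orphaned-certificate, expiry and manual-exception metrics the review cadence above asks for. Two rules are the ones spreadsheets tend to miss: `duplicate` keys on the certificate's fingerprint rather than on its host name, so the same certificate copied to a second node is caught before a renewal on one node silently leaves the other to expire, and `validity-too-long` and `key-algorithm` turn the crypto-agility discussion into a policy that fails closed against the actual `NotBefore`, `NotAfter` and key type parsed from the certificate.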
Key takeaways
- The core problem is not certificate issuance, but the inability to maintain a current, complete trust inventory across environments.
- The survey shows that certificate sprawl and expiry fear are already widespread, which makes automation and ownership assignment operational priorities rather than future improvements.
- Practitioners should manage certificates as machine identities inside the broader lifecycle governance programme, or the visibility gap will keep turning into outage risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM (Asset Management), PR.AA (Identity Management, Authentication, and Access Control) | Visibility, protection, and recovery all depend on knowing where certificates live. |
| OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets, NHI1:2025 Improper Offboarding | Certificate lifecycle failures are a classic non-human identity management problem: unrotated and unretired certificates are long-lived credentials nobody has offboarded. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | Certificate state underpins the per-session, dynamic-policy trust decisions a zero trust architecture makes. |
Treat certificates as credentials, then automate discovery, renewal, and revocation before expiry risk compounds.
Key terms
- Certificate Visibility: Certificate visibility is the ability to discover, inventory, and monitor every digital certificate in use. It matters because a certificate without an owner, expiry date, or dependency record cannot be governed reliably, especially in distributed environments where machine identities change faster than manual processes can track them.
- Certificate Sprawl: Certificate sprawl is the uncontrolled growth of certificates across systems, services, and environments. It creates operational risk because each certificate becomes another trust object that can expire, duplicate, or remain unowned, making outages and governance failures more likely.
- Crypto-Agility: Crypto-agility is the ability to change cryptographic mechanisms quickly when policy, risk, or standards change. In practice, it depends on automation, clean inventory, and lifecycle control, because manual certificate processes cannot keep pace with shorter lifespans or new cryptographic requirements.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: DigiCert Research Reveals Major Certificate Visibility Blind Spot for Enterprises. Read the original.
Published by the NHIMG editorial team on 2026-06-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org