TL;DR: Post-quantum cryptography, AI-driven phishing, shorter certificate lifespans, and continued certificate automation pressure headline 2025 predictions, with manual certificate management still common in nearly a quarter of enterprises, according to DigiCert. The real governance issue is that trust operations are becoming too dynamic for spreadsheet-era controls.
At a glance
What this is: DigiCert’s 2025 outlook argues that quantum readiness, AI phishing, and certificate automation will shape digital trust programmes.
Why it matters: IAM, NHI, and security teams must treat trust infrastructure as a lifecycle problem spanning certificates, identities, and automation.
By the numbers:
- The era of manual certificate management ends, yet 23.53% of respondents still said certificates are managed via manual effort such as spreadsheets.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
👉 Read DigiCert’s 2025 security predictions on trust automation and PQC
Context
DigiCert’s 2025 predictions describe a trust environment where certificate lifecycles, phishing resistance, and cryptographic readiness are all changing at once. For identity security teams, the primary issue is not any single prediction but the operational strain on programmes that still treat trust assets as static objects.
The article spans digital trust, post-quantum cryptography, and AI-enabled deception, but its governance lesson is broader. Certificate operations, secrets management, and identity assurance now need the same lifecycle discipline that IAM teams already apply to human access and NHI credentials.
Key questions
Q: How should organisations prepare certificate estates for shorter lifespans?
A: They should treat certificate management as a continuous lifecycle process, not a periodic admin task. That means central inventory, automated issuance and renewal, expiry monitoring, and clear ownership for revocation. The goal is to eliminate manual renewal paths that fail under shorter validity windows and create avoidable outages.
Q: Why does AI-driven phishing change identity security decisions?
A: It lowers the reliability of human judgment in routine trust checks, which means organisations need stronger process controls. Security teams should shift validation into workflow design, use out-of-band verification for sensitive actions, and reduce reliance on user recognition of suspicious content.
Q: What breaks when cryptographic agility is missing?
A: Migrations stall because organisations cannot change certificates, algorithms, or trust chains quickly enough to meet new requirements. The result is operational fragility, delayed security upgrades, and a higher chance that legacy cryptography remains in place long after it should have been retired.
Q: How do teams know whether trust automation is actually working?
A: They should measure renewal success rates, expiry exceptions, revocation latency, and the percentage of certificates still handled manually. If those signals are not improving, the programme is still exposed to the same lifecycle failures it was meant to remove.
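The four signals named in the answer above, computed over a constructed certificate event log. This is an added example and not code from DigiCert or the original post; the inventory rows, event records and field names (`managed_by`, `not_after`, `outcome`, `compromise_reported`, `revoked`) are assumptions standing in for what a certificate lifecycle management tool would export.

```python
"""Trust-lifecycle scorecard computed from a constructed certificate event log.

Added example; not code from the DigiCert article or the NHIMG post. The
inventory rows, event records and field names are constructed assumptions.
"""
from datetime import datetime

# Constructed inventory: managed_by is "acme" (automated) or "spreadsheet" (manual).
INVENTORY = [
    {"id": "web-01", "managed_by": "acme", "not_after": "2025-03-01"},
    {"id": "web-02", "managed_by": "acme", "not_after": "2025-03-15"},
    {"id": "api-01", "managed_by": "spreadsheet", "not_after": "2025-06-01"},
    {"id": "api-02", "managed_by": "spreadsheet", "not_after": "2025-02-20"},
    {"id": "svc-01", "managed_by": "acme", "not_after": "2025-05-01"},
]

# Constructed lifecycle events (ISO 8601 timestamps).
EVENTS = [
    {"cert": "web-01", "type": "renewal", "outcome": "success", "at": "2025-02-10T00:00:00"},
    {"cert": "web-02", "type": "renewal", "outcome": "failure", "at": "2025-03-10T00:00:00"},
    {"cert": "svc-01", "type": "renewal", "outcome": "success", "at": "2025-03-01T00:00:00"},
    {"cert": "api-02", "type": "compromise_reported", "at": "2025-01-05T09:00:00"},
    {"cert": "api-02", "type": "revoked", "at": "2025-01-10T09:00:00"},
    {"cert": "svc-01", "type": "compromise_reported", "at": "2025-03-30T12:00:00"},
    {"cert": "svc-01", "type": "revoked", "at": "2025-03-30T13:30:00"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def renewal_success_rate(events):
    """Share of renewal attempts that succeeded (None when nothing was attempted)."""
    attempts = [e for e in events if e["type"] == "renewal"]
    if not attempts:
        return None
    return sum(e["outcome"] == "success" for e in attempts) / len(attempts)


def expiry_exceptions(inventory, events, as_of):
    """Certificates whose not_after has passed without a successful renewal before that date."""
    exceptions = []
    for cert in inventory:
        deadline = _ts(cert["not_after"])
        if deadline >= _ts(as_of):
            continue  # still valid as of the reporting date
        renewed = any(
            e["cert"] == cert["id"] and e["type"] == "renewal"
            and e["outcome"] == "success" and _ts(e["at"]) <= deadline
            for e in events
        )
        if not renewed:
            exceptions.append(cert["id"])
    return sorted(exceptions)


def revocation_latency_hours(events):
    """Hours from compromise report to revocation per certificate; None if still unrevoked."""
    reported, revoked = {}, {}
    for e in events:
        if e["type"] == "compromise_reported":
            reported[e["cert"]] = _ts(e["at"])
        elif e["type"] == "revoked":
            revoked[e["cert"]] = _ts(e["at"])
    return {
        c: ((revoked[c] - t).total_seconds() / 3600 if c in revoked else None)
        for c, t in reported.items()
    }


def manual_share_pct(inventory):
    """Percentage of the estate still handled by spreadsheet-style manual effort."""
    manual = sum(c["managed_by"] == "spreadsheet" for c in inventory)
    return round(100 * manual / len(inventory), 1)


def scorecard(inventory, events, as_of):
    """Aggregate the four signals a trust-automation programme should track."""
    rate = renewal_success_rate(events)
    latency = revocation_latency_hours(events)
    measured = [h for h in latency.values() if h is not None]
    return {
        "renewal_success_rate": None if rate is None else round(rate, 3),
        "expiry_exceptions": expiry_exceptions(inventory, events, as_of),
        "worst_revocation_latency_hours": max(measured) if measured else None,
        "unrevoked_after_report": sorted(c for c, h in latency.items() if h is None),
        "manual_share_pct": manual_share_pct(inventory),
    }


if __name__ == "__main__":
    for key, value in scorecard(INVENTORY, EVENTS, "2025-04-01").items():
        print(f"{key:32} {value}")
```

Trend these numbers between reporting periods rather than reading them once: a renewal success rate that stays flat, or an expiry-exception list that keeps the same names, means the automation has not actually displaced the manual path.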
Technical breakdown
Post-quantum cryptography and crypto-agility
Post-quantum cryptography, or PQC, refers to cryptographic algorithms designed to withstand attacks from future quantum computers. Crypto-agility is the ability to change cryptographic primitives, certificates, and trust chains without rebuilding the surrounding service. In practice, the hard part is not algorithm selection alone but inventory, dependency mapping, and controlled replacement across applications, appliances, and identities. Organisations that cannot locate where crypto lives cannot migrate it safely.
Practical implication: build a cryptographic inventory now so PQC migration becomes a managed lifecycle task rather than an emergency replacement exercise.
Shorter SSL/TLS lifespans and certificate automation
Shorter certificate lifespans compress the time available for renewal, validation, and revocation handling. That shifts certificate management from periodic maintenance to continuous operational control, especially where certificates are embedded in code, infrastructure, and machine workflows. Manual renewal processes become unreliable when the margin for error shrinks. Automation matters here because certificate expiry is now a service continuity risk, not just an admin nuisance.
Practical implication: remove spreadsheet-driven renewal paths and enforce automated issuance, renewal, and monitoring across all certificate estates.
AI-driven phishing and trust validation
AI-driven phishing raises the fidelity of social engineering by improving language quality, personalisation, and scale. The technical challenge is not only email filtering but the erosion of user and process cues that people rely on when validating requests. As attacks become more convincing, organisations need stronger trust signals in workflows, not just better awareness messaging. That includes harder checks for payment changes, access requests, and account recovery.
Practical implication: harden high-risk business workflows with verified out-of-band validation and identity-aware controls.
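What "verified out-of-band validation" looks like as a control, as an added example rather than anything DigiCert or NHIMG published: an approval gate that refuses to confirm a high-risk action on the channel the request arrived on, accepts confirmation only through a channel the requester enrolled in advance, and bounds the confirmation window. The user, channel names, action list and 15-minute window are constructed assumptions.

```python
"""Out-of-band approval gate for high-risk workflow actions.

Added example; not code from DigiCert or NHIMG. Channel names, enrolled
channels, the action list and the confirmation window are constructed.
"""
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed: channels each user enrolled in advance (authenticated portal,
# callback to a phone number on file). Inbound email or chat is deliberately
# absent: that is where requests arrive, never where they are confirmed.
REGISTERED_CHANNELS = {
    "alice": {"portal", "callback-phone"},
}

# Constructed list of actions that must never be approved on the strength of
# a convincing message alone.
HIGH_RISK_ACTIONS = {"change-payment-details", "reset-account-recovery", "grant-admin-access"}


class ApprovalGate:
    def __init__(self, ttl=timedelta(minutes=15)):
        self.ttl = ttl
        self.pending = {}

    def submit(self, req_id, requester, action, received_via, now):
        """Record a request and return the code to deliver over an enrolled channel."""
        if action not in HIGH_RISK_ACTIONS:
            raise ValueError("gate only covers high-risk actions")
        code = secrets.token_hex(4)
        self.pending[req_id] = {
            "requester": requester, "action": action, "received_via": received_via,
            "code": code, "expires": now + self.ttl, "approved": False,
        }
        return code

    def confirm(self, req_id, via, code, now):
        """Approve only on an enrolled channel distinct from the inbound one, in time, with the right code."""
        p = self.pending.get(req_id)
        if p is None:
            return False, "unknown request"
        if now > p["expires"]:
            self.pending.pop(req_id)
            return False, "confirmation window expired"
        if via == p["received_via"]:
            return False, "confirmation must not use the channel the request arrived on"
        if via not in REGISTERED_CHANNELS.get(p["requester"], set()):
            return False, "channel not registered for requester"
        if not hmac.compare_digest(code, p["code"]):
            return False, "confirmation code mismatch"
        p["approved"] = True
        return True, "approved"

    def is_approved(self, req_id):
        p = self.pending.get(req_id)
        return bool(p and p["approved"])


def demo():
    """Walk one request through the gate; returns the (ok, reason) outcome of each attempt."""
    t0 = datetime(2025, 1, 15, 9, 0)
    gate = ApprovalGate()
    code = gate.submit("r1", "alice", "change-payment-details", "email", t0)
    outcomes = [
        gate.confirm("r1", "email", code, t0 + timedelta(minutes=1)),       # same channel as request
        gate.confirm("r1", "sms", code, t0 + timedelta(minutes=1)),         # channel never enrolled
        gate.confirm("r1", "portal", "00000000", t0 + timedelta(minutes=2)),  # wrong code
        gate.confirm("r1", "portal", code, t0 + timedelta(minutes=3)),      # enrolled channel, right code
    ]
    late = ApprovalGate()
    code2 = late.submit("r2", "alice", "grant-admin-access", "chat", t0)
    outcomes.append(late.confirm("r2", "portal", code2, t0 + timedelta(minutes=16)))  # too late
    return outcomes


if __name__ == "__main__":
    for ok, reason in demo():
        print("APPROVED" if ok else "REJECTED", reason)
```

The point of the channel check is that a message the attacker wrote can never also be the message that confirms it; the enrolled-channel list has to be maintained through the identity lifecycle like any other trust asset, otherwise the gate degrades to a single-channel check.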
Threat narrative
Attacker objective: The attacker wants to exploit trust at scale, converting believable messages into credential theft, fraud, or unauthorised access.
- Entry occurs when attackers use AI-generated phishing to deliver messages that look credible enough to bypass normal scrutiny and capture trust.
- Escalation follows when the victim interacts with the request, exposing credentials, approving fraudulent actions, or triggering downstream access abuse.
- Impact is the theft of credentials, unauthorised financial or account activity, and broader compromise of trust in digital communications.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Digital trust is becoming a lifecycle governance problem, not a point control. The article’s mix of PQC, certificate automation, and AI phishing shows that trust assets now move, expire, and fail faster than annual review cycles can handle. That means certificate governance, secrets governance, and identity governance are converging around the same operational question: can the organisation actually see, renew, and revoke trust artefacts before they fail? Practitioners should treat trust lifecycle control as a core identity programme requirement.
Manual certificate management is a runtime exposure, not just an efficiency issue. DigiCert’s own statistic that nearly a quarter of enterprises still rely on manual effort for certificates points to a failure mode, not a maturity gap. When certificate lifetimes shrink, manual renewal becomes an availability and security risk because missed expiry, delayed revocation, and inconsistent inventories all widen attack windows. The practitioner conclusion is straightforward: the control surface has outgrown spreadsheet administration.
AI-driven phishing weakens the human side of trust validation, which pushes more verification into systems. As messages become more convincing, the burden shifts from user suspicion to workflow design, identity assurance, and transaction controls. That affects human IAM directly, but it also affects NHI and automation paths because many phishing outcomes target credentials, tokens, or approvals that unlock non-human access. Practitioners should assume deception now crosses the boundary between human and machine identity workflows.
Cryptographic agility is the named concept this market is moving toward. The issue is not whether PQC will arrive, but whether enterprises can change trust mechanisms without service disruption or governance blind spots. A programme that cannot inventory certificates, dependencies, and trust chains cannot rotate into quantum-resistant controls cleanly. The implication is that trust architecture must be managed as a continuously changing identity dependency, not a one-time build choice.
From our research:
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Another 71% of NHIs are not rotated within recommended time frames, which shows how quickly trust objects drift out of governance once lifecycle discipline weakens.
- For a broader control baseline, review the Top 10 NHI Issues to connect certificate automation, rotation, and access governance into one programme.
What this signals
Cryptographic agility: the next trust programme differentiator is not whether a team can adopt PQC eventually, but whether it can replace cryptographic assets without losing service visibility or approval discipline. That will force IAM, PKI, and platform teams to work from the same inventory and change-control model.
With 96% of organisations still storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the trust problem is already broader than certificates alone. The programme signal is clear: operational trust hygiene now spans every place credentials and keys can leak.
Teams that already manage identity lifecycle well will find the transition easier because certificate renewal, revocation, and validation are lifecycle questions at their core. The gap is not the existence of policy, but whether policy is actually executable at machine speed.
For practitioners
- Inventory every certificate and trust dependency: Create a living inventory of TLS certificates, internal PKI assets, embedded keys, and application dependencies so renewal and migration can be planned centrally.
- Automate issuance, renewal, and revocation: Replace manual renewal flows with automated certificate lifecycle management, including alerts for expiring assets and revocation paths for compromised trust material.
- Map cryptographic dependencies before PQC migration: Identify which applications, libraries, devices, and identity systems depend on each algorithm so you can sequence quantum-safe changes without breaking service.
- Harden high-risk approval workflows: Require stronger validation for account recovery, access changes, and payment instructions so AI-generated phishing has fewer opportunities to convert trust into compromise.
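The inventory and dependency-mapping steps above, and the crypto-agility point from the technical breakdown, as one added example (not code from DigiCert or NHIMG): a constructed cryptographic inventory in which each certificate records its algorithm, its issuer and who manages it, plus the services that consume it. From that the code orders replacement so an issuer is migrated before the certificates it signs, and reports which services each step touches and which steps still run through a spreadsheet. The asset ids, consumer mapping and `managed_by` values are constructed; the algorithm classification reflects public knowledge (factoring and discrete-log schemes such as RSA and ECDSA fall to Shor's algorithm, while ML-DSA is the NIST FIPS 204 lattice-based signature scheme).

```python
"""Cryptographic inventory, dependency mapping and PQC migration sequencing.

Added example; not code from DigiCert or NHIMG. Inventory rows, consumer
mapping and ownership fields are constructed. Only the algorithm
classification is public fact: RSA/DSA/DH/ECDH/ECDSA/Ed25519 rely on
factoring or discrete logs, which Shor's algorithm breaks; ML-DSA (FIPS 204)
is a lattice-based signature scheme standardised for the post-quantum era.
"""
from collections import defaultdict, deque

QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "Ed25519"}

# Constructed inventory. issued_by links a certificate to its issuing CA, so
# the trust chain is an explicit dependency graph.
ASSETS = [
    {"id": "root-ca", "algorithm": "RSA", "bits": 4096, "issued_by": None, "managed_by": "pki-team"},
    {"id": "int-ca", "algorithm": "RSA", "bits": 3072, "issued_by": "root-ca", "managed_by": "pki-team"},
    {"id": "web-leaf", "algorithm": "ECDSA", "bits": 256, "issued_by": "int-ca", "managed_by": "acme"},
    {"id": "vpn-appliance", "algorithm": "RSA", "bits": 2048, "issued_by": "int-ca", "managed_by": "spreadsheet"},
    {"id": "pqc-ca", "algorithm": "ML-DSA-65", "bits": None, "issued_by": None, "managed_by": "pki-team"},
    {"id": "mtls-client", "algorithm": "ML-DSA-65", "bits": None, "issued_by": "pqc-ca", "managed_by": "acme"},
]

# Constructed: which services present or pin which certificates.
CONSUMERS = {
    "checkout-web": ["web-leaf"],
    "partner-vpn": ["vpn-appliance"],
    "mesh-sidecar": ["mtls-client"],
}


def needs_pqc_migration(asset):
    return asset["algorithm"] in QUANTUM_VULNERABLE


def migration_order(assets):
    """Topological order of the trust chain: every issuer precedes what it signed (Kahn's algorithm)."""
    children = defaultdict(list)
    indegree = {a["id"]: 0 for a in assets}
    for a in assets:
        if a["issued_by"] is not None:
            children[a["issued_by"]].append(a["id"])
            indegree[a["id"]] += 1
    queue = deque(sorted(i for i, d in indegree.items() if d == 0))
    order = []
    while queue:
        current = queue.popleft()
        order.append(current)
        for child in sorted(children[current]):
            indegree[child] -= 1
            if indegree[child] == 0:
                queue.append(child)
    if len(order) != len(assets):
        raise ValueError("trust chain has a cycle or references an issuer missing from the inventory")
    return order


def blast_radius(assets, consumers, asset_id):
    """Services affected if asset_id is replaced: consumers of it or of anything it transitively signed."""
    children = defaultdict(list)
    for a in assets:
        if a["issued_by"] is not None:
            children[a["issued_by"]].append(a["id"])
    affected, stack = set(), [asset_id]
    while stack:
        current = stack.pop()
        if current in affected:
            continue
        affected.add(current)
        stack.extend(children[current])
    return sorted(name for name, deps in consumers.items() if affected & set(deps))


def migration_plan(assets, consumers):
    """Ordered replacement steps for every quantum-vulnerable asset, with impact and manual-handling flags."""
    by_id = {a["id"]: a for a in assets}
    plan = []
    for asset_id in migration_order(assets):
        asset = by_id[asset_id]
        if not needs_pqc_migration(asset):
            continue
        plan.append({
            "step": len(plan) + 1,
            "id": asset_id,
            "algorithm": asset["algorithm"],
            "affected_consumers": blast_radius(assets, consumers, asset_id),
            "manual": asset["managed_by"] == "spreadsheet",
        })
    return plan


if __name__ == "__main__":
    for step in migration_plan(ASSETS, CONSUMERS):
        flag = " (manual path: automate first)" if step["manual"] else ""
        print(f"{step['step']}. {step['id']} [{step['algorithm']}] -> {step['affected_consumers']}{flag}")
```

The ordering constraint is the practical content of crypto-agility: a leaf cannot be reissued under a quantum-safe chain until its issuer exists in that form, and any step that still depends on a manually managed asset is a step the programme cannot execute at machine speed. In a real estate the `ASSETS` rows come from scanning endpoints, key stores and pipelines rather than from a hand-written list.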
Key takeaways
- DigiCert’s 2025 outlook frames digital trust as an operational lifecycle problem shaped by PQC, automation, and AI-enabled deception.
- The evidence points to a governance gap between shrinking certificate lifespans and still-common manual management practices.
- Identity teams should respond by automating trust lifecycles, hardening verification steps, and inventorying cryptographic dependencies now.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS-2 | Covers protection of data in transit and trust assets affected by PQC migration. |
| NIST Zero Trust (SP 800-207) | PR.AA-04 | Identity assurance and continuous verification are central to trust workflows discussed here. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential and certificate lifecycle governance applies directly to machine trust assets. |
Tie certificate and workflow validation to zero trust identity verification rather than static trust assumptions.
Key terms
- Post-quantum cryptography: Cryptographic algorithms designed to remain secure against attacks from future quantum computers. In practice, PQC is a migration problem as much as a maths problem, because organisations must inventory where cryptography is used, sequence replacements, and preserve service continuity during the transition.
- Crypto-agility: The ability to change cryptographic algorithms, certificates, and trust dependencies without redesigning the whole system. It matters because security standards and threat models change over time, and organisations that cannot swap cryptography quickly tend to accumulate hidden operational risk.
- Certificate lifecycle management: The operational process for issuing, renewing, monitoring, and revoking certificates before they fail or are abused. For modern enterprises, this is a continuous control rather than a periodic task, because certificates often sit inside applications, automation, and machine identity flows.
- Digital trust: The set of technical and governance controls that allow users, systems, and devices to verify one another with confidence. It spans identity assurance, cryptography, certificates, and policy enforcement, and it only works when the underlying assets are visible and manageable.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: DigiCert’s 2025 security predictions. Read the original.
Published by the NHIMG editorial team on 2026-01-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org