By NHI Mgmt Group Editorial TeamPublished 2026-04-20Domain: Workload IdentitySource: Vintegris

TL;DR: Digital certificate usage and transaction volumes have risen 30% since 2021, while poor storage, duplicate copies on devices, weak auditing, and lifecycle gaps continue to expose organisations to identity theft, key theft, forgery, and service disruption, according to Vintegris. The governance problem is no longer certificate availability but certificate custody, traceability, and revocation discipline.


At a glance

What this is: This analysis says digital certificates are becoming harder to govern as usage grows, and the main failure mode is weak custody, duplicate copies, and lifecycle control rather than the technology itself.

Why it matters: It matters because certificates are NHI credentials, so gaps in issuance, storage, renewal, and revocation can undermine both machine trust and human signing workflows.

By the numbers:

  • 2021, e 2021, the number of transactions and digital certificates managed by organizations has increased by 30%.

👉 Read Vintegris' analysis of hidden risks in digital certificate management


Context

Digital certificates are non-human identities used for authentication, signing, and trust in electronic transactions. As organisations scale their use, the governance problem shifts from simple issuance to custody, renewal, revocation, and proof of use across many devices and locations.

The article argues that certificate sprawl creates risk when copies migrate across devices, inventory becomes incomplete, and auditing becomes expensive. That is a familiar NHI pattern: controls built for small, stable certificate populations struggle when certificates behave like distributed operational credentials rather than static assets.


Key questions

Q: How should security teams govern digital certificates across multiple devices?

A: Security teams should treat certificates as governed identities, not portable files. The practical goal is to control custody, prevent uncontrolled copies, and ensure every certificate has an owner, an expiry path, and a revocation process. Without that, device migration and shared storage create silent trust duplication that undermines authentication and digital signing.

Q: Why do digital certificates create compliance and audit risk when they scale?

A: Certificates become a compliance risk when organisations cannot trace who used them, where they were stored, or when they were revoked. That breaks accountability for signed transactions and weakens evidence for GDPR, NIS2, DORA, and ISO 27001-style obligations. Scale magnifies the gap between technical validity and governance control.

Q: What breaks when certificate renewal and revocation are handled manually?

A: Manual renewal and revocation usually fail first at the edges, where certificates are distributed across teams, devices, and business processes. Expiry is missed, stale copies remain active, and ownership becomes unclear. The result is either avoidable outages or lingering trust in credentials that should already have been retired.

Q: Who is accountable when a digitally signed document is forged or misused?

A: Accountability sits with the organisation that issued, stored, and governed the certificate, not just the person who used it. If custody is unclear or revocation is delayed, the organisation cannot prove control over the signing authority. That is why certificate governance belongs in identity and compliance oversight, not only in infrastructure operations.


Technical breakdown

Certificate custody and duplicate-copy risk

Digital certificates are often copied to new devices or used from multiple locations, which creates a custody problem as much as a cryptographic one. If previous copies are not deleted, the organisation loses confidence in which copy is authoritative. This is not just storage hygiene. It is an identity governance failure because the same signing authority may exist in multiple uncontrolled places, each capable of authenticating or signing on behalf of the organisation.

Practical implication: Track every certificate copy and remove stale instances when devices change hands or migrate.

Lifecycle management for issuance, renewal, and revocation

Certificate lifecycle management covers issuance, renewal, and revocation, and all three need traceability to keep trust intact. Renewal without ownership creates certificate expiry risk, while delayed revocation leaves credentials usable after they should have been retired. In NHI terms, the problem is standing privilege in credential form: a valid certificate continues to confer trust until its lifecycle is actively governed.

Practical implication: Tie certificate lifecycle events to ownership, expiry monitoring, and revocation authority.

Evidence of use and auditability in certificate operations

The article highlights the need to record date, time, location, and application use for certificates. That matters because digital signatures and authentication are only defensible when use can be traced back to a specific actor and purpose. Without evidence of use, organisations cannot reliably demonstrate compliance or investigate misuse, especially in environments with multiple users, devices, or delegated signing workflows.

Practical implication: Require tamper-evident logs for certificate use and keep them aligned to audit and compliance needs.


Threat narrative

Attacker objective: The attacker aims to use a valid-looking certificate or key to impersonate the owner, sign documents, or bypass trust checks.

  1. Entry occurs when certificates are copied to multiple devices or transmitted over insecure channels, creating uncontrolled access points for abuse.
  2. Escalation follows when stolen keys or duplicate certificate copies are used to sign, authenticate, or impersonate the legitimate owner.
  3. Impact appears as forged signatures, compromised document integrity, or service disruption when revocation and monitoring are too weak to catch abuse quickly.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Coupang Signing Key Breach — Unrevoked signing key credentials expose 33.7 million records after employee offboarding failure at Coupang.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Certificate custody is the real control plane, not certificate storage. The article’s central failure mode is not that certificates exist, but that they are copied, moved, and reused without clear authoritative control. Once multiple copies exist on endpoints and shared devices, the organisation can no longer prove which instance is legitimate. Practitioners should treat certificate custody as an identity governance issue, not a file-management task.

Digital certificates behave like high-value NHI credentials with long tails of trust. A certificate may be technically valid long after the operational relationship or device context has changed. That makes renewal, revocation, and proof of use central controls, especially where certificates are used for signing and authentication across public administration or intercompany workflows. The implication is simple: lifecycle discipline is the trust boundary.

Traceability of certificate use is a compliance requirement, not an optional audit luxury. The article correctly links certificate governance to GDPR-style accountability, NIS2, DORA, and ISO 27001 expectations. If organisations cannot show who used a certificate, when, and for what purpose, they cannot defend the authenticity of the transaction or the adequacy of technical and organisational measures. Practitioners should align certificate controls to audit evidence from the start.

Centralised certificate management is a governance model, not just a tooling choice. The value proposition here is not convenience. It is that central control can reduce duplicate copies, enforce authorisation, and create evidence trails that local-device storage cannot provide. For identity teams, the practical takeaway is to decide where certificate authority, custody, and revocation live before certificate volume scales beyond manual oversight.

From our research:

What this signals

Certificate governance will keep converging with broader NHI lifecycle management. As certificate volumes rise, teams will need the same discipline they already apply to service accounts, tokens, and workload identities: ownership, rotation, revocation, and proof of use. The governance model matters more than the storage location, especially once credentials move across devices and business units.

When identity artefacts are portable, the attack surface becomes organisational rather than technical. That means IAM, PAM, and compliance teams need a shared control view, or certificate trust will continue to fragment across local device practices, manual inventories, and incomplete audit trails.

With 57% of organisations lacking a complete inventory of their machine identities, according to our machine identity research, certificate estates will keep outpacing manual governance unless ownership and expiry control become non-negotiable.


For practitioners

  • Map certificate inventory to authoritative owners Build a single inventory that links each certificate to a business owner, technical owner, issuing authority, and current usage context. Treat orphaned certificates and unclear ownership as governance defects, not administrative noise.
  • Eliminate unmanaged local copies Prohibit certificate storage on shared or personal devices unless the copy is explicitly controlled, logged, and revocable. When devices are replaced or moved, verify that previous copies are deleted and no longer usable.
  • Automate expiry, renewal, and revocation workflows Set renewal thresholds and revocation triggers that are tied to the certificate owner and service dependency. Manual reminders are not enough when certificate counts rise and operational teams are distributed.
  • Capture evidence of certificate use Log the date, time, location, application, and signer or system context for every certificate use. Make the logs tamper-evident so audit, incident response, and legal review can rely on them.

Key takeaways

  • Digital certificates become a governance problem when copies, owners, and revocation paths are unclear.
  • The scale signal is already visible in the 30% growth in managed certificates and transactions since 2021.
  • The control that matters most is lifecycle accountability, because trust without traceability cannot survive audit or incident response.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, and ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03The article centers on credential custody, renewal, and revocation failures for certificates.
NIST CSF 2.0PR.AC-1Certificate use and authorisation map to access control and identity governance.
NIST SP 800-53 Rev 5IA-5IA-5 governs authenticator management, including certificates and rotation discipline.
ISO/IEC 27001:2022A.5.15Access control policy is directly implicated by certificate use and authorisation.
GDPRArt.32The article ties certificate governance to technical and organisational measures.

Tie certificate issuance and use to PR.AC-1 and verify every certificate has a defined owner.


Key terms

  • Digital Certificate Custody: Digital certificate custody is the controlled handling of certificates so the organisation always knows where they are, who can use them, and which copy is authoritative. For NHIs, custody is a governance control because a certificate can authenticate or sign even when the original owner no longer has operational control.
  • Certificate Lifecycle Management: Certificate lifecycle management covers issuance, renewal, validation, and revocation from creation to retirement. In NHI practice, it prevents long-lived trust from outliving its business purpose and gives security teams a way to align technical validity with current ownership and risk.
  • Evidence of Use: Evidence of use is the audit trail showing when, where, and by whom a certificate was used. It matters because digital trust is only defensible when the organisation can prove access, signing, and authorisation events after the fact, especially in regulated or cross-border workflows.

What's in the full article

Vintegris' full article covers the operational detail this post intentionally leaves for the source:

  • How centralized certificate custody reduces duplicate copies on shared and mobile devices.
  • The specific risks tied to certificate migration, insecure transmission, and weak storage practices.
  • How evidence of use supports auditability, compliance, and dispute handling in signed workflows.
  • The practical role of qualified trust service providers in certificate issuance and custody.

👉 The full Vintegris article covers certificate custody, lifecycle controls, and compliance implications in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org