By NHI Mgmt Group Editorial Team
Published 2025-10-01
Domain: Governance & Risk
Source: DigiCert

TL;DR: Organisations in the middle third are more vulnerable than they think, even when they are clear of the lowest-performing group, according to DigiCert’s State of Digital Trust 2024 survey of 300 enterprise leaders. The gap is less about awareness than execution, and it now spans identity, device, software, and certificate governance alike.


At a glance

What this is: DigiCert’s survey indicates that many enterprise leaders overestimate their digital trust maturity, leaving control gaps in communications, device, software, and eSignature governance.

Why it matters: It matters because identity, certificate, and device governance all fail faster when leaders mistake partial progress for security readiness across human, NHI, and connected-system programmes.

By the numbers:

  • DigiCert’s State of Digital Trust 2024 survey gathered responses from 300 enterprises across North America, Europe, the Middle East, Africa, and the Asia-Pacific region.
  • Enterprises that scored within the top 33% of the survey categories were classified as Digital Trust Leaders, while those in the bottom third were classed as Digital Trust Laggards.

👉 Read DigiCert's survey on why enterprise digital trust maturity is lagging


Context

Digital trust is the governance condition that determines whether communications, devices, software, and documents can be trusted to behave as intended. This survey’s core finding is that enterprise leaders often read their own maturity too generously, especially in the middle of the pack where weakness is masked by partial competence.

That matters for identity programmes because digital trust depends on the same control disciplines that govern NHI credentials, software signing, certificate integrity, and access accountability. When organisations mistake visible activity for measurable assurance, they leave gaps that can spread across human, machine, and supply-chain identity surfaces.


Key questions

Q: How should security teams prove digital trust maturity instead of assuming it?

A: Security teams should tie digital trust claims to operational evidence: certificate health, device update visibility, software signing status, and incident response performance. If a control cannot be shown in telemetry or lifecycle records, it should not be counted as mature. Mature digital trust is measured by enforcement, not by confidence.

Q: Why do siloed trust programmes create hidden identity risk?

A: Siloed programmes let each team optimise its own control set while missing the dependencies between identity, devices, software, and cryptography. That creates a false sense of security because weak points in one domain can undermine the others. The safest model is shared governance with one control view across all trust surfaces.

Q: What do organisations get wrong about digital trust readiness?

A: They often mistake partial success for overall readiness. A strong email policy or a decent device process does not mean the enterprise is trusted end to end. Readiness requires proof that the trust chain works across certificates, signing, update integrity, and access governance under real operating conditions.

Q: How can organisations prioritise trust improvements without overloading teams?

A: Start with the controls most likely to break the chain of assurance: certificate lifecycle, device identity monitoring, code-signing discipline, and incident response measurement. Then fold those into a single governance cycle so teams are not operating separate improvement plans. That approach gives leaders a clearer risk view and a realistic execution path.


Technical breakdown

Why digital trust becomes brittle when governance is siloed

Digital trust is not a single control. It is the combined reliability of identity, cryptographic, device, and software trust decisions across the enterprise. When operations are siloed, each domain may look acceptable in isolation while the overall trust fabric weakens. A team can have decent email controls, for example, while still lacking certificate lifecycle discipline or device identity monitoring. The result is a programme that reports activity, not assurance, and that gap is what overconfident leadership tends to miss.

Practical implication: map digital trust ownership across identity, device, code-signing, and communications controls before leaders claim maturity.

How weak device and software trust creates hidden identity exposure

IoT devices and software releases behave like identities because they authenticate, sign, connect, and update within trust frameworks. If field devices are difficult to monitor or software can be tampered with in transit, attackers can exploit the trust relationship rather than the endpoint itself. That shifts the problem from simple perimeter security to integrity governance. In practice, many organisations underweight the lifecycle management of these machine-facing trust anchors even though they are part of the identity surface.

Practical implication: treat device identity, code signing, and update integrity as governed identities, not side issues.

Post-quantum readiness is now part of digital trust planning

The survey links stronger digital trust with better post-quantum cryptography preparedness, which is a reminder that trust programmes are forward-looking as well as operational. Cryptographic assurance is not static. If certificate and key management remain fragmented, organisations will struggle to pivot as algorithmic risk changes. Digital trust leaders are separating themselves from laggards by connecting today’s certificate governance to tomorrow’s migration decisions, instead of treating PQC as a future-only problem.

Practical implication: fold certificate lifecycle and PQC readiness into the same governance programme instead of running them as separate initiatives.


NHI Mgmt Group analysis

Overconfidence is the governance failure, not just a cultural problem. DigiCert’s survey shows a middle third of enterprises that are not at the bottom of the pack but still materially exposed. That is the classic failure mode of partial maturity: controls exist, yet leadership reads them as assurance rather than coverage. The practitioner lesson is that digital trust must be measured by end-to-end control integrity, not by internal optimism.

Digital trust is a cross-domain identity issue, not a certificate-only issue. The survey spans enterprise access, IoT, software, and eSignature trust because these controls reinforce one another. A weak device identity posture can undermine communications trust, while poor code-signing discipline can bypass software assurance. NIST CSF and zero trust framing are useful here because they force organisations to treat trust as a system property, not a single product category. Practitioners should evaluate the whole trust chain, not isolated controls.

Misplaced confidence creates a blind spot in machine and supply-chain governance. The report’s emphasis on IoT practices and software supply chain compromises shows that modern trust failures increasingly happen where systems, not people, exchange authority. That makes NHI-style thinking relevant even in a broader digital trust discussion: issued credentials, signing keys, and device identities all need lifecycle control. The practitioner conclusion is that machine trust must be governed with the same discipline as human access.

Certificate lifecycle management is now part of resilience, not administration. The article’s broader message is that organisations cannot separate trust assurance from operational upkeep. If certificates, signatures, and device identities are not continuously monitored and refreshed, confidence becomes a lagging indicator. The practical conclusion is straightforward: leaders need evidence that trust controls are actually being enforced, not just documented.

Confidence without telemetry is the digital trust equivalent of standing privilege. The middle third of organisations believed they were safer than the data suggested, which mirrors a wider identity problem: persistent assumptions survive long after real control has decayed. That pattern is visible across human IAM, NHI governance, and device trust. Practitioners should treat self-assessed maturity as a hypothesis until telemetry proves otherwise.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, which shows that identity risk often persists well after teams believe it has been addressed.
  • That is why the 52 NHI breaches Report remains the best next step for understanding how weak identity governance turns into real-world compromise.

What this signals

Digital trust programmes now need the same discipline that NHI teams apply to service accounts and keys. When leaders overstate readiness, the gap usually sits in lifecycle control, visibility, and accountability. Organisations should expect more pressure to prove trust with telemetry, not policy language, especially where device identity and signing infrastructure underpin business operations.

One useful concept here is trust-chain integrity: the idea that communications, certificates, software signing, and device identity must all remain governable for trust to hold. If one control slips out of lifecycle management, the whole chain weakens. That is already visible in NHI governance and will increasingly shape broader identity programmes.

The survey’s middle-third overconfidence pattern maps directly to programme risk. If your team cannot show how trust is monitored across human access, workload identity, and certificate usage, your assurance model is probably ahead of your evidence.


For practitioners

  • Reconcile trust claims to control evidence: Require each business unit to show operational proof for digital trust claims, including certificate status, device update visibility, code-signing checks, and incident response evidence. Score maturity on observed control performance rather than self-assessment.
  • Unify ownership across identity-related trust surfaces: Assign named owners for communications trust, device identity, software integrity, and eSignature assurance so siloed teams cannot each declare success independently. Use a shared control register to expose overlaps and gaps.
  • Treat software and device trust as governed identities: Include update channels, signing keys, and connected devices in lifecycle review cycles, with explicit monitoring for tampering, expiry, and unapproved changes. This brings machine-facing trust anchors into standard identity governance.
  • Benchmark readiness against future-state crypto risk: Add post-quantum migration planning to certificate lifecycle reviews now, especially where long-lived trust chains or regulated communications depend on stable cryptography. Waiting until the migration deadline compresses the change window too far.

Key takeaways

  • Digital trust fails when leaders confuse partial control coverage with real assurance across identity, devices, software, and certificates.
  • The survey shows that middle-tier organisations can be more exposed than clear laggards because confidence outpaces operational evidence.
  • Practitioners should unify trust governance, telemetry, and lifecycle controls before asking leadership to trust the programme’s maturity claims.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.RM-01 | Digital trust overconfidence is a risk-management and governance issue.
NIST Zero Trust (SP 800-207) | Tenets of zero trust (Section 2.1) | Trust across devices and software depends on continuously verifying identity and enforcing per-request access decisions.
OWASP Non-Human Identity Top 10 | NHI7:2025 (Long-Lived Secrets) | Machine-facing credentials and signing keys need lifecycle control and rotation.

Review non-human credentials for lifecycle ownership, rotation, and revocation gaps.


Key terms

  • Digital Trust: Digital trust is the confidence that communications, devices, software, and documents will behave as intended because their identity and integrity controls are working. In practice, it depends on monitoring, lifecycle management, and assurance across multiple domains, not on a single control or tool.
  • Certificate Lifecycle Management: Certificate lifecycle management is the process of issuing, tracking, renewing, revoking, and retiring digital certificates before they expire or become unsafe. It matters because broken certificate hygiene can disrupt services, weaken trust chains, and create blind spots in identity governance.
  • Device Identity: Device identity is the trust record that allows a connected device to authenticate and be managed as a known entity. For digital trust programmes, it includes monitoring, update control, and integrity checks so devices cannot quietly drift out of governance.
  • Code Signing: Code signing is the practice of attaching cryptographic proof to software so recipients can verify authenticity and integrity before execution or distribution. It is a control over software trust, and it fails when keys are unmanaged, processes are siloed, or verification is inconsistent.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by DigiCert: Survey says: 1/3 of leaders are more vulnerable than they think. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org