By NHI Mgmt Group Editorial Team
Published 2025-09-25
Domain: Best Practices
Source: SSH Communications Security

TL;DR: PGP remains widely used for protecting sensitive enterprise files, but SSH Communications Security argues it creates operational friction through manual key management, weak trust verification, poor collaboration, and limited fit with onboarding, offboarding, and audit processes. The enterprise problem is not encryption strength alone, but whether identity, policy, and compliance can govern file access at scale.


At a glance

What this is: This is an analysis of why PGP struggles in enterprise file security and what changes when encryption is tied to directory identity, policy, and compliance workflows.

Why it matters: It matters because IAM and security teams need encryption controls that align with NHI, human access, and lifecycle governance instead of pushing trust, key handling, and collaboration burden onto end users.


👉 Read SSH Communications Security's analysis of why PGP breaks enterprise file security


Context

PGP is a file encryption model that puts key handling and trust validation in the hands of individual users. In enterprise settings, that creates a governance problem as much as a usability problem, because security controls depend on people doing the right thing every time they encrypt, share, or revoke access.

For IAM and security teams, the deeper issue is alignment. File protection needs to follow identity, policy, onboarding, offboarding, and audit requirements, while still supporting collaboration across internal users and external partners. When encryption sits outside those processes, the control may be strong in theory but weak in operations.

The article's core argument is that enterprise file security should be embedded in directory-based identity and policy enforcement rather than manual trust decisions. That is a familiar pattern in NHI governance too: the more a control depends on human memory and handoffs, the more fragile it becomes.


Key questions

Q: How should security teams govern encrypted file access in enterprise environments?

A: Security teams should anchor encrypted file access in authoritative identity systems, policy rules, and lifecycle controls. That means access should follow directory-backed identity, not user-managed keys, and revocation should occur through the same offboarding and certification processes used elsewhere in IAM. This gives compliance teams evidence, reduces user burden, and prevents encryption from becoming a parallel control plane.

Q: Why do manual trust models fail for enterprise file encryption?

A: Manual trust models fail because they depend on consistent human verification across a large and changing population of users and partners. In practice, key validation is skipped, inconsistently documented, or impossible to audit. Once trust is informal, encryption no longer delivers enterprise assurance, because the organisation cannot reliably prove who is authorised to decrypt a file.

Q: What breaks when users manage their own encryption keys?

A: What breaks is the lifecycle. Users forget passphrases, lose keys during device changes, and leave old credentials behind when their role changes. That creates support overhead, weakens revocation, and makes audit trails unreliable. The control is technically strong but operationally fragile, which is why it fails in enterprise governance.

Q: How do organisations make file encryption easier without weakening control?

A: Organisations should embed encryption into the identity systems people already use, such as directory login and policy enforcement. That way, users do not have to handle keys directly, collaboration can stay simple, and security teams retain visibility into who can access what. The right design reduces friction without moving authority away from the enterprise.


Technical breakdown

Why manual key management breaks enterprise encryption

PGP relies on each user generating, storing, distributing, and revoking their own keys. That makes the control plane external to the enterprise identity stack, so support teams inherit lost keys, expired credentials, and device migration issues instead of a governed lifecycle. In practice, the encryption layer becomes a set of user-specific exceptions rather than a centrally enforced policy. For enterprises, that is not just inconvenient. It weakens assurance because the organisation cannot reliably prove who holds what key, where it is stored, or whether it has been retired when access changes.

Practical implication: tie file encryption to centrally managed identity and lifecycle controls so key ownership, revocation, and auditability are not manual tasks.

Why trust models fail when verification is left to individuals

PGP's web of trust depends on people verifying each other's keys, but enterprise assurance cannot rest on informal validation. A trust model is only as strong as its weakest manual step, and in large organisations those steps are usually skipped, inconsistent, or impossible to evidence for audit. Policy-driven trust changes the model by making access decisions depend on identity systems and data classification, not on personal confidence in a key fingerprint. That shifts encryption from a social trust problem to a governance problem, which is where it belongs in regulated environments.

Practical implication: replace ad hoc trust validation with policy-driven access controls linked to directory identity and data classification.

How directory integration changes file collaboration and compliance

When encryption integrates with Active Directory or LDAP, file access can follow enterprise identity rather than local key exchange. That matters for onboarding, offboarding, and third-party access because the same identity source that governs access can also support audit trails and access removal. The technical value is not simply convenience. It is that the encryption system stops creating a parallel identity universe that security teams have to reconcile later. For compliance-driven programmes, that removes one of the most common causes of drift between policy and practice.

Practical implication: anchor encryption in directory identity so collaboration, audit evidence, and offboarding all use the same authoritative control source.




NHI Mgmt Group analysis

PGP creates an identity governance problem before it creates an encryption problem. The article is right to focus on key management, but the deeper failure is that user-managed keys pull file protection outside the enterprise control model. Once key ownership, sharing, and revocation depend on individuals, the organisation loses lifecycle visibility and audit confidence. The practitioner conclusion is that encryption must be governed as an identity process, not treated as a standalone security feature.

Manual trust validation is a broken premise for enterprise assurance. PGP's web of trust assumes people will reliably verify keys and maintain their own trust relationships. That assumption does not scale across employees, contractors, and external partners, especially where audit evidence matters. The named concept here is trust delegation drift: trust is handed to individuals, but accountability remains with the enterprise. Practitioners should treat that drift as a structural governance flaw, not a user-training problem.

Directory-backed encryption is a lifecycle control, not just a usability improvement. By tying file access to enterprise identity systems, the article points to a model where onboarding, offboarding, and access certification can govern encrypted data consistently. That is where NHI governance and human IAM intersect, because the same lifecycle logic applies whether the identity is a person, a partner, or a service context. The practitioner conclusion is to align encryption with authoritative identity sources and lifecycle processes.

Enterprise file security fails when compliance and collaboration are bolted on after the fact. PGP leaves too much of the control path in user hands, which makes audit trails incomplete and collaboration slow. A more durable model is policy-enforced access that can be proven, reviewed, and revoked centrally. The practitioner conclusion is to measure encryption by governance fit, not by cryptographic strength alone.


What this signals

Trust delegation drift: enterprise encryption breaks down when personal key verification is expected to carry governance weight. That pattern mirrors NHI risk more broadly, where human discipline is often asked to compensate for missing lifecycle controls. Teams should treat any security control that depends on repeated user action as a candidate for identity integration instead.

Directory-backed encryption is becoming the more defensible enterprise pattern because it keeps access, audit, and revocation in the same system of record. For practitioners, the signal is clear: if encrypted files cannot inherit offboarding and review processes, the control will drift away from policy over time.

With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, governance gaps rarely stay isolated. File encryption, secret handling, and identity lifecycle are converging problems, so teams should plan controls that share the same authoritative identity source and review path.


For practitioners

  • Map file encryption to authoritative identity sources: Use Active Directory or LDAP as the control point for who can open confidential files, and remove user-managed key exchange from the normal workflow. The goal is to make access decisions inherit the same identity state used for onboarding, offboarding, and review.
  • Replace manual trust checks with policy-driven access rules: Define which data classifications can be opened by which approved identities, then enforce those rules centrally instead of relying on users to verify key fingerprints. This reduces the chance that trust becomes an undocumented exception.
  • Build encryption into offboarding and audit routines: Ensure key revocation, partner removal, and access evidence are part of the same lifecycle workflow. If a file can remain decryptable after the relationship ends, the control has failed its governance test.
  • Standardise collaboration for external parties: Create a controlled process for external access that does not require partners to set up their own PGP environment. This avoids parallel security practices and keeps collaboration aligned with enterprise policy.
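As an added illustration (not code from the article or from SSH Communications Security), the Python sketch below models the directory-backed, policy-driven pattern the four steps describe: a file key is released only when the requesting identity is enabled in the directory and holds a group approved for the file's data classification, every decision is recorded as audit evidence, and offboarding revokes access by changing directory state rather than by asking a user to revoke a PGP key. The directory entries, group names, classifications and file names are constructed assumptions, and key release stands in for the actual decryption step.

```python
"""Policy-driven file-key release gated by directory state (constructed example)."""
from dataclasses import dataclass, field
import secrets

# Constructed directory snapshot: identity status and group membership are the
# single source of truth for access, as they would be in AD or LDAP.
DIRECTORY = {
    "alice":        {"enabled": True, "groups": {"finance", "staff"}},
    "bob":          {"enabled": True, "groups": {"staff"}},
    "partner-acme": {"enabled": True, "groups": {"external-acme"}},
}

# Constructed classification policy: which directory groups may open which
# class of data. This replaces per-user fingerprint verification.
POLICY = {
    "confidential-finance": {"finance"},
    "internal":             {"staff", "external-acme"},
}


@dataclass
class FileKeyService:
    """Holds per-file content keys and releases them only when policy passes."""
    keys: dict = field(default_factory=dict)    # file_id -> (classification, key)
    audit: list = field(default_factory=list)   # (user, file_id, decision, reason)

    def register(self, file_id: str, classification: str) -> None:
        # In a real system the content key would be wrapped by an enterprise
        # key service; here a random key stands in for it.
        self.keys[file_id] = (classification, secrets.token_bytes(32))

    def decrypt_key(self, user: str, file_id: str):
        """Return the file key if directory identity and policy allow, else None."""
        classification, key = self.keys[file_id]
        entry = DIRECTORY.get(user)
        if entry is None or not entry["enabled"]:
            self.audit.append((user, file_id, "deny", "identity unknown or disabled"))
            return None
        if not entry["groups"] & POLICY[classification]:
            self.audit.append((user, file_id, "deny", f"no group for {classification}"))
            return None
        self.audit.append((user, file_id, "allow", classification))
        return key


def offboard(user: str) -> None:
    """Leaver step: disabling the directory identity revokes every file at once."""
    DIRECTORY[user]["enabled"] = False
```

The audit list is the evidence a compliance review would ask for: each allow or deny names the identity, the file and the policy reason, with no user-held key state to reconcile.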

Key takeaways

  • PGP fails in the enterprise when encryption depends on individual users to manage keys, trust, and sharing decisions.
  • The operational evidence points to a governance gap, not a cryptographic one, because manual trust and lifecycle handling do not scale.
  • Identity-integrated encryption is the control pattern that best aligns file protection with onboarding, offboarding, audit, and collaboration requirements.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Key management and revocation are central to the article's enterprise encryption problem. |
| NIST CSF 2.0 | PR.AC-4 | Access control by identity and policy matches the article's directory-backed encryption model. |
| NIST Zero Trust (SP 800-207) | PR.AC | The article advocates policy-enforced access rather than trust in users or standalone keys. |

Tie file encryption keys to governed lifecycle processes and revoke them through authoritative identity controls.


Key terms

  • Policy-Driven Trust: A trust model where access is granted or denied through centrally defined rules rather than personal verification. In enterprise encryption, it replaces informal key validation with identity-aware controls, so data classification, directory identity, and auditability determine who can decrypt sensitive files.
  • Trust Delegation Drift: The gap that appears when an organisation delegates trust decisions to individuals but still expects enterprise-grade accountability. In file encryption, it shows up when users manage keys and share decisions themselves, while the security team remains responsible for compliance, offboarding, and evidence.
  • Lifecycle-Aligned Encryption: Encryption designed to follow the same joiner, mover, leaver and review processes as the rest of IAM. It connects access, revocation, and audit to authoritative identity sources so encrypted files do not outlive the people or partners who should open them.

Deepen your knowledge

File encryption governance and lifecycle-aligned access control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are rethinking how identity and encryption should work together, it is worth exploring.

This post draws on content published by SSH Communications Security: why PGP fails enterprise file security and what to use instead. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org