TL;DR: Zero Trust depends on continuously verified digital identity, and DigiCert argues PKI supplies the authentication, encryption, and integrity layer needed to make that model workable across users, devices, systems, and apps. The practical issue is not whether Zero Trust is desirable, but whether enterprises can inventory, automate, and lifecycle-manage certificates fast enough to support it.
At a glance
What this is: A PKI and Zero Trust analysis arguing that certificate-based identity is the control layer that makes continuous verification practical.
Why it matters: Identity teams managing NHI, autonomous, and human access all need a verifiable trust fabric, not just stronger authentication at the edge.
By the numbers:
- 96% of IT security executives believe that PKI is essential to building a Zero-Trust architecture.
- Only 5.7% of organisations have full visibility into their service accounts.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
👉 Read DigiCert's analysis of PKI as the foundation for Zero Trust
Context
PKI is the certificate-backed identity layer that lets organisations verify devices, systems, apps, and users before granting access. In a Zero Trust model, that matters because the programme depends on continuous proof of identity rather than assumptions based on network location or perimeter membership.
For IAM, NHI, and workload identity teams, the deeper question is whether identity trust can be automated across a large and changing estate. The article’s core point is that Zero Trust fails operationally if certificate inventory, issuance, revocation, and visibility are still handled as manual exceptions.
Key questions
Q: How should security teams use PKI to support Zero Trust in mixed human and machine environments?
A: Use PKI to provide verifiable identity for devices, workloads, and services, then connect that trust layer to access policy and lifecycle controls. Human MFA can support the model, but it does not replace certificate-backed verification for machine identities. The priority is to eliminate implicit trust and ensure every access path can be proven and revoked.
Q: Why do certificate lifecycle failures create more risk than certificate issuance alone?
A: Issuing a certificate is only the beginning of trust. If an organisation cannot rotate, revoke, and retire certificates quickly, the identity remains valid longer than intended and may outlive the business process it protects. That creates stale access, hidden trust paths, and operational exposure across workloads and connected systems.
Q: What breaks when organisations try to run Zero Trust without full certificate visibility?
A: Verification breaks because the programme cannot confidently distinguish active, expired, shadow, or orphaned certificates. Without full visibility, security teams may trust identities they do not know exist or fail to revoke identities that should no longer be active. Zero Trust becomes partial enforcement rather than continuous verification.
Q: How do IAM and NHI teams know whether PKI is actually improving access governance?
A: Look for shorter certificate rotation cycles, fewer unmanaged certificates, and tighter ownership of certificate-bearing identities across applications and workloads. If renewal is still manual, if unknown certificates keep appearing, or if revocation lags behind business change, PKI is not yet functioning as a governance control.
Technical breakdown
How PKI supplies verifiable identity for Zero Trust
Public Key Infrastructure creates a cryptographic identity layer by issuing certificates that bind a subject to its public key under the signature of an issuer the relying party already trusts. That identity can be used to authenticate devices, workloads, services, and users without relying on a shared secret or network position. In Zero Trust terms, PKI supports mutual verification because each side can prove its identity before data flows. The practical advantage is not just stronger login security. It is that trust becomes machine-readable and revocable, which is essential when identity spans endpoints, cloud services, and automation pipelines.
Practical implication: map certificate issuance and revocation to the access paths that currently depend on implicit trust.
Why certificate lifecycle management is the control point
The article correctly shifts attention from cryptography to operations. A certificate is only useful if organisations can issue it, track it, rotate it, and revoke it before trust expires or is abused. Manual certificate handling creates delay, and delay creates exposure, especially when environments include thousands of apps and devices. This is the same structural problem seen in machine identity governance: trust can be technically sound but operationally stale. Zero Trust therefore depends on lifecycle discipline, not just on the existence of PKI tooling.
Practical implication: treat certificate lifecycle management as an access control function, not an infrastructure task.
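As an added illustration of the two sections above (this is not DigiCert's or the article's code), the Go program below walks the certificate lifecycle with the standard library's crypto/x509: an in-memory CA issues a short-lived workload certificate, a relying party verifies it, the same certificate is rejected once expired, and it is rejected again after the CA publishes a CRL naming its serial. The CA name, workload hostname and validity periods are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Outcome holds the three verification results of the constructed walk-through.
type Outcome struct{ Fresh, Expired, Revoked error }

// must unwraps (value, error) pairs; the example panics rather than hiding failures.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// Check is the enforcement-point test: chain leaf to ca at time now, then consult the CA-signed CRL.
// Untrusted, expired and revoked certificates all fail closed with a non-nil error.
func Check(ca, leaf *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil { return err }
	if crl == nil { return nil }
	if err := crl.CheckSignatureFrom(ca); err != nil { return err } // never act on an unauthenticated CRL
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 { return errors.New("certificate revoked") }
	}
	return nil
}

// Lifecycle issues a one-hour workload certificate from an in-memory CA (constructed names and TTLs)
// and checks it while fresh, after expiry, and after the CA publishes a CRL naming its serial.
func Lifecycle() Outcome {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey))))
	wlKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the workload's own key; the CA never holds it
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"api.payments.svc.example"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTpl, ca, &wlKey.PublicKey, caKey))))
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey))))
	return Outcome{Fresh: Check(ca, leaf, nil, now), Expired: Check(ca, leaf, nil, now.Add(2*time.Hour)),
		Revoked: Check(ca, leaf, crl, now)}
}
```

The point the article makes is visible in the last line: the same certificate that verifies cleanly is refused once its validity window closes and once the issuer revokes it, so enforcement is only as current as the lifecycle data the relying party can reach.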
Why visibility matters more as identity objects multiply
Zero Trust assumes every identity object can be verified, which means unknown certificates are a direct governance failure. When organisations cannot see the full certificate inventory, they cannot know which identities are valid, expired, or shadowed in forgotten systems. That mirrors broader NHI risk: the scale of machine identities outpaces human oversight. Visibility is therefore a prerequisite for trust decisions, because you cannot verify what you cannot inventory. In large enterprises, the control gap is usually not the protocol. It is the incomplete picture of what is already trusted.
Practical implication: establish complete certificate inventory before expanding Zero Trust enforcement to more systems.
Threat narrative
Attacker objective: The attacker aims to turn a single identity failure into wider network access and operational disruption.
- Entry occurs when an attacker abuses a compromised password or another weak identity check to enter a network that still relies on implicit trust.
- Escalation follows when the attacker moves through systems that were not continuously verified, taking advantage of missing certificate-backed trust and weak identity assurance.
- Impact arrives when broad access allows disruption of critical services, credential exposure, or lateral movement across connected environments.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
PKI becomes governance infrastructure when Zero Trust depends on certificate-backed identity. The article is right to move PKI out of the narrow crypto bucket and into identity architecture. Zero Trust is a governance model that demands continuous proof, and PKI is one of the few mechanisms that can support that proof at machine scale. For IAM and NHI teams, the implication is that identity assurance now extends to every device, app, and workload that participates in access decisions.
Certificate lifecycle is the real control surface, not certificate issuance. A certificate that cannot be tracked, rotated, or revoked on time becomes a stale trust object, which is an identity risk rather than a cryptographic one. This is especially relevant for non-human identities, where long-lived credentials often outlive the business process that created them. Practitioners should read the problem as lifecycle governance, not as a PKI deployment question.
Zero Trust for machines collapses if visibility is partial. The article’s own logic depends on knowing every certificate on the network, because hidden certificates undermine verification. That is the same failure mode seen in NHI programmes that cannot inventory service accounts or secrets. The practitioner conclusion is clear: hidden trust objects are hidden access paths.
Shadow certificate inventory: Zero Trust assumes the full trust set is known at decision time, but that assumption fails when certificates are created outside central governance or remain undiscovered in legacy systems. The implication is not just better tooling, but a redefinition of who owns machine identity accountability across infrastructure, security, and application teams.
Human MFA alone does not solve machine trust. The article acknowledges MFA, but the deeper lesson is that human authentication controls do not govern service-to-service trust, workload identity, or device identity on their own. The field should treat PKI as part of a broader identity fabric spanning human, NHI, and workload access paths. Practitioners need one trust model, not separate silos for each actor type.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- For a deeper lifecycle lens, see the NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns that Zero Trust programmes depend on.
What this signals
Shadow certificate inventory: Zero Trust programmes will stall wherever teams cannot see every certificate and ownership boundary. The operational challenge is no longer whether PKI is sound in principle, but whether certificate governance is accurate enough to support continuous verification at scale.
NHI and IAM teams should expect the biggest failure mode to be lifecycle lag, not protocol weakness. When revocation and rotation do not keep pace with system change, trust objects remain valid after the business need has ended, which creates a control gap that policy alone cannot close.
Treat certificate governance as part of the broader identity programme, not a separate infrastructure island. The most resilient architectures will link PKI operations to lifecycle management, access reviews, and Zero Trust policy enforcement across human, machine, and workload identities.
For practitioners
- Inventory all certificate-bearing identities: Build a complete catalogue of certificates across endpoints, applications, services, and cloud workloads, then assign ownership for each trust object. Hidden certificates are hidden access paths, so inventory must be authoritative and continuously refreshed.
- Automate certificate issuance and revocation: Remove manual renewal and ad hoc revocation from the critical path by using policy-driven automation for creation, rotation, and invalidation. The goal is to shorten the time between trust change and enforcement across all certificate populations.
- Tie PKI operations to lifecycle governance: Integrate certificates into joiner, mover, leaver and offboarding workflows so identities cannot outlive their approved business use. This is especially important for service accounts, workloads, and third-party connections that often persist after the original need ends.
- Verify Zero Trust coverage by access path: Map which access paths are actually enforced by certificate-backed verification and which still depend on implicit trust, shared secrets, or network location. Close the gaps first where privileged systems and production workloads still bypass strong identity checks.
Key takeaways
- PKI matters here because Zero Trust needs a verifiable trust layer for devices, workloads, services, and users, not just stronger login controls.
- The scale problem is operational, not theoretical, because unmanaged certificates and weak visibility create hidden access paths that undermine continuous verification.
- Practitioners should focus on certificate inventory, lifecycle automation, and revocation speed if they want PKI to function as an identity control rather than a crypto dependency.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | AC-3 | Zero Trust access decisions depend on continuous identity verification. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate rotation and revocation are core NHI lifecycle controls. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential management supports access control across the enterprise. |
Apply continuous verification to every certificate-backed access path before granting network trust.
Key terms
- Public Key Infrastructure: Public Key Infrastructure is the system that issues, manages, validates, and revokes digital certificates used to prove identity. In security programmes, it provides a cryptographic trust layer for users, devices, workloads, and services, but only when the certificate lifecycle is actively governed.
- Zero Trust Architecture: Zero Trust Architecture is an access model that assumes no identity or network location is trusted by default. Each request must be verified continuously using strong identity, context, and policy enforcement, which makes certificate-backed verification a practical building block.
- Certificate Lifecycle Management: Certificate Lifecycle Management is the governance process for issuing, renewing, rotating, revoking, and retiring certificates. It turns PKI from a static technology into an operational control, because stale certificates create trust that persists longer than the business need behind it.
- Machine Identity: Machine Identity is the identity assigned to devices, workloads, services, and other non-human actors that authenticate to systems. It is governed differently from human identity because its scale, rotation cadence, and exposure patterns are operational, automated, and often hidden unless inventory is complete.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: PKI as the foundation for Zero Trust. Read the original.
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org