TL;DR: PKI audits fail less because cryptography breaks than because certificate and key governance cannot keep pace with sprawl, hybrid complexity, and manual operating models, according to eMudhra. Continuous control, central visibility, and lifecycle automation are now the difference between audit-ready PKI and unmanaged trust infrastructure.
At a glance
What this is: This is an analysis of why PKI implementations fail compliance audits, with certificate sprawl, key sprawl, and fragmented governance emerging as the main causes.
Why it matters: It matters because certificates, keys, and machine identities sit inside the same governance problem space as NHI, PAM, and lifecycle controls, and audit failure often exposes the absence of central identity control.
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
👉 Read eMudhra's analysis of PKI compliance, certificate sprawl, and lifecycle governance
Context
PKI is the trust layer that underpins certificates, keys, and digital trust across cloud workloads, APIs, VPNs, endpoints, and IoT devices. The governance failure is not usually the cryptographic primitive itself, but the inability to prove that issuance, renewal, revocation, and key protection are controlled consistently across environments.
In hybrid estates, certificate and key sprawl quickly outruns manual oversight. That creates a classic identity governance problem: if no one can inventory the trust objects, enforce consistent policy, and produce audit evidence, the PKI may be technically functional while still failing compliance.
For teams already dealing with service accounts, workload identity, and lifecycle governance, PKI is the same problem in another form. The control question is whether trust artifacts are governed continuously or only cleaned up when an audit is imminent.
Key questions
Q: How should security teams reduce PKI audit failure in hybrid environments?
A: They should treat PKI as a lifecycle governance problem, not a one-time deployment. Start with complete certificate and key inventory, then standardise issuance, renewal, and revocation across cloud and on-prem systems. If the organisation cannot produce consistent evidence for each trust object, the audit problem will persist even when encryption is technically sound.
Q: Why does certificate sprawl increase operational risk?
A: Certificate sprawl increases risk because every additional certificate adds another trust object that can expire, duplicate, or go unowned. In distributed environments, sprawl expands the number of places where outages and control failures can start. It also makes manual tracking less reliable, which is why governance must shift from counting certificates to managing their lifecycle.
Q: What do organisations get wrong about cloud PKI?
A: They often assume automation alone creates compliance. In reality, cloud PKI only improves governance when it is tied to policy, reporting, and lifecycle rules. Without those guardrails, automation can accelerate inconsistent issuance and hidden trust sprawl rather than reducing it.
Q: Who is accountable when a PKI audit fails or certificates cause outages?
A: Accountability should sit with the identity and infrastructure owners who govern certificate lifecycle, not with auditors after the fact. Compliance frameworks expect control ownership, evidence, and repeatable process. When certificates are unmanaged, the failure is governance-wide, so responsibility must extend beyond the PKI team.
Technical breakdown
Why certificate sprawl breaks PKI governance
Certificate sprawl happens when certificates are issued faster than they are inventoried, renewed, revoked, and retired. In hybrid environments, that sprawl spans cloud services, load balancers, Kubernetes clusters, APIs, email systems, and IoT devices. The technical failure is operational, not cryptographic: policy cannot be enforced uniformly when ownership is distributed and visibility is partial. A certificate can be valid from a crypto standpoint and still represent unmanaged trust if no system can prove who owns it, where it lives, or when it should be removed.
Practical implication: build a complete certificate inventory with ownership and expiry metadata before trying to optimise rotation or reporting.
How key management and issuance policy become audit evidence
Auditors are not only checking whether certificates exist. They want evidence that key storage, issuance rules, reissue thresholds, validity periods, and revocation workflows are centrally controlled and consistently applied. When those controls differ by team or platform, the audit trail fragments. That matters because compliance requires repeatable governance, not one-off operational heroics. The enterprise must be able to demonstrate who issued what, under which policy, and with what approval path.
Practical implication: standardise issuance and revocation workflows so every certificate change produces a consistent evidence trail.
Why cloud PKI shifts the control plane, not just the tooling
Cloud PKI changes PKI from a manually operated infrastructure service into a policy-driven governance layer. That shift matters because automation is only useful when it is tied to lifecycle rules for provisioning, renewal, revocation, and reporting. Without that policy layer, automation can simply accelerate inconsistency. In practice, cloud PKI becomes a control plane for trust objects, giving security teams a place to centralise visibility across environments that would otherwise remain isolated.
Practical implication: treat cloud PKI as a governance platform and tie it to lifecycle rules, reporting, and access separation.
Threat narrative
Attacker objective: The objective is to exploit weak trust governance so that certificates or keys can be used, abused, or left to cause operational and regulatory harm.
- Entry occurs through unmanaged certificate or key sprawl across cloud and on-prem systems, where ownership and renewal responsibilities are unclear.
- Escalation follows when expired certificates, weak issuance discipline, or exposed private keys are left in place long enough to disrupt trust decisions or enable misuse.
- Impact lands as failed audits, outages, regulatory exposure, and increased risk that sensitive data or services are accessed through compromised trust artifacts.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
PKI audit failure is an identity governance failure, not a cryptography failure. The article’s core point is that certificates, keys, and revocation decisions become non-compliant when ownership and lifecycle control fragment across teams. That places PKI in the same governance class as NHI sprawl and access review drift. Practitioners should treat audit readiness as an identity control problem, not an infrastructure cleanup task.
Certificate sprawl creates identity blast radius. Every unmanaged certificate expands the set of trust relationships that can silently outlive their intended scope. In hybrid estates, that blast radius is amplified because discovery, ownership, and evidence collection are all split across cloud and on-prem operations. The implication is that central visibility is not optional when trust objects are distributed.
Lifecycle control is the real compliance boundary. The article shows that issuance, renewal, revocation, and key protection have to be governed as one system if the enterprise wants repeatable evidence. That is why manual cleanups fail: they do not create durable control. Practitioners should measure whether certificate lifecycle events are policy-driven end to end.
Machine identity governance belongs inside the PKI conversation. APIs, containers, service meshes, and IoT devices are not edge cases, they are the operating environment for modern trust. When they sit outside the same governance model as human identity and NHI control, audit gaps appear in the seams. Teams should align PKI ownership with broader identity governance rather than leaving it as a separate technical silo.
Continuous control is the new audit standard for trust infrastructure. Annual evidence collection cannot keep pace with certificate turnover and hybrid deployment complexity. The field is moving toward operating models where proof is generated continuously, not reconstructed after the fact. Practitioners should assume the burden of evidence now sits in live governance, not periodic remediation.
From our research:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
- That pattern is why readers should also review NHI Lifecycle Management Guide for how lifecycle discipline closes the control gap.
What this signals
Certificate governance is converging with NHI governance. As enterprises expand cloud PKI, the same failure mode appears repeatedly: assets exist, but control evidence does not. That is why teams should align PKI inventory, ownership, and lifecycle governance with their broader identity programme rather than leaving trust objects as a separate operations domain.
With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, per the 2026 Infrastructure Identity Survey, the market signal is clear: identity teams are being pushed toward continuous control models, not periodic review cycles.
Identity blast radius is the concept to watch. When certificates, keys, service identities, and human access all feed the same trust model, any inventory gap becomes a governance gap. Teams that can tie PKI evidence into NIST Cybersecurity Framework 2.0 functions will find audit preparation much less reactive.
For practitioners
- Map every certificate to an owner and lifecycle state Build a complete inventory that covers cloud, on-prem, APIs, Kubernetes, IoT, and internal machine-to-machine flows. Record owner, issuing policy, expiry date, renewal path, and revocation authority so audit evidence is available without manual hunting.
- Standardise issuance and revocation policy across teams Remove team-by-team differences in key length, algorithm choice, validity period, and reissue triggers. Make those rules centrally enforceable so the same control produces the same evidence regardless of platform or business unit.
- Automate lifecycle events with evidence generation Tie certificate creation, renewal, revocation, and decommissioning to workflow records and reporting. The goal is not just faster operations, but a durable audit trail that proves governance happened at each step.
- Bring machine identities into the same governance model Include service identities, APIs, containers, and IoT certificates in the same control review as user identities and NHI programmes. Separate ownership models create blind spots that audits will expose.
- Test audit readiness before the next review cycle Run internal checks for expired certificates, orphaned keys, and inconsistent revocation records. Focus on whether the enterprise can produce evidence quickly, not whether the certificate authority still functions.
Key takeaways
- PKI failures usually reflect weak governance, not broken cryptography.
- Certificate and key sprawl turn audit readiness into an ongoing identity control problem.
- Enterprises need continuous lifecycle evidence if they want PKI to stand up in hybrid audits.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate and key sprawl map directly to NHI lifecycle and credential governance. |
| NIST CSF 2.0 | PR.AC-4 | PKI audit failure is a control and entitlement governance problem. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator and key management are central to certificate lifecycle control. |
| NIST Zero Trust (SP 800-207) | PKI underpins continuous verification in zero-trust environments. | |
| ISO/IEC 27001:2022 | A.8.5 | Authentication information management aligns with certificate and key governance. |
Inventory all certificates and keys, then enforce renewal and revocation as governed lifecycle events.
Key terms
- Certificate Sprawl: Certificate sprawl is the uncontrolled growth of certificates across systems, teams, and environments. It becomes a governance problem when the organisation cannot prove ownership, expiry, renewal, or revocation status for each certificate, leaving valid trust objects unmanaged and audit evidence incomplete.
- Credential Lifecycle Governance: Credential lifecycle governance is the set of controls that manage creation, assignment, monitoring, rotation, and retirement of credentials. For machine identities, it prevents secrets from becoming permanent access artifacts and ensures every identity has a defined owner, purpose, and end state.
- Machine Identity: Machine identity is the identity assigned to non-human systems such as workloads, APIs, containers, IoT devices, and service accounts. In PKI-heavy environments, machine identities often depend on certificates or keys, so their security depends on the same lifecycle and governance controls as any other trust object.
- Audit Readiness: Audit readiness is the state where an organisation can produce current, traceable evidence that controls are designed and operating as intended. In practice, it depends on timely identity data, clean ownership, and workflows that preserve proof as changes happen, not after the fact.
What's in the full article
eMudhra's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step PKI compliance checks for certificate inventory, renewal, and revocation workflows.
- Cloud PKI implementation details for centralised visibility across hybrid environments.
- Audit reporting examples that show how issuance, expiry, and administrative actions are evidenced.
- Enterprise packaging details for centralising certificate management across multiple identity types.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity governance programme, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org