TL;DR: PKI is still the trust layer behind secure email, device authentication, TLS, VPNs, and digital signatures, but the article argues that failures come from treating certificates as a static task instead of a living identity system. Its practical case is that modern PKI only works when lifecycle, automation, and visibility are managed continuously.
At a glance
What this is: This is an analysis of why PKI remains central to digital trust and why operational neglect, not cryptography, is the real failure mode.
Why it matters: It matters to IAM, PAM, and NHI practitioners because certificates, keys, devices, and workloads all depend on identity lifecycle governance, rotation discipline, and visibility.
👉 Read GlobalSign's analysis of why PKI governance still matters
Context
PKI, or public key infrastructure, is often dismissed as legacy technology, but that framing misses the identity governance problem. The core issue is not whether PKI works, but whether organisations manage certificates, keys, and trust chains as a living identity system across humans, devices, and workloads.
When certificate lifecycle tasks are handled manually or left fragmented across teams, expiry, blind spots, and uncontrolled credential spread become inevitable. For IAM and NHI programmes, PKI is less a back-end utility than a trust control that must be governed alongside lifecycle, automation, and Zero Trust design.
Key questions
Q: How should security teams govern PKI in cloud-native environments?
A: Security teams should govern PKI as an identity lifecycle function, not as a one-time infrastructure setup. That means automating issuance and renewal, assigning clear ownership, maintaining complete certificate inventory, and linking revocation to asset offboarding. In cloud-native environments, the control objective is continuous trust maintenance, not periodic clean-up.
Q: Why do certificate failures keep happening even when PKI is cryptographically sound?
A: Certificate failures usually happen because organisations manage the process badly, not because the cryptography is weak. Expiry, hidden certificate sprawl, and fragmented ownership create the failure point. When no one owns the lifecycle, the trust model collapses operationally even though the math still works.
Q: What do security teams get wrong about PKI and Zero Trust?
A: They often assume PKI is a supporting utility rather than a primary trust control. In Zero Trust designs, certificate-backed identity is central because devices and workloads need continuous verification. If PKI is manual, invisible, or siloed, it cannot support the verification model that Zero Trust depends on.
Q: Who should own certificate lifecycle risk in an organisation?
A: Ownership should sit with the identity or security function, but the operating responsibilities must extend into infrastructure, platform, and application teams. Certificate lifecycle risk is shared, yet accountability must be explicit. If ownership is vague, expiry, revocation gaps, and orphaned certificates become inevitable.
Technical breakdown
Why certificate lifecycle breaks before cryptography does
PKI failures usually come from lifecycle breakdown, not broken mathematics. Certificates expire, keys drift into untracked locations, and renewal responsibilities are split across teams that do not share a single source of truth. In practice, that turns PKI into a governance problem: the trust model remains sound, but the operating model cannot keep pace with modern device counts, short-lived workloads, and distributed ownership. When certificate management is manual, visibility drops and renewal latency rises, which is why outages often appear as simple expiry events even though the root cause is process failure. Practical implication: treat certificate lifecycle as an identity control with ownership, inventory, and renewal enforcement.
Practical implication: Treat certificate lifecycle as an identity control with ownership, inventory, and renewal enforcement.
How cloud PKI changes the trust model for devices and workloads
Cloud-native PKI changes PKI from a static issuance function into a programmable identity service. Certificates can be issued, renewed, and revoked through APIs and policy automation, which matters because modern environments include IoT devices, ephemeral workloads, and machine-to-machine communication that cannot wait for manual intervention. This is especially relevant where Zero Trust relies on continuous verification rather than one-time trust establishment. The key architectural shift is that identity becomes cryptographically anchored and operationally managed at scale, rather than delegated to a certificate team working ticket by ticket. Practical implication: align PKI automation with device onboarding, workload identity, and short-lived credential policy.
Practical implication: Align PKI automation with device onboarding, workload identity, and short-lived credential policy.
Why visibility and policy enforcement are now the control plane
The article's central technical point is that PKI only behaves like a trust fabric when every certificate, key, and policy is visible and governed. Spreadsheets, fragmented tools, and hidden issuance paths create blind spots that attackers and outages can both exploit. Once certificates are embedded in CI/CD pipelines, device manufacturing flows, and cloud services, enforcement has to happen as part of the control plane, not after the fact. That means ownership, renewal rules, and revocation paths must be auditable and consistently applied. Practical implication: build one operational view for certificate inventory, policy status, and revocation readiness.
Practical implication: Build one operational view for certificate inventory, policy status, and revocation readiness.
NHI Mgmt Group analysis
PKI is not obsolete, but it is frequently governed like a one-time setup rather than an identity lifecycle. That framing is the real failure, because certificates, keys, and trust chains change continuously while many operating models still assume they do not. The discipline problem is not cryptography, it is lifecycle ownership across security, infrastructure, and application teams. Practitioners should treat PKI as a standing governance surface, not a completed project.
Certificate visibility is the hidden control that determines whether PKI scales safely. When teams cannot see every issued certificate, embedded key, and renewal dependency, they cannot enforce policy or recover quickly from expiry events. This is where PKI intersects directly with NHI governance, because certificates are one of the most persistent forms of machine identity. Practitioners should assume any inventory gap becomes a trust gap.
Short-lived certificates are becoming a governance requirement, not just an operational convenience. The article’s logic is clear: long-lived credentials accumulate risk, especially in cloud-native and IoT environments where assets are distributed and frequently replicated. The more identities that depend on PKI, the less defensible static renewal practices become. Practitioners should move from exception-based renewal to lifecycle automation as the default operating model.
PKI now sits inside the same identity fabric as human IAM, NHI, and workload identity. That means certificate policy can no longer be isolated inside infrastructure teams or treated as a niche cryptographic function. The broader identity programme must connect issuance, rotation, revocation, and auditability across all actor types. Practitioners should align PKI governance with the rest of the identity stack rather than managing it in a silo.
From our research:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Follow the lifecycle angle in the Ultimate Guide to NHIs when certificate governance needs to connect with broader machine identity and offboarding control.
What this signals
Certificate governance is now part of the broader NHI control surface. When PKI is treated as infrastructure plumbing, renewal failures and blind spots are almost guaranteed. The more distributed the environment becomes, the more certificate ownership, inventory, and revocation need to be managed like any other identity lifecycle process.
With 96% of organisations storing secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, the operational lesson is clear: trust material tends to spread faster than teams can govern it. That makes certificate visibility and policy enforcement a programme-level issue, not a local admin task.
The practical signal for IAM leaders is that PKI modernisation should be measured alongside workload identity and lifecycle governance, not separately from it. If a programme cannot inventory and revoke trust material quickly, it is not ready for cloud-native scale or Zero Trust enforcement.
For practitioners
- Inventory every certificate and key location Create a single authoritative inventory that includes certificates in applications, CI/CD pipelines, device fleets, and cloud services. Include renewal owner, expiry date, issuance source, and revocation path for each item.
- Automate issuance, renewal, and revocation Replace manual renewal workflows with policy-based automation for short-lived certificates where possible. Tie renewal to asset ownership and remove human ticket handling from standard certificate rotation.
- Map certificate governance to identity lifecycle controls Treat certificates as governed identities, then map their issuance and offboarding to lifecycle processes used for other NHIs. Use the same ownership and review model across devices, workloads, and service integrations.
- Establish one control plane for PKI policy Consolidate policy, visibility, and revocation monitoring into a single operating view so that drift, expiry risk, and unmanaged issuance paths are detected before they affect production.
- Align PKI with Zero Trust verification Use certificate-backed identity as part of continuous verification for devices and workloads, especially where passwords and static tokens are weak or impractical.
Key takeaways
- PKI is still foundational, but its failure mode is governance drift rather than cryptographic weakness.
- Certificate sprawl, manual renewal, and poor visibility are the real reasons PKI breaks in modern environments.
- Identity teams should manage PKI as part of lifecycle, automation, and Zero Trust control design.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle neglect maps to unmanaged non-human identity credentials. |
| NIST CSF 2.0 | PR.AC-1 | PKI establishes and verifies identity before access is granted. |
| NIST Zero Trust (SP 800-207) | The article ties PKI directly to continuous verification in Zero Trust. | |
| NIST SP 800-53 Rev 5 | IA-5 | IA-5 covers authenticator management, including certificate lifecycle controls. |
Apply IA-5 to manage certificate issuance, renewal, and revocation as formal authenticator controls.
Key terms
- Public Key Infrastructure: Public key infrastructure is the system that issues, manages, validates, and revokes digital certificates used to establish trust. In practice, it binds cryptographic identity to devices, services, and users, but only works safely when lifecycle, ownership, and revocation are actively governed.
- Certificate Lifecycle: Certificate lifecycle is the full sequence from issuance through renewal, replacement, and revocation. In identity programmes, it is the control surface that determines whether machine trust remains valid, visible, and recoverable as environments scale and assets change.
- Machine Identity: Machine identity is the cryptographic identity assigned to a non-human actor such as a device, workload, or service. PKI often underpins that identity, which makes certificate governance a core part of NHI security rather than a separate infrastructure concern.
- Zero Trust Verification: Zero trust verification is the practice of continuously checking identity and context before granting access. For PKI, that means certificates become part of ongoing trust validation, not a one-time proof that can be assumed to remain valid forever.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- How certificate lifecycle management is handled in cloud-native and IoT environments
- Why manual renewal breaks down at scale across distributed device estates
- Where PKI fits into secure email, TLS, device authentication, and Zero Trust deployments
- What modern certificate automation changes for DevOps and infrastructure teams
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org