TL;DR: PKI remains the trust layer for TLS, device authentication, signed code, and encrypted traffic, but the article argues that most failures come from manual handling, expired certificates, fragmented tooling, and weak lifecycle ownership rather than from cryptography itself, according to GlobalSign. The governance problem is no longer whether PKI works, but whether organisations can operate it as a living identity system instead of a set-and-forget control.
At a glance
What this is: This article argues that PKI is still foundational for digital trust, but enterprise failure usually comes from poor lifecycle management, not weak cryptography.
Why it matters: It matters because certificate sprawl, manual renewals, and hidden dependencies now affect human identity, machine identity, and workload identity governance across the estate.
👉 Read GlobalSign's analysis of why PKI governance, not cryptography, is the real issue
Context
Public-key infrastructure is not a legacy edge control. It is the trust fabric behind encrypted sessions, device authentication, code signing, and many machine identity flows, which is why poor certificate governance becomes a security and availability problem rather than just an operations issue. In identity programmes, PKI sits directly alongside secrets management and workload identity because certificates are credentials.
The article’s core claim is that PKI usually fails through neglect, fragmentation, and manual lifecycle handling, not through a weakness in the underlying cryptography. That is a genuine governance issue for IAM, PAM, and NHI teams, because the same blind spots that leave service accounts unmanaged also leave certificates, private keys, and renewal ownership unclear.
Key questions
Q: How should security teams manage certificate lifecycle risk in PKI environments?
A: Security teams should treat certificates like governed credentials, not static configuration. That means central inventory, named ownership, automated renewal, clear revocation paths, and regular reconciliation across cloud and on-premises systems. If teams cannot explain who owns a certificate and when it expires, they do not have control.
Q: Why do expired certificates cause security and availability problems?
A: Expired certificates break trust relationships that applications, devices, and users rely on for authentication and encrypted transport. The immediate impact is often outage, but the deeper issue is that manual lifecycle management hides ownership gaps and delayed renewal processes. Those are governance failures that also weaken identity assurance.
Q: What do organisations get wrong about PKI governance?
A: They often assume PKI is a one-time setup task handled by infrastructure teams. In practice, PKI is a living identity system that needs visibility, policy enforcement, and exception handling. When organisations separate PKI from IAM and workload governance, certificates become invisible credentials.
Q: Which controls matter most when PKI supports workloads and devices?
A: The most useful controls are inventory, automation, least privilege for issuance, and continuous monitoring for expiry or orphaned assets. Those controls reduce the risk of standing trust in devices and workloads that should be revalidated through lifecycle events. They also support auditability and faster incident response.
Technical breakdown
Why PKI becomes fragile when certificate lifecycles are manual
PKI depends on issuance, renewal, revocation, and visibility working as one control loop. When teams manage certificates through spreadsheets, separate tools, or ad hoc approvals, the cryptography still works, but governance breaks down. Expiry windows, orphaned certificates, and unclear ownership create both outage risk and trust risk. The failure is rarely the algorithm. It is the absence of an operating model that treats certificates as continuously managed credentials rather than one-time setup artefacts.
Practical implication: centralise certificate inventory and lifecycle ownership before expiry becomes an operational incident.
How cloud PKI and automation change identity governance
Cloud PKI shifts the problem from manual administration to policy-driven issuance and renewal. That matters because certificate-based identity is increasingly used for devices, microservices, and short-lived cloud workloads, where human handling does not scale. Automation can enforce renewal rules, apply policy consistently, and reduce the need for privileged intervention. It also aligns PKI with Zero Trust thinking, where identity must be revalidated continuously instead of assumed after initial setup.
Practical implication: use policy automation to bind certificate issuance and renewal to workload and device identity workflows.
Why PKI is now an identity control, not just encryption plumbing
Modern PKI does more than protect traffic. It proves identity, supports access control decisions, and helps establish integrity for software, devices, and communications. That makes it relevant to IAM and NHI governance because certificates are credentials, and private keys are secrets. Once teams recognise PKI as identity infrastructure, they can connect it to lifecycle controls, offboarding, and compliance evidence instead of leaving it isolated in infrastructure operations.
Practical implication: include certificates and private keys in the same governance model used for other credentials and non-human identities.
NHI Mgmt Group analysis
PKI is a lifecycle governance problem before it is a cryptography problem. The article is right to reject the idea that PKI has become obsolete, but the real failure mode is organisational: certificates are still handled as static artefacts instead of credentials with owners, expiry dates, and revocation rules. That creates a governance gap that looks technical on the surface and operational underneath. Practitioners should treat certificate lifecycle control as a first-class identity discipline.
Certificate sprawl is the PKI analogue of NHI sprawl. When enterprises cannot see every certificate, private key, and renewal path, they lose the same kind of control failure that appears with unmanaged service accounts and tokens. The named concept here is certificate lifecycle debt: every manual exception, hidden renewal path, and orphaned certificate increases the future burden of recovery. Practitioners should eliminate undocumented certificate ownership before scale turns it into outage risk.
PKI now sits inside the broader identity fabric of machines, workloads, and people. The article’s strongest point is that certificates are no longer only for websites and email, they are identity anchors for devices, microservices, and cloud workloads. That makes PKI governance adjacent to NHI, secrets, and workload identity management. Practitioners should align PKI policy with the same lifecycle and least-privilege expectations used elsewhere in IAM.
Automation is only useful when it is tied to governance, not convenience. Cloud PKI and API-driven issuance solve scale, but they do not solve accountability by themselves. If renewal policies, revocation triggers, and inventory reconciliation remain fragmented, automation simply accelerates bad process. Practitioners should pair automation with explicit ownership, auditability, and exception handling.
The market signal is a convergence between PKI, IAM, and machine identity control. The article reflects a wider shift in which cryptographic trust, access control, and operational resilience are converging around lifecycle-managed identities. That means security programmes need fewer silos between certificate management, NHI governance, and Zero Trust design. Practitioners should expect PKI to be evaluated as part of identity architecture, not as a standalone infrastructure utility.
What this signals
PKI is converging with workload identity and non-human identity governance, which means teams should stop treating certificate management as an infrastructure afterthought. The programme risk is not just expiry. It is the accumulation of unmanaged trust objects across cloud, device, and application estates, which weakens both visibility and response.
Certificate lifecycle debt: this is the governance burden created when expired, orphaned, or manually renewed certificates are allowed to accumulate. As environments scale, the debt shows up as outages, blind spots, and fragmented accountability. Teams should expect certificate governance to become part of wider identity architecture reviews, not just infrastructure housekeeping.
For identity programmes, the practical next step is to align PKI policy with IAM, secrets governance, and workload onboarding. That makes certificate ownership, rotation, and revocation visible in the same operational model used for other credentials. Where teams already use NIST SP 800-63 Digital Identity Guidelines for assurance thinking, the same discipline should extend to machine trust flows.
For practitioners
- Build a complete certificate inventory Create a single inventory for certificates, private keys, issuance systems, renewal dates, and owners. Reconcile data from cloud, on-premises, and application teams so no certificate lives only in a spreadsheet or local admin tool.
- Automate renewal and revocation workflows Replace manual renewal steps with policy-driven automation for issuance, rotation, renewal, and revocation. Tie each workflow to an owning team and a defined exception path so failures are visible before expiry becomes an incident.
- Treat certificates as credentials Include certificates and private keys in the same governance controls used for secrets, service accounts, and other non-human identities. That means ownership, scope, expiry, and offboarding must be explicit and auditable.
- Embed PKI into Zero Trust and CI/CD Connect certificate issuance and validation to CI/CD pipelines, workload onboarding, and device registration. This reduces reliance on ad hoc human intervention and gives Zero Trust architecture a stronger cryptographic identity layer.
- Run expiry and orphan checks continuously Monitor for expiring, duplicated, unused, and orphaned certificates as part of routine security operations. Prioritise assets whose certificate failure would cause service disruption or identity exposure.
Key takeaways
- PKI is still foundational to digital trust, but most failures come from lifecycle neglect, not broken cryptography.
- Manual certificate handling creates hidden ownership gaps, expiry risk, and the same kind of sprawl seen in unmanaged non-human identities.
- The right response is to govern certificates as credentials through inventory, automation, and continuous reconciliation across identity systems.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | PKI underpins identity assurance and access decisions in this article. |
| NIST SP 800-53 Rev 5 | IA-5 | IA-5 directly relates to authenticator management and certificate lifecycle control. |
| NIST Zero Trust (SP 800-207) | Zero Trust thinking is central to revalidating certificate-based trust continuously. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate sprawl and unmanaged keys map to non-human identity lifecycle failures. |
Map certificate governance to PR.AC-1 and require explicit identity assurance for workloads and devices.
Key terms
- Certificate Lifecycle Debt: The accumulated risk created when certificates, keys, renewals, and revocation paths are handled manually or inconsistently. Over time, the organisation inherits hidden ownership gaps, renewal delays, and orphaned trust objects that can trigger outages or weaken identity assurance.
- Cloud PKI: A PKI operating model delivered through cloud services and automation rather than manual local administration. It is designed to issue, renew, and revoke certificates at scale while supporting policy enforcement, API integration, and distributed machine identity use cases.
- Machine Identity: A cryptographic identity used by a device, workload, service, or application to prove who or what it is. In practice, machine identity is often established through certificates and keys, which means lifecycle management is part of identity governance, not just infrastructure hygiene.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- The article's practical examples of certificate failure modes, including expired SSL certificates and manual lifecycle breakdowns.
- Its discussion of cloud PKI, API-driven issuance, and policy-based renewal for large-scale environments.
- The IoT and device-authentication use cases where certificate automation becomes a scale requirement.
- Its argument for tying PKI into DevOps and identity governance workflows rather than leaving it isolated.
👉 GlobalSign's full post covers lifecycle management, cloud PKI, and IoT trust at scale
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle control. It is suitable for practitioners who need to connect credential governance across human and non-human identity programmes.
Published by the NHIMG editorial team on 2026-02-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org