By NHI Mgmt Group Editorial Team | Published 2026-06-29 | Domain: Workload Identity | Source: Keyfactor

TL;DR: Legacy PKI deployments built for a few internal applications are being stretched across cloud workloads, DevOps pipelines, IoT devices, and machine identities, with one survey finding only 47% of companies have enough staff dedicated to PKI, according to Keyfactor. PKI modernization is no longer just an infrastructure refresh; it is governance for certificate sprawl, ownership, automation, and crypto-agility.


At a glance

What this is: This is an analysis of why legacy PKI now fails under modern machine identity demand and what modernization needs to change.

Why it matters: It matters because PKI is a control plane for NHI, workload identity, and lifecycle governance, so weak certificate operations become access, outage, and audit risk across identity programmes.



Context

PKI modernization is the shift from legacy certificate infrastructure to a more flexible, automated certificate management model that can support cloud workloads, DevOps pipelines, IoT devices, and machine identities. The first problem is not technology choice; it is that older PKI was built for a much smaller and more stable estate than most organisations run today.

For identity teams, that mismatch turns PKI into a governance issue. When certificate ownership is unclear, policies vary by team, and renewals depend on manual tracking, the result is shadow PKI, outages, and weak auditability across non-human identities and workload trust chains.

The source article argues for modernization as a strategic response rather than a rip-and-replace project. In practice, that means treating certificate lifecycle, deployment flexibility, and crypto-agility as part of identity governance, not as isolated infrastructure tasks.


Key questions

Q: How should security teams modernize PKI without breaking existing workloads?

A: Start by identifying the certificate flows that are already business-critical, then add a modern PKI layer that can run alongside legacy systems. Incremental migration works best when new workloads move first, ownership is explicit, and renewal, revocation, and policy enforcement are automated before old infrastructure is retired.

Q: Why do legacy PKI environments create machine identity risk?

A: Legacy PKI often fails because it was designed for fewer systems, slower change, and more manual administration. Once cloud workloads, IoT devices, and DevOps pipelines depend on it, the organisation inherits certificate sprawl, unclear ownership, and renewal failures that directly affect availability and trust.

Q: What do teams get wrong about certificate automation?

A: They often automate issuance but leave discovery, ownership, renewal, and revocation fragmented. That creates the illusion of control while manual exceptions continue underneath. Effective automation must cover the full certificate lifecycle across all issuers; otherwise the organisation still depends on spreadsheets and firefighting.

Q: What is the difference between PKI modernization and PKI as a service?

A: PKI modernization is the broader governance and architecture shift to make certificate infrastructure flexible, scalable, and automatable. PKI as a service is one deployment model inside that shift, useful when organisations want to reduce internal maintenance burden without giving up lifecycle control or policy oversight.


Technical breakdown

Why legacy PKI breaks under machine identity scale

Legacy PKI models were designed around a limited number of internal applications and long-lived server estates. Modern environments add ephemeral workloads, cloud-native services, and API-driven automation, which increases certificate volume and the number of systems that depend on fast issuance and renewal. When the CA model is rigid, the operational burden shifts to teams, spreadsheets, and exceptions. That creates misconfiguration risk, delayed renewals, and fragmented trust boundaries.

Practical implication: Practitioners should map where certificate demand now exceeds manual CA operations and identify which workload classes need automation first.

Certificate sprawl and shadow PKI

When central PKI cannot serve fast enough, teams often create their own certificate authorities or ad hoc certificate processes. That solves immediate delivery pressure but fragments policy, ownership, and visibility. Shadow PKI makes it harder to know which certificates exist, who issued them, and what lifecycle controls apply. It also weakens response capability when expirations, audits, or revocations occur because no single control plane sees the full estate.

Practical implication: Identity teams should inventory all certificate issuers and require every CA to roll up into a governed lifecycle process.

Automation and crypto-agility as identity controls

Certificate lifecycle automation covers discovery, issuance, renewal, and revocation across multiple CA environments. Crypto-agility is the ability to change cryptographic methods and CA dependencies without redesigning the whole trust stack. For identity governance, these are not convenience features. They are the controls that keep machine identities usable, auditable, and adaptable when standards or workloads change, including the transition toward post-quantum cryptography.

Practical implication: Security teams should prioritise automated lifecycle workflows and verify that certificate architectures can change algorithms and issuers without disruption.


Threat narrative

Attacker objective: The practical outcome is not a single breach event but a weakened trust environment where certificate failures can disrupt services or expose machine identity governance gaps.

  1. Entry occurs when legacy PKI cannot support new workloads cleanly, so teams introduce ad hoc certificate processes or separate authorities to keep delivery moving.
  2. Escalation follows as unmanaged certificate sources multiply, ownership becomes unclear, and certificate renewal or revocation depends on manual tracking.
  3. Impact appears as outages, audit failures, and weaker trust boundaries because the organisation no longer has a single, governed view of machine identity lifecycle risk.



NHI Mgmt Group analysis

PKI modernization has become machine identity governance, not just infrastructure replacement. The article is right to frame modernization as a strategic shift because certificate systems now sit behind cloud workloads, DevOps pipelines, and IoT estates. That means the real issue is whether identity teams can maintain control over issuance, renewal, ownership, and revocation at scale. Practitioners should stop treating PKI as a background utility and manage it as part of the broader non-human identity programme.

Certificate sprawl is the clearest sign that governance has failed. When teams spin up separate certificate authorities, the organisation is not scaling PKI; it is exporting risk into shadow processes that security cannot see. The warning sign is not only operational duplication, but the loss of policy consistency and lifecycle visibility across different business units. Practitioners should treat fragmented CA estates as a governance defect, not an architecture preference.

Automation and crypto-agility define whether PKI can keep pace with the enterprise. Manual certificate management cannot survive the volume and tempo of modern identity systems. Automation is now the control that keeps machine identities live, and crypto-agility is what prevents tomorrow's standards shift from becoming a forced rebuild. Practitioners should evaluate PKI on whether it can support change without reintroducing manual steps.

Modern PKI should be measured by how much identity friction it removes. If teams still rely on spreadsheets, ad hoc renewals, or one-off CAs, the programme remains reactive no matter how modern the tooling appears. The discipline is to reduce exception handling and make the certificate lifecycle observable end to end. Practitioners should judge PKI modernization by control consistency, not by feature lists.

PKI is now one of the places where workload identity, NHI governance, and infrastructure resilience meet. That intersection matters because certificate failure can become an access failure, an outage, or an audit problem. The article reinforces a broader point for identity leaders: machine identity governance only works when lifecycle, deployment model, and policy enforcement are designed together. Practitioners should align PKI with the same governance standards they apply to other NHI classes.

From our research:

  • 53% of organisations have experienced a security incident directly related to machine identity management failures, according to The Critical Gaps in Machine Identity Management report.
  • Only 38% have automated certificate lifecycle management in place, which shows how much of the market still relies on manual control paths.
  • The next step is not just automation, but policy clarity, and the Ultimate Guide to NHIs, Standards is the best starting point for mapping PKI work to identity governance.

What this signals

PKI teams should expect machine identity governance to move closer to IAM operating models. When certificates underpin workload access, lifecycle discipline matters as much as cryptography. The practical signal for programmes is that PKI can no longer sit outside identity governance, especially when certificate ownership, renewal, and revocation still depend on human memory or team-specific processes.

With 69% of organisations now having more machine identities than human ones, the control problem has already shifted. That scale means certificate operations are no longer a niche infrastructure concern, and identity teams need visibility into where every credential is issued, renewed, and retired. The programme question becomes whether PKI can support that volume without creating shadow governance.

Crypto-agility will become a board-level resilience topic before it becomes a migration project. If organisations cannot switch algorithms or trust anchors without rebuilding the estate, they are locking future security decisions into today’s architecture. Teams should prepare architecture, lifecycle, and standards work now so post-quantum transitions do not become emergency programmes later.


For practitioners

  • Inventory every certificate authority and issuer: Build a complete register of internal, cloud, and team-owned CAs, then tie each one to a named owner, renewal process, and policy set. If a CA cannot be linked to an accountable team, treat it as shadow PKI and bring it into governance before the next renewal cycle.
  • Automate certificate lifecycle operations: Move discovery, issuance, renewal, and revocation out of manual tracking and into a governed workflow that covers every CA in scope. Prioritise high-churn workloads first, especially where certificates are consumed by APIs, containers, or CI/CD pipelines.
  • Consolidate fragmented CA estates: Reduce the number of separate PKI stacks by defining a central governance model for policy, escalation, and exception handling. Consolidation should preserve business-specific requirements, but it must remove duplicated control planes that prevent consistent oversight.
  • Test crypto-agility before standards force the change: Validate that your PKI can change algorithms, issuers, and trust anchors without a full rebuild. Include post-quantum readiness in architecture reviews so the organisation can move when standards mature rather than during a crisis.
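As an added example (not Keyfactor's or NHIMG's code), the following Python turns the practitioner steps above and the lifecycle and crypto-agility controls from the technical breakdown into a repeatable check: a governed-CA register with named owners, a renewal window, and a deprecated-algorithm list are applied to a certificate inventory, flagging shadow PKI, missing ownership, expiry, renewals due, and algorithms the estate must be able to retire. The register, policy values, and inventory rows are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed governed-CA register: issuer DN -> accountable owner team.
GOVERNED_CAS = {
    "CN=Corp Issuing CA 01": "pki-platform-team",
    "CN=Cloud Workload CA": "cloud-identity-team",
}
# Constructed crypto-agility policy: algorithms the estate must be able to retire.
DEPRECATED_ALGORITHMS = {"sha1WithRSAEncryption"}
RENEWAL_WINDOW_DAYS = 30  # anything expiring inside this window needs renewal now

@dataclass
class CertRecord:
    # One inventory row, with the fields a discovery scan would collect.
    subject: str
    issuer: str
    not_after: date
    signature_alg: str
    owner: Optional[str] = None  # explicit owner, else inherited from the CA register

def classify(records: List[CertRecord], today: date) -> Dict[str, List[str]]:
    """Map each certificate subject to its lifecycle-governance findings."""
    findings: Dict[str, List[str]] = {}
    for r in records:
        issues = []
        if r.issuer not in GOVERNED_CAS:
            issues.append("shadow-pki")  # issuer is outside the governed register
        if (r.owner or GOVERNED_CAS.get(r.issuer)) is None:
            issues.append("no-owner")  # nobody is accountable for renewal
        days_left = (r.not_after - today).days
        if days_left < 0:
            issues.append("expired")
        elif days_left <= RENEWAL_WINDOW_DAYS:
            issues.append("renewal-due")
        if r.signature_alg in DEPRECATED_ALGORITHMS:
            issues.append("deprecated-algorithm")  # crypto-agility debt to retire
        findings[r.subject] = issues
    return findings

# Constructed inventory snapshot, as if produced by a discovery scan on TODAY.
TODAY = date(2026, 6, 29)
INVENTORY = [
    CertRecord("api.internal", "CN=Corp Issuing CA 01", TODAY + timedelta(days=200), "sha256WithRSAEncryption"),
    CertRecord("ci-runner-07", "CN=Cloud Workload CA", TODAY + timedelta(days=12), "ecdsa-with-SHA256"),
    CertRecord("legacy-erp", "CN=Corp Issuing CA 01", TODAY - timedelta(days=3), "sha1WithRSAEncryption"),
    CertRecord("iot-gw-3", "CN=Team Lab CA", TODAY + timedelta(days=400), "sha256WithRSAEncryption"),
    CertRecord("svc-x", "CN=Team Lab CA", TODAY + timedelta(days=90), "ecdsa-with-SHA256", owner="team-x"),
]
```

Running `classify(INVENTORY, TODAY)` reports `iot-gw-3` as both shadow PKI and ownerless, while `svc-x` shows that a named owner removes the ownership finding but does not make an unregistered CA governed.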

Key takeaways

  • Legacy PKI is now a machine identity governance problem because cloud, IoT, and DevOps have outgrown the certificate models many organisations still run.
  • Certificate sprawl, shadow PKI, and manual lifecycle tracking are the strongest indicators that PKI no longer has a single governed control plane.
  • Automation and crypto-agility are the practical tests of modern PKI maturity because they determine whether the platform can scale and adapt without disruption.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | Certificate lifecycle automation directly addresses NHI credential renewal and revocation gaps.
NIST CSF 2.0                     | PR.AC-4             | PKI modernization improves access control consistency for machine identities and workloads.
NIST Zero Trust (SP 800-207)     | SC-7                | Modern PKI supports segmented trust and continuous verification across hybrid workloads.

Map certificate issuance and renewal to NHI-03 and automate every lifecycle step that still depends on manual tracking.


Key terms

  • Certificate lifecycle automation: Certificate lifecycle automation is the managed process of discovering, issuing, renewing, and revoking certificates without relying on spreadsheets or ad hoc reminders. In modern identity programmes it is the control that keeps machine identities current, observable, and less dependent on manual intervention.
  • Shadow PKI: Shadow PKI is any certificate authority or certificate process created outside central governance. It usually appears when teams need speed but lack a shared platform, and it weakens ownership, policy consistency, and incident response because no single team can see the full certificate estate.
  • Crypto-agility: Crypto-agility is the ability to change cryptographic algorithms, trust anchors, or CA dependencies without rebuilding the entire trust environment. For identity teams, it is a resilience property that reduces migration risk when standards, threats, or compliance requirements change.
  • Machine identity: Machine identity is the credentialed identity used by workloads, devices, services, and automated systems to authenticate and establish trust. In PKI programmes it is often certificate-backed, and its lifecycle must be governed with the same discipline used for other non-human identities.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or operational governance, it is worth exploring.

This post draws on content published by Keyfactor: 5 Reasons to Modernize Your PKI. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org