TL;DR: SGP.32 is pushing zero-touch eSIM provisioning for IoT devices, but many SM-DP+ platforms still only support JSON while device flows increasingly rely on ASN.1, creating interoperability gaps that only surface in integration or live testing, according to Workz Group. The governance issue is not connectivity alone but whether NHI-style device identity workflows can survive heterogeneous provisioning stacks without hidden translation layers.
At a glance
What this is: This is an analysis of how SGP.32 zero-touch eSIM provisioning runs into interoperability gaps when ASN.1-based IoT device flows meet JSON-only SM-DP+ platforms.
Why it matters: It matters because IAM and NHI teams need device identity, provisioning, and lifecycle controls that work across mixed vendor stacks, not just in clean lab environments.
By the numbers:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
👉 Read Workz Group's analysis of SGP.32 interoperability in IoT eSIM provisioning
Context
SGP.32 is the GSMA specification shaping zero-touch eSIM provisioning for IoT devices, but interoperability depends on more than protocol adoption. The practical issue is that fully automated device flows can use ASN.1 while many commercial SM-DP+ platforms were built around JSON-based consumer eSIM patterns, so the control plane does not always line up with the device side.
For IAM and NHI practitioners, this is a lifecycle and governance problem as much as a transport problem. If device identity, provisioning, and operational handoff depend on assumptions inherited from smartphone-era tooling, then the real question is whether the provisioning stack can govern machine identities consistently across heterogeneous environments.
The article’s core point is that the gap often appears only during integration or live testing, which makes pre-production confidence unreliable. That is typical of IoT rollout complexity, where standards compliance does not automatically equal cross-platform operability.
Key questions
A: Teams should test the full provisioning path before rollout and not assume that standards compliance guarantees interoperability. If devices speak ASN.1 and platforms still expect JSON, a translation layer may be needed, but it must be governed as part of the identity control plane. The key is proving end-to-end onboarding across every intended platform, not just in one lab environment.
Q: Why do IoT identity programmes still fail even when the standard is implemented?
A: They fail because the standard does not remove downstream variability. A device can be SGP.32-aligned and still break if a subscription platform, middleware layer, or operating process does not support the same message contract. In practice, interoperability is a lifecycle issue, because onboarding only works when every handoff in the provisioning chain can execute consistently.
Q: What do security teams get wrong about zero-touch eSIM provisioning?
A: They often treat zero-touch as a guarantee of scale rather than a claim that still depends on compatible infrastructure. The mistake is assuming that automated onboarding removes the need for validation. In reality, the more automated the process, the more important it is to confirm that every supported device, platform, and region can complete the same provisioning flow.
Q: What is the difference between protocol translation and device identity governance?
A: Protocol translation solves message compatibility, while device identity governance decides whether the provisioning flow is trusted, observable, and consistent enough to operate at scale. A translation layer can make two systems talk, but it does not by itself prove lifecycle control, accountability, or supportability across the fleet.
Technical breakdown
Why ASN.1 and JSON create an eSIM provisioning mismatch
SGP.32 device flows can rely on IPAe logic and ASN.1 messaging, while older SM-DP+ implementations often expect JSON. That is not a simple syntax difference. It changes how provisioning requests are encoded, parsed, and validated across the device, the orchestration layer, and the subscription manager. In practice, interoperability failures often arise when one side assumes a consumer-style message contract and the other side is built for an IoT-specific automation path. The result is a standards-compliant device that still cannot complete provisioning in a live environment.
Practical implication: test ASN.1 and JSON compatibility explicitly across every SM-DP+ path before rollout.
What a translation middleware layer changes in IoT identity operations
A middleware translation layer sits between the eSIM IoT Manager and the SM-DP+ platform, converting message formats while preserving the protocol flow. Architecturally, this reduces dependency on every downstream platform adopting the same encoding at the same time. It also introduces a governance point, because the middleware becomes part of the trust boundary for device provisioning. If translation is not observable, versioned, and validated, it can hide defects until scale exposes them. For NHI programmes, that means the control plane must be treated as identity infrastructure, not just integration plumbing.
Practical implication: treat translation services as governed identity infrastructure with change control and testing.
Why zero-touch provisioning still needs operational validation
Zero-touch provisioning reduces manual handling, but it does not eliminate operational risk. The more automated the flow, the more important it is to validate that subscription allocation, message translation, and certificate or profile delivery work consistently across environments. In IoT, the business case for scale can mask the fact that a single unsupported message format breaks the whole onboarding path. That makes interoperability testing a lifecycle control, not just a QA exercise. For practitioners, the lesson is that automation must be proven across the full device estate, not assumed from the standard itself.
Practical implication: embed interoperability testing into provisioning governance, not only into engineering QA.
NHI Mgmt Group analysis
Interoperability is becoming an identity governance control, not just an engineering concern. SGP.32 shows that device identity does not fail only when credentials are weak or stolen. It also fails when the provisioning contract between device, middleware, and subscription platform is inconsistent. For NHI programmes, that means the control objective is reliable lifecycle execution across heterogeneous systems, not just standard adoption.
Protocol translation creates a new trust boundary that must be governed. A middleware layer that bridges ASN.1 and JSON can solve immediate compatibility problems, but it also becomes a critical part of the provisioning path. If its behaviour is opaque or poorly versioned, organisations lose visibility into where identity assertions are transformed. Practitioners should treat that translation layer as governed infrastructure, because identity integrity now depends on it.
SGP.32 exposes a classic hidden-compatibility problem in machine identity programmes. The standard promises scale, but real deployments depend on whether every downstream platform can interpret the same device onboarding language. That variability makes advance assurance difficult, which is why many IoT programmes only discover the gap in integration testing or production pilots. The implication is clear: lifecycle governance for connected devices must include interoperability validation as a first-class control.
Device identity programmes need a broader definition of readiness. Readiness is not whether the standard exists, but whether the provisioning ecosystem can execute it consistently across vendors, regions, and message formats. This is where machine identity governance overlaps with architecture, operations, and procurement. Teams that do not account for mixed-format environments will keep discovering the same issue at the worst possible time: during rollout.
Identity blast radius: when one unsupported provisioning path prevents a whole class of devices from onboarding, the failure is not isolated to a single platform. It affects fleet deployment timing, operational support load, and the organisation’s confidence in zero-touch automation. Practitioners should read this as a signal to design for heterogeneity from the start, not as a retrofit task.
From our research:
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- For broader machine identity context, review NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding should be governed across non-human identities.
What this signals
Identity readiness for IoT is shifting from specification compliance to ecosystem proof. Teams that treat SGP.32 as a box-ticking exercise will miss the operational risk hidden in message-format mismatches, platform version drift, and uneven support across suppliers. The practical programme question is whether your onboarding path is validated across real vendors, not just against the standard on paper.
The wider pattern is that machine identity governance now depends on the control plane being as observable as the devices it serves. If translation, subscription management, and provisioning assurance are not logged and tested together, the organisation will discover interoperability failures only when deployment pressure is highest. That is exactly where lifecycle governance needs to be stronger than engineering optimism.
As the industry pushes more zero-touch flows into production, the assurance model needs to move upstream. Use NHI Lifecycle Management Guide to frame provisioning and offboarding as governed stages, and align device onboarding validation with NIST SP 800-63 Digital Identity Guidelines where identity proofing and authentication boundaries matter.
For practitioners
- Validate ASN.1 and JSON interoperability early Build integration tests that exercise SGP.32 device flows against every SM-DP+ platform you expect to use, including live message exchange and error handling.
- Govern translation middleware as identity infrastructure Place any protocol translation layer under the same change control, logging, and version validation you would apply to other provisioning control plane components.
- Map provisioning dependencies across the full device estate Document which device models, regions, and subscription platforms depend on ASN.1, JSON, or both, so procurement and rollout plans reflect actual support boundaries.
- Include interoperability in rollout readiness gates Make successful provisioning across representative vendors a release criterion, not a post-deployment troubleshooting step.
Key takeaways
- SGP.32 does not eliminate interoperability risk, because ASN.1-based IoT device flows can still collide with JSON-only SM-DP+ platforms.
- The real governance issue is not just transport compatibility, but whether the device identity control plane is visible and testable across vendors.
- Practitioners should make cross-platform provisioning success a release gate and treat translation middleware as governed identity infrastructure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Provisioning and access control are central to SGP.32 device onboarding. |
| NIST SP 800-53 Rev 5 | AC-3 | Device access enforcement depends on consistent provisioning outcomes. |
| NIST Zero Trust (SP 800-207) | Zero-touch provisioning depends on continuous trust validation across platforms. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | Machine identity sprawl and inconsistent lifecycle handling are the underlying NHI risks here. |
Use NHI-01 and NHI-03 to govern onboarding consistency and lifecycle visibility across device identities.
Key terms
- SGP.32: SGP.32 is the GSMA specification for remote eSIM management in IoT environments. It changes how devices are provisioned and managed at scale, which makes integration, workflow assurance and identity governance central to deployment success rather than secondary implementation details.
- SM-DP+: The subscription management platform that delivers and manages eSIM profiles. In IoT provisioning, it is the system that must interpret device requests correctly, which means format compatibility and lifecycle support matter as much as nominal standards compliance.
- ASN.1: A structured message encoding used in many telecom and machine-to-machine systems. In SGP.32 flows, it can create interoperability friction when downstream platforms expect JSON instead, because the same provisioning intent is represented in a different machine-readable form.
- Protocol Translation: Protocol translation converts one identity language into another without losing trust context. For tactical systems, that usually means bridging LDAP expectations on the application side with OIDC or other enterprise identity assertions on the directory side.
What's in the full article
Workz Group's full article covers the operational detail this post intentionally leaves for the source:
- The specific role of the eIM middleware layer in bridging JSON-only SM-DP+ platforms with ASN.1-based IoT devices.
- The practical deployment benefits claimed for zero-touch provisioning across globally distributed device fleets.
- The GSMA SAS certification context and how it supports scalable IoT provisioning assurance.
- The product and rollout framing behind the universal interoperability approach for SGP.32 environments.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org