TL;DR: As certificate lifetimes compress from years to months and toward 47 days, unmanaged and unknown certificates become a growing availability and governance risk, according to GlobalSign. The operational fix is not just faster renewal, but discovery, ownership, and lifecycle control that can keep pace with machine identity sprawl.
At a glance
What this is: The article argues that shrinking certificate lifetimes are exposing a hidden class of unknown and shadow certificates that organisations cannot reliably track or renew.
Why it matters: For IAM, NHI, and security teams, certificate sprawl turns machine identity governance into an availability problem as much as a cryptographic one, because expired or unowned certificates can take services down and undermine trust.
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
👉 Read GlobalSign's analysis of unknown certificates and shrinking PKI lifetimes
Context
Certificate governance is a machine identity problem before it is a tooling problem. When certificates expire without ownership, inventory, or rotation workflows, the failure is usually not cryptographic weakness but lifecycle blindness, especially as certificate lifetimes shorten and unmanaged assets multiply across cloud, legacy systems, and third-party environments.
That is why this topic sits close to NHI governance even though it is framed through PKI. Certificates are one form of non-human identity, and the same control gaps that affect service accounts and API keys appear here: poor visibility, weak ownership, delayed revocation, and no reliable offboarding path.
Key questions
Q: What breaks when certificate lifetimes become too short for manual tracking?
A: Manual tracking breaks first, then ownership, then renewal timing. When certificates move from years to months, spreadsheets and ad hoc reminders miss dependencies, especially in legacy, cloud, and inherited environments. The practical failure is not cryptographic weakness but lifecycle blindness, where valid services go dark because no one can reliably see or renew the certificate in time.
Q: Why do unknown certificates create both security and availability risk?
A: Unknown certificates are risky because they can expire without warning, remain unowned, or hide in systems that no team actively monitors. That creates an availability failure, but it also weakens trust governance because expired or unmanaged machine credentials are still part of the identity estate. Discovery and assignment are the controls that turn hidden risk into manageable risk.
Q: How do security teams know whether certificate governance is actually working?
A: Look for evidence that every certificate is discovered, owned, and tied to an automated renewal path. If teams still find certificates in spreadsheets, orphaned test systems, or acquired platforms after the fact, governance is not working. A healthy programme can show inventory completeness, low renewal exceptions, and rapid removal of unneeded certificates.
Q: Who should be accountable for certificate expiry incidents?
A: Accountability should sit with the team that owns the service and the certificate lifecycle, not only with central security. If a certificate supports a production system, the service owner must be able to prove discovery, renewal, and retirement controls exist. Security can set policy and oversight, but operational ownership must be explicit.
Technical breakdown
Why shrinking certificate lifetimes break manual PKI processes
Certificate validity windows are compressing, which changes the operating model rather than just the renewal schedule. A yearly certificate may survive manual tracking, but a 100-day or 47-day certificate exposes every dependency on spreadsheets, email reminders, and informal ownership. The risk is not only expiry. Shorter lifetimes increase the number of renewal events, the chances of missed dependencies, and the likelihood that orphaned certificates remain outside governance. In machine identity terms, certificates behave like ephemeral credentials only if renewal, issuance, and revocation are automated and attributed to a clear owner.
Practical implication: Practitioners should treat renewal frequency as a control design problem and remove any certificate path that still depends on manual tracking.
What certificate discovery changes in machine identity governance
Discovery is the inventory layer that turns unknown certificates into managed assets. It identifies certificates across servers, cloud workloads, containers, endpoints, and legacy systems, then maps them to expiry dates, owners, algorithms, and trust chains. Without discovery, lifecycle management is reactive and partial. With it, teams can see duplicated certificates, forgotten test environments, inherited assets from acquisitions, and certificates embedded in systems no one monitors. For identity teams, this is the same governance pattern used for NHI visibility: no inventory means no assurance that access has a valid owner or a defensible lifecycle.
Practical implication: Build continuous discovery into certificate governance so every certificate can be tied to an owner, a system, and a renewal path.
How certificate lifecycle management reduces outage risk
Certificate lifecycle management, or CLM, connects discovery, assignment, renewal, replacement, and retirement into a repeatable process. It prevents outages by ensuring certificates are renewed before expiry, replaced without service interruption, and removed when systems are decommissioned. The key architectural point is that lifecycle control must span the whole environment, not just well-known public-facing services. Internal APIs, test systems, and acquired platforms often create the most operational risk because they are least visible. In security terms, CLM is an availability control with identity implications, because the certificate is both a trust credential and a service dependency.
Practical implication: Standardise CLM across internal and external systems so expired certificates cannot become a hidden outage trigger.
NHI Mgmt Group analysis
Certificate sprawl is a machine identity governance problem, not just a PKI maintenance issue. The article shows how expired or unknown certificates become operational failures only after organisations lose track of ownership and lifecycle. That is the same pattern seen across NHI programmes: a credential is only governable when inventory, responsibility, and rotation are all present. Practitioners should treat certificate governance as part of the broader machine identity estate.
Shorter certificate lifetimes expose the hidden cost of manual control planes. Every reduction in validity increases the rate at which renewals, revocations, and replacements must succeed. Manual processes do not scale linearly when the lifecycle compresses from years to months, and the result is missed expiries, shadow assets, and avoidable service outages. The governance lesson is that lifecycle speed is now a control requirement, not an operational convenience.
Discovery is the decisive control because you cannot secure what you cannot inventory. The strongest concept in this topic is certificate visibility debt, the gap between what exists in the environment and what the organisation can account for. That debt accumulates across cloud, legacy, test, and inherited environments until expiry becomes a surprise event. Teams should use continuous discovery as the baseline for any certificate governance programme.
Flexibility in renewal economics matters because machine identity volumes are rising faster than budgets and staff. The article’s focus on small and mid-sized organisations reflects a broader reality: certificate governance often fails where generalist teams are expected to manage specialist controls. As environments become more dynamic, organisations need lifecycle processes that reduce manual effort and align commercial models with renewal frequency. Practitioners should align tooling, process, and budget around constant rotation, not occasional replacement.
What this signals
Certificate expiry events are becoming a governance test for machine identity programmes, not just an operational nuisance. The organisations that cope best will be the ones that can prove inventory completeness, ownership, and automated renewal across all environments, including inherited systems and internal services.
visibility debt: the gap between certificates that exist and certificates the organisation can actually account for will widen as lifetimes shorten. That debt is best addressed with continuous discovery and explicit ownership, not periodic clean-up exercises.
For teams building broader identity governance, the lesson aligns with the OWASP Non-Human Identity Top 10 and the NIST Cybersecurity Framework 2.0: inventory, protect, detect, and recover must all apply to machine credentials as well as human accounts.
For practitioners
- Inventory every certificate continuously Scan servers, cloud workloads, containers, endpoints, and legacy systems on a recurring basis, then map each certificate to an owner, expiry date, and trust chain.
- Replace spreadsheet-driven renewal with CLM workflows Automate renewal, replacement, and retirement so no certificate depends on email reminders or informal knowledge to survive a shorter validity window.
- Assign ownership to shadow and inherited certificates Create a remediation queue for certificates found in acquired platforms, test environments, and undocumented services, then force a named owner before the next renewal.
- Tie certificate governance to machine identity policy Treat certificates as part of the non-human identity estate, and align expiry, revocation, and offboarding rules with your broader identity lifecycle controls.
Key takeaways
- Shrinking certificate lifetimes turn hidden certificate sprawl into a governance and availability problem, not just a renewal task.
- Visibility and ownership are the decisive controls, because unmanaged certificates fail silently until an outage exposes them.
- Automation matters most when paired with lifecycle discipline, since renewal speed without discovery still leaves shadow certificates in place.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate renewal gaps mirror improper credential rotation and lifecycle control. |
| NIST CSF 2.0 | PR.AC-1 | Inventory and access control are central to certificate discovery and ownership. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management applies directly to certificate issuance, renewal, and revocation. |
| CIS Controls v8 | CIS-5 , Account Management | Lifecycle governance for certificates mirrors account and credential management discipline. |
| NIST Zero Trust (SP 800-207) | Zero Trust depends on continuously verified machine identity credentials. |
Map certificate renewal and retirement workflows to NHI-03 and automate anything still tracked manually.
Key terms
- Certificate Discovery: Certificate discovery is the process of finding every digital certificate in an environment, including those embedded in cloud workloads, endpoints, legacy systems, and test assets. It creates the inventory baseline needed to assign ownership, track expiry, and reduce the risk of hidden or orphaned credentials.
- Certificate Lifecycle Management: Certificate lifecycle management is the operational process of issuing, renewing, replacing, and retiring certificates in a controlled way. In practice, it combines inventory, ownership, automation, and offboarding so certificate expiry does not become an unplanned outage or a trust failure.
- Shadow Certificate: A shadow certificate is a certificate that exists outside formal tracking and governance processes. It may be hidden in an old service, inherited from an acquisition, or created during temporary work that became permanent, making it difficult to renew, revoke, or attribute responsibly.
- Machine Identity: Machine identity is the identity used by non-human systems such as services, workloads, certificates, tokens, and API keys to authenticate and communicate. It is governed through lifecycle, privilege, visibility, and revocation controls, much like human identity but at a much larger scale.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- Commercial licence models and SAN-based pricing considerations for frequent certificate renewal
- The practical implications of 47-day certificate validity for small and midsized teams
- How discovery and automation tooling changes day-to-day certificate operations
- The post-quantum transition angle and why the vendor frames it as a future planning issue
Deepen your knowledge
NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course, the industry's only accredited NHI security programme. It is designed for practitioners who need to connect lifecycle control, access governance, and machine identity risk across their programme.
Published by the NHIMG editorial team on 2026-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org