TL;DR: As certificate lifetimes shrink from years toward 47 days, unknown and undocumented certificates become a rapid-fire availability and governance risk, especially for lean teams that cannot rely on manual tracking, according to GlobalSign. The real issue is not rotation itself but the identity ownership and lifecycle controls that determine whether certificates stay visible, attributable, and remediable.
At a glance
What this is: This is an analysis of how shrinking certificate lifetimes turn unknown and shadow certificates into a governance and availability problem for PKI teams.
Why it matters: It matters because certificate lifecycle management is now an identity governance discipline, and teams that cannot inventory, assign, and rotate certificates will accumulate outages, blind spots, and unmanaged trust.
By the numbers:
- The validity duration of certificates is moving from 10 years to 47 days, creating an 8- to 10-fold increase in rotation workload.
👉 Read GlobalSign's analysis of unknown certificates and shrinking validity periods
Context
Certificate management is an identity governance problem when the environment changes faster than the process that tracks ownership, renewal, and revocation. When certificate lifetimes collapse toward weeks rather than years, the old model of occasional manual renewal stops being viable, and the first failure is usually not attack activity but an expired trust relationship that nobody was watching.
The article's core point is that shadow certificates behave like unmanaged non-human identities: they exist, they authenticate, and they break systems when lifecycle discipline is missing. That makes discovery, assignment, and automation part of the security baseline, not an optional maturity exercise for PKI teams.
Key questions
Q: What breaks when certificate discovery is missing in PKI operations?
A: Without certificate discovery, teams cannot reliably inventory trust assets, assign ownership, or spot expiry risk before it affects services. The result is hidden certificates, delayed renewals, and outages that appear to come from nowhere. Discovery is the control that turns unknown certificates into manageable identity objects instead of invisible operational liabilities.
Q: Why do short-lived certificates increase governance risk for infrastructure teams?
A: Short-lived certificates compress the time available to notice, validate, and renew trust objects, so governance moves from periodic review to continuous lifecycle control. If ownership and automation are weak, each renewal cycle becomes a chance for service interruption. The shorter the lifetime, the less room there is for manual correction.
Q: How do security teams know if certificate lifecycle management is actually working?
A: Lifecycle management is working when every certificate is discoverable, owned, renewed on schedule, and revoked without creating service disruption. Warning signs include unassigned certificates, renewal work handled in spreadsheets, repeated expiry incidents, and teams that cannot say how many certificates exist. Measurable ownership and low exception volume are the strongest signals.
Q: Who is accountable when an unknown certificate causes an outage?
A: Accountability should sit with the team that owns the underlying system and with the identity or PKI function that governs renewal policy. If neither can name the certificate before it fails, the organisation has a lifecycle governance gap, not just a technical issue. The fix is clear ownership, not post-incident blame.
Technical breakdown
Why certificate discovery becomes the control plane for PKI
Certificate discovery is the inventory function that tells teams where certificates exist, who owns them, and which ones are nearing expiry. In short-lifetime environments, discovery is not a reporting layer after the fact. It is the control plane that enables renewal scheduling, duplicate detection, and remediation. Without it, the organisation cannot distinguish active trust assets from abandoned ones, which is why shadow certificates become operational hazards rather than theoretical risks.
Practical implication: build continuous discovery across servers, cloud workloads, endpoints, containers, and legacy systems before shortening renewal cycles.
How short-lived certificates change identity lifecycle management
When certificate validity drops from years to months or days, lifecycle management shifts from periodic administration to continuous governance. That means ownership, renewal triggers, and exception handling must exist before expiry, not after an outage. This is the same structural problem seen in non-human identity programmes: if the credential lifecycle is not explicitly governed, the organisation accumulates unmanaged trust objects that outlive the teams that created them.
Practical implication: treat certificate issuance, ownership, renewal, and revocation as lifecycle events with named accountability and automation hooks.
Why manual renewal fails in heterogeneous infrastructure
Manual renewal breaks first in mixed environments because different platforms, legacy systems, and cloud services expose certificates through different workflows and alerting patterns. A spreadsheet or ticket queue cannot reliably absorb a 4x, 8x, or 10x increase in renewal activity. The real failure is not human effort alone, but the assumption that administrators will always notice every renewal window across every stack. That assumption collapses under scale and speed.
Practical implication: replace manual renewal with policy-driven automation for standard endpoints and reserve human review for exceptions and high-risk systems.
NHI Mgmt Group analysis
Unknown certificates are unmanaged non-human identities in disguise. A certificate is not just cryptography, it is a trust-bearing identity object that authenticates systems, services, and applications. When it is undiscovered, it becomes a governance blind spot that can break availability without any attacker being present. The practitioner conclusion is straightforward: inventory is the first identity control, even in PKI.
The certificate lifecycle assumption was designed for slow-moving infrastructure. That assumption fails when certificate validity falls from years to weeks because the environment now changes faster than manual ownership and renewal processes can track. The implication is not simply to automate more, but to rethink whether existing governance cadences can still observe the identity before it expires.
Shadow certificates create identity blast radius because their owners are often unknown. A certificate with no clear owner is difficult to renew, revoke, or audit, which means failure propagates into service disruption and recovery delay. This is the same accountability gap that appears in other unmanaged non-human identity programmes, and the practitioner conclusion is that ownership mapping must be enforced as a control, not a clean-up task.
Certificate discovery is the named control gap this article exposes. The article shows that organisations cannot secure what they have not found, and cannot automate what they have not classified. That makes discovery the prerequisite for any credible certificate lifecycle model, especially in small teams with limited PKI capacity. The practitioner conclusion is that unseen certificates are already operational debt.
Flexible licensing models are now part of identity resilience. When renewal frequency rises sharply, commercial rigidity becomes a technical risk because teams delay rotations to avoid budget shock. That does not change the cryptographic need, but it does shape whether organisations can actually sustain the lifecycle. The practitioner conclusion is that governance and procurement now intersect in certificate management.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- A separate finding from the same survey shows that systems with least-privileged AI access had a 17% incident rate versus 76% for over-privileged systems.
- For a deeper view on unmanaged identity exposure, see The 52 NHI breaches Report for real breach patterns that track back to hidden or over-provisioned identity objects.
What this signals
Shadow certificates should now be treated as workload identity debt. The same governance logic that applies to non-human identities applies here: if the identity object is not inventoried, owned, and lifecycle-managed, its failure becomes a production problem before it becomes a security problem. For teams formalising this discipline, the challenge is less about finding tooling and more about defining accountability across platform, infrastructure, and security owners.
With 88.5% of organisations already saying their non-human IAM practice lags human IAM, per the 2024 Non-Human Identity Security Report, certificate management should be folded into the broader NHI programme rather than treated as a separate PKI exercise. That shift matters because certificate discovery, lifecycle automation, and exception governance are all variations of the same identity control problem.
If renewal frequency continues to compress, teams will need processes that can prove every certificate is visible, owned, and replaceable at machine speed. The practical signal to watch is not just expiry volume, but whether the organisation can absorb rotation without manual heroics or hidden exceptions.
For practitioners
- Inventory every certificate continuously Scan servers, cloud workloads, containers, endpoints, and legacy systems on a recurring basis so every certificate has an owner, an expiry date, and an exception path. Use discovery results to eliminate hidden trust assets before shortening renewal intervals.
- Assign lifecycle ownership to each certificate Map each certificate to a business system and an accountable team, then require renewal responsibility in the same workflow that records issuance. If ownership is ambiguous, treat the certificate as unmanaged until resolved.
- Automate standard renewals and replacements Move recurring renewal tasks into policy-driven automation for common platforms, while keeping human review for legacy systems, unusual key sizes, and exceptions. Manual handling should be reserved for cases automation cannot classify safely.
- Treat shadow certificates as operational debt Create a backlog for unknown or unassigned certificates and close it with the same urgency as expired credentials or broken access controls. Visibility gaps should be managed as service risk, not just hygiene.
- Align procurement to renewal frequency Review whether the current licensing model supports faster certificate rotation without introducing budget friction. If the commercial model punishes good lifecycle behaviour, the organisation will eventually delay the controls it needs.
Key takeaways
- Certificate expiry is becoming an identity governance issue because short lifetimes expose every ownership gap in PKI.
- The biggest operational risk is not cryptography failure but unknown certificates that nobody can inventory, assign, or rotate in time.
- Continuous discovery and automated lifecycle control are now the baseline for keeping certificate-driven services stable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived, unmanaged certificates fit the same lifecycle and visibility problems as other NHI credentials. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential management applies to certificate ownership and renewal control. |
| NIST Zero Trust (SP 800-207) | Zero Trust relies on continuous verification, which certificate sprawl can undermine. | |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management covers the lifecycle of certificates used for machine authentication. |
| CIS Controls v8 | CIS-5 , Account Management | Account and credential oversight extends to certificates as machine identities. |
Inventory certificates as identity assets and enforce lifecycle ownership before reducing renewal windows.
Key terms
- Certificate Discovery: Certificate discovery is the process of finding every digital certificate in an environment and mapping it to a system, owner, and expiry state. In modern PKI, it is the prerequisite for automation because you cannot renew, revoke, or report on certificates you have not identified.
- Certificate Lifecycle Management: Certificate lifecycle management is the governance and automation of certificate issuance, renewal, replacement, and revocation. For NHI operations, it turns certificates from isolated technical artifacts into managed identity objects with explicit ownership, timing, and exception handling.
- Shadow Certificates: Shadow certificates are certificates that exist outside formal inventory, ownership, or monitoring processes. They often come from forgotten test systems, legacy services, cloud defaults, or acquired environments, and they create outage risk because no one is responsible for their renewal or removal.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- Practical examples of how certificate lifetimes shorten from years to 200 days, 100 days, and 47 days across the renewal lifecycle.
- Examples of how shadow certificates emerge in development, acquisitions, legacy systems, and cloud provisioning workflows.
- Discussion of SAN licensing as a commercial model for teams facing frequent certificate renewal.
- Guidance on how smaller teams can adapt PKI operations without building a dedicated certificate function.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org