TL;DR: Integrating DSPM with PKI changes how teams find, classify, and govern certificate-related risk across data and trust infrastructure, according to GlobalSign. For identity and security programmes, the shift is less about better inventory and more about connecting certificate exposure to broader access, lifecycle, and governance controls.
NHIMG editorial — based on content published by GlobalSign: Gestion des risques : l'intégration DSPM et PKI change la donne
Questions worth separating out
Q: What breaks when attestation certificates are not managed like identities?
A: The attestation model loses operational value if issuance, renewal, expiry, and revocation are handled ad hoc.
Q: Why do certificates create risk in cloud and automation environments?
A: Certificates create risk when they outlive the workloads, pipelines, or data paths they were meant to protect.
Q: How should security teams measure whether certificate governance is actually working?
A: Use operational signals, not policy statements.
Practitioner guidance
- Map certificates to workload and data dependencies Build an inventory that links each certificate to the service, API, or dataset it authenticates.
- Treat certificate renewal as lifecycle governance Set renewal, revocation, and replacement thresholds based on usage and risk, not only expiration.
- Unify certificate telemetry with DSPM findings Correlate exposed data locations with the certificates and trust chains that protect them.
What's in the full article
GlobalSign's full blog post covers the operational detail this post intentionally leaves for the source:
- How DSPM and PKI are being combined in practice to identify certificate-related exposure paths.
- The specific governance questions teams should ask before renewing or replacing certificates tied to sensitive data.
- How certificate inventories can be aligned with workload identity and machine trust ownership.
- The operational trade-offs between certificate visibility, lifecycle automation, and trust revocation.
👉 Read GlobalSign's analysis of how DSPM and PKI reshape certificate risk management →
DSPM and PKI integration: what it means for certificate governance?
Explore further
Certificate sprawl is an identity governance problem, not just a PKI problem. Certificates now behave like durable machine identities across cloud and application estates, so their exposure cannot be managed with expiry tracking alone. When visibility stops at the certificate object, teams miss the access path, workload dependency, and data trust relationship behind it. Practitioners should treat certificate sprawl as part of NHI governance, not a separate infrastructure task.
A question worth separating out:
Q: Should organisations fold certificates into NHI programmes?
A: Yes, when certificates are used to authenticate services, APIs, workloads, or automation, they function as non-human credentials and should be governed as such. Folding them into NHI programmes improves lifecycle control, ownership, and offboarding discipline. It also avoids the common failure mode where machine trust is managed as infrastructure rather than identity.
👉 Read our full editorial: DSPM and PKI integration is reshaping certificate risk management