TL;DR: IoT security has lagged adoption for a decade because devices were prioritised for connectivity over resilience, and the result is a fragmented ecosystem of weak passwords, outdated firmware, and inconsistent lifecycle control, according to GlobalSign. Identity, certificates, and lifecycle governance now define whether connected devices can be trusted at scale.
NHIMG editorial — based on content published by GlobalSign: IoT security maturity in 2026 and the trust problem behind connected devices
Questions worth separating out
Q: How should organisations govern IoT device identities at scale?
A: Treat each device as a revocable identity with an owner, lifecycle state, and cryptographic credential.
Q: Why do insecure IoT devices create broader enterprise risk?
A: Because once connected devices are inside a trusted environment, they can be used as entry points, persistence platforms, or sources of false data.
Q: What do teams get wrong about IoT security maturity?
A: They often confuse connectivity with control.
Practitioner guidance
- Define device identity ownership Assign a business owner, technical custodian, and revocation path for every connected device class.
- Tie procurement to lifecycle controls Require signed firmware, patch support commitments, end-of-life dates, and revocation capabilities in procurement language.
- Build revocation into onboarding Use certificate issuance and device enrolment workflows that allow quarantine, suspension, and revocation without manual field intervention.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- How the article frames the shift from device connectivity to lifecycle accountability.
- The regulatory implications of Cyber Resilience Act style requirements for manufacturers and buyers.
- Why certificates, PKI, and hardware-backed trust are presented as the practical foundation for IoT authentication.
- How AI-driven detection may change IoT monitoring while expanding the integrity risks around telemetry and models.
👉 Read GlobalSign's analysis of why IoT security maturity still depends on identity and trust →
IoT security maturity in 2026: is identity finally becoming the baseline?
Explore further
Identity is becoming the missing operating layer for IoT trust. The article correctly frames certificates and PKI as the basis for device confidence, but the deeper point is governance: every connected device is an identity that needs issuance, rotation, revocation, and offboarding. That is familiar territory for IAM and NHI teams, even when the device is not a traditional workload. The organisations that treat IoT as an identity problem will be better positioned to control risk at scale.
A question worth separating out:
Q: Who is accountable when an insecure IoT device causes an incident?
A: Accountability should be shared across procurement, security, operations, and the vendor, but it must be defined before deployment. If ownership is vague, security gaps persist because no one is responsible for patch support, revocation, or retirement. Governance frameworks should make device identity and lifecycle control explicit procurement requirements.
👉 Read our full editorial: IoT security maturity in 2026 still depends on identity and trust