TL;DR: IoT security remains fragmented because weak passwords, outdated firmware, inconsistent standards, and unclear lifecycle accountability still leave devices exposed, while PKI, certificates, and hardware trust are becoming the foundation for scalable device authentication, secure updates, and revocation, according to GlobalSign. The critical shift is that IoT maturity is now an identity and governance problem, not just a device hardening problem.
NHIMG editorial — based on content published by GlobalSign: an analysis of whether 2026 could mark a turning point for IoT security maturity
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Questions worth separating out
Q: What fails when IoT devices do not have cryptographic identity controls?
A: Without cryptographic identity, devices can be impersonated, cloned, or silently replaced in the network.
Q: Why do IoT devices create the same governance problems as non-human identities?
A: IoT devices need credentials, trust anchors, renewal, and revocation just like service accounts or API keys.
Q: How should organisations govern IoT devices that are distributed across vendors and resellers?
A: They should assign lifecycle ownership at the operator level, standardise certificate issuance, and require revocation at retirement regardless of who manufactured or resold the device.
Practitioner guidance
- Implement device identity as a mandatory onboarding gate Require cryptographic proof of identity, such as certificate-based authentication or hardware-backed keys, before any IoT device joins production networks or management planes.
- Tie certificate renewal to device lifecycle ownership Assign a named owner for every device class and make certificate renewal, firmware update rights, and revocation part of that owner’s control set.
- Automate offboarding and revocation for retired devices Build retirement workflows that revoke credentials, remove trust anchors, and disable update channels as soon as a device is decommissioned or replaced.
What's in the full article
GlobalSign's full blog covers the operational detail this post intentionally leaves for the source:
- How the article frames EU Cyber Resilience Act pressure on device makers and why lifecycle update obligations matter.
- The article's discussion of PKI, certificates, TPMs, and secure elements as the trust foundation for large IoT fleets.
- Its examples of how AI can both improve anomaly detection and expand the attack surface for manipulated telemetry.
- The article's broader argument about standards such as ETSI EN 303 645 and ISO/IEC 27400 in reducing fragmentation.
👉 Read GlobalSign's analysis of IoT security maturity, PKI, and device trust →
IoT security maturity in 2026: where are identity controls still missing?
Explore further
IoT security maturity is really device identity maturity. The article is strongest when it moves past firmware and instead points to trust anchors, certificates, and revocation as the basis of safe scale. That maps directly to NHI governance because unmanaged devices behave like unmanaged machine identities, and the governance model must follow the trust relationship rather than the hardware category. Practitioners should treat device identity as core security architecture, not infrastructure decoration.
A question worth separating out:
Q: Who is accountable when an IoT device with stale credentials is used in an attack?
A: The accountable party is the organisation that controls the active trust relationship, not just the hardware supplier. Regulators and auditors will look for ownership of onboarding, update enforcement, and revocation. If those controls are not assigned and documented, the organisation owns the risk.
👉 Read our full editorial: IoT security maturity still hinges on identity and lifecycle control