TL;DR: Zero Trust depends on continuously verified digital identity, and DigiCert argues PKI supplies the authentication, encryption, and integrity layer needed to make that model workable across users, devices, systems, and apps. The practical issue is not whether Zero Trust is desirable, but whether enterprises can inventory, automate, and lifecycle-manage certificates fast enough to support it.
NHIMG editorial — based on content published by DigiCert: PKI as the foundation for Zero Trust
By the numbers:
- 96% of IT security executives believe that PKI is essential to building a Zero-Trust architecture.
- Only 5.7% of organisations have full visibility into their service accounts.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should security teams use PKI to support Zero Trust in mixed human and machine environments?
A: Use PKI to provide verifiable identity for devices, workloads, and services, then connect that trust layer to access policy and lifecycle controls.
Q: Why do certificate lifecycle failures create more risk than certificate issuance alone?
A: Issuing a certificate is only the beginning of trust.
Q: What breaks when organisations try to run Zero Trust without full certificate visibility?
A: Verification breaks because the programme cannot confidently distinguish active, expired, shadow, or orphaned certificates.
Practitioner guidance
- Inventory all certificate-bearing identities Build a complete catalogue of certificates across endpoints, applications, services, and cloud workloads, then assign ownership for each trust object.
- Automate certificate issuance and revocation Remove manual renewal and ad hoc revocation from the critical path by using policy-driven automation for creation, rotation, and invalidation.
- Tie PKI operations to lifecycle governance Integrate certificates into joiner, mover, leaver and offboarding workflows so identities cannot outlive their approved business use.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Certificate lifecycle management workflows for rotating and revoking identities at scale
- Implementation detail on using PKI to support hybrid and cloud-connected Zero Trust environments
- Visibility and automation considerations for large certificate inventories across enterprise systems
👉 Read DigiCert's analysis of PKI as the foundation for Zero Trust →
PKI and zero trust identity verification: are your controls ready?
Explore further
PKI becomes governance infrastructure when Zero Trust depends on certificate-backed identity. The article is right to move PKI out of the narrow crypto bucket and into identity architecture. Zero Trust is a governance model that demands continuous proof, and PKI is one of the few mechanisms that can support that proof at machine scale. For IAM and NHI teams, the implication is that identity assurance now extends to every device, app, and workload that participates in access decisions.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: How do IAM and NHI teams know whether PKI is actually improving access governance?
A: Look for shorter certificate rotation cycles, fewer unmanaged certificates, and tighter ownership of certificate-bearing identities across applications and workloads. If renewal is still manual, if unknown certificates keep appearing, or if revocation lags behind business change, PKI is not yet functioning as a governance control.
👉 Read our full editorial: PKI as the foundation for zero trust identity verification