TL;DR: Trust programs need continuous measurement, not periodic checks, to prove control, surface drift, and prioritize remediation across certificate, cryptography, and machine-identity estates, according to Keyfactor. Hard evidence is now the operational requirement, because unmanaged gaps only become visible when teams can quantify them.
NHIMG editorial — based on content published by Keyfactor: Stage Two - Analyze & Measure, continuous insight for continuous improvement
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should security teams measure whether trust controls are actually working?
A: Security teams should measure trust controls through a small set of operational indicators that show scope, compliance, lifecycle performance, and anomaly trends.
Q: Why do machine identities need continuous measurement instead of periodic review?
A: Machine identities change too quickly for periodic review to provide reliable assurance.
Q: How do organisations know if lifecycle controls for certificates are effective?
A: They know by tracking renewal success rate, time to issuance, remediation speed, and unplanned expirations over time.
Practitioner guidance
- Define control indicators before expanding dashboards: limit reporting to a small set of metrics that show scope, compliance, lifecycle performance, and anomalies.
- Tie renewal and remediation metrics to operational ownership: track time to issuance, renewal success rate, exception rates, and unplanned expirations as operational controls.
- Use discovery data to challenge inventory assumptions: compare known assets against newly discovered items every reporting cycle, including hidden or unmanaged systems that fall outside standard enrolment.
What's in the full article
Keyfactor's full product post covers the operational detail this post intentionally leaves for the source:
- Dashboard and reporting workflow examples for trust telemetry across certificate and machine-identity estates
- Role-based views for CISOs, PKI managers, and operational teams that the post only summarises at a high level
- Examples of lifecycle metrics such as issuance timing, renewal success, and change failure rate in a live platform context
- The article's own trust control plane framing for teams that want the full implementation narrative
👉 Read Keyfactor's Stage Two analysis of trust control plane measurement →
Trust control plane measurement: what IAM teams need to watch
Explore further
Continuous measurement is the control that makes trust governance real. Policy statements do not prove control, and occasional audits do not show drift as it happens. This stage matters because identity and cryptography programmes fail when they are run from assumptions instead of evidence. Practitioners should treat telemetry quality as a governance requirement, not a reporting feature.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who should own trust telemetry when reporting spans NHI and cryptography controls?
A: Ownership should sit with the team that can act on the signal, not the team that merely receives the report. Operators need asset-level visibility, while CISOs and executives need trend lines and exception summaries. Clear ownership prevents metrics from becoming passive dashboards and turns them into governance inputs.
👉 Read our full editorial: Analyze and measure trust control plane performance for NHI risk