Compliance as trust baseline: what IAM teams need to do differently


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Compliance is not a passive checkbox but the baseline that makes trust possible, according to DigiCert. The practical implication is that identity programmes need compliance to function as a living control surface, not a periodic review exercise, and DigiCert says its own audit and standards work lets it spot emerging risk earlier and drive better governance across certificates, policies, and industry bodies.

NHIMG editorial — based on content published by DigiCert: Compliance is the root of trust

By the numbers:

  • DigiCert runs 26 annual audits that span the full scope of its business and global footprint.

Questions worth separating out

Q: How should security teams turn compliance into a working trust baseline?

A: Security teams should define compliance as the minimum operational state for identity, certificate, and access controls, then verify that state continuously against real production conditions.

Q: Why do audits matter beyond passing assurance checks?

A: Audits matter because they expose control drift, repeated exceptions, and weak ownership patterns that are otherwise invisible in policy documents.

Q: How can organisations use standards work to improve identity security?

A: Organisations can use standards participation to influence the trust baseline before it hardens into industry practice.

Practitioner guidance

  • Turn compliance into a living baseline: Map the minimum trust requirements for certificates, identities, and approvals, then test them against current operating conditions rather than annual snapshots.
  • Use audit findings as control-design input: Track repeated exceptions, recurring control failures, and slow remediation patterns so audit output feeds directly into policy and architecture updates.
  • Tie standards ownership to security accountability: Assign a named owner for standards monitoring so changes in external requirements are reviewed alongside internal policy, certificate, and identity controls.

What's in the full article

DigiCert's full article covers the operational detail this post intentionally leaves for the source:

  • Specific examples of how DigiCert structures its audit and standards participation across its global footprint
  • The way its compliance approach uses pattern analysis to inform product, policy, and process decisions
  • The list of standards and governing bodies it references as part of its trust model
  • The vendor's own framing of how proactive compliance supports digital trust at scale

👉 Read DigiCert's perspective on proactive compliance and digital trust →
