TL;DR: Digital transactions need more than convenience: certificate-based digital signatures and identity verification reduce fraud, preserve integrity, and support legally recognised trust in regulated workflows, according to GlobalSign. The governance issue is that electronic speed does not remove the need for strong identity assurance, tamper evidence, and accountable issuance.
NHIMG editorial — based on content published by GlobalSign: digital signatures, identity verification, and transaction trust
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: How should security teams choose the right digital signature assurance level?
A: Start with the transaction's legal, financial, and regulatory impact.
Q: Why do digital signatures still require identity governance?
A: Because a signature is only trustworthy if the signer was correctly identified, authorised for the action, and tied to a valid certificate at the moment of signing.
Q: What is the main risk of using low-assurance e-signatures in regulated workflows?
A: The risk is weak evidentiary value.
Practitioner guidance
- Classify signature workflows by assurance level Separate low-risk acknowledgements, advanced signatures, and qualified signatures into distinct policy tiers so the method matches the legal and business impact of the transaction.
- Treat certificate issuance as identity governance Put issuance, storage, revocation, and renewal of signing certificates under formal ownership, approval, and lifecycle controls rather than leaving them inside the document workflow team.
- Bind tamper evidence to the approval record Require signed documents to verify against the issuing trust chain and fail closed when the document changes, so post-signature alteration cannot be mistaken for a valid approval.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- A breakdown of certificate-based signing, advanced signatures, and qualified signatures in practical compliance terms
- The standards and legal regimes referenced by the source, including eIDAS, ESIGN, UETA, SOX, and related trust frameworks
- The document-security guarantees the vendor attributes to PKI-backed signatures and seal workflows
- The specific ways GlobalSign positions its trust services for regulated transaction environments
👉 Read GlobalSign's analysis of digital signatures and identity assurance →
Digital signatures and identity assurance: what IAM teams need to know?
Explore further
Certificate-based signing is an identity control, not a formatting feature. The article is really about binding identity to action in a way that can survive legal and regulatory scrutiny. That is an IAM problem because the trust value sits in issuance, authentication, revocation, and proof, not in the file type itself. Practitioners should treat signing infrastructure as part of identity governance, not as a separate document tool.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: What should organisations verify before relying on certificate-based signatures?
A: They should verify the trust service provider, the certificate chain, the signer identity binding, revocation handling, and whether the signature type matches the workflow's regulatory requirement. If any of those pieces are missing, the signature may still be usable but it is not equally defensible.
👉 Read our full editorial: Digital signatures need stronger identity assurance in regulated transactions