TL;DR: Financial services firms now face tighter audit expectations around certificates, keys, and crypto-agility as DORA, NIS2, and PCI DSS v4.0 raise the bar for cryptographic governance, according to Keyfactor. Fragmented PKI is no longer just an operational nuisance; it is a compliance failure mode that turns visibility gaps into board-level risk and potential penalties.
NHIMG editorial — based on content published by Keyfactor: The New Compliance Clock for FinServ, why PKI control can't wait
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should FinServ teams control certificates and keys for audit readiness?
A: Treat certificates and keys as governed identity assets, not infrastructure leftovers: each one needs a named owner, an approved issuing CA, an approved algorithm and key length, and a tracked renewal date, and those facts must be retrievable on demand when an auditor asks for them.
Q: Why does fragmented PKI create compliance risk in regulated industries?
A: Fragmented PKI creates compliance risk because it makes control evidence incomplete. When certificates are issued from several CAs with no shared inventory, the organisation cannot show which assets exist, who owns them, which policy they were issued under, or when they expire, and an auditor cannot give credit for a control that cannot be evidenced.
Q: What signals show that cryptographic governance is failing?
A: Warning signs include unknown certificate ownership, manual renewal tracking, inconsistent CA usage, expired assets found during audits, and rogue issuance from DevOps or cloud teams.
Practitioner guidance
- Centralise certificate and key discovery: inventory every certificate, key, and CA relationship across on-prem, cloud, DevOps, and acquired estates.
- Enforce approved issuance policies: block local certificate creation paths that bypass approved CAs, algorithms, key lengths, or renewal workflows.
- Automate renewal evidence and reporting: generate audit-ready reports that show policy compliance, renewal status, and certificate health in near real time.
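As an added example, not part of the NHIMG editorial or of Keyfactor's material, the Go program below turns the three guidance items into code: it builds a small constructed certificate inventory in memory, evaluates each certificate against a hypothetical approved-issuance policy (sanctioned issuing CA, minimum RSA modulus, permitted curves, 30-day renewal window), and prints the per-certificate findings a compliance report would carry. The CA name, hostnames, thresholds and the fixed reference date are assumptions chosen for illustration; in a real estate the inventory would come from discovery across CA databases, cloud key stores and endpoints rather than from generated test certificates.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is the assumed approved-issuance policy for this example (not a real
// standard): sanctioned issuing CAs, minimum RSA modulus, permitted curves, renewal window.
type Policy struct {
	ApprovedIssuers map[string]bool
	MinRSABits      int
	AllowedCurves   map[string]bool
	RenewBefore     time.Duration
}

// Evaluate checks one certificate against the policy as of now; nil means compliant.
func Evaluate(c *x509.Certificate, p Policy, now time.Time) (issues []string) {
	// Issuance path: anything not signed by an approved CA came through an unsanctioned
	// path; a self-signed leaf (issuer == subject) is the usual "a pipeline minted it" case.
	if !p.ApprovedIssuers[c.Issuer.CommonName] {
		issues = append(issues, "issuer not approved: "+c.Issuer.CommonName)
	}
	switch pub := c.PublicKey.(type) { // algorithm and key-length policy
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < p.MinRSABits {
			issues = append(issues, fmt.Sprintf("RSA key too short: %d < %d bits", bits, p.MinRSABits))
		}
	case *ecdsa.PublicKey:
		if name := pub.Curve.Params().Name; !p.AllowedCurves[name] {
			issues = append(issues, "curve not allowed: "+name)
		}
	default:
		issues = append(issues, fmt.Sprintf("key type not covered by policy: %T", pub))
	}
	switch { // lifecycle: expired is an audit finding, inside the window is a renewal to evidence
	case now.After(c.NotAfter):
		issues = append(issues, "expired")
	case now.Add(p.RenewBefore).After(c.NotAfter):
		issues = append(issues, "renewal due")
	}
	return issues
}

var ref = time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC) // fixed "now" so the report is reproducible

func CorpPolicy() Policy {
	return Policy{
		ApprovedIssuers: map[string]bool{"Corp Issuing CA 1": true},
		MinRSABits:      2048,
		AllowedCurves:   map[string]bool{"P-256": true, "P-384": true},
		RenewBefore:     30 * 24 * time.Hour,
	}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a test certificate for cn; parent nil means self-signed. Scaffolding only.
func issue(serial int64, cn string, pub crypto.PublicKey, signer crypto.Signer, parent *x509.Certificate, from, to time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// SampleInventory is constructed test data, not real certificates: a compliant leaf, a rogue
// self-signed RSA-1024 leaf close to expiry, and an expired leaf from the approved CA.
func SampleInventory() []*x509.Certificate {
	day, year := 24*time.Hour, 365*24*time.Hour
	caKey := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	ca := issue(1, "Corp Issuing CA 1", &caKey.PublicKey, caKey, nil, ref.Add(-2*year), ref.Add(8*year))
	k1 := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	k2 := must(rsa.GenerateKey(rand.Reader, 1024))
	k3 := must(rsa.GenerateKey(rand.Reader, 2048))
	return []*x509.Certificate{
		issue(2, "api.example.internal", &k1.PublicKey, caKey, ca, ref.Add(-30*day), ref.Add(year)),
		issue(3, "devops-build.example.internal", &k2.PublicKey, k2, nil, ref.Add(-year), ref.Add(10*day)),
		issue(4, "legacy.example.internal", &k3.PublicKey, caKey, ca, ref.Add(-2*year), ref.Add(-day)),
	}
}

func main() {
	for _, c := range SampleInventory() {
		fmt.Printf("%-30s issuer=%-22q expires=%s issues=%v\n", c.Subject.CommonName, c.Issuer.CommonName, c.NotAfter.Format("2006-01-02"), Evaluate(c, CorpPolicy(), ref))
	}
}
```

Running it prints one row per certificate: the api cert passes, the self-signed build cert fails on issuer, key length and renewal window at once, and the legacy cert fails as expired. Each row is the kind of evidence an auditor asks for; the point of centralising discovery is that the input to Evaluate is the whole estate rather than whichever certificates a single team happens to know about.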
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- The specific certificate inventory and reporting workflow used to support audit preparation across hybrid estates.
- Examples of how policy-driven issuance can be enforced across DevOps and cloud environments without manual tracking.
- The post-quantum readiness checklist and trust migration planning details that implementation teams need.
- The merger-related unmanaged certificate case study, including the scale of the discovery and the remediation challenge.
👉 Read Keyfactor's analysis of PKI control, compliance, and post-quantum readiness in FinServ →
PKI control in FinServ: where compliance risk is building
Explore further
Fragmented PKI is now an identity governance failure, not a tooling inconvenience. Once certificates are distributed across business units, cloud environments, and M&A integrations, the organisation loses the ability to prove control over non-human trust assets. That is a governance breakdown because ownership, issuance policy, and renewal accountability become unverifiable. For financial services, the result is compliance exposure that regulators can treat as an operational resilience issue.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when certificate control failures lead to audit findings?
A: Accountability sits with the business and security owners who control the cryptographic lifecycle, not with the audit team. In regulated environments, that usually means security leadership, infrastructure owners, and the governance function that approves exceptions. If ownership is unclear, accountability has already failed.
👉 Read our full editorial: PKI control is the new compliance clock for FinServ