TL;DR: RBI PKI compliance and SEBI CSCRF now make certificate inventory, renewal, revocation, and immutable audit trails central to financial trust in India, with automated lifecycle management positioned as the operational response, according to eMudhra. The real challenge is not certificate ownership alone, but whether identity governance can keep pace with expiring credentials across regulated systems.
NHIMG editorial — based on content published by eMudhra: RBI PKI compliance and SEBI CSCRF requirements for certificate lifecycle management
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities , 46% confirmed, 26% suspected.
Questions worth separating out
Q: How should security teams govern certificate lifecycles across hybrid environments?
A: Treat certificate lifecycles as identity governance, not ad hoc operations.
Q: Why do certificates create identity governance risk when they are not revoked quickly?
A: Certificates create risk because they act as credentials for systems and services.
Q: What do organisations get wrong about cloud PKI?
A: They often assume automation alone creates compliance.
Practitioner guidance
- Inventory every certificate as a governed asset Create a complete inventory of certificates, owners, issuers, validity dates, and dependent services.
- Automate renewal before expiry windows close Trigger renewal workflows well before certificate expiration and make exception handling visible to compliance owners.
- Log certificate events as audit evidence Preserve issuance, deployment, renewal, and revocation records in an immutable log that supports inspection and incident review.
What's in the full article
eMudhra's full article covers the operational detail this post intentionally leaves for the source:
- Certificate issuance and renewal workflow specifics for RBI and SEBI aligned environments
- eMCA and CertiNext deployment details for certificate discovery, logging, and automation
- Practical control examples for HSM integration, role-based access, and compliance dashboards
- The compliance timing and audit expectations that shape implementation planning
👉 Read eMudhra's guidance on RBI PKI compliance and SEBI CSCRF →
RBI PKI compliance and SEBI CSCRF: what should IAM teams change?
Explore further
Certificate governance is now a non-human identity problem. Certificates behave like governed machine identities because they are issued, scoped, renewed, revoked, and audited. RBI PKI compliance and SEBI CSCRF both push institutions toward lifecycle discipline rather than one-time deployment. The practitioner conclusion is that certificate oversight belongs in the same governance model as other non-human credentials.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when an expired certificate causes a service outage?
A: Accountability sits with the team that owns certificate lifecycle governance, not only with infrastructure operations. The failure usually reflects missing ownership, weak inventory, and lack of automated renewal controls, which makes the issue a programme problem as much as a technical one.
👉 Read our full editorial: RBI PKI compliance and SEBI CSCRF raise the bar for certificate governance