TL;DR: AI is being adopted broadly in cybersecurity, with 93% of security leaders reporting GenAI use and 91% using it for cyber work, while certificate management teams are increasingly using it to automate issuance, renewal, revocation, and anomaly detection, according to GlobalSign. That efficiency also creates a new governance problem: machine assistance can weaken trust assumptions in PKI if data poisoning, prompt injection, or over-automated approvals are not constrained.
NHIMG editorial — based on content published by GlobalSign: AI risks and benefits in certificate management
By the numbers:
- 93% of security leaders reported that their organisations used generative AI in 2024, and 91% used it specifically for cybersecurity purposes.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern AI-assisted certificate issuance and renewal?
A: Treat AI as a decision-support layer, not the trust authority.
Q: Why do AI systems create new risk in certificate management?
A: AI creates risk because certificate workflows depend on inputs that can be poisoned, manipulated, or imitated.
Q: What breaks when certificate approval becomes too automated?
A: When approval becomes too automated, the organisation loses the ability to prove why a certificate was trusted at a specific moment.
Practitioner guidance
- Separate recommendation from approval in PKI workflows Allow AI to flag anomalies or prioritise review, but keep issuance, renewal, and revocation decisions tied to explicit policy checks and human-owned approval paths.
- Validate training and telemetry inputs before they influence certificate decisions Use independent data validation for training sets, log sources, and certificate inventory feeds so poisoned inputs cannot shape trust outcomes without detection.
- Constrain prompt access to PKI details and certificate actions Limit what generative systems can see and do, and require separate verification for requests that would expose PKI metadata or create trusted credentials.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- Practical examples of AI use in certificate issuance, renewal, revocation, and compliance workflows.
- Expanded discussion of data poisoning, prompt injection, and how those risks can affect PKI trust decisions.
- Examples of anomaly detection and monitoring patterns for certificate activity at scale.
- The article's guidance on combining AI with Zero Trust and delegated credentials in CDN environments.
👉 Read GlobalSign's analysis of AI risks and benefits in certificate management →
AI in certificate management: are your PKI controls keeping up?
Explore further
AI in certificate management is an NHI governance problem, not just an efficiency story. Certificate issuance, renewal, revocation, and compliance checks are identity operations that decide what is trusted inside the environment. Once AI is allowed to assist those decisions, the control question shifts from speed to assurance. The right lens is OWASP-NHI and Zero Trust, because the workflow is now mediated by machine identities and machine decisions.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: How do Zero Trust principles apply to certificate operations?
A: Zero Trust means every certificate request should be verified continuously for identity, context, and least privilege, even when a machine is making the request. For AI-assisted workflows, that means checking the requesting entity, constraining the action scope, and requiring independent policy enforcement before trust is extended.
👉 Read our full editorial: AI in certificate management changes PKI risk and governance