
IoT security blind spots: what PKI governance teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8526
Topic starter  

TL;DR: IoT security blind spots persist when critical infrastructure deployments rely on PKI and lifecycle operations without end-to-end governance, according to DigiCert’s partner-program post on Eonti’s work. The real issue is not certificate presence but whether trust, support, and lifecycle controls are operated consistently across devices and environments.

NHIMG editorial — based on content published by DigiCert: How Eonti & DigiCert Eliminate IoT Security Blind Spots

Questions worth separating out

Q: How should teams govern IoT device identities with PKI?

A: Teams should govern IoT device identities as managed identities with explicit ownership, lifecycle states, and revocation processes.

Q: What breaks when IoT certificates are not lifecycle-managed?

A: When IoT certificates are not lifecycle-managed, devices can keep trusted access long after business ownership, vendor relationships, or security intent has changed.

Q: Why do critical infrastructure environments need stronger device identity governance?

A: Critical infrastructure needs stronger device identity governance because downtime, safety, and trust failure are tightly linked.

Practitioner guidance

  • Define ownership for every device identity: Assign a named business and technical owner for each certificate-backed device identity so renewal, revocation, and retirement cannot drift between teams.
  • Tie certificates to a lifecycle state: Track each IoT identity through issuance, active use, renewal, suspension, and decommissioning so stale trust is visible before it becomes a control gap.
  • Review revocation and recovery procedures: Test whether revocation works during outages, vendor exits, and emergency replacement scenarios, since critical infrastructure cannot wait for manual cleanup.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • How Eonti positions consulting, strategy, governance, and lifecycle operations across IoT deployments
  • The critical infrastructure use cases behind the partner narrative, including transport, healthcare, and communications
  • The specific trust-management context that explains why PKI operations matter in always-on environments
  • The vendor framing around support, global infrastructure, and 24/7/365 operational expectations

👉 Read DigiCert's partner story on Eonti and IoT security blind spots →




   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7853
 

IoT security failures are usually lifecycle failures first and cryptography failures second. The article places emphasis on trust management and PKI operations because that is where device identity either stays governable or becomes invisible. When certificates are created without durable ownership, renewal discipline, and revocation handling, the security model becomes brittle. Practitioners should read IoT identity as a governance lifecycle, not a one-time issuance event.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: How do organisations keep IoT trust visible across large device fleets?

A: Organisations keep IoT trust visible by inventorying all certificate-bearing devices, linking them to owners and systems, and reviewing their lifecycle status regularly. Visibility must include expiry dates, revocation status, and whether the device is still in active service, otherwise the fleet will contain trusted assets nobody can explain.

👉 Read our full editorial: PKI blind spots in IoT security show why lifecycle matters
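As an added illustration, not taken from the DigiCert article or from either post above, here is a small Python model of what the practitioner guidance (ownership, lifecycle state, stale trust) and the Q&A on keeping trust visible across a fleet actually amount to as checks. The state names follow the post; the permitted transitions, the finding labels, the reference time and the sample fleet (device ids, owners, expiry dates) are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Lifecycle states named in the post: issuance, active use, renewal, suspension,
# decommissioning. Which transitions are permitted is an assumption of this example.
ALLOWED_TRANSITIONS = {
    "issued": {"active"},
    "active": {"renewed", "suspended", "decommissioned"},
    "renewed": {"active"},
    "suspended": {"active", "decommissioned"},
    "decommissioned": set(),          # terminal: nothing may leave this state
}


@dataclass
class DeviceIdentity:
    """One certificate-backed device identity as the fleet inventory records it."""
    device_id: str
    state: str
    business_owner: Optional[str]
    technical_owner: Optional[str]
    not_after: datetime               # certificate expiry
    revoked: bool                     # has the CA revoked the certificate?
    in_service: bool                  # is the device still operationally deployed?
    history: List[Tuple[str, str]] = field(default_factory=list)


def transition(identity: DeviceIdentity, new_state: str) -> DeviceIdentity:
    """Move an identity to a new lifecycle state, refusing undefined transitions
    so that, for example, a decommissioned identity cannot quietly become active again."""
    if new_state not in ALLOWED_TRANSITIONS.get(identity.state, set()):
        raise ValueError(f"{identity.device_id}: {identity.state} -> {new_state} not allowed")
    identity.history.append((identity.state, new_state))
    identity.state = new_state
    return identity


def audit_identity(identity: DeviceIdentity, now: datetime,
                   renewal_window: timedelta = timedelta(days=30)) -> List[str]:
    """Return the governance findings for one identity (an empty list means clean)."""
    findings = []
    trusted_state = identity.state in ("active", "renewed")
    if not identity.business_owner or not identity.technical_owner:
        findings.append("missing-owner")
    if identity.state == "decommissioned" and not identity.revoked and identity.not_after > now:
        findings.append("stale-trust")            # retired device, certificate still valid
    if trusted_state and not identity.in_service and not identity.revoked:
        findings.append("out-of-service-but-trusted")
    if trusted_state and identity.not_after <= now:
        findings.append("expired-active")         # still marked active, but the cert has lapsed
    elif trusted_state and identity.not_after - now <= renewal_window:
        findings.append("renewal-due")
    return findings


def audit_fleet(fleet: List[DeviceIdentity], now: datetime) -> Dict[str, List[str]]:
    """Map device_id -> findings for every identity with at least one finding."""
    report = {}
    for identity in fleet:
        findings = audit_identity(identity, now)
        if findings:
            report[identity.device_id] = findings
    return report


# Fixed reference time so the sample audit is reproducible (constructed, not real).
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)


def build_sample_fleet() -> List[DeviceIdentity]:
    """Constructed sample inventory; device ids, owners and dates are not real."""
    def days(n: int) -> datetime:
        return NOW + timedelta(days=n)
    return [
        DeviceIdentity("plc-001", "active", "ops-team", "ot-eng", days(400), False, True),
        DeviceIdentity("gw-002", "decommissioned", "ops-team", "ot-eng", days(200), False, False),
        DeviceIdentity("sensor-003", "active", None, "ot-eng", days(10), False, True),
        DeviceIdentity("cam-004", "active", "facilities", "net-eng", days(-5), False, True),
        DeviceIdentity("hmi-005", "active", "ops-team", "ot-eng", days(300), False, False),
    ]


def run_sample_audit() -> Dict[str, List[str]]:
    """Audit the constructed fleet at the fixed reference time."""
    return audit_fleet(build_sample_fleet(), NOW)


if __name__ == "__main__":
    for device_id, findings in run_sample_audit().items():
        print(f"{device_id}: {', '.join(findings)}")
```

Running the script lists only the identities with findings: the decommissioned gateway whose certificate is still valid and unrevoked (the "stale trust" case), the sensor with no business owner and a renewal due, the camera still marked active with a lapsed certificate, and the HMI that is out of service but still trusted. The clean PLC does not appear, which is the point of the report: every remaining trusted identity should be one somebody can explain.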



   