Machine identity observability: what IAM teams need to fix now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Unknown certificates, keys, and machine identities remain a major source of outages and blind spots, with one industry survey finding only 17% of organisations have full real-time visibility and 86% experienced at least one certificate-related outage in the past year, according to Keyfactor. Continuous discovery is no longer an inventory exercise; it is the control layer that makes machine identity governance, renewal, and policy enforcement possible.

NHIMG editorial — based on content published by Keyfactor: Stage One, Continuous Observability in a Zero-Blindspot World

By the numbers:

Questions worth separating out

Q: How should security teams build a continuous inventory for machine identities?

A: They should combine active discovery, endpoint telemetry, and API integrations into one authoritative record, then keep ownership and expiry data updated continuously.

Q: Why do machine identities create more governance risk than many teams expect?

A: Machine identities move faster than human review cycles and often lack clear ownership, which makes them easy to miss and hard to govern.

Q: What breaks when certificate discovery is only done once in a while?

A: Point-in-time discovery goes stale as soon as new instances, containers, or certificates are created.

Practitioner guidance

  • Build a continuously refreshed machine identity inventory: Combine active scanning, endpoint discovery, and API-fed inventory into one authoritative record for certificates, keys, and related cryptographic assets.
  • Track ownership and dependency before automating renewal: Do not push renewal automation until each asset has an accountable owner and a mapped business dependency.
  • Expand discovery beyond certificates to the full crypto estate: Include secrets, SSH keys, code-signing keys, HSM and vault inventories, and cryptographic library versions in the same control view.

What's in the full article

Keyfactor's full product post covers the operational detail this post intentionally leaves for the source:

  • How the Trust Control Plane stages discovery across network scanning, endpoint telemetry, and API integrations
  • The metadata model for ownership, expiration, and business criticality that turns inventory into observability
  • The broader crypto asset scope, including keys, secrets, vaults, and cryptographic library versions
  • The staged transition from visibility to policy enforcement and automation

👉 Read Keyfactor's analysis of continuous discovery for machine identity governance →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Continuous discovery is now a governance control, not an inventory convenience. Machine identity estates change too quickly for periodic scans to remain authoritative. The operational issue is not simply missing data, but governance built on stale data that cannot support renewal, revocation, or audit decisions. Practitioners should treat discovery quality as a control objective, not a reporting metric.

A few things that frame the scale:

  • 57% of organisations lack a complete inventory of their machine identities, according to The Critical Gaps in Machine Identity Management report.
  • 66% report that managing machine identities requires significantly more manual intervention compared to human identity management.

A question worth separating out:

Q: Who should be accountable for machine identity assets that have no clear owner?

A: No asset should be left in governance limbo. If a certificate, key, or secret cannot be tied to a responsible team, it should be escalated as an ownership defect and placed under temporary control until the service owner is identified or the asset is removed.

👉 Read our full editorial: Continuous discovery is the missing layer in machine identity governance

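As an added example (not Keyfactor's or NHIMG's code), the Python sketch below implements the practitioner guidance from both posts: network scan, endpoint telemetry and API-feed records are folded into one authoritative record per certificate fingerprint, unowned assets are flagged as ownership defects, and renewal automation is permitted only once an owner and a business dependency are recorded. The source field names, the constructed sample records and the 30-day renewal window are assumptions made for the demo.

```python
from datetime import datetime, timezone, timedelta
# Constructed sample output from the three discovery sources the post names.
# Fingerprints, hosts and team names are made up for the demo.
NETWORK_SCAN = [
    {"fingerprint": "AA11", "host": "api.example.internal", "not_after": "2025-02-01T00:00:00Z"},
    {"fingerprint": "BB22", "host": "pay.example.internal", "not_after": "2026-06-30T00:00:00Z"},
]
ENDPOINT_TELEMETRY = [
    {"fingerprint": "BB22", "host": "pay.example.internal", "path": "/etc/ssl/pay.pem"},
    {"fingerprint": "CC33", "host": "batch-07.example.internal", "path": "/opt/app/tls.crt"},
]
API_FEED = [  # e.g. a CA or vault API; the only source carrying ownership metadata
    {"fingerprint": "BB22", "owner": "payments-team", "dependency": "checkout"},
    {"fingerprint": "AA11", "owner": "", "dependency": ""},
]
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # constructed "current time" for the demo

def merge_inventory(scan, telemetry, api):
    """Fold every source into one authoritative record per certificate fingerprint."""
    inv = {}
    for src, rows in (("network_scan", scan), ("endpoint", telemetry), ("api", api)):
        for row in rows:
            rec = inv.setdefault(row["fingerprint"],
                                 {"sources": set(), "owner": "", "dependency": "", "not_after": None})
            rec["sources"].add(src)
            for key in ("host", "path", "not_after", "owner", "dependency"):
                if row.get(key):  # an empty owner/dependency never overwrites a known value
                    rec[key] = row[key]
    return inv

def govern(inv, now, renewal_window=timedelta(days=30)):
    """Flag unowned assets as ownership defects and permit renewal automation
    only where an owner and a business dependency are both recorded."""
    decisions = {}
    for fp, rec in inv.items():
        issues = []
        if not rec["owner"]:
            issues.append("ownership_defect")
        if not rec["dependency"]:
            issues.append("no_dependency_mapped")
        if rec["not_after"] is None:
            issues.append("expiry_unknown")
        elif datetime.fromisoformat(rec["not_after"].replace("Z", "+00:00")) - now <= renewal_window:
            issues.append("expiring_soon")
        automate = all(i == "expiring_soon" for i in issues)  # expiry alone does not block automation
        decisions[fp] = {"issues": issues, "renewal_automation": automate,
                         "sources": sorted(rec["sources"])}
    return decisions

def run_demo():
    return govern(merge_inventory(NETWORK_SCAN, ENDPOINT_TELEMETRY, API_FEED), NOW)
```

In the sample data only BB22 is seen by all three sources and carries an owner, so it is the only asset cleared for automated renewal; AA11 is expiring but unowned, and CC33 is known to the endpoint agent alone with no expiry or owner on record.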