TL;DR: Zero Trust depends on public key infrastructure, MFA, and SSO to verify every user, device, service, and document at each connection, making continuous verification the basis of digital trust, according to DigiCert. The governance question is no longer whether to trust identities less, but whether current controls can prove identity reliably across every access path.
NHIMG editorial — based on content published by DigiCert: Zero Trust and PKI as the foundation of digital trust
Questions worth separating out
Q: How should security teams implement Zero Trust for both human and machine identities?
A: Security teams should use Zero Trust as an identity verification model, not just a network segmentation model.
Q: Why do service and workload identities need PKI in Zero Trust environments?
A: Service and workload identities often need to authenticate without a human present, which makes passwords and one-time logins a poor fit.
Q: What breaks when certificate lifecycle management is weak?
A: Weak certificate lifecycle management creates stale trust, expired access, and revocation gaps.
Practitioner guidance
- Map trust points to cryptographic identity proof Identify every place where users, devices, services, and documents are accepted on the basis of a trust decision.
- Align MFA and SSO with workload identity controls Use MFA and SSO for human access, but pair them with certificate-based identity for workloads, services, and remote systems that must authenticate without human interaction.
- Put certificate lifecycle under governance Track issuance, renewal, rotation, expiration, and revocation as governed identity events.
What's in the full article
DigiCert's full article covers the operational detail this post intentionally leaves for the source:
- How DigiCert positions PKI inside a Zero Trust architecture for apps, services, and devices
- The operational role of certificate lifecycle management in centralizing visibility and control
- The vendor's explanation of how MFA and SSO complement certificate-backed verification
- The product framing around trust lifecycle management for identity and access environments
👉 Read DigiCert's overview of Zero Trust, PKI, and digital trust →
PKI and zero trust: are your identity controls verifying every connection?
Explore further
Zero Trust is only as strong as the identity proof behind each connection. The article is correct that perimeter trust has failed as a security model, but the deeper issue is that Zero Trust depends on trustworthy identity artefacts at runtime. If the certificate, token, or session assertion is stale or unmanaged, continuous verification becomes a slogan rather than a control. Practitioners should treat identity proof as the operational core of Zero Trust, not a supporting detail.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity assurance breaks before Zero Trust can work as intended.
A question worth separating out:
Q: Who is accountable when a trusted certificate is misused?
A: Accountability should sit with the team that owns certificate issuance, lifecycle governance, and identity policy for the affected environment. Zero Trust depends on continuous verification, so ownership must extend beyond deployment to renewal, revocation, and monitoring. NIST Cybersecurity Framework 2.0 can help map those governance responsibilities.
👉 Read our full editorial: Zero Trust and PKI define identity verification across digital systems