TL;DR: As governments expand digital services, the article argues that PKI certificates have become the trust layer for identity verification, encryption, and auditability across citizen portals, smart cities, and cross-border workflows, according to eMudhra. The governance shift is that digital trust now depends on certificate lifecycle control, not just authentication strength.
NHIMG editorial — based on content published by eMudhra: PKI services as the backbone of digital governance and trust
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should organisations govern reusable digital identity across multiple services?
A: Treat reusable digital identity as a governed trust decision, not a convenience feature.
Q: Why do PKI failures create identity risk as well as encryption risk?
A: PKI failures create identity risk because a certificate is a credential that proves who or what a system believes it is.
Q: What do security teams get wrong about machine identities in PKI programmes?
A: Teams often focus on issuance and forget the lifecycle.
Practitioner guidance
- Map every certificate to a named business owner Require an accountable owner, issuing authority, and revocation path for each certificate, including certificates used by ministries, devices, and automated services.
- Build certificate lifecycle controls into identity governance Treat issuance, renewal, expiry, and revocation as governed identity events rather than infrastructure maintenance.
- Extend NHI inventory to machine certificates Include IoT devices, service accounts, integration certificates, and signing identities in the same inventory model.
What's in the full article
eMudhra's full article covers the operational detail this post intentionally leaves for the source:
- How its PKI services are positioned across government digital IDs, e-signatures, and national trust frameworks.
- The specific SecurePass IAM capabilities mentioned for identity governance, PAM, directory control, and certificate management.
- How the PKI platform is described for machine and IoT identity management in public-sector environments.
- The article's own framing of data sovereignty, local certificate authorities, and cross-border trust interoperability.
👉 Read eMudhra's article on PKI services for digital government trust →
PKI for digital government identity: what IAM teams need to know?
Explore further
PKI is not just encryption infrastructure, it is identity governance for cryptographic actors. Governments often describe certificates as technical plumbing, but the article shows they now function as the trust backbone for citizen access, device access, and service-to-service exchange. That makes certificate ownership, issuance policy, and revocation discipline part of identity governance, not separate from it. The practitioner implication is that certificate trust should be governed with the same rigour as privileged access.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how quickly identity inventory breaks down at machine scale.
A question worth separating out:
Q: Who should be accountable when certificate abuse leads to domain compromise?
A: Accountability should sit with the teams that govern identity trust, template policy, and privileged enrolment, not only with Windows administrators. AD CS compromise is an identity governance failure because it converts a certificate decision into domain-level authority.
👉 Read our full editorial: PKI is becoming the trust layer for digital government identity