TL;DR: Fragmented certificate ownership, inconsistent revocation tracking, and certificate sprawl create governance blind spots across hybrid and multi-cloud environments, according to eMudhra. Centralized PKI management is now an identity control problem, because certificate lifecycle, ownership, and policy enforcement determine whether machine trust is visible or merely assumed.
NHIMG editorial — based on content published by eMudhra: Digital trust in modern enterprises and the case for centralized PKI management
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should security teams govern certificate lifecycle across hybrid and multi-cloud environments?
A: Start by centralising discovery, ownership, issuance policy, renewal thresholds, and revocation evidence in one programme.
Q: Why do fragmented certificate processes create identity governance risk?
A: Because certificates often authenticate services, devices, and applications, fragmentation creates hidden trust relationships that no one team fully owns.
Q: What breaks when certificate revocation is not tightly managed?
A: Compromised or decommissioned certificates can remain trusted long after their purpose has ended, especially in distributed environments with multiple CAs.
Practitioner guidance
- Map certificate ownership across the enterprise Create a single inventory that records certificate owner, business system, CA source, expiry date, and deployment location across on-prem, cloud, containers, and edge assets.
- Standardise issuance and renewal policy Define approved CAs, key lengths, algorithm requirements, and validity periods so local teams cannot create inconsistent trust rules for the same environment.
- Automate expiry and revocation workflows Tie renewal alerts, revocation lists, and OCSP checks into operational workflows so compromised or decommissioned certificates can be removed from trust quickly.
What's in the full article
eMudhra's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step certificate lifecycle stages from discovery through revocation and compliance reporting
- Operational guidance for deploying certificates across load balancers, Kubernetes clusters, and cloud-native applications
- Practical automation considerations for renewal alerts, approval workflows, and revocation evidence
- The source's own business case framing for centralised PKI management in hybrid and multi-cloud environments
👉 Read eMudhra's article on centralized PKI strategy and certificate lifecycle governance →
PKI governance and certificate lifecycle control for IAM teams?
Explore further
PKI sprawl is really identity sprawl. Certificates are not isolated cryptographic artefacts when they control workload authentication, service-to-service trust, and device access. Once ownership, issuance, and revocation are distributed across teams, PKI becomes a governance problem that IAM and infrastructure teams both inherit. The practical conclusion is that certificate inventory belongs inside the broader identity programme, not outside it.
A few things that frame the scale:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
- 53% of security leaders expect AI to run major portions of their infrastructure autonomously within the next three years, which is why certificate governance can no longer live only inside platform operations.
A question worth separating out:
Q: Who should be accountable for enterprise PKI governance?
A: Accountability should sit with the identity or security function, but operational ownership must extend to infrastructure, DevOps, and application teams that issue or consume certificates. If no one owns lifecycle decisions end to end, the enterprise inherits blind spots in trust management.
👉 Read our full editorial: Centralized PKI governance is now an identity security requirement