TL;DR: PKI is still the trust layer behind secure email, device authentication, TLS, VPNs, and digital signatures, but the article argues that failures come from treating certificates as a static task instead of a living identity system. Its practical case is that modern PKI only works when lifecycle, automation, and visibility are managed continuously.
NHIMG editorial — based on content published by GlobalSign: PKI governance, cloud automation, and the case for modern trust management
Questions worth separating out
Q: How should security teams govern PKI in cloud-native environments?
A: Security teams should govern PKI as an identity lifecycle function, not as a one-time infrastructure setup.
Q: Why do certificate failures keep happening even when PKI is cryptographically sound?
A: Certificate failures usually happen because organisations manage the process badly, not because the cryptography is weak.
Q: What do security teams get wrong about PKI and Zero Trust?
A: They often assume PKI is a supporting utility rather than a primary trust control.
Practitioner guidance
- Inventory every certificate and key location Create a single authoritative inventory that includes certificates in applications, CI/CD pipelines, device fleets, and cloud services.
- Automate issuance, renewal, and revocation Replace manual renewal workflows with policy-based automation for short-lived certificates where possible.
- Map certificate governance to identity lifecycle controls Treat certificates as governed identities, then map their issuance and offboarding to lifecycle processes used for other NHIs.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- How certificate lifecycle management is handled in cloud-native and IoT environments
- Why manual renewal breaks down at scale across distributed device estates
- Where PKI fits into secure email, TLS, device authentication, and Zero Trust deployments
- What modern certificate automation changes for DevOps and infrastructure teams
👉 Read GlobalSign's analysis of why PKI governance still matters →
PKI governance gaps: what IAM teams are missing?
Explore further
PKI is not obsolete, but it is frequently governed like a one-time setup rather than an identity lifecycle. That framing is the real failure, because certificates, keys, and trust chains change continuously while many operating models still assume they do not. The discipline problem is not cryptography, it is lifecycle ownership across security, infrastructure, and application teams. Practitioners should treat PKI as a standing governance surface, not a completed project.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: Who should own certificate lifecycle risk in an organisation?
A: Ownership should sit with the identity or security function, but the operating responsibilities must extend into infrastructure, platform, and application teams. Certificate lifecycle risk is shared, yet accountability must be explicit. If ownership is vague, expiry, revocation gaps, and orphaned certificates become inevitable.
👉 Read our full editorial: PKI governance is the real issue, not PKI obsolescence