TL;DR: Legacy PKI, manual certificate processes, and rapid machine identity growth are driving outages, weak cryptography exposure, and low confidence in compliance across nearly 2,000 practitioners globally, according to CyberArk’s commissioned Ponemon study. The governance problem is no longer certificate volume alone; it is the mismatch between certificate lifecycle demand and human-led operating models.
NHIMG editorial — based on content published by CyberArk: Trends in PKI Security: A Global Study of Trends, Challenges & Business Impact
By the numbers:
- 56% have suffered unplanned outages due to expired certificates or configuration errors.
- 60% experienced security exploits as a result of weak cryptography.
Questions worth separating out
Q: How should security teams govern certificate lifecycle at machine identity scale?
A: Security teams should centralise certificate ownership, automate renewal and revocation, and maintain a complete inventory of every certificate that supports production services.
Q: Why do expired certificates still cause outages in mature environments?
A: Expired certificates still cause outages because many environments rely on manual tracking, fragmented ownership, and renewal processes that do not match certificate growth.
Q: What breaks when PKI visibility is incomplete?
A: Incomplete PKI visibility breaks enforcement, auditability, and incident response.
Practitioner guidance
- Build an authoritative certificate inventory: Map every internal certificate to an owner, system, expiry date, and renewal path.
- Automate renewal and revocation workflows: Remove manual renewal queues for certificates that support production services, and create auditable workflows for revocation, replacement, and exception handling.
- Review weak cryptography exposure paths: Identify certificates, keys, and CA dependencies that still rely on outdated algorithms or fragile trust chains.
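The three guidance items above can be checked mechanically once the inventory exists as structured records. The sketch below is an added example, not code from CyberArk's report or from this post; the record fields, the 30-day renewal window, the weak-algorithm list, and the RSA key-size floor are all assumptions, and the inventory entries are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values; the page names no specific algorithms or thresholds.
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
MIN_RSA_BITS = 2048
RENEWAL_WINDOW = timedelta(days=30)

@dataclass
class CertRecord:
    subject: str
    owner: str          # empty string when nobody is assigned
    system: str
    not_after: date
    renewal_path: str   # "acme", "manual", or "" when unknown (hypothetical values)
    sig_alg: str
    key_type: str
    key_bits: int

def audit(record, today):
    """Return governance findings for one inventory record."""
    findings = []
    if not record.owner:
        findings.append("no-owner")
    if not record.renewal_path:
        findings.append("no-renewal-path")
    elif record.renewal_path == "manual":
        findings.append("manual-renewal")
    if record.not_after < today:
        findings.append("expired")
    elif record.not_after - today <= RENEWAL_WINDOW:
        findings.append("expiring-soon")
    if record.sig_alg in WEAK_SIG_ALGS:
        findings.append("weak-signature")
    if record.key_type == "RSA" and record.key_bits < MIN_RSA_BITS:
        findings.append("weak-key")
    return findings

def audit_inventory(records, today):
    """Map subject -> findings, keeping only records that need action."""
    return {r.subject: f for r in records if (f := audit(r, today))}

# Constructed sample inventory and a fixed audit date so results are repeatable.
TODAY = date(2025, 6, 20)
SAMPLE = [
    CertRecord("api.internal.example", "payments-team", "payments-api", date(2025, 12, 1), "acme", "sha256WithRSAEncryption", "RSA", 2048),
    CertRecord("legacy-ldap.internal.example", "", "directory", date(2025, 7, 5), "manual", "sha1WithRSAEncryption", "RSA", 1024),
    CertRecord("build-agent.internal.example", "ci-team", "ci", date(2025, 6, 1), "", "ecdsa-with-SHA256", "EC", 256),
]
```

Calling `audit_inventory(SAMPLE, TODAY)` returns only the two records that need action, which gives each finding an owner queue or, where the owner is missing, an escalation.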
What's in the full report
CyberArk's full report covers the operational detail this post intentionally leaves for the source:
- Practitioner survey breakouts on how PKI confidence varies across regions and organisation sizes
- The full set of findings on certificate inventory, renewal practice, and compliance confidence
- Data on how automation and AI adoption correlate with stronger PKI confidence
- Additional study findings on outage causes, weak cryptography, and third-party CA compromise