Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

PKI security under machine identity pressure: what teams should fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Legacy PKI, manual certificate processes, and rapid machine identity growth are driving outages, weak cryptography exposure, and low confidence in compliance across nearly 2,000 practitioners globally, according to CyberArk’s commissioned Ponemon study. The governance problem is no longer certificate volume alone; it is the mismatch between certificate lifecycle demand and human-led operating models.

NHIMG editorial — based on content published by CyberArk: Trends in PKI Security: A Global Study of Trends, Challenges & Business Impact

By the numbers:

Questions worth separating out

Q: How should security teams govern certificate lifecycle at machine identity scale?

A: Security teams should centralise certificate ownership, automate renewal and revocation, and maintain a complete inventory of every certificate that supports production services.

Q: Why do expired certificates still cause outages in mature environments?

A: Expired certificates still cause outages because many environments rely on manual tracking, fragmented ownership, and renewal processes that do not match certificate growth.

Q: What breaks when PKI visibility is incomplete?

A: Incomplete PKI visibility breaks enforcement, auditability, and incident response.

Practitioner guidance

  • Build an authoritative certificate inventory Map every internal certificate to an owner, system, expiry date, and renewal path.
  • Automate renewal and revocation workflows Remove manual renewal queues for certificates that support production services, and create auditable workflows for revocation, replacement, and exception handling.
  • Review weak cryptography exposure paths Identify certificates, keys, and CA dependencies that still rely on outdated algorithms or fragile trust chains.

What's in the full report

CyberArk's full report covers the operational detail this post intentionally leaves for the source:

  • Practitioner survey breakouts on how PKI confidence varies across regions and organisation sizes
  • The full set of findings on certificate inventory, renewal practice, and compliance confidence
  • Data on how automation and AI adoption correlate with stronger PKI confidence
  • Additional study findings on outage causes, weak cryptography, and third-party CA compromise

👉 Read CyberArk's report on PKI security trends and certificate management →

PKI security under machine identity pressure: what teams should fix?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Legacy PKI has become a machine identity governance problem, not just a certificate operations problem. When certificate demand grows faster than human-led administration, the organisation is no longer managing trust. It is managing backlog, exceptions, and hidden ownership gaps. The practical conclusion is that PKI must be governed as part of machine identity lifecycle control, not left as a separate infrastructure function.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, which shows how weak lifecycle discipline still is in many identity programmes.

A question worth separating out:

Q: Who should own PKI risk inside an identity programme?

A: PKI risk should sit jointly with identity governance, infrastructure, and application owners, because certificate failure affects access, availability, and trust. The wrong model is to leave it as a low-level operational task owned only by infrastructure teams. Ownership must be explicit, because certificate lifecycle failures are identity failures with business impact.

👉 Read our full editorial: PKI security is straining under machine identity growth



   
ReplyQuote
Share: