Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Shadow certificates and short-lived certs: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: As certificate lifetimes shrink from years toward 47 days, unknown and undocumented certificates become a rapid-fire availability and governance risk, especially for lean teams that cannot rely on manual tracking, according to GlobalSign. The real issue is not rotation itself but the identity ownership and lifecycle controls that determine whether certificates stay visible, attributable, and remediable.

NHIMG editorial — based on content published by GlobalSign: Unknown certificates are becoming the new PKI risk problem

By the numbers:

  • The validity duration of certificates is moving from 10 years to 47 days, creating an 8- to 10-fold increase in rotation workload.

Questions worth separating out

Q: What breaks when certificate discovery is missing in PKI operations?

A: Without certificate discovery, teams cannot reliably inventory trust assets, assign ownership, or spot expiry risk before it affects services.

Q: Why do short-lived certificates increase governance risk for infrastructure teams?

A: Short-lived certificates compress the time available to notice, validate, and renew trust objects, so governance moves from periodic review to continuous lifecycle control.

Q: How do security teams know if certificate lifecycle management is actually working?

A: Lifecycle management is working when every certificate is discoverable, owned, renewed on schedule, and revoked without creating service disruption.

Practitioner guidance

  • Inventory every certificate continuously Scan servers, cloud workloads, containers, endpoints, and legacy systems on a recurring basis so every certificate has an owner, an expiry date, and an exception path.
  • Assign lifecycle ownership to each certificate Map each certificate to a business system and an accountable team, then require renewal responsibility in the same workflow that records issuance.
  • Automate standard renewals and replacements Move recurring renewal tasks into policy-driven automation for common platforms, while keeping human review for legacy systems, unusual key sizes, and exceptions.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • Practical examples of how certificate lifetimes shorten from years to 200 days, 100 days, and 47 days across the renewal lifecycle.
  • Examples of how shadow certificates emerge in development, acquisitions, legacy systems, and cloud provisioning workflows.
  • Discussion of SAN licensing as a commercial model for teams facing frequent certificate renewal.
  • Guidance on how smaller teams can adapt PKI operations without building a dedicated certificate function.

👉 Read GlobalSign's analysis of unknown certificates and shrinking validity periods →

Shadow certificates and short-lived certs: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Unknown certificates are unmanaged non-human identities in disguise. A certificate is not just cryptography, it is a trust-bearing identity object that authenticates systems, services, and applications. When it is undiscovered, it becomes a governance blind spot that can break availability without any attacker being present. The practitioner conclusion is straightforward: inventory is the first identity control, even in PKI.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • A separate finding from the same survey shows that systems with least-privileged AI access had a 17% incident rate versus 76% for over-privileged systems.

A question worth separating out:

Q: Who is accountable when an unknown certificate causes an outage?

A: Accountability should sit with the team that owns the underlying system and with the identity or PKI function that governs renewal policy. If neither can name the certificate before it fails, the organisation has a lifecycle governance gap, not just a technical issue. The fix is clear ownership, not post-incident blame.

👉 Read our full editorial: Unknown certificates are becoming the new PKI risk problem



   
ReplyQuote
Share: