
Should organisations treat certificates and tokens like other non-human identities?

By NHI Mgmt Group Editorial Team. Updated May 28, 2026. Domain: Governance, Ownership & Risk.

Yes. Certificates and tokens are identities with authority, reach, and lifecycle risk, even if they do not look like accounts. They should be governed with ownership, expiry, rotation, and revocation controls, because the damage usually comes from stale trust, not from the credential format itself.

Why This Matters for Security Teams

Certificates and tokens are not “just technical artifacts”; they are machine-held proof of identity that can authorize access, move laterally, and persist long after the system that minted them has changed. Treating them differently from other non-human identities creates blind spots in ownership, expiry, and revocation. That is why NHI governance has to cover secrets as identity objects, not only as configuration data. The State of Secrets Sprawl 2026 found that 64% of valid secrets leaked in 2022 are still valid and exploitable today, which is a clear signal that detection without lifecycle control is not enough.

Security teams often misclassify certificates and tokens as “safe because they are non-interactive,” then discover the real problem only after a breach, an outage, or a partner integration failure. That pattern appears in incidents such as the Salesloft OAuth token breach and the JetBrains GitHub plugin token exposure, where the credential format mattered less than the authority it carried. Current guidance from the NIST Cybersecurity Framework 2.0 reinforces that identity assurance and access control must be continuous, not assumed from issuance alone. In practice, many security teams encounter stale certificate trust only after a routine renewal failure or an exposed token has already been used.

How It Works in Practice

Practical NHI governance treats certificates and tokens as lifecycle-managed identities. That means assigning an owner, defining intended use, limiting scope, setting expiry, and revoking access when the workload or integration changes. A token issued for one pipeline run should not remain valid for a quarter. A certificate used for one service mesh path should not quietly become a general-purpose trust anchor. The core question is not “is this a credential?” but “what authority does this credential confer, for how long, and who can revoke it?”

Effective programs usually combine inventory, policy, and automation. Inventory answers what exists and where it is used. Policy decides which certificates and tokens are acceptable for a given workload, often with least privilege and separation by environment. Automation handles renewal, rotation, and revocation before expiry becomes an outage event. The Guide to the Secret Sprawl Challenge is useful here because secret sprawl often starts in CI/CD, chat systems, and shared tooling long before it is visible in a formal secrets vault. NIST guidance also supports this operational model: the NIST Cybersecurity Framework 2.0 emphasizes governance, access control, and continuous monitoring rather than one-time issuance checks.

  • Map every certificate and token to an owner, system, and purpose.
  • Set short-lived defaults where the workload can tolerate it.
  • Use automated rotation and revocation, not ticket-driven cleanup.
  • Separate human admin access from machine-to-machine trust paths.
  • Monitor for stale credentials that outlive their intended workload or pipeline.

The same logic appears in breach analysis: the Sisense breach and the Internet Archive breach both show how credential exposure becomes identity exposure once authority is reusable. These controls tend to break down when organisations have no complete inventory of machine identities and still rely on spreadsheets for tracking, because revocation and renewal become manual exceptions instead of routine operations.

Common Variations and Edge Cases

Tighter certificate and token governance often increases operational overhead, so organisations have to balance stronger control against deployment speed and service reliability. That tradeoff is real, especially in legacy environments, partner integrations, and systems that cannot tolerate frequent re-authentication.

There is no universal standard for every edge case yet. Some workloads genuinely need longer-lived certificates because embedded devices, offline systems, or constrained industrial environments cannot refresh quickly. In those cases, best practice is evolving toward compensating controls such as narrower scope, stronger monitoring, and segmented trust boundaries rather than pretending the credential is low risk. The same caution applies to externally managed integrations, where revocation speed may depend on third-party processes.

Current guidance suggests treating bearer tokens as especially sensitive because they are often easy to replay if leaked, while certificates may appear safer but still create durable trust if private keys are compromised. A token used by automation should usually be shorter-lived than an operator-created access grant, and both should be reviewed as part of the broader NHI estate described in the Ultimate Guide to NHIs — What are Non-Human Identities. For organisations building toward stronger machine-identity discipline, the right benchmark is not whether the credential is a certificate or a token, but whether it has a defined owner, a bounded lifetime, and a reliable revocation path.
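The lifecycle checks described above (a named owner, a lifetime bounded per credential class, a workload that still exists, and a working revocation path) can be run as a routine audit over a machine-identity inventory. The following is an added example, not code from NHI Mgmt Group; the policy lifetimes, credential ids, owners and workloads are constructed assumptions.

```python
from datetime import date, timedelta

# Maximum acceptable lifetime per credential class (assumed policy values, not from the page).
# Automation tokens are bounded tighter than operator-created grants; certificates longer still.
MAX_LIFETIME = {
    "bearer_token": timedelta(days=1),
    "operator_grant": timedelta(days=30),
    "certificate": timedelta(days=90),
}

# Constructed sample inventory; ids, owners and workloads are made up for illustration.
INVENTORY = [
    {"id": "tok-ci-build", "kind": "bearer_token", "owner": "platform-team",
     "workload": "ci-pipeline", "workload_active": True, "revocable": True,
     "issued": "2026-05-28", "expires": "2026-05-29"},
    {"id": "tok-legacy-sync", "kind": "bearer_token", "owner": "",
     "workload": "partner-sync", "workload_active": True, "revocable": True,
     "issued": "2026-01-10", "expires": "2026-07-10"},
    {"id": "cert-mesh-orders", "kind": "certificate", "owner": "orders-team",
     "workload": "orders-svc", "workload_active": False, "revocable": True,
     "issued": "2026-03-01", "expires": "2026-05-30"},
    {"id": "cert-plc-gateway", "kind": "certificate", "owner": "ot-team",
     "workload": "plc-gateway", "workload_active": True, "revocable": False,
     "issued": "2025-06-01", "expires": "2027-06-01"},
]

def audit(inventory, today_iso):
    """Return (credential id, finding) pairs for each live credential failing a
    governance check: owner, bounded lifetime, live workload, revocation path."""
    today = date.fromisoformat(today_iso)
    findings = []
    for cred in inventory:
        issued = date.fromisoformat(cred["issued"])
        expires = date.fromisoformat(cred["expires"])
        if expires <= today:
            continue  # expired: no live trust left to govern
        if not cred["owner"]:
            findings.append((cred["id"], "no_owner"))
        if expires - issued > MAX_LIFETIME[cred["kind"]]:
            findings.append((cred["id"], "lifetime_exceeds_policy"))
        if not cred["workload_active"]:
            findings.append((cred["id"], "stale_trust"))  # outlives its workload
        if not cred["revocable"]:
            findings.append((cred["id"], "no_revocation_path"))
    return findings

if __name__ == "__main__":
    for cred_id, finding in audit(INVENTORY, "2026-05-28"):
        print(f"{cred_id}: {finding}")
```

A long-lived, non-revocable device certificate such as the constructed plc-gateway entry is exactly the case where the findings should drive compensating controls (narrower scope, closer monitoring) rather than be silently accepted.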

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03              | Covers lifecycle control for non-human credentials like certs and tokens.
NIST CSF 2.0                    | PR.AC-4             | Least-privilege access applies directly to machine-held certificates and tokens.
NIST AI RMF                     |                     | Supports governance of autonomous systems that depend on machine identities.

Assign clear accountability for machine identity decisions and monitor lifecycle risk continuously.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 28, 2026.