What do teams get wrong about certificates and service credentials?

Why This Matters for Security Teams

Certificates and service credentials are often deployed as if they were simple connectivity artifacts, but in practice they are bearer access to systems, data, and automation paths. That makes them closer to privileged identities than to infrastructure plumbing. When teams reuse them across services, environments, or pipelines, a single compromise can expose internal APIs, databases, registries, and observability systems. The problem is not the certificate itself; it is the access scope attached to it.

This is why guidance on OWASP Non-Human Identity Top 10 is so relevant to service credentials: the security model must treat machine identities as governable identities, not just secrets in transit. NHIMG research on the Secret Sprawl Challenge shows how quickly credentials spread across teams, repos, and deployment tooling once they are considered “easy to use.” In the 2024 Non-Human Identity Security Report, 88.5% of organisations said their non-human IAM practices lag behind or only match their human IAM maturity.

In practice, many security teams discover the blast radius of a service credential only after it has already been reused in production automation and copied into more places than anyone can inventory.

How It Works in Practice

The core mistake is assuming certificates, API keys, and service account can be managed with the same operating model as endpoint configuration. They need lifecycle controls, ownership, scope limits, and rotation discipline. A certificate may authenticate a workload, but the associated private key and trust chain determine what that workload can reach. If the credential is embedded in a container image, shared across clusters, or issued with broad network trust, compromise becomes persistent and difficult to isolate.

Current best practice is to separate identity proof from long-lived access. That means issuing short-lived credentials where possible, binding them to workload identity, and making authorization depend on runtime context rather than a static entitlement set. For many teams, this includes secrets managers, automated rotation, mutual TLS, and workload identity systems that reduce the need for reusable static material. The practical goal is not “no certificates,” but fewer durable secrets with narrower blast radius.

NHIMG’s Ultimate Guide to NHIs — Static vs Dynamic Secrets is useful here because it frames the operational difference between credentials that sit unchanged for months and those that expire with the task. That distinction matters when service accounts are used by CI/CD, internal bots, data pipelines, and microservices. The NIST SP 800-63 Digital Identity Guidelines reinforce the principle that identity assurance and credential lifecycle are inseparable, even though machine identity implementations differ from human authentication models.

• Assign an explicit owner to every certificate and service credential.
• Track where each credential is issued, stored, loaded, and rotated.
• Prefer short-lived tokens or ephemeral credentials over reusable static secrets.
• Limit trust scope to the smallest service, environment, and purpose needed.
• Revoke credentials automatically when the workload, pipeline, or service ends.

These controls tend to break down in hybrid and multi-cloud environments because credential paths multiply faster than governance tooling can keep up.

Common Variations and Edge Cases

Tighter credential controls often increase operational overhead, requiring organisations to balance blast-radius reduction against deployment friction. That tradeoff is real, especially when legacy applications cannot easily support short-lived tokens, mutual TLS, or centralized identity brokers. In those environments, teams may keep static credentials longer than ideal, but current guidance suggests compensating with stricter segmentation, aggressive monitoring, and faster revocation workflows.

There is no universal standard for every legacy pattern yet. Some environments still rely on shared service certificates for clustering, messaging, or appliance integrations, and replacing them overnight can cause outages. The better approach is to classify credentials by risk, then phase the highest-value ones first: production databases, registry access, pipeline deploy keys, and observability backends. That sequencing aligns with the reality that a low-visibility credential often becomes high impact once it can reach multiple tiers.

NHIMG’s Cisco Active Directory credentials breach and Sisense breach illustrate the same practical lesson: once service credentials are exposed, downstream systems tend to be more reachable than teams expected. The right question is not whether a certificate is “secure enough” in isolation, but whether its failure can be contained when it is reused across a chain of services.

Related resources from NHI Mgmt Group

• What do security teams get wrong about connector credentials in infrastructure automation?
• What do teams get wrong about self-service identity administration?
• What do security teams get wrong about staging credentials?
• What do teams get wrong about short-lived machine credentials?