Accountability sits with the identity, PKI, and platform owners together because certificate strength depends on governance across issuance, renewal, revocation, and decommissioning. If those controls are weak, the organisation has simply replaced one credential type with another unmanaged one. Ownership needs to be explicit before certificates are trusted as a primary authentication layer.
Why This Matters for Security Teams
Certificate-based authentication only improves security when the full lifecycle is controlled. If issuance, renewal, revocation, and decommissioning are weak, the certificate becomes another long-lived credential with better branding. That creates false confidence, especially when teams assume PKI automatically enforces least privilege. NHIMG research on The Critical Gaps in Machine Identity Management report shows why this is operationally dangerous: 59% of organisations report greater difficulty auditing machine identities because of unclear ownership and limited visibility.
The accountability problem is rarely about one team failing in isolation. Identity, PKI, infrastructure, and application owners all influence whether a certificate is traceable, rotated, and removed on time. Current guidance from the OWASP Non-Human Identity Top 10 treats unmanaged machine identity as a core risk area, not a narrow PKI issue. In practice, many security teams discover that certificate sprawl only becomes visible after expiry events, service outages, or an offboarding failure has already exposed the gap.
How It Works in Practice
Accountability should be assigned by lifecycle stage, not by certificate format alone. Identity owners typically define who can request a certificate, PKI teams govern issuance and trust policy, platform teams enforce deployment and rotation, and application owners confirm the certificate is still needed. Without that split, revocation requests stall, renewal windows are missed, and stale certificates remain active after systems are retired.
Practitioner guidance is moving toward explicit machine identity governance, where certificate-based authentication is paired with inventory, ownership, and automated expiry handling. The NHI Lifecycle Management Guide frames this as a continuous control problem rather than a one-time provisioning task. A useful operating model is:
- assign a named owner for every certificate and workload identity;
- bind certificate issuance to a documented business or technical justification;
- enforce short validity periods where automation can support renewal;
- revocation must be tied to decommissioning, incident response, and offboarding;
- track certificates in the same inventory used for other NHIs, not in spreadsheets alone.
The NIST Zero Trust Architecture model reinforces that trust should be evaluated continuously, not assumed because a certificate exists. That matters because certificate strength depends on the controls around it, especially when the organisation has to prove who approved, rotated, or retired the identity. These controls tend to break down in environments with many short-lived workloads, manual renewal processes, or shared service accounts because ownership becomes diffuse and lifecycle events are missed.
Common Variations and Edge Cases
Tighter certificate governance often increases administrative overhead, so organisations have to balance faster adoption against the cost of building reliable lifecycle automation. That tradeoff is especially visible in hybrid estates, legacy middleware, and vendor-managed appliances where certificate changes may require downtime or manual intervention. Best practice is evolving, and there is no universal standard for assigning accountability in every environment.
In many cases, the right answer is a shared accountability model with clear decision rights. Security may own policy, PKI may own trust infrastructure, but service owners still need to own the business need for each certificate and confirm retirement when the workload changes. This is where Top 10 NHI Issues is useful: it highlights that unclear ownership and weak rotation are recurring failure modes, not edge cases. For teams building controls, the practical question is not only who issues the certificate, but who can prove it is still needed today.
One important exception is emergency revocation. In incident response, accountability can temporarily shift to the security team or platform incident commander, but that does not remove the need for named operational owners afterward. Organisations using Ultimate Guide to NHIs and lifecycle processes should document those handoffs before an outage or compromise forces the issue.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Ownership and lifecycle gaps are central machine identity risks. |
| NIST CSF 2.0 | PR.AC-1 | Access control depends on trusted identity lifecycle management. |
| NIST AI RMF | GOVERN | Accountability for autonomous workloads needs explicit governance and traceability. |
Assign an owner to every certificate and enforce renewal, revocation, and retirement as required controls.
Related resources from NHI Mgmt Group
- Who is accountable when stale SSO sessions or weak token controls cause exposure?
- Who is accountable when an OAuth implementation allows weak code exchange controls?
- Who should own certificate-based authentication governance in an enterprise?
- How should security teams deploy certificate-based authentication without creating lifecycle gaps?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
