Who should own certificate governance in an IAM programme?

By NHI Mgmt Group Editorial Team Updated June 12, 2026 Domain: Governance, Ownership & Risk

Identity teams should own policy and lifecycle rules, while infrastructure or workplace teams may operate the hardware and enrollment flow. The key is a clear control boundary: identity governance decides who can receive certificates, how long they remain valid, and when they are revoked. That prevents local convenience from overriding enterprise access policy.

Why Certificate Governance Belongs in Identity, Not Just Infrastructure

Certificate governance is often treated as a plumbing task because the certificate is delivered through a platform, but the security decision is an identity decision. The question is not who installs the certificate, but who defines eligibility, validity, renewal, revocation, and exception handling. That belongs with identity governance because certificates confer access, trust, and persistence across systems, which makes them part of the enterprise access model, not just an operational artifact.

This split matters when local teams optimise for uptime or convenience and extend certificate lifetimes, bypass approval logic, or create unmanaged exceptions. NHI Management Group has repeatedly documented how weak ownership and lifecycle control turn machine identities into a blind spot, including in the Ultimate Guide to NHIs — Regulatory and Audit Perspectives. The broader pattern aligns with the NIST Cybersecurity Framework 2.0, where governance, risk, and control ownership must be explicit rather than implied.

In the 2024 Non-Human Identity Security Report, only 38% of organisations reported automated certificate lifecycle management, while 45% said certificate expiry is the leading cause of outages, a sign that ownership gaps become service failures quickly.

In practice, many security teams discover broken certificate governance only after an outage, not through a planned control review.

How the Control Boundary Should Work in Practice

The cleanest operating model separates policy ownership from platform operation. Identity teams should own the rules that determine who receives a certificate, what proof is required, how long the certificate remains valid, what rotation standard applies, and which revocation triggers are mandatory. Infrastructure, endpoint, or workplace teams can still run enrollment services, device tooling, hardware modules, and local deployment workflows, but they should execute policy rather than define it.

That boundary is especially important for certificates tied to non-human identities, service accounts, devices, and workload identities. Lifecycle decisions should be driven by an authoritative identity source, with automated issuance and revocation tied to joiner-mover-leaver events, device posture, workload status, and risk signals. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because it frames certificates as part of a broader NHI lifecycle, not a standalone administrative task.

  • Identity governance defines eligibility, approval, TTL, renewal, and revocation policy.
  • Platform teams operate enrollment, deployment, and certificate authorities under those rules.
  • Security teams monitor drift, exception rates, expiry risk, and orphaned certificates.
  • Audit teams verify that ownership, logs, and approvals map back to the policy decision-maker.

Current guidance suggests that ownership should sit where access policy is already governed, while operational execution should remain close to the system that issues or installs the certificate. This aligns with machine identity practices discussed in the Critical Gaps in Machine Identity Management report, where lack of clear ownership and manual tracking are recurring weaknesses. These controls tend to break down in highly distributed environments with multiple certificate authorities and inconsistent asset inventories because no single team can reliably see every issuer, consumer, and renewal path.
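The control boundary described above, with identity governance owning the rules and platform teams producing the certificate inventory, can be checked mechanically. The following Python script is an added example; it is not from the NHI Mgmt Group page or any of the reports it cites. The identities, certificates, policy limits and the check date are all constructed sample data, and the policy structure (a maximum validity per identity kind) is an assumption chosen for illustration. It applies the governance-owned rules (eligibility per identity kind, maximum validity, mandatory revocation on a leaver event) to an inventory and reports the drift, orphaned-certificate and expiry-risk conditions that the monitoring responsibility names, plus the exception rate.

```python
"""Identity-governed certificate policy check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str    # "human", "service", "device", "workload", ... (constructed)
    status: str  # "active" or "leaver", as reported by the authoritative identity source


@dataclass(frozen=True)
class Certificate:
    serial: str
    subject: str          # identity the certificate was issued to
    issuer: str
    not_before: datetime
    not_after: datetime
    approved_exception: bool = False  # exception granted by the policy owner, not locally


# Policy owned by identity governance (constructed values, assumed structure):
# which identity kinds are eligible at all, and the maximum validity for each.
POLICY = {
    "max_ttl_days": {"human": 365, "service": 90, "device": 730, "workload": 1},
    "expiry_warning_days": 30,
}


def evaluate(certs, identities, now):
    """Apply POLICY to an inventory; returns {finding_type: [serial, ...]}."""
    directory = {i.name: i for i in identities}
    findings = {"orphaned": [], "revoke_leaver": [], "ineligible": [],
                "ttl_drift": [], "expiring_soon": []}
    for c in certs:
        ident = directory.get(c.subject)
        if ident is None:
            # No owner in the authoritative source: nobody is accountable for it.
            findings["orphaned"].append(c.serial)
            continue
        if ident.status == "leaver":
            # Joiner-mover-leaver event: revocation is a mandatory trigger.
            findings["revoke_leaver"].append(c.serial)
        lifetime = c.not_after - c.not_before
        max_ttl = POLICY["max_ttl_days"].get(ident.kind)
        if max_ttl is None:
            findings["ineligible"].append(c.serial)
        elif lifetime > timedelta(days=max_ttl) and not c.approved_exception:
            # Issued longer than policy allows without a governed exception.
            findings["ttl_drift"].append(c.serial)
        # Short-lived certificates are always near expiry by design, so warn at the
        # smaller of the policy window and a quarter of the certificate's own lifetime.
        warn_window = min(timedelta(days=POLICY["expiry_warning_days"]), lifetime / 4)
        remaining = c.not_after - now
        if timedelta(0) <= remaining <= warn_window:
            findings["expiring_soon"].append(c.serial)
    return findings


def exception_rate(certs):
    """Share of issued certificates that rely on an approved exception."""
    return sum(1 for c in certs if c.approved_exception) / len(certs)


# Constructed sample data: an authoritative identity source and an inventory.
UTC = timezone.utc
NOW = datetime(2026, 6, 12, tzinfo=UTC)
SAMPLE_IDENTITIES = [
    Identity("alice", "human", "active"),
    Identity("bob", "human", "leaver"),
    Identity("svc-billing", "service", "active"),
    Identity("build-runner-7", "workload", "active"),
    Identity("guest-kiosk", "guest", "active"),  # kind not covered by policy
]
SAMPLE_CERTS = [
    Certificate("01", "alice", "corp-ca", datetime(2026, 1, 1, tzinfo=UTC), datetime(2026, 12, 31, tzinfo=UTC)),
    Certificate("02", "bob", "corp-ca", datetime(2026, 1, 1, tzinfo=UTC), datetime(2026, 12, 31, tzinfo=UTC)),
    Certificate("03", "svc-billing", "corp-ca", datetime(2026, 3, 1, tzinfo=UTC), datetime(2026, 9, 1, tzinfo=UTC)),
    Certificate("04", "svc-billing", "corp-ca", datetime(2026, 4, 1, tzinfo=UTC), datetime(2026, 6, 30, tzinfo=UTC)),
    Certificate("05", "old-db-proxy", "legacy-ca", datetime(2025, 1, 1, tzinfo=UTC), datetime(2027, 1, 1, tzinfo=UTC)),
    Certificate("06", "build-runner-7", "workload-ca", datetime(2026, 6, 12, tzinfo=UTC), datetime(2026, 6, 13, tzinfo=UTC)),
    Certificate("07", "guest-kiosk", "corp-ca", datetime(2026, 5, 1, tzinfo=UTC), datetime(2027, 5, 1, tzinfo=UTC)),
    Certificate("08", "svc-billing", "corp-ca", datetime(2026, 1, 1, tzinfo=UTC), datetime(2026, 12, 31, tzinfo=UTC), approved_exception=True),
]

if __name__ == "__main__":
    for kind, serials in evaluate(SAMPLE_CERTS, SAMPLE_IDENTITIES, NOW).items():
        print(f"{kind:14s} {serials}")
    print(f"exception rate {exception_rate(SAMPLE_CERTS):.1%}")
```

Run as-is, the script reports serial 05 as orphaned (no owner in the identity source), 02 as requiring revocation (its owner is a leaver), 07 as ineligible (a kind the policy does not cover), 03 as TTL drift (184 days against a 90-day service limit) and 04 as expiring soon, while 08 passes because its long validity is an exception approved by the policy owner rather than a local extension. The exception rate is the figure a security team would track over time: a rising rate is the signal that local convenience is winning over enterprise policy.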

Common Ownership Models and Where They Break Down

Tighter governance often increases coordination overhead, requiring organisations to balance speed of issuance against control consistency. That tradeoff becomes visible in hybrid estates, where workplace teams, infrastructure teams, and application owners all expect different renewal cadences and approval paths.

There is no universal standard for this yet, but best practice is evolving toward a federated model: identity owns the policy, local platform teams operate the workflow, and application owners are accountable for business justification. This avoids the common failure mode where certificates are treated as local assets and silently extended beyond their intended trust window. The 2024 Non-Human Identity Security Report shows why this matters: 88.5% of organisations say their NHI IAM practices lag human IAM, and 59.8% see value in dynamic ephemeral credentials, which reinforces the shift toward shorter-lived, centrally governed trust.

Two edge cases deserve special attention. First, hardware-backed certificates for endpoints or industrial systems may require shared operational ownership because device provisioning is tightly coupled to physical logistics. Second, certificate use in regulated environments may require stronger separation of duties, where the identity team sets policy but cannot approve exceptions alone. In both cases, the control boundary should still be explicit and auditable. When certificate governance is split informally across teams, expiry, revocation, and exception handling drift into tribal knowledge, and that is where outages and audit findings usually begin.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.RM-01 | Governance ownership is the core issue in certificate policy and accountability.
OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle gaps are a common non-human identity failure mode.
NIST SP 800-63 | IAL2 | Identity proofing and assurance concepts inform certificate eligibility and trust decisions.

Centralize certificate issuance, rotation, and revocation under identity-controlled lifecycle rules.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org