They insert extra components between the workload and the control point, which increases operational complexity and can shift the certificate relationship from the process to the proxy. That makes enforcement more brittle, especially when Kubernetes, meshes, or deployment patterns vary across environments. Governance should follow the workload, not just the supporting infrastructure.
Why This Matters for Security Teams
Service meshes and sidecars change where identity is asserted, enforced, and observed. Instead of the workload presenting its own cryptographic identity directly, a proxy often becomes the enforcement point, which can blur ownership, complicate trust boundaries, and make certificate lifecycle issues harder to trace. That matters because workload identity is not just a transport detail. It is the control plane for access, segmentation, and audit.
For teams that rely on Kubernetes consistency, the risk is that governance assumptions follow the deployment platform rather than the actual workload. Current guidance suggests that identity should remain bound to the workload even when a mesh is present, with the mesh acting as an enforcement helper rather than the source of truth. The SPIFFE workload identity specification is useful here because it frames identity as a portable workload primitive, not a proxy artifact. NHI Management Group’s Guide to SPIFFE and SPIRE makes the same governance point in practical terms.
In practice, many security teams discover the identity gap only after sidecar restarts, certificate failures, or cross-cluster inconsistencies have already caused outages or policy drift.
How It Works in Practice
A service mesh typically inserts a sidecar proxy beside each workload and routes traffic through that proxy so it can enforce mTLS, policy, and telemetry. That model can work well, but it also means the certificate exchange may happen between proxies rather than between the application process and its peer. If governance is built around the proxy alone, the workload can become invisible as the true security principal.
The operational answer is to anchor identity at the workload and let the mesh consume that identity. In practice, that means using short-lived, automatically rotated credentials, workload-bound attestation, and policy checks that evaluate the request context at runtime. This aligns well with zero trust principles in the NIST Cybersecurity Framework 2.0, which emphasises governance, identity, and continuous risk management rather than static trust. It also matches NHI lifecycle guidance in Ultimate Guide to NHIs, especially where rotation and offboarding are concerned.
- Bind identity to the workload, not only the sidecar.
- Use attested workload identity, such as SPIFFE IDs, for cryptographic proof of what the service is.
- Issue short-lived certificates and revoke them automatically when the workload ends.
- Apply policy at request time so a proxy cannot silently inherit broader access than the application needs.
- Track certificate ownership and rotation separately for application, proxy, and platform components.
NHIMG research shows why this matters operationally: only 38% of organisations have automated certificate lifecycle management in place, while certificate expiry is the leading cause of outages for 45% of organisations in the Critical Gaps in Machine Identity Management report. These controls tend to break down in hybrid clusters where mesh versions, injection policies, and certificate authorities differ across environments because the same identity path is not enforced end to end.
Common Variations and Edge Cases
Tighter mesh-based control often increases operational overhead, requiring organisations to balance stronger traffic enforcement against deployment friction and troubleshooting complexity. That tradeoff is especially visible when teams mix injected and non-injected workloads, run multiple meshes, or move services between Kubernetes and non-Kubernetes environments.
Best practice is evolving here. There is no universal standard for how much identity enforcement should sit in the sidecar versus the workload, but the emerging consensus is that the proxy should not become the sole identity authority. Where the mesh handles certificate transport, policy decisions should still reference workload-bound identity, not just proxy metadata. That reduces the risk of policy drift when a deployment is rescheduled, scaled, or replatformed.
Edge cases also matter. Stateful services may need longer coordination windows for rotation. Legacy services may not support direct workload attestation. Multi-cluster or multi-tenant platforms may require separate trust domains so a compromised proxy in one environment cannot impersonate another. For broader NHI governance patterns, Top 10 NHI Issues is a useful companion reference. The core rule remains simple: if the mesh is easier to manage than the workload, identity governance will eventually drift toward the wrong control point.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Sidecars can obscure the true identity and access path of autonomous workloads. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Focuses on workload identity lifecycle and governance, which meshes can complicate. |
| NIST AI RMF | AI RMF supports governance of dynamic, context-dependent systems with layered controls. |
Treat mesh certificates as an implementation detail and govern the workload identity directly.
Related resources from NHI Mgmt Group
- Why do self-service portals create governance risk in identity programmes?
- What breaks when identity governance does not cover AI agents and service accounts together?
- Why is it important to integrate identity and data governance?
- How should security teams evaluate Centrify alternatives for identity governance?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
