Machine Identity Management: Why It's Your Largest Unmanaged Security Surface
At a glance
- Machine identity management:
- The discipline of discovering, issuing, monitoring, rotating, and revoking cryptographic credentials — certificates, keys, and tokens — assigned to every non-human entity in an organisation's infrastructure. Covers TLS/mTLS, SSH keys, code signing, workload identities (SPIFFE, Kubernetes service accounts), IoT device certificates, and API credentials.
- Non-human identity (NHI):
- Alternate term for the same scope. Emphasises that these identities sit parallel to the human IAM plane, not inside it — and that no single IAM, SSO, or directory product governs them.
- Scale benchmark:
- Machine identities typically outnumber human identities by 45 to 1 in enterprise environments. In Axelspire's practitioner experience across banking and telecoms PKI, that multiplier is conservative once SSH keys, workload identities, and IoT credentials are fully inventoried.
- Why now:
- CA/Browser Forum ballot SC-081v3 reduced public TLS validity to 200 days on 15 March 2026, phasing to 100 days and then 47 days in subsequent years. Manual certificate operations are no longer viable at these cadences.
- Axelspire's position:
- Machine identity management is not a product category — it is an operational discipline built on four capabilities: discovery, governance, automation, and monitoring. No single vendor covers all four across all identity types. The strategic question is which gaps you close internally and which you outsource.
Acronyms used on this page ▾
| Acronym | Meaning |
|---|---|
| ACME | Automated Certificate Management Environment. Protocol for automated certificate issuance and renewal (RFC 8555). |
| CA/B Forum | CA/Browser Forum. Industry body of CAs and browser vendors that sets baseline requirements for public TLS certificates. |
| CMP | Certificate Management Protocol (RFC 4210). Enrollment and lifecycle protocol used in industrial and telecom PKI. |
| CSA | Connectivity Standards Alliance. Governs the Matter protocol and registers Matter PAA root CAs. |
| DAC | Device Attestation Certificate. Manufacturer-issued credential in the Matter PKI hierarchy proving a device is genuine. |
| DORA | Digital Operational Resilience Act. EU regulation for financial services; includes cryptographic asset management controls. |
| EST | Enrollment over Secure Transport (RFC 7030). mTLS-based certificate enrollment; supports renewal using existing certificates. |
| IAM | Identity and Access Management. The human-identity plane — users, passwords, MFA, SSO, directory services. |
| mTLS | Mutual TLS. Both client and server present X.509 certificates; the foundation of zero trust east-west traffic. |
| NHI | Non-Human Identity. Alternate term for machine identity, emphasising that these identities sit outside human IAM. |
| NIS2 | Network and Information Security directive 2. EU cybersecurity regulation; includes cryptographic control requirements. |
| NIST | National Institute of Standards and Technology (US). Publishes FIPS and SP series cryptographic standards. |
| OT | Operational Technology. Industrial control systems, SCADA, manufacturing — typically managed separately from IT PKI. |
| PAA | Product Attestation Authority. Root CA in the Matter PKI hierarchy, registered with the CSA. |
| PAI | Product Attestation Intermediate. Intermediate CA in the Matter PKI hierarchy. |
| PCI DSS | Payment Card Industry Data Security Standard (v4.0). Includes explicit cryptographic asset management requirements. |
| SC-081v3 | CA/Browser Forum Ballot SC-081 version 3. Reduced public TLS validity to 200 days on 15 March 2026, phasing to 100 and then 47 days. |
| SCEP | Simple Certificate Enrollment Protocol. Widely deployed for initial enrollment; renewal capability is limited. |
| SPIFFE | Secure Production Identity Framework for Everyone. CNCF-governed workload identity specification. |
| SPIRE | SPIFFE Runtime Environment. The reference implementation of SPIFFE — a server that issues SVIDs and per-node agents. |
| SVID | SPIFFE Verifiable Identity Document. The short-lived credential SPIRE issues — typically an X.509 certificate. |
Topics in this series: Certificate sprawl & visibility, Governance at enterprise scale, Workload identity & microsegmentation, Machine identity & zero trust.
Every device, workload, container, API endpoint, and service account in your infrastructure has an identity. Not a username and password — a cryptographic credential. A certificate. A key pair. A token. These are machine identities — also referred to as non-human identities (NHI) — and in most enterprises, they outnumber human identities by a factor of 45 to 1.
Machine identity management is the discipline of discovering, issuing, monitoring, rotating, and revoking every one of those credentials across your entire environment. It is not a new technology category. It is the operational reality that certificate lifecycle management, SSH key governance, workload identity, and IoT device authentication have always pointed toward — now consolidated under a single strategic umbrella.
PKI Health Radar
Drag the sliders to assess your current posture — scores update instantly.
If your organisation cannot answer how many machine identities exist in your environment right now, who owns them, when they expire, and which ones are using deprecated cryptographic algorithms, you have a machine identity and credential management problem. Most enterprises do.
What Counts as a Machine Identity
The term is deliberately broad, and that breadth is what makes it strategically important. Machine identities — the non-human identities that operate outside your human IAM stack — include:
TLS/SSL certificates — the most visible category. Every internal and external service endpoint, load balancer, API gateway, and web application holds at least one. Enterprises with 10,000+ employees commonly manage 50,000 to 250,000 active certificates, often without centralised visibility.
Mutual TLS (mTLS) certificates — used for service-to-service authentication in zero trust architectures and service meshes. Unlike server-side TLS, mTLS requires both endpoints to present certificates, which doubles the issuance and rotation burden.
SSH keys — persistent, long-lived, and rarely rotated. In Axelspire's engagements, organisations consistently discover 5 to 10 times more SSH keys than their security teams believe exist. Unlike certificates, SSH keys have no built-in expiration, making them a compliance blind spot in every audit framework.
Code signing certificates — used to verify the integrity of software artifacts, firmware updates, and container images. A compromised code signing key is a supply chain attack vector.
IoT device certificates — issued to physical devices during manufacturing or provisioning, often with lifespans measured in years or decades. These identities operate in environments where over-the-air rotation is constrained by bandwidth, uptime requirements, and hardware capability. Managing IoT certificate lifecycles — from initial provisioning through renewal and revocation — is one of the most operationally complex domains in machine identity management.
Workload identities — SPIFFE/SPIRE identifiers, Kubernetes service account tokens, and cloud IAM roles attached to ephemeral compute instances. These are short-lived by design but high-volume, often generating thousands of identity operations per hour.
API keys and service account credentials — the unmanaged residue of every integration, automation script, and third-party connection. These are non-human identities that most organisations track in spreadsheets, if they track them at all.
The common thread is that none of these are managed by your IAM team's existing human identity tooling. Active Directory does not govern them. Your SSO provider does not issue them. Your identity governance platform does not lifecycle them. They exist in a parallel identity plane — the NHI layer — that, until recently, had no organisational owner.
Why This Became a Board-Level Concern
Three forces converged to push machine identity management from infrastructure plumbing to strategic risk:
Certificate validity is collapsing on a defined schedule. Under CA/Browser Forum ballot SC-081v3, public TLS certificate validity dropped from 398 days to 200 days on 15 March 2026 — and phases to 100 days, then 47 days, over the subsequent years. Combined with microservices architectures that multiply endpoints and zero trust mandates that require mutual authentication at every boundary, manual certificate operations are structurally unviable. The question is not whether to automate — it is whether you can automate fast enough to stay ahead of the 100-day and 47-day thresholds.
Outages caused by expired certificates are increasing in frequency and severity. When a root CA certificate expires, it does not take down a single service. It takes down every service, device, and connection in the trust chain. These are not theoretical risks — they are the incidents that generate front-page coverage and board-level inquiries. Every one of them traces back to the same root cause: a certificate that nobody knew existed, owned by nobody in particular, monitored by nothing automated.
Regulatory and compliance frameworks now explicitly require machine identity governance. PCI DSS 4.0, NIS2, DORA, and the evolving NIST Cybersecurity Framework all include requirements around cryptographic asset management, key rotation, and certificate lifecycle controls. Auditors are no longer satisfied with "we use certificates." They want evidence of policy enforcement, rotation cadence, and revocation capability.
The Organisational Problem Behind the Technical Problem
The reason machine identity management is difficult is not primarily technical. PKI has existed for decades. Certificate authorities work. ACME protocol automates issuance. The difficulty is organisational.
In most enterprises, machine identities are managed — or more accurately, not managed — by multiple teams with no shared tooling, no common policy, and no centralised visibility:
The network team manages TLS certificates on load balancers and reverse proxies. The platform engineering team manages certificates in Kubernetes and service mesh configurations. The security team manages the certificate authority hierarchy and signing policies. The DevOps team manages code signing and CI/CD pipeline credentials. The OT/IoT team manages device certificates on embedded hardware, often using entirely separate issuance infrastructure. The cloud team manages workload identities and IAM roles across AWS, Azure, and GCP, each with their own identity primitives.
No single team has a complete picture. No single tool spans all of these domains. The result is what analysts call "certificate sprawl" — a distributed, uncoordinated accumulation of machine identities that grows faster than any team's ability to track it. This is a visibility and governance problem before it is an automation problem.
The Machine Identity Lifecycle
Every machine identity — whether a TLS certificate, an SSH key, or a workload credential — follows a lifecycle: discovery, issuance, deployment, monitoring, rotation, and revocation. The lifecycle applies regardless of identity type, but the operational constraints vary dramatically.
A server TLS certificate issued via ACME can be rotated in milliseconds with zero downtime. An IoT device certificate bound to a hardware secure element may require firmware-level coordination, connectivity windows, and fallback provisioning in case of failure. An SSH key that has been embedded in automation scripts for five years may have no rotation mechanism at all — just institutional inertia and the hope that nobody has copied it.
The critical gap in most organisations is between issuance and rotation. Certificates get deployed. Then nothing happens until they expire and something breaks. Monitoring the machine identity lifecycle — tracking expiration timelines, algorithm compliance, CA trust chain validity, and ownership changes — is the operational layer that prevents the next outage. Organisations that automate issuance but ignore lifecycle monitoring have solved half the problem.
Machine Identity and Zero Trust Architecture
Zero trust architecture does not work without machine identity management. This is not a theoretical dependency — it is an architectural requirement.
Zero trust's core principle is that no connection is trusted by default. Every request must be authenticated and authorised, regardless of network location. For human users, this means MFA, conditional access, and continuous verification. For machines — which generate the vast majority of traffic in any enterprise network — it means certificates.
When a container needs to communicate with a database, it presents a certificate. When an API gateway routes a request to a backend service, both sides authenticate with certificates. When a device connects to a cloud IoT hub, it proves its identity with a key pair bound to a device certificate. Every one of these interactions depends on a machine identity being issued, valid, trusted, and revocable.
The implication is that your zero trust maturity is capped by your machine identity maturity. You cannot enforce microsegmentation policies without workload identities. You cannot verify east-west traffic without mTLS. You cannot revoke access to a compromised service without certificate revocation infrastructure that actually works at scale.
Organisations that invest in zero trust network architecture without investing in the non-human identity layer underneath it are building on a foundation they do not control. Read the full analysis in Machine Identity and Zero Trust: Why Certificates Are the Foundation, Not an Afterthought.
The IoT Dimension
IoT devices represent the fastest-growing and most operationally constrained category of machine identities. Unlike server certificates that can be rotated in milliseconds via ACME, IoT device certificates must contend with intermittent connectivity, limited compute resources, long device lifespans, and environments where a failed rotation means a bricked device in a location that requires a physical truck roll to remediate.
The machine identity challenge in IoT is also a supply chain identity challenge. Device identity often begins at the point of manufacture, where an initial certificate or key pair is injected into hardware. This manufacturing-time identity must survive the entire device lifecycle — through distribution, deployment, ownership transfer, firmware updates, and eventual decommissioning.
Standards like the Matter protocol for smart home devices have formalised this with a structured certificate hierarchy (DAC, PAI, PAA) that binds device identity to manufacturer identity from the silicon level upward. But proprietary alternatives still dominate in industrial IoT, creating vendor lock-in risks that limit an organisation's ability to manage device identities independently.
For enterprise security leaders evaluating their machine identity posture, IoT devices are the segment most likely to contain unmanaged, unmonitored, and unrotatable credentials. Understanding hardware versus software key storage tradeoffs is essential for making informed procurement and architecture decisions.
Scaling Machine Identity Management: From Analyst Category to Operational Discipline
Gartner, Forrester, and other analyst firms have elevated machine identity management into a distinct market category. This is useful for getting budget approval. It is less useful for understanding what to actually do.
In Axelspire's practitioner view, machine identity management is not a single product purchase. It is an operational discipline built on four capabilities:
Discovery and inventory — finding every certificate, key, and credential across your environment, including the ones nobody remembers deploying. This is the prerequisite for everything else. You cannot manage what you cannot see. The certificate sprawl problem is where most organisations need to start.
Policy and governance — defining who can issue what types of certificates, with what key lengths, using which algorithms, for which purposes, with what maximum lifespans. This is the governance layer that transforms ad-hoc credential management into enforceable organisational policy.
Automation — eliminating manual certificate operations through protocol-based issuance (ACME, EST, SCEP, CMP), automated renewal, and integration with CI/CD pipelines, container orchestrators, and cloud platforms. Automation is not optional when certificate lifespans drop to 47 days.
Monitoring and response — continuous visibility into certificate health, expiration timelines, algorithm compliance, and revocation status. This is the operational layer that prevents the next outage.
No single vendor covers all four capabilities across all machine identity types. The decision for enterprise leaders is whether to pursue a platform consolidation strategy (fewer vendors, broader coverage) or a best-of-breed integration strategy (specialised tools connected through automation). Both work. Neither works without a clear understanding of the scope of the problem. For a detailed comparison of how the two leading platforms stack up, see our Keyfactor vs Venafi analysis.
Where to Start
If your organisation has not formalised machine identity management as a discipline, the starting point is not technology. It is visibility.
Conduct a certificate and key discovery exercise across your infrastructure. Identify every issuing CA — internal, external, cloud-native, and ad-hoc. Map ownership to teams. Quantify the gap between what your security team thinks exists and what actually exists. That delta is your machine identity risk surface.
From there, establish governance. Define certificate policies. Assign ownership. Set rotation requirements. Build the organisational muscle before you automate it.
Then automate. But automate with the understanding that the automation layer must span every environment where machine identities exist — not just the ones that are easy to reach.
Assess your machine identity posture
Not sure where your gaps are? Ask Axel can walk you through a rapid discovery assessment, or talk to us directly about a structured machine identity review.
FAQ
What is machine identity management? Machine identity management is the discipline of discovering, issuing, monitoring, rotating, and revoking cryptographic credentials assigned to every non-human entity in an organisation's infrastructure — including TLS certificates, SSH keys, code signing certificates, workload identities (SPIFFE, Kubernetes service accounts), IoT device certificates, and API credentials. Unlike human identity management, it operates through automated, non-interactive credential exchange using protocols such as ACME, EST, SCEP, and CMP. Machine identities typically outnumber human identities by 45 to 1 in enterprise environments.
Why is machine identity management important? Machine-to-machine traffic dominates modern infrastructure — cloud workloads, containers, APIs, service meshes, and IoT devices all rely on cryptographic credentials rather than passwords. A single expired root certificate can cascade into a platform-wide outage; a single compromised code signing key can enable a supply-chain attack. Under CA/Browser Forum ballot SC-081v3, TLS certificate validity dropped to 200 days on 15 March 2026 and phases to 100 days and then 47 days in subsequent years, making manual certificate operations structurally unviable.
How do you scale machine identity management across a large enterprise? Scaling machine identity management requires three layers: centralised discovery that spans every environment (cloud, on-prem, IoT, CI/CD), policy-driven governance that delegates issuance authority without fragmenting visibility, and protocol-based automation (ACME, EST, SCEP) that eliminates manual certificate operations. Most enterprises stall at the first layer because they cannot inventory identities distributed across teams with no shared tooling.
What is the machine identity lifecycle and how should it be managed? The machine identity lifecycle covers discovery, issuance, deployment, monitoring, rotation, and revocation of every certificate, key, and credential assigned to non-human entities. Each stage requires defined ownership, enforced policy, and automation. In Axelspire's experience across enterprise deployments, the critical gap is between issuance and rotation — certificates are deployed but never monitored for expiration, algorithm compliance, or ownership changes.
How is machine identity and credential management different from human IAM? Human IAM manages usernames, passwords, and MFA through interactive flows that assume a person is present. Machine identity and credential management handles certificates, SSH keys, API tokens, and workload identities through automated, non-interactive credential exchange. The tools are different (PKI and secret managers vs. SSO and directory services), the scale is different (45:1 machine-to-human ratio), and the organisational ownership is different — machine identities typically span network, platform, security, DevOps, and IoT teams with no single owner.
How do you build and manage a machine identity inventory? Start with automated certificate and key discovery across every CA — internal, external, cloud-native, and ad-hoc. Scan network endpoints, container orchestrators, cloud IAM configurations, and IoT provisioning systems. Map each identity to an owning team, record expiration dates and algorithm details, and quantify the gap between what your security team thinks exists and what actually exists. That delta is your machine identity risk surface. In Axelspire's practitioner experience, most organisations underestimate their actual count by 40% or more.
What is the relationship between machine identity management and IoT device security? IoT devices are a category of machine identity with unique constraints — long lifespans, limited compute, intermittent connectivity, and manufacturing-time provisioning requirements. IoT device identity management follows the same principles as enterprise machine identity management but requires specialised approaches to certificate provisioning, renewal, and revocation. For the hardware-level implementation — SE/TPM part selection, certificate hierarchies, and secure boot — see the Hardware-Backed Device Identity guide. For extending SPIFFE workload identity to device fleets alongside traditional device PKI, see SPIFFE & Workload Identity for Device Fleets.
Machine Identity Governance — Certificate Sprawl & Visibility — Machine Identity & Zero Trust — Hardware-Backed Device Identity — SPIFFE & Workload Identity — IoT Certificate Management. Contact Axelspire or Ask Axel.