Machine Identity Management: Why It's Your Largest Unmanaged Security Surface

Dan Cvrcek · Founder & Principal Consultant, Axelspire · Former PKI & certificate services lead for Barclays, Sky UK, TSB Bank, Deutsche Bank. Post-doctoral research, University of Cambridge.

Topics in this series: Certificate sprawl & visibility, Governance at enterprise scale, Workload identity & microsegmentation, Machine identity & zero trust.

Every device, workload, container, API endpoint, and service account in your infrastructure has an identity. Not a username and password — a cryptographic credential. A certificate. A key pair. A token. These are machine identities — also referred to as non-human identities (NHI) — and in most enterprises, they outnumber human identities by a factor of 45 to 1.

Machine identity management is the discipline of discovering, issuing, monitoring, rotating, and revoking every one of those credentials across your entire environment. It is not a new technology category. It is the operational reality that certificate lifecycle management, SSH key governance, workload identity, and IoT device authentication have always pointed toward — now consolidated under a single strategic umbrella.

Featured Tool Runs fully in-browser

PKI Health Radar

Drag the sliders to assess your current posture — scores update instantly.

6 more tools: Cost & Risk Explorer Timeline Builder Shadow Heatmap Process Transform Slider Scenario Comparator What-If Demo All tools & guide →

If your organization cannot answer how many machine identities exist in your environment right now, who owns them, when they expire, and which ones are using deprecated cryptographic algorithms, you have a machine identity and credential management problem. Most enterprises do.

What Counts as a Machine Identity

The term is deliberately broad, and that breadth is what makes it strategically important. Machine identities — the non-human identities that operate outside your human IAM stack — include:

TLS/SSL certificates — the most visible category. Every internal and external service endpoint, load balancer, API gateway, and web application holds at least one. Enterprises with 10,000+ employees commonly manage 50,000 to 250,000 active certificates, often without centralized visibility.

Mutual TLS (mTLS) certificates — used for service-to-service authentication in zero trust architectures and service meshes. Unlike server-side TLS, mTLS requires both endpoints to present certificates, which doubles the issuance and rotation burden.

SSH keys — persistent, long-lived, and rarely rotated. Most enterprises have 5 to 10 times more SSH keys than they realize. Unlike certificates, SSH keys have no built-in expiration, making them a compliance blind spot in every audit framework.

Code signing certificates — used to verify the integrity of software artifacts, firmware updates, and container images. A compromised code signing key is a supply chain attack vector.

IoT device certificates — issued to physical devices during manufacturing or provisioning, often with lifespans measured in years or decades. These identities operate in environments where over-the-air rotation is constrained by bandwidth, uptime requirements, and hardware capability. Managing IoT certificate lifecycles — from initial provisioning through renewal and revocation — is one of the most operationally complex domains in machine identity management.

Workload identities — SPIFFE/SPIRE identifiers, Kubernetes service account tokens, and cloud IAM roles attached to ephemeral compute instances. These are short-lived by design but high-volume, often generating thousands of identity operations per hour.

API keys and service account credentials — the unmanaged residue of every integration, automation script, and third-party connection. These are non-human identities that most organizations track in spreadsheets, if they track them at all.

The common thread is that none of these are managed by your IAM team's existing human identity tooling. Active Directory does not govern them. Your SSO provider does not issue them. Your identity governance platform does not lifecycle them. They exist in a parallel identity plane — the NHI layer — that, until recently, had no organizational owner.

Diagram of machine identity categories around an enterprise: TLS and mTLS at the edge and in service meshes, SSH and code signing in build and admin paths, workload identities in Kubernetes and cloud IAM, IoT device certificates on the plant floor, and API keys connecting SaaS and automation — all outside the human IdP. — Figure 1 — Suggested art: one landscape view showing where each machine identity type lives (edge, data center, cloud, CI/CD, IoT) and that they sit parallel to human IAM, not inside it.

Why This Became a Board-Level Concern

Three forces converged to push machine identity management from infrastructure plumbing to strategic risk:

Certificate volumes are growing exponentially. The combination of shorter certificate lifespans (from 398 days down to 90, and soon 47 days under the CA/Browser Forum ballot), microservices architectures that multiply endpoints, and zero trust mandates that require mutual authentication at every boundary has created an environment where manual certificate management is no longer viable. The question is not whether to automate — it is whether you can automate fast enough.

Outages caused by expired certificates are increasing in frequency and severity. When a root CA certificate expires, it does not take down a single service. It takes down every service, device, and connection in the trust chain. These are not theoretical risks. They are the incidents that generate front-page coverage and board-level inquiries. Every one of them traces back to the same root cause: a certificate that nobody knew existed, owned by nobody in particular, monitored by nothing automated.

Regulatory and compliance frameworks now explicitly require machine identity governance. PCI DSS 4.0, NIS2, DORA, and the evolving NIST Cybersecurity Framework all include requirements around cryptographic asset management, key rotation, and certificate lifecycle controls. Auditors are no longer satisfied with "we use certificates." They want evidence of policy enforcement, rotation cadence, and revocation capability.

The Organizational Problem Behind the Technical Problem

The reason machine identity management is difficult is not primarily technical. PKI has existed for decades. Certificate authorities work. ACME protocol automates issuance. The difficulty is organizational.

In most enterprises, machine identities are managed — or more accurately, not managed — by multiple teams with no shared tooling, no common policy, and no centralized visibility:

The network team manages TLS certificates on load balancers and reverse proxies. The platform engineering team manages certificates in Kubernetes and service mesh configurations. The security team manages the certificate authority hierarchy and signing policies. The DevOps team manages code signing and CI/CD pipeline credentials. The OT/IoT team manages device certificates on embedded hardware, often using entirely separate issuance infrastructure. The cloud team manages workload identities and IAM roles across AWS, Azure, and GCP, each with their own identity primitives.

No single team has a complete picture. No single tool spans all of these domains. The result is what analysts call "certificate sprawl" — a distributed, uncoordinated accumulation of machine identities that grows faster than any team's ability to track it. This is a visibility and governance problem before it is an automation problem.

The Machine Identity Lifecycle

Every machine identity — whether a TLS certificate, an SSH key, or a workload credential — follows a lifecycle: discovery, issuance, deployment, monitoring, rotation, and revocation. The lifecycle applies regardless of identity type, but the operational constraints vary dramatically.

A server TLS certificate issued via ACME can be rotated in milliseconds with zero downtime. An IoT device certificate bound to a hardware secure element may require firmware-level coordination, connectivity windows, and fallback provisioning in case of failure. An SSH key that has been embedded in automation scripts for five years may have no rotation mechanism at all — just institutional inertia and the hope that nobody has copied it.

The critical gap in most organizations is between issuance and rotation. Certificates get deployed. Then nothing happens until they expire and something breaks. Monitoring the machine identity lifecycle — tracking expiration timelines, algorithm compliance, CA trust chain validity, and ownership changes — is the operational layer that prevents the next outage. Organizations that automate issuance but ignore lifecycle monitoring have solved half the problem.

Machine Identity and Zero Trust Architecture

Zero trust architecture does not work without machine identity management. This is not a theoretical dependency — it is an architectural requirement.

Zero trust's core principle is that no connection is trusted by default. Every request must be authenticated and authorized, regardless of network location. For human users, this means MFA, conditional access, and continuous verification. For machines — which generate the vast majority of traffic in any enterprise network — it means certificates.

When a container needs to communicate with a database, it presents a certificate. When an API gateway routes a request to a backend service, both sides authenticate with certificates. When a device connects to a cloud IoT hub, it proves its identity with a key pair bound to a device certificate. Every one of these interactions depends on a machine identity being issued, valid, trusted, and revocable.

The implication is that your zero trust maturity is capped by your machine identity maturity. You cannot enforce microsegmentation policies without workload identities. You cannot verify east-west traffic without mTLS. You cannot revoke access to a compromised service without certificate revocation infrastructure that actually works at scale.

Organizations that invest in zero trust network architecture without investing in the non-human identity layer underneath it are building on a foundation they do not control. Read the full analysis in Machine Identity and Zero Trust: Why Certificates Are the Foundation, Not an Afterthought.

The IoT Dimension

IoT devices represent the fastest-growing and most operationally constrained category of machine identities. Unlike server certificates that can be rotated in milliseconds via ACME, IoT device certificates must contend with intermittent connectivity, limited compute resources, long device lifespans, and environments where a failed rotation means a bricked device in a location that requires a physical truck roll to remediate.

The machine identity challenge in IoT is also a supply chain identity challenge. Device identity often begins at the point of manufacture, where an initial certificate or key pair is injected into hardware. This manufacturing-time identity must survive the entire device lifecycle — through distribution, deployment, ownership transfer, firmware updates, and eventual decommissioning.

Standards like the Matter protocol for smart home devices have formalized this with a structured certificate hierarchy (DAC, PAI, PAA) that binds device identity to manufacturer identity from the silicon level upward. But proprietary alternatives still dominate in industrial IoT, creating vendor lock-in risks that limit an organization's ability to manage device identities independently.

For enterprise security leaders evaluating their machine identity posture, IoT devices are the segment most likely to contain unmanaged, unmonitored, and unrotatable credentials. Understanding hardware versus software key storage tradeoffs is essential for making informed procurement and architecture decisions.

Scaling Machine Identity Management: From Analyst Category to Operational Discipline

Gartner, Forrester, and other analyst firms have elevated machine identity management into a distinct market category. This is useful for getting budget approval. It is less useful for understanding what to actually do.

The practical reality is that machine identity management is not a single product purchase. It is an operational discipline built on four capabilities:

Discovery and inventory — finding every certificate, key, and credential across your environment, including the ones nobody remembers deploying. This is the prerequisite for everything else. You cannot manage what you cannot see. The certificate sprawl problem is where most organizations need to start.

Policy and governance — defining who can issue what types of certificates, with what key lengths, using which algorithms, for which purposes, with what maximum lifespans. This is the governance layer that transforms ad-hoc credential management into enforceable organizational policy.

Automation — eliminating manual certificate operations through protocol-based issuance (ACME, EST, SCEP, CMP), automated renewal, and integration with CI/CD pipelines, container orchestrators, and cloud platforms. Automation is not optional when certificate lifespans drop to 47 days.

Monitoring and response — continuous visibility into certificate health, expiration timelines, algorithm compliance, and revocation status. This is the operational layer that prevents the next outage.

No single vendor covers all four capabilities across all machine identity types. The decision for enterprise leaders is whether to pursue a platform consolidation strategy (fewer vendors, broader coverage) or a best-of-breed integration strategy (specialized tools connected through automation). Both work. Neither works without a clear understanding of the scope of the problem. For a detailed comparison of how the two leading platforms stack up, see our Keyfactor vs Venafi analysis.

Four-column diagram: discovery and inventory, policy and governance, automation through ACME and APIs, and monitoring with alerts and revocation — the operational discipline of machine identity management, not a single product. — Figure 2 — Suggested art: four connected capabilities (discover → govern → automate → monitor) with icons for scanner, policy document, protocol pipes, and dashboard; emphasizes program over vendor logo wall.

Where to Start

If your organization has not formalized machine identity management as a discipline, the starting point is not technology. It is visibility.

Conduct a certificate and key discovery exercise across your infrastructure. Identify every issuing CA — internal, external, cloud-native, and ad-hoc. Map ownership to teams. Quantify the gap between what your security team thinks exists and what actually exists. That delta is your machine identity risk surface.

From there, establish governance. Define certificate policies. Assign ownership. Set rotation requirements. Build the organizational muscle before you automate it.

Then automate. But automate with the understanding that the automation layer must span every environment where machine identities exist — not just the ones that are easy to reach.

Assess your machine identity posture

Not sure where your gaps are? Ask Axel can walk you through a rapid discovery assessment, or talk to us directly about a structured machine identity review.

Ask Axel Book a consultation

FAQ

How do you scale machine identity management across a large enterprise? Scaling machine identity management requires three layers: centralized discovery that spans every environment (cloud, on-prem, IoT, CI/CD), policy-driven governance that delegates issuance authority without fragmenting visibility, and protocol-based automation (ACME, EST, SCEP) that eliminates manual certificate operations. Most enterprises stall at the first layer because they cannot inventory identities distributed across teams with no shared tooling.

What is the machine identity lifecycle and how should it be managed? The machine identity lifecycle covers discovery, issuance, deployment, monitoring, rotation, and revocation of every certificate, key, and credential assigned to non-human entities. Each stage requires defined ownership, enforced policy, and automation. The critical gap in most organizations is between issuance and rotation — certificates are deployed but never monitored for expiration, algorithm compliance, or ownership changes.

How is machine identity and credential management different from human IAM? Human IAM manages usernames, passwords, and MFA through interactive flows that assume a person is present. Machine identity and credential management handles certificates, SSH keys, API tokens, and workload identities through automated, non-interactive credential exchange. The tools are different (PKI and secret managers vs. SSO and directory services), the scale is different (45:1 machine-to-human ratio), and the organizational ownership is different — machine identities typically span network, platform, security, DevOps, and IoT teams with no single owner.

How do you build and manage a machine identity inventory? Start with automated certificate and key discovery across every CA — internal, external, cloud-native, and ad-hoc. Scan network endpoints, container orchestrators, cloud IAM configurations, and IoT provisioning systems. Map each identity to an owning team, record expiration dates and algorithm details, and quantify the gap between what your security team thinks exists and what actually exists. That delta is your machine identity risk surface. Most organizations underestimate their actual count by 40% or more.

What is the relationship between machine identity management and IoT device security? IoT devices are a category of machine identity with unique constraints — long lifespans, limited compute, intermittent connectivity, and manufacturing-time provisioning requirements. IoT device identity management follows the same principles as enterprise machine identity management but requires specialized approaches to certificate provisioning, renewal, and revocation. For the hardware-level implementation — SE/TPM part selection, certificate hierarchies, and secure boot — see the Hardware-Backed Device Identity guide. For extending SPIFFE workload identity to device fleets alongside traditional device PKI, see SPIFFE & Workload Identity for Device Fleets.

Machine Identity Governance — Certificate Sprawl & Visibility — Machine Identity & Zero Trust — Hardware-Backed Device Identity — SPIFFE & Workload Identity — IoT Certificate Management. Contact Axelspire or Ask Axel.