PKI Maturity Benchmarks 2026: Where Enterprises Actually Score
Most organisations that assess their PKI maturity on the PKI Consortium's PKIMM scale land at Level 2 (Basic) when scores require evidence — despite self-assessing at Level 3. This page publishes AxelSpire's benchmark data from evidence-based PKI assessments conducted 2024–2026, so you can place your own scorecard against real peer distributions rather than vendor marketing.
AxelSpire's position: Benchmark data for PKI maturity barely exists in public. The Ponemon/Entrust studies survey self-reported sentiment; PKIMM publishes the model but no score distributions. What follows is field data — small sample, honestly caveated — which is still more than is otherwise available.
Part of: PKI assessment methodology — the methodology these benchmarks are scored against.
How to read this data
Methodology, stated up front because it determines what the numbers mean:
- Source: Enterprise and mid-market organisations assessed by AxelSpire. Small sample; directional, not statistical.
- Scoring: evidence-based. A score above 2 in any category required an artefact — a policy document, a dashboard, a runbook, an automation coverage report. Self-reported scores without evidence were reduced.
- Framework: PKI Consortium PKIMM — 4 modules, 15 categories, levels 1–5. Weighting per AxelSpire's methodology: Operations 35%, Governance 25%, Management 20%, Resources 20%.
This is a different measurement from survey-based studies. Surveys measure what teams believe; evidence-based assessment measures what they can prove. The gap between the two is itself the first benchmark.
Benchmark 1: Self-assessment inflation is ~1 full level
Across assessments, the median gap between an organisation's initial self-assessment and its evidence-based score was one full maturity level, almost always in the same direction: self-assessed Level 3, scored Level 2.
The inflation concentrates in two categories: Automation ("we use ACME" ≠ automation coverage) and Monitoring & auditing (alerting exists; nobody has tested whether it fires before an outage). Where stakeholder scores diverged by more than one level, the lower score matched the evidence in the large majority of cases — the basis for the reconciliation rule in AxelSpire's assessment methodology.
Benchmark 2: The module profile is consistently lopsided
The same shape appears in nearly every assessment: Governance scores highest, Operations lowest.
| PKIMM module | Typical evidence found | Typical evidence missing |
|---|---|---|
| Governance | CP/CPS exists, compliance mappings | Policy review cycle actually executed |
| Management | HSMs for root keys | Tested key recovery; crypto-agility plan |
| Operations | Expiry spreadsheet or basic alerting | Automation coverage >30%; renewal-storm awareness |
| Resources | A PKI "owner" by custom | More than one person who can operate the CA; budget line |
Enterprises overinvest in the module auditors ask about (Governance) and underinvest in the module that causes outages (Operations). Under SC-081v3's compressed lifetimes — 200-day certificates already in effect, 47 days by March 2029 — this inversion is exactly backwards: automation capability, not documentation, is now the primary risk driver. It also explains why Governance-heavy organisations still fail audits on Operations evidence — the recurring findings are catalogued in the PKI audit checklist.
Benchmark 3: Automation coverage — the number that decides your renewal maths
Automation coverage — the percentage of certificates issued and renewed without human intervention — is the single most predictive category score in the dataset.
| Automation coverage band | Practical meaning at 200-day lifetimes | At 47-day lifetimes |
|---|---|---|
| <30% | Recurring manual renewal load, absorbed with pain | Mathematically unsustainable for most team sizes |
| 30–80% | Coping; outage risk concentrated in the manual tail | The manual tail becomes the outage generator |
| >80% | Sustainable | Sustainable |
The claim worth extracting: below roughly 80% automation coverage, 47-day certificates convert a staffing question into an outage schedule. The renewal arithmetic per estate size is worked through in certificate outage costs and the renewal-storm mechanics in the certificate renewal operating model.
Note the gap against survey data: organisations report far higher automation adoption than evidence shows, because "we have ACME somewhere" is reported as "we automate". Adoption is not coverage.
Benchmark 4: The inventory gap
In every assessment that included a discovery scan, the discovered certificate count exceeded the tracked count. Typical multiple: 2–3× the CMDB figure. The overflow comes from the same four sources each time: DevOps-issued public certificates, service-mesh auto-issuance, acquired-company infrastructure, and OEM-issued device certificates. This is why the assessment methodology front-loads discovery in Sprint 1 — and why a cross-CA certificate inventory is the prerequisite for trusting any other score on the card.
Benchmark 5: What actually separates Level 2 from Level 3
Level 3 is not a tooling purchase. In the organisations that crossed from 2 to 3 within a year of assessment, the moves were, in order of impact:
- A named PKI owner with a RACI — the absence of which is the most common structural failure across all assessments.
- A reconciled inventory across all issuance sources — without it, every other improvement is unmeasurable.
- Automation coverage as a tracked KPI — not automation projects; a percentage, reported monthly.
- Documented, exercised runbooks for the top three certificate incident types.
None of the four requires buying a CLM platform. Two of the four require knowing your estate — which is an intelligence problem, not a lifecycle problem.
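The three numbers Benchmarks 3, 4 and 5 turn on (unique certificates versus CMDB rows, automation coverage as a percentage of the estate rather than "ACME is present somewhere", and the manual renewal load that coverage implies at each SC-081v3 lifetime step) all fall out of one reconciled inventory. The Python below is an added worked example, not AxelSpire's tooling and not data from any real estate: the sightings, CMDB rows, source names and the set of issuance methods treated as automated are constructed assumptions for illustration. It assumes serials arrive as hex in varying formats, which is the usual reason two scanners disagree about how many certificates exist.

```python
"""Reconcile certificate sightings against a CMDB and derive the coverage KPI.

Added example, not AxelSpire's or any vendor's code. Assumes hex serials
(with or without colons or a 0x prefix) and a per-record issuance method.
"""
from collections import Counter

HEX_DIGITS = set("0123456789abcdef")

# Assumption: these issuance methods mean no human step on issue AND renew.
# OEM device certificates are deliberately excluded: their renewal path is
# usually manual or absent, so "issued automatically" does not make them covered.
AUTOMATED_METHODS = {"acme", "autoenrol", "mesh"}

# Constructed sample sightings (not a real estate). Serial formats vary on
# purpose: the same certificate appears as "0A:1B:2C" from one scan path and
# "0A1B2C" from another, and must count once.
DISCOVERED = [
    {"source": "public-ca-api", "issuer": "Example Public CA", "serial": "0A:1B:2C",
     "subject": "www.example.test", "method": "acme"},
    {"source": "public-ca-api", "issuer": "Example Public CA", "serial": "0a1b2d",
     "subject": "api.example.test", "method": "acme"},
    {"source": "public-ca-api", "issuer": "Example Public CA", "serial": "0x0A1B2E",
     "subject": "dev-preview.example.test", "method": "portal"},   # DevOps-issued, manual
    {"source": "internal-adcs", "issuer": "Example Internal CA", "serial": "11",
     "subject": "ldap.corp.example.test", "method": "manual"},
    {"source": "internal-adcs", "issuer": "Example Internal CA", "serial": "12",
     "subject": "wsus.corp.example.test", "method": "autoenrol"},
    {"source": "service-mesh", "issuer": "mesh-ca", "serial": "f001",
     "subject": "spiffe://example.test/ns/pay/sa/api", "method": "mesh"},
    {"source": "service-mesh", "issuer": "mesh-ca", "serial": "f002",
     "subject": "spiffe://example.test/ns/pay/sa/worker", "method": "mesh"},
    {"source": "device-oem", "issuer": "OEM Device CA", "serial": "de:ad:01",
     "subject": "printer-0042", "method": "oem"},
    # Second sighting of the first certificate via another scan path.
    {"source": "internal-scan", "issuer": "example public ca", "serial": "0A1B2C",
     "subject": "www.example.test", "method": "acme"},
]

# Constructed CMDB rows: (issuer, serial). Includes one stale row for a
# certificate that no scan can still find.
TRACKED = [
    ("Example Public CA", "0A:1B:2C"),
    ("Example Public CA", "0A:1B:2D"),
    ("Example Internal CA", "11"),
    ("Example Internal CA", "0F"),
]


def normalise_serial(serial: str) -> str:
    """Canonical hex serial: drop colons, spaces and 0x; lowercase; strip leading zeros."""
    s = serial.strip().lower().replace(":", "").replace(" ", "")
    if s.startswith("0x"):
        s = s[2:]
    if not s or any(c not in HEX_DIGITS for c in s):
        raise ValueError(f"not a hex serial: {serial!r}")
    return s.lstrip("0") or "0"


def cert_key(issuer: str, serial: str):
    """Matching identity: (issuer, serial) is unique per CA; casing and spacing must not matter."""
    return (" ".join(issuer.casefold().split()), normalise_serial(serial))


def dedupe(records):
    """Collapse repeat sightings of one certificate; the first sighting's source is kept."""
    unique = {}
    for r in records:
        unique.setdefault(cert_key(r["issuer"], r["serial"]), r)
    return unique


def reconcile(discovered, tracked):
    """Discovered-vs-tracked figures: the inventory multiple and where the overflow comes from."""
    unique = dedupe(discovered)
    tracked_keys = {cert_key(i, s) for i, s in tracked}
    untracked = {k: r for k, r in unique.items() if k not in tracked_keys}
    return {
        "discovered_unique": len(unique),
        "tracked": len(tracked_keys & set(unique)),
        "stale_in_cmdb": len(tracked_keys - set(unique)),
        "untracked": len(untracked),
        "untracked_by_source": dict(Counter(r["source"] for r in untracked.values())),
        "inventory_multiple": len(unique) / max(len(tracked_keys), 1),
    }


def automation_coverage(discovered) -> float:
    """Fraction of unique certificates with no human step on issue and renew (coverage, not adoption)."""
    unique = dedupe(discovered)
    automated = sum(1 for r in unique.values() if r["method"] in AUTOMATED_METHODS)
    return automated / len(unique) if unique else 0.0


def weekly_manual_renewals(total_certs: int, coverage: float, lifetime_days: int) -> float:
    """Manual renewals per week if every non-automated certificate renews once per lifetime."""
    manual = total_certs * (1.0 - coverage)
    return manual * (365.0 / lifetime_days) / 52.0


def renewal_load_table(total_certs: int, coverage: float, lifetimes=(398, 200, 100, 47)):
    """Weekly manual renewal load at each lifetime step (398 is the pre-SC-081v3 maximum)."""
    return {d: round(weekly_manual_renewals(total_certs, coverage, d), 1) for d in lifetimes}


if __name__ == "__main__":
    print(reconcile(DISCOVERED, TRACKED))
    cov = automation_coverage(DISCOVERED)
    print(f"automation coverage: {cov:.1%}")
    print(renewal_load_table(4000, cov))
```

On the constructed data the scan finds 8 unique certificates against 4 CMDB rows (one of them stale), so the multiple is 2x and the overflow comes from exactly the sources Benchmark 4 lists; ACME is "adopted", yet coverage is 62.5%. Scaling that coverage to a 4,000-certificate estate, the manual tail goes from roughly 26 renewals a week at 398-day lifetimes to about 224 a week at 47 days, which is the staffing-to-outage conversion Benchmark 3 describes. The only inputs the KPI needs are the reconciled inventory and an honest issuance-method label per certificate, which is why Benchmark 5 puts the inventory before the KPI.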
Compare your own scorecard
Run the 60-second readiness self-assessment for a first-pass placement, or execute the full 2-sprint PKIMM assessment and score against the tables above. For an evidence-based external assessment with peer benchmarking, contact AxelSpire.
FAQ
What is a good PKI maturity score?
Median enterprises score PKIMM Level 2 under evidence-based assessment. Level 3 — documented standards, centralised inventory, defined ownership — is a realistic 12-month target and sufficient for 200-day certificate operations. Level 4 (automated lifecycle, proactive monitoring) is the working requirement for 47-day lifetimes from March 2029.
Why do self-assessments score higher than audited assessments?
Because belief is scored instead of evidence. The median inflation in AxelSpire's data is one full level, concentrated in automation and monitoring categories, where "the capability exists somewhere" is reported as "the capability is deployed".
How does PKIMM compare to CMMI?
PKIMM is CMMI-inspired — five levels, evidence-driven — but scoped to PKI: 4 modules and 15 categories covering governance, key and certificate management, operations, and resourcing. It is the only vendor-neutral PKI maturity framework published in the last five years.
How often should PKI maturity be reassessed?
Annually as a baseline, and after any material change: CA migration, merger, cloud replatforming, or a validity-period step-down (the next SC-081v3 step, 100 days, arrives March 2027).
Is there public benchmark data for PKI maturity?
Almost none. Survey studies (e.g. Ponemon/Entrust) report self-assessed sentiment, not evidence-based scores, and PKIMM publishes no score distributions. The data on this page — sample caveats stated — is drawn from AxelSpire's assessment engagements.
Dan Cvrcek, AxelSpire. Updated July 2026.