AxelSpire

PKI Maturity Benchmarks 2026: Where Enterprises Actually Score

Most organisations that assess their PKI maturity on the PKI Consortium's PKIMM scale land at Level 2 (Basic) when scores require evidence — despite self-assessing at Level 3. This page publishes AxelSpire's benchmark data from evidence-based PKI assessments conducted 2024–2026, so you can place your own scorecard against real peer distributions rather than vendor marketing.

AxelSpire's position: Benchmark data for PKI maturity barely exists in public. The Ponemon/Entrust studies survey self-reported sentiment; PKIMM publishes the model but no score distributions. What follows is field data — small sample, honestly caveated — which is still more than is otherwise available.

Part of: PKI assessment methodology — the methodology these benchmarks are scored against.

[Figure: bar chart of the PKIMM maturity distribution] Overall PKIMM maturity distribution across AxelSpire evidence-based assessments, 2024–2026. Most enterprises score at Level 2; no assessed organisation reached Level 5. Source: AxelSpire.

How to read this data

Methodology, stated up front because it determines what the numbers mean:

  • Source: AxelSpire's own evidence-based assessments of enterprise and mid-market organisations. Small sample; directional, not statistical.
  • Scoring: evidence-based. A score above 2 in any category required an artefact — a policy document, a dashboard, a runbook, an automation coverage report. Self-reported scores without evidence were reduced.
  • Framework: PKI Consortium PKIMM — 4 modules, 15 categories, levels 1–5. Weighting per AxelSpire's methodology: Operations 35%, Governance 25%, Management 20%, Resources 20%.

This is a different measurement from survey-based studies. Surveys measure what teams believe; evidence-based assessment measures what they can prove. The gap between the two is itself the first benchmark.

Benchmark 1: Self-assessment inflation is ~1 full level

Across assessments, the median gap between an organisation's initial self-assessment and its evidence-based score was one full maturity level, almost always in the same direction: self-assessed Level 3, scored Level 2.

The inflation concentrates in two categories: Automation ("we use ACME" ≠ automation coverage) and Monitoring & auditing (alerting exists; nobody has tested whether it fires before an outage). Where stakeholder scores diverged by more than one level, the lower score matched the evidence in the large majority of cases — the basis for the reconciliation rule in AxelSpire's assessment methodology.
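The scoring rules in the methodology bullets above (evidence required above Level 2, module weights 35/25/20/20) and the stakeholder reconciliation rule from this benchmark, worked through as an added illustration that is not AxelSpire's own tooling. The category-to-module mapping, the mean-per-module aggregation and the sample scorecard are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
# Weights are from the page; mapping categories to modules and averaging
# per module are assumptions of this illustration, not AxelSpire's tooling.
MODULE_WEIGHTS = {"Operations": 0.35, "Governance": 0.25,
                  "Management": 0.20, "Resources": 0.20}
EVIDENCE_CAP = 2  # a level above 2 needs an artefact, otherwise it drops to 2

@dataclass
class Category:
    name: str
    module: str
    stakeholder_scores: list  # self-assessed levels (1-5), one per interviewee
    artefacts: list = field(default_factory=list)  # evidence collected; empty = none

def reconcile(scores):
    """Scores more than one level apart: the lower wins (page rule); else lower median."""
    if max(scores) - min(scores) > 1:
        return min(scores)
    return sorted(scores)[(len(scores) - 1) // 2]

def evidence_gate(level, artefacts):
    """A claim above Level 2 is kept only if an artefact backs it."""
    return level if level <= EVIDENCE_CAP or artefacts else EVIDENCE_CAP

def score_category(cat):
    return evidence_gate(reconcile(cat.stakeholder_scores), cat.artefacts)

def survey_level(cat):
    """What a survey records: mean stakeholder score, no evidence gate."""
    return sum(cat.stakeholder_scores) / len(cat.stakeholder_scores)

def scorecard(categories, level_fn=score_category):
    """Module level = mean of its categories; overall = weighted mean of modules."""
    per_module = {}
    for cat in categories:
        per_module.setdefault(cat.module, []).append(level_fn(cat))
    levels = {m: sum(v) / len(v) for m, v in per_module.items()}
    wsum = sum(MODULE_WEIGHTS[m] for m in levels)  # tolerate a missing module
    return levels, sum(MODULE_WEIGHTS[m] * lvl for m, lvl in levels.items()) / wsum

# Constructed sample (not real assessment data) showing the Benchmark 1 pattern.
SAMPLE = [
    Category("CP/CPS", "Governance", [3, 3], ["cp-cps-v4.pdf"]),
    Category("Policy review cycle", "Governance", [3, 3]),  # no review minutes
    Category("Key management", "Management", [3, 4], ["hsm-ceremony-log"]),
    Category("Crypto-agility", "Management", [3, 3]),  # plan claimed, never written
    Category("Automation", "Operations", [4, 2]),  # "we use ACME"; >1 level apart
    Category("Monitoring & auditing", "Operations", [3, 3]),  # alerting never exercised
    Category("Ownership", "Resources", [3, 3], ["pki-raci.xlsx"]),
    Category("Staffing", "Resources", [3, 3]),  # one person can operate the CA
]
```

On this sample `scorecard(SAMPLE, survey_level)` lands at about 3.05 while `scorecard(SAMPLE)` lands at about 2.33, with Operations the lowest module: the inflation pattern the benchmark describes.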

Benchmark 2: The module profile is consistently lopsided

The same shape appears in nearly every assessment: Governance scores highest, Operations lowest.

PKIMM module | Typical evidence found               | Typical evidence missing
-------------|--------------------------------------|----------------------------------------------------------
Governance   | CP/CPS exists, compliance mappings   | Policy review cycle actually executed
Management   | HSMs for root keys                   | Tested key recovery; crypto-agility plan
Operations   | Expiry spreadsheet or basic alerting | Automation coverage >30%; renewal-storm awareness
Resources    | A PKI "owner" by custom              | More than one person who can operate the CA; budget line

Enterprises overinvest in the module auditors ask about (Governance) and underinvest in the module that causes outages (Operations). Under SC-081v3's compressed lifetimes — 200-day certificates already in effect, 47 days by March 2029 — this inversion is exactly backwards: automation capability, not documentation, is now the primary risk driver. It also explains why Governance-heavy organisations still fail audits on Operations evidence — the recurring findings are catalogued in the PKI audit checklist.

[Figure: radar chart of PKIMM module profiles] Median enterprise PKIMM module profile vs the profile required for 47-day certificate operations. Enterprises overindex on Governance while Operations — the module that prevents outages — lags. Source: AxelSpire.

Benchmark 3: Automation coverage — the number that decides your renewal maths

Automation coverage — the percentage of certificates issued and renewed without human intervention — is the single most predictive category score in the dataset.

Automation coverage band | Practical meaning at 200-day lifetimes              | At 47-day lifetimes
-------------------------|-----------------------------------------------------|--------------------------------------------------
<30%                     | Recurring manual renewal load, absorbed with pain   | Mathematically unsustainable for most team sizes
30–80%                   | Coping; outage risk concentrated in the manual tail | The manual tail becomes the outage generator
>80%                     | Sustainable                                         | Sustainable

The claim worth extracting: below roughly 80% automation coverage, 47-day certificates convert a staffing question into an outage schedule. The renewal arithmetic per estate size is worked through in certificate outage costs and the renewal-storm mechanics in the certificate renewal operating model.

Note the gap against survey data: organisations report far higher automation adoption than evidence shows, because "we have ACME somewhere" is reported as "we automate". Adoption is not coverage.
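The renewal arithmetic behind the coverage bands above, as an added worked example rather than AxelSpire's own calculator. The lifetimes follow the SC-081v3 schedule quoted on this page; the assumption that renewals spread evenly over the year and the per-engineer throughput figure are constructed for the example.

```python
from math import ceil

# Lifetimes (days) from the page's SC-081v3 schedule; the team-capacity figure
# used in the scenario below is a constructed assumption, not AxelSpire's number.
SC081_LIFETIMES = {"2026": 200, "2027": 100, "2029": 47}

def coverage_band(coverage):
    """The page's three automation-coverage bands (coverage as a 0-1 fraction)."""
    if coverage < 0.30:
        return "<30%"
    return "30-80%" if coverage <= 0.80 else ">80%"

def renewals_per_year(estate_size, lifetime_days):
    """Every certificate renews 365/lifetime times a year, spread evenly (assumed)."""
    return estate_size * 365 / lifetime_days

def manual_renewals_per_week(estate_size, coverage, lifetime_days):
    """The manual tail: renewals not covered by automation, per week."""
    return renewals_per_year(estate_size, lifetime_days) * (1 - coverage) / 52

def engineers_needed(estate_size, coverage, lifetime_days, per_engineer_week):
    """Whole engineers needed to absorb the manual tail at a given throughput."""
    return ceil(manual_renewals_per_week(estate_size, coverage, lifetime_days) / per_engineer_week)

def coverage_required(estate_size, lifetime_days, engineers, per_engineer_week):
    """Minimum automation coverage that keeps the manual tail within team capacity."""
    capacity = engineers * per_engineer_week * 52
    return max(0.0, 1 - capacity / renewals_per_year(estate_size, lifetime_days))

def renewal_schedule(estate_size, coverage, engineers, per_engineer_week):
    """Per SC-081v3 step: manual load, staff needed, and the coverage that would fit."""
    return {
        year: {
            "lifetime_days": days,
            "manual_per_week": round(manual_renewals_per_week(estate_size, coverage, days), 1),
            "engineers_needed": engineers_needed(estate_size, coverage, days, per_engineer_week),
            "coverage_to_fit_team": round(coverage_required(estate_size, days, engineers, per_engineer_week), 2),
        }
        for year, days in SC081_LIFETIMES.items()
    }

if __name__ == "__main__":
    # Constructed scenario: 5,000 certificates, 50% coverage (band "30-80%"),
    # two engineers each handling 40 manual renewals a week.
    for year, row in renewal_schedule(5000, 0.5, 2, 40).items():
        print(year, row)
```

In the constructed scenario the same two-person team that copes at 200 days needs about ten people at 47 days, and keeping the team as it is would require roughly 89% coverage, which is the ">80%" band the page calls sustainable.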

Benchmark 4: The inventory gap

In every assessment that included a discovery scan, the discovered certificate count exceeded the tracked count. Typical multiple: 2–3× the CMDB figure. The overflow comes from the same four sources each time: DevOps-issued public certificates, service-mesh auto-issuance, acquired-company infrastructure, and OEM-issued device certificates. This is why the assessment methodology front-loads discovery in Sprint 1 — and why a cross-CA certificate inventory is the prerequisite for trusting any other score on the card.

Benchmark 5: What actually separates Level 2 from Level 3

Level 3 is not a tooling purchase. In the organisations that crossed from 2 to 3 within a year of assessment, the moves were, in order of impact:

  1. A named PKI owner with a RACI — the absence of which is the most common structural failure across all assessments.
  2. A reconciled inventory across all issuance sources — without it, every other improvement is unmeasurable.
  3. Automation coverage as a tracked KPI — not automation projects; a percentage, reported monthly.
  4. Documented, exercised runbooks for the top three certificate incident types.

None of the four requires buying a CLM platform. Two of the four require knowing your estate — which is an intelligence problem, not a lifecycle problem.

Compare your own scorecard

Run the 60-second readiness self-assessment for a first-pass placement, or execute the full 2-sprint PKIMM assessment and score against the tables above. For an evidence-based external assessment with peer benchmarking, contact AxelSpire.

FAQ

What is a good PKI maturity score?
Median enterprises score PKIMM Level 2 under evidence-based assessment. Level 3 — documented standards, centralised inventory, defined ownership — is a realistic 12-month target and sufficient for 200-day certificate operations. Level 4 (automated lifecycle, proactive monitoring) is the working requirement for 47-day lifetimes from March 2029.

Why do self-assessments score higher than audited assessments?
Because belief is scored instead of evidence. The median inflation in AxelSpire's data is one full level, concentrated in automation and monitoring categories, where "the capability exists somewhere" is reported as "the capability is deployed".

How does PKIMM compare to CMMI?
PKIMM is CMMI-inspired — five levels, evidence-driven — but scoped to PKI: 4 modules and 15 categories covering governance, key and certificate management, operations, and resourcing. It is the only vendor-neutral PKI maturity framework published in the last five years.

How often should PKI maturity be reassessed?
Annually as a baseline, and after any material change: CA migration, merger, cloud replatforming, or a validity-period step-down (the next SC-081v3 step, 100 days, arrives March 2027).

Is there public benchmark data for PKI maturity?
Almost none. Survey studies (e.g. Ponemon/Entrust) report self-assessed sentiment, not evidence-based scores, and PKIMM publishes no score distributions. The data on this page — sample caveats stated — is drawn from AxelSpire's assessment engagements.

Dan Cvrcek, AxelSpire. Updated July 2026.