PKI Is Buckling Under the Weight of Machine Identities
- Cyber Jack
- 19 minutes ago
For years, public key infrastructure quietly did its job in the background, issuing certificates, encrypting traffic, and validating identities. Now it is becoming a frontline failure point.
New research from CyberArk suggests that PKI systems are struggling to keep pace with the explosion of machine and workload identities across cloud-native and zero-trust environments. As certificates multiply, organizations are discovering that legacy tools and manual processes are no longer just inefficient. They are actively dangerous.
The findings come from a global study conducted by Ponemon Institute, which surveyed nearly 2,000 IT and security practitioners. The results paint a picture of infrastructure stretched beyond its design limits, where expired certificates trigger outages and weak cryptography opens the door to attackers.
At its core, PKI is meant to establish trust. It issues digital certificates that prove users, machines, and services are who they claim to be. But modern IT environments now generate certificates at a scale that traditional PKI was never built to handle. Containers spin up and down in minutes. APIs authenticate constantly. Machine identities now outnumber human ones by orders of magnitude.
That growth has turned PKI into a hidden cost center. According to the study, organizations manage an average of more than 114,000 internal certificates, yet typically assign only four full-time employees to oversee them. A third of respondents say legacy PKI costs and risks are the biggest obstacle to securing certificates, and nearly two thirds have been forced to outsource PKI management because they lack the expertise in-house.
The operational consequences are already visible. More than half of organizations surveyed reported unplanned outages caused by expired certificates or configuration errors. These are not abstract failures. They translate directly into downtime, broken applications, and disrupted services.
The security fallout is even more concerning. Sixty percent of respondents said their organizations experienced security exploits tied to weak cryptography. Over half reported third-party certificate authority compromises, and more than four in ten experienced server private key theft. Each incident undermines the trust model PKI is supposed to enforce.
“The rapid expansion of machine identities has completely changed the PKI operating model. The complexity of managing an increasing number of certificates is compounded by legacy systems, manual processes and resource constraints,” said Kurt Sand, GM of Machine Identity Security at CyberArk. “As certificate volumes grow and certificate lifespans continue to shrink, the financial and operational impact of unmanaged PKI will escalate rapidly. Now is the time for organizations to automate and modernize their PKI to reduce operational burdens and improve their overall security posture.”
Confidence in PKI appears fragile. Fewer than half of organizations surveyed say they are highly confident their PKI can meet compliance requirements or defend against cyberattacks and insider threats. That lack of confidence matters as regulators and auditors increasingly expect provable, technical controls rather than policy statements.
There is, however, a clear dividing line between organizations that are coping and those that are not. Companies with higher confidence in their PKI are far more likely to have unified visibility into their certificate inventories, rather than scattered tools and spreadsheets. They are also more likely to be experimenting with automation and artificial intelligence to manage certificate lifecycles.
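The two failure modes the study keeps returning to, outages from expired certificates and exploits against weak cryptography, are exactly what a unified certificate inventory is supposed to surface before they bite. The following is an added example, not code from the article, from CyberArk or from the Ponemon study: a small Go audit using only the standard library's crypto/x509 package. It constructs four workload certificates in memory under a throwaway CA (a real inventory would be gathered from PEM files, Kubernetes secrets or live TLS endpoints) and checks each one against a renewal window and a minimum RSA key size. The thresholds (30 days, 2048 bits), the certificate names and the fixed clock are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the inventory: who the certificate is for, how many days of
// validity remain, and every reason it needs attention (empty Issues means healthy).
type Finding struct {
	CommonName   string
	DaysToExpiry int
	Issues       []string
}

// Policy thresholds. These are assumptions chosen for this example, not figures from the study.
const (
	renewWithinDays = 30   // flag anything that expires within a month
	minRSABits      = 2048 // shorter RSA keys are treated as weak cryptography
)

// AuditCert applies the policy to one parsed certificate: validity window first,
// then key strength, then the signature algorithm the issuer used.
func AuditCert(cert *x509.Certificate, now time.Time) Finding {
	f := Finding{CommonName: cert.Subject.CommonName}
	f.DaysToExpiry = int(cert.NotAfter.Sub(now).Hours() / 24)
	switch {
	case now.After(cert.NotAfter):
		f.Issues = append(f.Issues, "expired")
	case now.Before(cert.NotBefore):
		f.Issues = append(f.Issues, "not yet valid")
	case f.DaysToExpiry < renewWithinDays:
		f.Issues = append(f.Issues, "expires within renewal window")
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < minRSABits {
			f.Issues = append(f.Issues, fmt.Sprintf("weak RSA key (%d bits)", pub.N.BitLen()))
		}
	case *ecdsa.PublicKey:
		// P-256 and larger curves are acceptable under this policy.
	default:
		f.Issues = append(f.Issues, fmt.Sprintf("unsupported key type %T", pub))
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		f.Issues = append(f.Issues, "weak signature algorithm "+cert.SignatureAlgorithm.String())
	}
	return f
}

// AuditInventory audits every certificate and counts how many need attention.
func AuditInventory(certs []*x509.Certificate, now time.Time) (findings []Finding, attention int) {
	for _, c := range certs {
		f := AuditCert(c, now)
		if len(f.Issues) > 0 {
			attention++
		}
		findings = append(findings, f)
	}
	return findings, attention
}

// must is fixture scaffolding: key generation failing means the environment is broken.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a leaf certificate for pub under the example CA and parses it back,
// exactly as an inventory tool would parse DER it collected from the estate.
func issue(serial int64, cn string, pub any, ca *x509.Certificate, caKey *ecdsa.PrivateKey, notBefore, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey))
	return must(x509.ParseCertificate(der))
}

// BuildSampleInventory constructs four workload certificates (constructed fixtures, not real
// data): one healthy, one expired, one short-lived and inside the renewal window, and one on
// a 1024-bit RSA key. The clock is fixed so the result is deterministic.
func BuildSampleInventory() ([]*x509.Certificate, time.Time) {
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-internal-ca"},
		NotBefore: now.Add(-365 * day), NotAfter: now.Add(10 * 365 * day),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	ecKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rsaKey := must(rsa.GenerateKey(rand.Reader, 1024)) // deliberately weak for the example
	specs := []struct {
		cn       string
		pub      any
		notAfter time.Time
	}{
		{"api.internal", &ecKey.PublicKey, now.Add(365 * day)},
		{"expired-batch-job", &ecKey.PublicKey, now.Add(-1 * day)},
		{"short-lived-sidecar", &ecKey.PublicKey, now.Add(10 * day)},
		{"legacy-rsa-service", &rsaKey.PublicKey, now.Add(365 * day)},
	}
	var certs []*x509.Certificate
	for i, s := range specs {
		certs = append(certs, issue(int64(i+2), s.cn, s.pub, ca, caKey, now.Add(-30*day), s.notAfter))
	}
	return certs, now
}

func main() {
	certs, now := BuildSampleInventory()
	findings, attention := AuditInventory(certs, now)
	fmt.Printf("%d of %d certificates need attention\n", attention, len(findings))
	for _, f := range findings {
		fmt.Printf("%-22s %5d days  %v\n", f.CommonName, f.DaysToExpiry, f.Issues)
	}
}
```

Run as-is, it reports that three of the four certificates need attention. The point of the structure is that the audit is data-driven: AuditCert takes a parsed certificate and a clock, so the same function can sit behind a scheduled job that walks every namespace and endpoint, and the renewal window can be shortened as certificate lifetimes shrink without touching the collection code.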
What emerges from the data is a familiar technology story. Infrastructure that once worked quietly in the background has become a bottleneck because the environment around it changed faster than the tools themselves. PKI is no longer a niche concern for certificate specialists. It is now a core dependency for cloud platforms, zero-trust architectures, and machine-driven systems.
As machine identities continue to multiply and certificate lifespans shrink, the margin for error disappears. In that world, manual PKI is not just outdated. It is a liability waiting to expire.