For years, PKI was treated as critical infrastructure that operated almost silently behind the scenes. Security teams deployed certificates, renewed them on schedule, and moved on.
Now, every cloud service, machine identity, software release, connected device, and AI workload depends on trusted digital identities. As organizations expand their digital footprint, PKI has become operational infrastructure.
Many organizations, however, are still managing PKI with processes designed for a much smaller environment.
New research from DigiCert and Omdia highlights the disconnect. Organizations recognize the need to modernize. Yet many still lack the visibility, automation, and governance required to manage growing certificate inventories, adapt to shorter certificate lifecycles, and prepare for post-quantum cryptography (PQC).
Our research found that only 34% of organizations have complete visibility into the certificates deployed across their environment. Without that visibility, even routine certificate management becomes more difficult. Unknown certificates have no clear owner, fall outside established processes, and often remain undiscovered until they expire.
This is something we learned firsthand. When DigiCert began modernizing our own PKI environment, we estimated we managed about 7,000 certificates. Discovery revealed that we had more than 18,000.
The number was surprising, but it wasn't the most important lesson. Before we could automate certificate management, strengthen governance, or prepare for future cryptographic changes, we first needed an accurate inventory of our certificate estate. Discovery became the foundation for every decision that followed.
The effort also delivered measurable results. Automation and standardized lifecycle management saved approximately 1,500 hours each year while generating a 50% return on investment during the first year. More importantly, engineering teams spent less time managing certificates and more time delivering business value.
The role of PKI has expanded well beyond traditional security infrastructure. Certificates support cloud platforms, Kubernetes clusters, APIs, software supply chains, DevOps pipelines, SaaS applications, and machine identities. Every new service introduces another identity that must be issued, renewed, monitored, and governed throughout its lifecycle.
That growth changes how organizations need to think about PKI.
Our research identified infrastructure complexity and cross-functional coordination as leading barriers to modernization. That makes sense. PKI no longer belongs to a single security team. Platform engineering, networking, application owners, DevOps, and security all share responsibility for maintaining trust across the organization.
The organizations making the most progress aren't adding more manual processes. They're standardizing certificate management, establishing clear ownership, and embedding automation into day-to-day operations.
That's what operational maturity looks like.
Most conversations about the future of PKI focus on PQC. The industry is also preparing for shorter certificate lifecycles, expanding machine identity programs, and new operational demands created by AI.
Those priorities all depend on the same foundation. Organizations can't migrate to quantum-safe algorithms without knowing where certificates are deployed. They can't manage shorter certificate lifecycles with manual renewal processes. And they can't scale machine identities without consistent governance and automation.
The organizations best prepared for future cryptographic change won't necessarily be the first to deploy PQC. They'll be the ones that have already built the operational discipline to adapt as requirements evolve.
Modernizing PKI doesn't require solving every problem at once. Organizations that make steady progress tend to focus on the same foundational capabilities first.
I've seen firsthand how quickly certificate inventories can outgrow expectations and how difficult modernization becomes without visibility and automation. The research shows many organizations are at that same inflection point. Building the right operational foundation today will make every future transition—from shorter certificate lifecycles to PQC—more manageable.
To explore the findings in more detail, watch the on-demand webinar, PKI Under Pressure, where Omdia Principal Analyst Adam Strange and I discuss the research and share practical approaches to modernizing PKI.