
For years, businesses have treated public key infrastructure (PKI) as background plumbing, quietly securing access across enterprise systems and devices, and rarely drawing executive attention unless something failed.
New research from the Ponemon Institute suggests that those assumptions no longer hold.
According to the global study, “Trends in PKI Security: A Global Study of Trends, Challenges & Business Impact,” organizations now manage an average of more than 114,000 internal certificates, yet most dedicate only four full-time staff members to running that infrastructure. At the same time, public certificate lifecycles are shrinking, cryptographic standards are evolving, and trust expectations are rising.
The result is an increasingly costly mismatch between operational reality and executive awareness. Part of that gap stems from how broad and operationally complex PKI has become. In the Ponemon study, “PKI” refers to the internally issued certificates and private certificate authorities that secure enterprise applications, workloads, devices, and machine-to-machine communications across on-prem, cloud, and hybrid environments—where most certificate volume, operational effort, and risk now reside.
The PKI costs leaders don’t see until it’s too late
When security leaders talk about PKI costs, it’s often narrowly framed as infrastructure spend: certificate authority software, hardware security modules, and maintenance contracts. But the new Ponemon data highlights a deeper, more persistent drain.
More than one-third of organizations cite legacy PKI costs and risk as the top barrier to securing certificates, yet over half still rely on manual or ad-hoc tools to assess PKI health. Teams are stretched thin, expertise is scarce, and operational effort continues to increase along with certificate volumes. It’s not surprising, then, that 63% of organizations are turning to managed service providers simply to keep up.
This is where the hidden costs of PKI emerge. Manual operations consume high-value security talent and shift spending from strategic initiatives to constant maintenance—not to mention forcing reactive fire drills. But the costs extend beyond the financial, also manifesting in the form of delayed projects, brittle processes, and increasing dependence on external help.

How operational gaps turn into security risks
Many executives still assume most PKI problems manifest as outages, but that belief underestimates the risk.
The Ponemon research shows how organizations are being impacted:
- 60% experienced cryptographic exploits tied to weak or poorly managed keys.
- 58% suffered a third-party certificate authority compromise.
- 43% reported server private-key theft.
These are not minor operational issues but rather direct attack paths that enable security incidents like impersonation, interception, and unauthorized access.
Meanwhile, organizational confidence remains low. Fewer than half of respondents believe their PKI is effective at defending against attacks or meeting compliance requirements, with visibility gaps playing a central role. Only 47% say they have practical insight into the number of certificates they have or where they’re deployed. Without that visibility, misconfigurations persist, weak cryptography goes undetected, and incident response times lengthen.
The implications are clear: for many organizations, PKI functions as a security control in name only, and its failure modes resemble identity compromises more than routine IT errors.
Why certificate outages are a legacy PKI symptom, not the disease
Certificate-related outages remain widespread. Fifty-six percent of organizations reported unplanned downtime due to expired or misconfigured certificates, which are still often managed through manual tracking and renewal processes. But outages are best understood as a lagging indicator.
Behind each outage is a system struggling under fragmented ownership, inconsistent policy enforcement, and tooling that was never designed for today’s scale. As certificate lifetimes shorten and renewal frequency increases, these weaknesses compound. What once caused occasional disruption now threatens sustained reliability.
The research reveals another important signal here. Half of respondents believe that automation and AI would materially reduce outage risk, yet adoption remains uneven. Many organizations recognize the problem, but legacy models and sunk costs slow progress.
How PKI modernization has become a security requirement
The industry often frames PKI modernization as a response to future changes like post-quantum cryptography (PQC), new regulatory requirements, or emerging architectures. However, the data from Ponemon suggests modernization is long overdue.
Fifty percent of organizations in the study say the new 47-day TLS validity rule is accelerating PKI modernization efforts, forcing leaders to confront operational realities sooner than planned. Others point to crypto-agility, unified visibility, and audit readiness as top priorities.
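To make the arithmetic behind shorter lifetimes concrete, here is an added illustration (not code from the Ponemon study or from CyberArk): a small Python model of a certificate inventory that flags expired and renew-now certificates and computes how many re-issuances per year a given validity period implies once the renewal process's own lead time is subtracted. The inventory records and the lead times are constructed sample values, not parsed X.509 certificates.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertRecord:
    """One inventory entry (constructed sample data, not a parsed X.509 certificate)."""
    subject: str
    not_before: date
    not_after: date
    renewal_lead_days: int  # days the current renewal process needs, end to end


def validity_days(cert: CertRecord) -> int:
    return (cert.not_after - cert.not_before).days


def renewals_per_year(validity: int, lead_days: int) -> float:
    """Re-issuances per year if renewal must start `lead_days` before expiry."""
    cycle = validity - lead_days
    return float("inf") if cycle <= 0 else 365 / cycle


def assess(cert: CertRecord, today: date) -> tuple[str, float]:
    """Classify one certificate and report the renewal cadence its lifetime implies."""
    validity = validity_days(cert)
    days_left = (cert.not_after - today).days
    if days_left < 0:
        status = "expired"
    elif cert.renewal_lead_days >= validity:
        status = "unrenewable"  # the process is slower than the certificate's lifetime
    elif days_left <= cert.renewal_lead_days:
        status = "renew-now"
    else:
        status = "ok"
    return status, renewals_per_year(validity, cert.renewal_lead_days)


def inventory_report(inventory: list[CertRecord], today: date) -> dict[str, int]:
    """Count certificates per status, the minimal visibility view the article calls for."""
    return dict(Counter(assess(c, today)[0] for c in inventory))


# Constructed inventory: a 398-day public cert and 47-day certs with a 14-day manual process.
SAMPLE_INVENTORY = [
    CertRecord("app.example.internal", date(2025, 1, 1), date(2026, 2, 3), 14),   # 398 days
    CertRecord("api.example.internal", date(2025, 1, 1), date(2025, 2, 17), 14),  # 47 days
    CertRecord("old.example.internal", date(2024, 11, 1), date(2025, 1, 5), 14),  # lapsed
]

if __name__ == "__main__":
    for cert in SAMPLE_INVENTORY:
        print(cert.subject, *assess(cert, date(2025, 1, 10)))
    print(inventory_report(SAMPLE_INVENTORY, date(2025, 1, 10)))
```

With a 14-day manual lead time, the 398-day certificate needs roughly one renewal per year, while the 47-day certificate needs about eleven, which is the compounding the survey respondents describe.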
But not everyone is confronting PKI modernization in the same way. The research shows that high-performing organizations treat PKI as a core machine identity security control, using automation, unified visibility, and disciplined governance to achieve fewer outages, stronger compliance confidence, and greater resilience. In fact, 33% of organizations report moving toward PKI delivered as a service as an early step to reduce complexity and operational burden.
Making PKI a C-suite priority
While the study reveals many significant findings, the most important takeaway is the shift in what PKI represents for the modern enterprise.
PKI is no longer background infrastructure; it has become a foundational security service that underpins every digital interaction. A scalable, resilient, and secure PKI is a foundational tenet of machine identity security. When PKI is under-resourced, manually operated, or poorly governed, the consequences ripple outward, resulting in higher costs, increased risk, and reduced confidence at the board level.
And the longer these hidden costs of legacy PKI remain in the shadows, the more organizations will find themselves lacking the agility, resilience, and trust they need to keep pace with today’s business demands.
As enterprises prepare for shorter certificate lifecycles, evolving cryptographic standards, and increased regulatory scrutiny, we’re likely to see enterprise PKI approaches continue to evolve. And the true leaders of tomorrow will recognize PKI’s business impact before the next outage, audit failure, or security incident forces them to act.
Kevin Bocek is senior vice president of innovation at CyberArk.