ProofID blog

Slow Down to Speed Up AI Adoption | ProofID

Tom Eggleston — Wed, 20 May 2026 11:27:34 GMT

Building the identity foundations needed for secure AI adoption

By Tom Eggleston, CEO at ProofID

We're currently in the midst of an AI arms race. In boardrooms across the globe, the conversation has decisively shifted from Generative AI, chatbots that passively provide information, to Agentic AI. These are autonomous software entities that can reason, plan, and execute complex workflows without human intervention. The excitement is entirely justified, as the potential ROI from automating intricate business processes is massive.

However, as identity security professionals, we must temper this excitement with a dose of operational reality. In the rush to deploy these new digital workers and gain a competitive edge, fundamental security principles are being bypassed.

Recent data shows that 80% of organisations report their AI agents have already performed unauthorised or unintended actions.

If you want to truly win in the agent economy, your organisation must adopt a counterintuitive strategy: you must slow down to speed up. Rushing to deploy autonomous agents on top of legacy security architectures creates an unmanageable risk surface. To scale securely and beat the competition, we must transition from a reactive approach to building a strategic, identity-first foundation.

Why We Need a New Paradigm for Managing Agentic AI

The industry is currently underestimating the risk of Agentic AI because we are applying old mental models to a fundamentally new problem. Traditionally, Identity and Access Management (IAM) secured two things: human employees bound by HR policies and biological speed limits, and basic automated scripts bound by predictable, linear decision trees. Agentic AI breaks this model entirely.

AI agents are non-deterministic; they adapt their behaviour in real-time to achieve a goal, meaning we cannot be certain exactly what path they will take. Furthermore, they operate at incredible velocity, capable of executing over 1,000,000 decisions per hour.

Traditional IAM protocols like OAuth 2.1 and SAML were built for human-speed interactions and rely on broad, static scopes that persist for a session's duration. When we try to force AI agents into these legacy frameworks, we create critical vulnerabilities:

The Audit Black Hole: Because legacy systems often force agents to share human credentials or "impersonate" users, we lose the chain of custody. If a database is maliciously altered, the logs show the human did it, not the agent acting on their behalf.
The Recursive Delegation Problem: Complex enterprise tasks are rarely solved by a single agent. Agents frequently spawn sub-agents to complete tasks, creating complex authorization chains where authority is passed along without clear traceability or scope attenuation.
Overprivileged Access: Issuing coarse, long-lived access tokens to an autonomous system that actively explores its environment is an open invitation for catastrophic abuse and data exfiltration.

ProofID’s 5 Pillar Model of Agentic AI Security

To secure this new workforce, we must stop treating AI agents like simple service accounts. We need a paradigm shift where AI agents are treated as first-class identities that are managed and governed with the same rigor as human employees operating in high-risk environments.

At ProofID, we guide our customers through this transition using a foundational five-pillar architecture:

Discover: You cannot secure what you cannot see. Organizations must implement automated discovery tools to continuously scan cloud environments and find "Shadow AI" agents that have been spun up by developers without central oversight.
Govern: We must establish a "Digital HR" process for software. Every agent must be assigned a unique, verifiable identity and a clear human owner who is accountable for its actions. This includes strict Joiner/Mover/Leaver (JML) lifecycle management to immediately decommission agents when they are no longer needed, preventing dormant "zombie agents".
Enforce: Agents need to interact with external tools and other agents securely. Relying on a patchwork of bespoke API connections creates an unmanageable web of risk. Organizations must adopt standardized protocols like the Model Context Protocol (MCP) and route traffic through centralized gateways to enforce policy on every interaction.
Trust: We must move away from static Role-Based Access Control (RBAC) to dynamic Policy-Based Access Control (PBAC). Agents must be granted Just-in-Time (JIT) access with tightly scoped permissions evaluated in real-time, based on the specific context of the task.
Observe: To balance autonomy with safety, we must establish behavioral baselines to spot anomalous actions instantly. For high-risk, high-impact transactions, the system must enforce Human-in-the-Loop (HITL) approvals, pausing the agent until explicit consent is granted.

Bringing the Architecture to Life with Ping Identity

As a long-term identity security partner, ProofID knows that theoretical frameworks must be backed by robust, enterprise-grade technology. Using examples from our partner Ping Identity, we explore how organisations can begin implementing the identity foundations needed to support Agentic AI securely at scale.

Pillar 1 (Discover): You cannot govern what you cannot identify. To uncover "Shadow AI" and bring agents into the light, PingProtect goes beyond basic "good bot versus bad bot" logic. It continuously evaluates identity, intent, and behavior to detect, discover, and classify AI agents interacting with your systems in real-time.
Pillar 2 (Govern): To establish our "Digital HR" department, we utilise PingDirectory and Advanced Identity Cloud (AIC) to provide a centralized repository for your digital workforce. These tools manage the full JML lifecycle for AI agents—onboarding them with unique credentials, assigning clear roles, organizing them centrally, and securely offboarding them when their tasks are complete.
Pillar 3 (Enforce): To protect how agents speak to your enterprise tools, PingGateway acts as a centralized Model Context Protocol (MCP) Gateway. It introduces a vital security layer that intercepts agent requests, enforces token validation, and proxy connections securely before any call reaches downstream enterprise APIs or data repositories
Pillar 4 (Trust): This is where the paradigm truly shifts. Ping Identity is pioneering the concept of Runtime Identity. Traditional IAM assumes the login is the security boundary. Ping’s Agent IAM Core and PingAuthorize shift that boundary to the moment of action. As your Runtime Identity provider, Ping authorizes transactions as they happen. It evaluates context dynamically and issues narrowly scoped, delegated authority in real-time, ensuring agents only ever have the exact privileges needed for the immediate task.
Pillar 5 (Observe): To balance autonomy with safety, Ping provides continuous behavioral monitoring to instantly detect and block rogue activity. For high-impact actions, it leverages Client-Initiated Backchannel Authentication (CIBA) to trigger a real-time push notification to a human owner’s device. This effortlessly enforces a Human-in-the-Loop (HITL) approval checkpoint before a sensitive action can execute.

Conclusion: Securing the Competitive Edge

Currently, 75% of technology leaders cite governance and security as their top barrier to deploying Agentic AI. The urge to quickly deploy autonomous agents is understandable, but trying to stretch legacy IAM solutions to fit non-deterministic AI will only lead to operational chaos, data breaches, and severe regulatory penalties.

The organizations that ultimately win the AI race won't be the ones that deploy agents the fastest; they will be the ones that retool their identity architecture to deploy digital workers safely and at scale.

By slowing down today to implement a robust, Runtime Identity control plane, you empower your business to confidently scale agentic operations tomorrow.

At ProofID, we are ready to be your partner in building that secure foundation. Let’s map your identity roadmap together and turn Agentic AI from an unmanaged risk into your greatest competitive advantage. Find out more about our vendor-agnostic Agentic AI advisory service:

Fraud in the Age of AI: Fireside Chat

ProofID — Fri, 08 May 2026 10:47:59 GMT

Governing Machine Identity in Higher Education | ProofID

Tom Eggleston — Fri, 20 Mar 2026 12:54:30 GMT

Reflections from the UCISA Leadership Conference

By Tom Eggleston, CEO at ProofID

At this year’s UCISA Leadership Conference, we hosted a breakfast briefing exploring a topic that is quickly becoming one of the most important issues facing university IT leaders:

Machine identity governance.

The session — “From Certificates to AI Agents: Governing Machine Identity in Higher Education” — brought together industry experts ProofID’s Patrick Maginn and Tommy Roberts from CyberArk to discuss how the identity landscape inside universities is changing.

Two drivers are accelerating that change.

First, the dramatic reduction in TLS certificate lifespans to 47 days.
Second, the emergence of AI agents acting autonomously within digital environments.

Individually these shifts are significant. Together, they represent a fundamental change in how universities must approach identity security.

Higher Education Already Runs on Identity

Universities have always been complex identity environments.

Students, academics, researchers, alumni and partners all require secure access to digital services. On top of that sits federated access, cloud platforms, research infrastructure and countless internal applications.

But increasingly, the identities accessing these systems are not human.

Machine identities now include:

TLS certificates
APIs and services
Automation scripts and workloads
Containers and cloud infrastructure
Research platforms
and increasingly, AI agents

Across large organisations, machine identities can outnumber human identities by as much as 80 to 1.

Many of these identities have grown organically over time. In numerous institutions, they exist without full visibility, governance or lifecycle control.

That creates risk today — and the scale of the challenge is about to increase.

Why the 47-Day Certificate Lifecycle Matters

One of the biggest catalysts discussed during our UCISA session was the move toward much shorter TLS certificate lifespans.

Over time, certificates will have a maximum validity of 47 days. On the surface this sounds like a technical adjustment, but the operational implications are substantial.

Universities that once renewed certificates annually will soon face continuous renewal cycles.

If those processes remain manual, the workload quickly becomes unsustainable. More importantly, expired certificates remain one of the most common causes of service disruption.

During the session, Patrick Maginn shared an insight from our work across customer environments:

"Around 50% of P1 and P2 outage we've investigated over the past two years have been linked to certificate mismanagement."

"Roughly one third of all support tickets raised relate to certificate issues. "

Tommy Roberts reinforced how widespread this issue is across the industry. Drawing on support data from Palo Alto Networks environments, he highlighted that:

Our audience confirmed that they had all experienced outages in their institutions.

"Taken together, these statistics illustrate just how often certificates sit at the heart of operational disruption."

For universities, certificate-related outages can affect critical systems including:

student portals
enrollment and clearing systems
research infrastructure
authentication platforms

When these services go offline unexpectedly, the consequences extend beyond IT operations to the wider student and academic experience.

This is why the certificate lifespan change should not simply be viewed as a compliance issue.

It should be seen as a catalyst to modernise machine identity governance.

The Hidden Scale of Machine Identity

One of the most revealing questions during the discussion was simple:

What happens when a university truly looks for all its machine identities?

The answer is often surprising. Across complex digital estates we regularly see:

thousands of TLS certificates
thousands more secrets and credentials
service accounts embedded across applications
APIs connecting internal and external systems
automated research workloads running in the cloud

Without visibility and governance, these identities are difficult to track, rotate, monitor or secure.

And the number of identities will continue to grow as institutions adopt automation and AI-driven services.

The first challenge many universities face is not security tooling — it's visibility.

"When we asked the audience, none could confidently confirm how many machine identities existed across their institutions."

If you don’t know an identity exists, you cannot secure it.

Turning a Compliance Problem into a Strategic Opportunity

Rather than viewing the certificate change as an operational burden, universities have an opportunity to use it as a trigger for broader identity modernisation.

During our discussion we talked about a practical progression that institutions can follow:

Discover
Identify every certificate and machine identity across the estate.

Govern
Establish clear ownership, policies and lifecycle controls.

Automate
Implement automated certificate management and renewal processes.

Automation is essential in a world of 47-day certificates. But the real value comes when automation is supported by governance and visibility.

That is how organisations move from reactive certificate management toward structured machine identity security.

AI Agents Are the Next Wave of Machine Identity

While certificate management is an immediate operational challenge, the longer-term transformation is the rise of AI agents.

Audience insight: Nearly half of the institutions in the room are already piloting or actively rolling out Agentic AI.

Universities are already experimenting with AI across areas such as:

student services
administrative workflows
research automation
academic productivity tools

The next evolution is AI agents capable of performing tasks autonomously.

In many ways, these systems behave like digital employees.

They request access to systems. They execute workflows. They interact with applications and data.

And that raises a fundamental governance question:

Who manages the identity of the AI agent?

Without proper identity controls, AI agents can introduce new security risks, including unmanaged privileges, uncontrolled system access and a lack of accountability for automated actions.

That is why identity governance must evolve alongside AI adoption.

The Identity Foundations Universities Need Before AI Scales

During the UCISA session, we discussed what universities should prioritise as they begin planning for AI agents over the next few years.

The five-pillar model for Agentic AI should be seen as a natural evolution of the machine identity model — Discover → Govern → Automate — with the key point being that the first two steps remain fundamental:

Building on that foundation, a useful framework for AI is:

These pillars provide the structure needed to manage machine identities and AI agents securely at scale.

Key capabilities include:

automated certificate management
secrets management
privileged access controls for machines and workloads
identity lifecycle governance
monitoring and behavioural visibility
MCP gateway architecture for AI integration control and observability

The institutions that ultimately succeed with AI will not necessarily be those that move fastest.

They will be those that build the right identity foundations first. Sometimes the most effective strategy is to slow down to scale securely later.

Where Universities Can Start

For many institutions, the most practical first step is gaining visibility into their certificate landscape.

To support universities beginning this journey, we are offering a complimentary certificate discovery assessment.

This assessment helps institutions:

discover TLS certificates across their environment
identify potential expiry risks
understand opportunities for automation

Alongside this, universities beginning to explore AI adoption can also benefit from structured identity planning.

We are currently offering a limited number of Agentic AI Advisory sessions designed specifically for higher education environments. .

These working sessions help institutions:

map their machine identity landscape
assess readiness for certificate automation
identify AI agent identity risks
develop a practical governance roadmap

The Bigger Picture

Universities operate some of the most complex digital environments anywhere.

For years, identity governance focused primarily on people. But the balance is shifting rapidly.

Machine identities — and increasingly AI agents — are becoming the dominant identity type within modern university environments. The institutions that succeed will be those that recognise this shift early and build the governance frameworks required to manage it.

Because in an AI-enabled campus, identity will be the foundation of trust.

And that makes machine identity governance one of the most strategic capabilities universities can invest in today.

From Scripts to Digital Employees: Your Identity Strategy Must Evolve | ProofID

Tom Eggleston — Fri, 13 Mar 2026 13:58:00 GMT

Almost every leadership conversation about technology today eventually turns to AI. Increasingly, the focus is on Agentic AI — systems capable of acting autonomously to complete tasks, collaborate with other systems, and make decisions on behalf of humans.

The promise is exciting. AI agents could dramatically improve productivity, streamline operations, and unlock entirely new business capabilities. But from an identity security perspective, one thought keeps coming back to me:

We're focusing heavily on what AI agents can do — and not nearly enough on how we will govern them safely.

The security implications of Agentic AI are still being underestimated. In the rush to explore the possibilities, many organisations are overlooking the fundamental controls required to deploy these technologies responsibly.

And if AI agents become as pervasive as many predict over the next three to five years, the organisations that succeed will not simply be the ones that adopt them first.

They will be the ones that deploy them safely and securely at scale.

The Identity Challenge Behind Agentic AI

Traditional identity security models were designed for a relatively predictable world.

Human users operate within defined roles and policies. Automation systems follow deterministic scripts and workflows.

In both cases, we generally know what actions will occur and under what circumstances. Agentic AI changes that assumption completely.

AI agents are non-deterministic, and goal driven. They reason, adapt, and decide dynamically how to accomplish objectives. Two agents given the same task may take entirely different approaches. At the same time, they operate at a speed and scale that far exceeds human capabilities.

An autonomous agent might execute hundreds or even thousands of actions across systems and APIs within minutes. In some cases, multi-agent systems may collaborate to break a complex request into subtasks executed simultaneously.

The result is a fundamental shift in the security model. We are moving from a world of securing access to a world of governing autonomous decision-making. Most existing identity frameworks were never designed for that.

The Rise of the Digital Employee

To understand the scale of the shift, it helps to look at how AI agents are evolving.

The first generation of agents were interactive assistants. These systems responded to prompts and performed narrow tasks such as answering HR questions or retrieving information from knowledge bases. They provided support, but they rarely executed actions.

The next stage — already emerging in many organisations — is autonomous agents.

These systems can complete complex tasks by coordinating multiple actions across different applications. Often, they operate as part of multi-agent systems, where specialised agents collaborate to complete a workflow.

For example, a travel booking agent might research flights, compare prices, check calendars, and complete bookings across several systems without human intervention.

The next stage goes even further.

AI agents will increasingly act as digital employees — autonomous systems embedded within teams that collaborate with humans and other agents to deliver outcomes.

These digital workers will:

learn from context
adapt their behaviour over time
orchestrate workflows across systems
create tools dynamically to solve problems

This may sound like science fiction, but the pace of change in AI suggests this future is much closer than many organisations expect.

Why Traditional Identity Models Break Down

Most Identity and Access Management (IAM) systems were designed with human behaviour in mind.

Users authenticate, access applications, and perform actions within defined roles and permissions. Risk is mitigated through governance processes, approval workflows, and audit logging.

This model works because human activity occurs at a manageable pace and is relatively predictable.

Machine identities used in automation have also generally followed deterministic rules — executing scripts that perform predefined actions.

Agentic AI breaks both assumptions.

AI agents operate autonomously, adapt their behaviour, and interact with systems dynamically. They may execute large numbers of API calls in rapid succession as they pursue a goal.

Traditional IAM controls often rely on coarse-grained permissions, granting broad access for the duration of a session. That model quickly becomes risky when applied to autonomous agents.

Auditing also becomes significantly more complex. Without clear identity boundaries, organisations risk creating an audit blind spot, where agent activity is indistinguishable from human activity.

In such scenarios, answering basic questions — such as who performed an action and why — becomes extremely difficult.

In high-risk environments such as financial services or healthcare, that lack of visibility can create serious operational and regulatory challenges.

Treating AI Agents as First-Class Identities

The key shift organisations must make is conceptual.

AI agents should not be treated simply as machine identities in the traditional sense. Instead, they should be viewed as first-class identities — governed with the same level of rigour applied to human users in sensitive environments.

This new approach requires several foundational capabilities.

First, organisations need visibility. They must be able to discover every AI agent operating within their environment, including unofficial or experimental deployments.

Second, AI agents must have clear governance structures. Each agent should have a unique identity, a defined purpose, and a human owner who is accountable for its behaviour.

Third, organisations need secure and standardised communication frameworks to manage how agents interact with systems and APIs.

Fourth, authorisation decisions must become context-aware and dynamic, evaluating each action an agent attempts rather than relying solely on static permissions.

Finally, organisations require comprehensive observability — the ability to monitor agent behaviour at scale, detect anomalies, and intervene when necessary.

Together, these capabilities form the foundation for secure Agentic AI adoption.

Preparing for the Next Phase of AI

The rapid evolution of AI presents organisations with an extraordinary opportunity. AI agents have the potential to transform productivity, automate complex processes, and create entirely new business capabilities. But as with every major technology shift, success will depend on the foundation’s organisations put in place today.

The enterprises that succeed with Agentic AI will not simply be those that experiment the fastest. They will be the ones that build the identity governance model required to deploy autonomous systems safely and confidently at scale.

In other words, before organisations can safely deploy digital employees, they must first establish the identity architecture capable of governing them.

Preparing Your Organisation for Agentic AI

At ProofID, we are helping organisations develop the identity strategies required to support the next generation of AI.

Our Agentic AI Advisory service helps enterprise leaders assess their readiness, identify governance gaps, and design the identity architecture required to support secure AI agent deployment.

If your organisation is exploring Agentic AI, now is the time to ensure your identity strategy evolves alongside it.

Learn more about our advisory service here:

The True Cost of TLS Certificate Management | ProofID

Patrick Maginn — Thu, 05 Mar 2026 14:36:24 GMT

There’s no debate about the importance of TLS certificates. They sit at the heart of security across websites, cloud platforms, APIs and internal services as standard. But as certificate lifecycles begin to shorten from March 2026, what used to be an annual administrative task is becoming significantly more demanding.

For a long time, renewals were handled in the background as part of routine security operations, often manually and tracked on spreadsheets. That is not going to be sustainable moving forwards. As renewal cycles accelerate, organisations are having to look more closely at how much work is needed and whether their current approach can realistically keep up.

In recent discussions with enterprise security leaders, I’ve been working through what that shift really means in operational terms. When you translate lifecycle reductions into renewal volumes, hours and headcount, the scale becomes clear very quickly.

Shorter certificate lifecycles and expanding machine identities

The CA/Browser Forum has confirmed a phased reduction in the maximum validity period for publicly trusted TLS certificates that starts now. The limit falls to 200 days from March 2026, to 100 days in March 2027 and to 47 days by March 2029. Once the 47-day cap is in place, organisations will need to renew certificates a minimum of eight times per year compared to the previous annual cycle.

At the same time, machine identities are expanding rapidly and many of these also rely on certificates. CyberArk reports that machine identities currently outnumber human identities 82:1. This means organisations are not only renewing certificates more often, but they’re also managing more of them in the first place – across both public facing and private environments .

Putting real numbers against lifecyle renewals

Let’s put some realistic numbers against this.

I f an organisation manages 2,000 publicly trusted TLS certificates, under the old 398 day lifecycle that means around 2,000 renewals per year. As validity periods reduce, that picture changes quickly.

At a 200 day maximum validity which comes into effect March 2026, each certificate needs renewing roughly 1.8 times per year. That’s almost double the workload, and 2,000 certificates becomes 3,600 renewals annually.

At 100 days which comes into effect in March 2027, renewal frequency rises to 3.6 times per year. That’s roughly 7,200 renewals annually. By the 47-mandate in 2029, each certificate must be renewed 7.7 times per year. 2,000 certificates becomes in the region of 15,500 renewals every year.

These figures don’t account for any wiggle room for renewing prior to expiry so I think are realistically on the low side.

Now let’s apply a conservative time estimate. If each renewal takes four hours to validate, create a new private key, CSR creation, request, deploy and test, and a full time engineer works 1,800 hours per year, the operational effort looks like this:

When renewal activity reaches this scale, it stops being absorbed into existing teams and becomes a defined operational cost. For many organisations, this cost runs into seven figures once headcount is factored in.

Operational and reputational exposure

According to research by CyberArk, 72% of organisations have experienced a certificate-related outage in the last year. We’ve seen that as many as 50% of P1 and P2 outages can be traced back to mismanaged or expired certificates. With numbers like that, certificate management starts to become a matter of operational resilience.

These outages come with direct financial consequences. When a revenue-generating service goes down, transactions stop. Orders are abandoned and marketing spend continues while conversion drops. Engineering teams are pulled into urgent remediation outside of their planned work. The cost is not only the revenue lost during the incident, but the operational disruption that follows.

Browser warnings introduce a different kind of cost. When customers see a “site not secure” message, it immediately challenges confidence. In sectors where digital trust underpins the brand, a public security warning is hard to shrug off. Even after the issue is fixed, doubt can linger, damaging reputation for the long run.

As renewal cycles shorten and certificate volumes rise, the likelihood of oversight increases unless processes evolve. The underlying issue in many of these incidents is simply a lack of visibility into what’s live and when it expires. The impact of just one missed renewal can cost far more than a year of proactive management and automation.

The case for automation

Automation is often treated as an additional budget line. In practice, it functions as a cost control mechanism.

With automated policy-driven renewals and continuous discovery, certificates are identified, renewed and monitored as part of a defined operating model rather than a recurring administrative task. Visibility improves, and with it, confidence that certificates are governed consistently.

The impact goes beyond hours saved. Reducing manual touchpoints also lowers the likelihood of expiry-related incidents. It protects revenue in customer-facing environments, helps safeguard reputation, and allows experienced security teams to focus on strategic initiatives, resilience and governance instead of repetitive renewal activity.

A practical next step

The shift to shorter certificate lifecycles is already underway and the 47-day mandate will be here sooner than we think. The conversation is now moving beyond whether certificate automation is needed, that’s a given and one of the key drivers of the CA/Browser Forums decision to reduce, now we need to talk about to how to implement it in time, as the window is shortening.

The first step towards automation is getting clear visibility of your certificates. Working with CyberArk’s leading technology, we can provide a scan of your public TLS certificates, so you know where you stand. Once you know what you have you can start managing effectively, then you can start to work on automating the certificate management lifecycle.

Discover / Manage / Automate.

Using an ROI calculator built from our experiences working with enterprise security teams, we can help you work out the cost of automation vs manual renewal work and build a business case.

For many, the numbers speak for themselves.

The Blueprint for a Mature & High-Value IGA Programme | ProofID

ProofID — Tue, 03 Mar 2026 11:56:24 GMT

Many organisations find themselves in a similar position: they've invested significantly in a leading Identity Governance and Administration (IGA) platform, successfully reached “go-live,” yet still feel as though their programme is not delivering its promised value.

In many cases, nothing is noticeably broken — the workflows run, the connectors are active, and the audits are completed — but the expected reduction in risk and increase in operational efficiency remain ambiguous.

If this sounds all too familiar, it’s important to recognise that whilst this can be frustrating, improvement is achievable without needing to start again from scratch. Mature, well-run IGA programmes are intentionally designed, operated, and evolved to ensure that post go-live, you’re able to see the value in your investment.

Explore our blueprint for success as we dive into the repeatable, operational traits that distinguish high-performing programmes from those that leave you wondering “what’s broken?”

Outlining Clear Programme Ownership

Establishing clear ownership is the single most important differentiator between a stalled or successful IGA programme.

A common pitfall for many organisations is treating their IGA programme as a one-off technical implementation that ends at go-live, rather than a long-term business control system.

In order to move beyond this, it's essential to distinguish between owning the platform and owning the programme. While technical administration is necessary to manage day-to-day operations, a mature, well-functioning programme requires an Identity Programme Manager who will:

Set strategic priorities that align with the business goals.
Resolve trade-offs between security requirements and user experience.
Own success metrics that demonstrate real business value.
Maintain direction as the organisation’s needs evolve post go-live.

Without accountability and ownership, your programme is likely to drift off-course, and you’ll inevitably be left with:

Backlogs that grow without clear priorities.
Delayed or avoided decisions that hold up business progress.
Risky or political changes that don’t align with the business goals.

Ownership doesn’t mean one person is responsible for all the work — it simply means there is a clear point of contact that is accountable for business direction and evolutionary outcomes.

Engaging Key Stakeholders

Your IGA programme is not an “IT project” that can be managed in isolation.

Mature, well-run programmes move away from the one-time implementation model and instead engage key stakeholders across the business as invested partners, involved in its function.

In a healthy programme, different stakeholders play different roles:

HR departments: provide accurate lifestyle data that trigger different process stages.
Application owners: define and maintain access models for their specific system area.
Managers: make informed, high-quality approval decisions during certification cycles.
Security teams: provide the necessary policy and risk context to ensure compliance.

When these groups aren't engaged in the function of your IGA programme, your processes and outcomes suffer, resulting in:

Managers often rubber-stamping approvals, granting access without real scrutiny.
Application access becoming outdated, which complicates security and compliance.
Identity teams becoming bottlenecks, causing faith to be lost in the platform’s reliability.

Mature programmes avoid this by explaining why these decisions matter at the beginning of your programme implementation. This allows you to maintain engagement through governance forums and create feedback loops that make stakeholders feel supported, rather than imposed upon.

Enabling Trustworthy Data

Platforms consume data — they don’t fix it.

A recurring misunderstanding within many businesses is the belief that their IGA platform is going to fix their underlying data issues. However, in reality, platforms act like a mirror — they’re simply going to highlight the issues rather than clean them up.

Poor quality data is a foundational barrier to being able to automate and scale, and some of these real-world data problems look like:

Job titles that don't reflect actual responsibilities.
Cost centres that change without formal notice.
Duplicate identities and conflicting sources of truth.

These issues can break role models, increase expectations and ultimately undermine the automation your IGA programme is designed to provide you with.

With a mature programme, you can expect that data quality is going to be reviewed and treated as part of an ongoing process - it’s not a one-time job, but an ongoing, shared business responsibility.

Mature programmes actively align with your HR and identity teams so that you can actively govern upstream data sources, resulting in a clear reflection of your IGA platform with an accurate picture of what’s happening in your organisation.

Implementing Phased Delivery

Starting with a “bang” might sound promising — but it is often the cause of your programme’s deterioration.

It's difficult to sustain value when your initial deployment is treated as a big event. It often leaves your team overwhelmed, creates a fragile environment, and causes momentum to collapse under the weight of its complexity — because there are simply too many objectives to hit.

Well-run programmes recognise that identity maturity is a journey, and not a singular milestone destination. Mature programmes build organisational trust through incremental, phased delivery by:

Focusing on a small number of outcomes at a time to ensure quality.
Optimising delivery in clearly defined phases that align with business priorities.
Celebrating small wins to reduce the fear of change and contribute to building momentum.

By delivering visible and measurable wins through incremental phases, identity teams can prove the value of the programme - whilst learning from each phase. This creates space and time for continuous learning and improvement without overwhelm and fragility.

Designing for "Day Two"

Go-live is the starting line, not the finishing point.

A significant number of organisations plan for their initial programme deployment, but fail to invest in the “day two” reality of running, evolving, and governing the platform they implement long-term.

Mature programmes plan for operational longevity from the outset, which includes:

Ensuring knowledge transfer between implementational teams and the operational “run” team.
Securing ongoing funding and resources for continuous platform optimisation and evolution.
Establishing clear support and escalation to handle daily issues efficiently and quickly.
Aligning build and run teams so that new features are designed with operability in mind.

Successful programmes plan for evolution - not just deployment. Sustainable support models and clear operational ownership are what determine whether your IGA investment thrives or merely survives.

Measuring What Matters

One of the most significant challenges for IGA leaders is demonstrating the return-on-investment their IGA programme brings.

Commonly, success is reported through “activity metrics”, like the number of applications onboarded or the count of workflows built in a specific timeframe. Whilst these metrics show that the platform is active, they do not prove that it is returning business value.

Output is not the same as outcome, and mature programmes showcase the pillars the business should be measuring against, such as:

How much time is saved through the automation of manual processes.
The reduction in manual access requests and helpdesk tickets.
The improved decision quality during access certifications.
What is the measurable risk reduction through the elimination of high-risk exceptions or orphan accounts.

When value is measured correctly, it becomes visible — and when it is visible, it is far easier to protect and sustain executive support.

Benchmarking Your Own Programme

Identity maturity looks different in every organisation, and the journey is rarely a straight line. Improvement, regardless of what stage you’re at, starts with clarity — and clarity requires an honest self-assessment of where you currently stand today.

Your programme is likely stronger than you think, but less mature than you assume. Recognising the traits of a well-run programme is the first step towards reclaiming the value you place in your IGA investment.

Take the next step towards maturity with the ProofID IGA Value Assessment - a practical tool designed to help you:

Benchmark your programme against industry standards for maturity.
Identify your specific strengths as well as hidden gaps in your governance.
Understand where to focus your efforts to ensure your IGA programme delivers sustained business value.

Understand how your IGA programme compares against key success factors by completing our IGA Benchmark Assessment.

Understanding The Value of Your IGA Programme: 7 Signs That Matter | ProofID

ProofID — Thu, 26 Feb 2026 11:00:00 GMT

Identity Governance and Administration (IGA) programmes rarely fail overnight. More often, they lose momentum gradually after go-live as operational pressures build and attention shifts elsewhere.

Yet organisations that treat IGA as an ongoing discipline see measurable results: research from the EAJ shows long-term IGA management achieves 42% stronger compliance outcomes and completes audit preparation 30–52% faster. The challenge for identity leaders isn’t technology—it’s spotting early signals of drift, from certification fatigue and workarounds to inaccurate metrics.

What Determines IGA Value

IGA delivers value only when its core elements are managed consistently over time. Early focus is typically on stable provisioning; as programmes mature, attention shifts to governance, automation, and risk-aware decision-making.

Consistent governance and clear ownership create clarity in how access decisions are made and enforced. When responsibility is shared across IT, HR, application owners, and the business, programmes scale more effectively and continue delivering measurable benefits:

Benefit	Impact
Reduce operational costs	Minimises manual helpdesk tickets and administrative overhead.
Reduce risk	Closes security gaps through automated enforcement.
Improve compliance	Streamlines audit performance with accurate data.
Deliver fast access	Ensures productivity by granting rights immediately.
Automate lifecycle	Removes human error from joiner, mover, and leaver processes.

How Value Shows Up in Practice

The value of IGA isn’t defined by a project milestone, it’s evident in day-to-day operations. Small signals emerge long before technical issues appear, showing where a programme is working well and where attention is needed.

These operational cues aren’t a sign of negligence, they reflect growth and complexity. Recognising them early gives identity leaders the opportunity to strengthen governance, improve confidence, and accelerate value delivery.

1. Automated and Swift User Lifecycle Management

A clear signal that an IGA programme is delivering operational value is the ability to handle the "joiner, mover, leaver" (JML) process without manual intervention. In environments where data governance or ownership is weaker, data issues often undermine this automation. HR changes, such as job title updates or cost centre moves, can break role models overnight if the underlying data quality is poor.

When data problems are not sorted out, they create a constant downstream impact. Developed programmes treat data governance as an ongoing discipline, ensuring that identity data remains the single source of truth. This allows for:

Automating provisioning and de-provisioning throughout the access lifecycle.
Managing identity creation, modifications, and deprovisioning seamlessly.
Ensuring identity data remains accurate and up-to-date to reduce risks from outdated accounts.

2. Rapid Processing of Access Requests

Speed is a critical indicator of health. When an IGA platform is perceived as slow, fragile, or bureaucratic, users lose trust. A caution sign appears when teams start working around the platform, granting manual access because "governance is harder work" than the alternative.

This "shadow IT" behaviour signals that the tool is being blamed for friction caused by unclear decision-making processes. In a well-managed environment, access requests are processed rapidly through clear approval workflows, and manual exceptions typically stay below 10% of total requests. If your organisation sees new applications being onboarded outside the IGA platform or permissions granted via direct manipulation, it indicates a loss of trust that must be addressed to prevent governance from eroding.

3. High Levels of Access Task Automation

High-value programmes minimise the need for human touch in standard processes. However, a common sign of regression is when exceptions start to replace standard processes. If your team spends more time maintaining manual workarounds, one-off scripts, or temporary exceptions that never expire, the programme is spending its energy sustaining itself rather than evolving.

These exceptions are often used as short-term relief for underlying process issues. To strengthen value and operational effectiveness, organisations must move away from firefighting and towards standardised automation.

4. Shift to Just-in-Time Privileged Access

As organisations grow, they move away from "standing access"—where users hold high-level privileges 24/7—toward Just-in-Time (JIT) access. Standing privileges are a significant risk vector; if an account is compromised, the attacker inherits those permanent rights.

JIT access grants privileges only for the specific time window required to complete a task, automatically revoking them afterwards. This reduces the attack surface significantly. Implementing JIT signals that an organisation has moved beyond basic access management and is proactively minimising the "blast radius" of potential identity incidents. It requires a confident grasp of roles and policies, signalling stronger governance control and measurable risk reduction.

5. Efficient Access Review Preparation

Access reviews (certifications) are often the most challenging part of IGA. In a struggling programme, preparation is a manual struggle involving spreadsheets and email chasing. A strong programme streamlines this specifically to meet auditor demands without burning out business users.

Efficiency here means having a single authoritative view of access for identifying policy violations before the review even begins. If your teams are delaying changes or avoiding improvements because the platform feels fragile, review cycles become even harder. High-value environments utilise:

Automated access reviews and certifications.
Built-in reporting for clear audit trails.
Streamlined certification processes that respect the reviewer's time.
Single authoritative views to quickly spot outliers.

6. Timely and Automated Access Certifications

One of the earliest signals that an IGA programme needs attention is a decline in certification quality. This manifests as "rubber stamping," where managers approve access they don't recognise simply to clear their queue. When campaigns are frequently extended or completed in a rush, certification loses its meaning as a security control.

An efficient process ensures that certification is not just a compliance tick-box but a meaningful review of risk. High-performing programmes achieve over 95% on-time certification completion, preventing fatigue and disengagement from weakening governance.

7. Continuous Reduction in Identity Risks

The ultimate goal of IGA is risk reduction. A common pitfall is when metrics track activity instead of outcomes—counting the number of workflows built rather than the reduction in orphaned accounts. If leadership cannot see a continuous reduction in risk, they will struggle to see the value of the IGA investment.

Developed programmes use advanced analytics to shift from reactive reporting to proactive detection. This involves:

Detecting inappropriate access and policy violations in real-time.
Revoking excessive or orphaned access automatically.
Implementing machine learning for anomaly detection.
Strengthening security through least-privilege enforcement and Segregation of Duties (SoD) controls.

Conclusion

By recognising these seven signals — from the speed of lifecycle management to the meaningfulness of access reviews — you can identify where your programme needs renewed focus. IGA delivers its full value when it is actively managed, not just well implemented.

With attention to data quality, automation, and risk-based metrics, you can reverse programme drift, strengthen your security posture, and ensure your IGA strategy continues to provide lasting business value.

Understand how effectively your IGA programme is performing. Complete our IGA Benchmark Assessment today.

Solving Large Scale Application Onboarding | ProofID

ProofID — Mon, 16 Feb 2026 12:35:33 GMT

A key theme that keeps coming up in conversation with identity leaders: application onboarding at scale is slowing down IAM roadmaps.

Whether teams are onboarding their first 20 applications into SailPoint Identity Security Cloud (ISC) or migrating hundreds from an ageing IdentityIQ (IIQ) environment, the pain points were consistent — too many custom requirements, not enough skilled resources, and inconsistent onboarding processes across business units.

At ProofID, we’ve seen this challenge play out across industries. But one customer story in particular, Nelnet, highlights what’s possible when you bring structure, repeatability, and real-world experience to SailPoint onboarding.

Nelnet: Onboarding Applications 2× Faster with a Factory Model

Nelnet is a diversified financial services and technology company operating across loan servicing, fintech, education software, renewable energy, and communications. With such a broad portfolio, they needed an identity platform that could scale, with consistent governance across thousands of identities and hundreds of applications, and the flexibility to support both cloud and legacy systems.

ProofID partnered with Nelnet through two major SailPoint programs:

Initial implementation of SailPoint IdentityIQ (IIQ)
Migration from IIQ to SailPoint Identity Security Cloud (ISC)

Across both phases, we successfully onboarded and migrated 50–75 applications, each with different integration patterns, owners, and governance requirements. The result: application onboarding completed in half the time expected, with consistent quality — and a repeatable model Nelnet now uses internally.

The Pain Point: Complex Apps, Limited Resources, Slow Progress

Many organisations experience the same challenges Nelnet faced:

Custom and legacy applications with no ready-made connectors
Inconsistent onboarding processes across teams
Data quality issues that cause delays and rework
Stakeholder bottlenecks during testing and validation
Pressure to show value quickly as budgets tighten and program visibility increases

Identity leaders frequently echo these frustrations. SailPoint provides a powerful platform, but without a disciplined onboarding approach, progress slows — and executive support wanes. Nelnet needed to move fast. So, we introduced a new approach.

The Factory Model: ProofID’s Blueprint for Scalable Onboarding

Instead of treating each application as a bespoke, standalone project, we use a factory model to create a production-line approach to SailPoint onboarding. It’s structured, repeatable, and engineered for scale.

How the Factory Model Works

1. Standardised Onboarding Templates

Each application type—OOB connectors, SaaS apps, JDBC, REST, custom on-prem—uses a prebuilt template optimised through dozens of deployments.

2. Application Categorisation

We classify applications based on complexity, integration pattern, provisioning needs, and governance risk—allowing predictable timeframes from day one.

3. Parallel Workstreams

Multiple onboarding “pods” work in parallel, increasing throughput without sacrificing quality.

4. Clear Roles & Responsibilities

Business owners, technical SMEs, and QA teams follow a consistent RACI model to eliminate confusion and delays.

5. Automation & Tooling

Where possible, we automate entitlement ingestion, account aggregation, configuration steps, and workflow deployment using SailPoint APIs and scripts.

6. Tracking & Measurement

Dashboards track cycle times, exceptions, and readiness—making bottlenecks visible instantly.

This model is how we doubled Nelnet’s speed—and why organisations across banking, fintech, and higher education are adopting the same approach.

What This Looks Like in Practice: Timeframes You Can Count On

Using Nelnet as an example, typical onboarding timelines through the factory model included:

Out-of-the-Box (OOB) Connectors
Active Directory, Azure AD, Workday, ServiceNow, Salesforce
10–14 business days

SaaS Apps via SCIM/REST/SaaS Connectors
Zoom, GitHub, AWS, Google Workspace
14–21 business days

Legacy or Custom On-Prem Applications
Internal HR systems, databases, mainframes
20+ business days, depending on customisation and provisioning complexity

These aren’t best-case estimates—they’re real timelines delivered for Nelnet and consistently achieved across other ProofID programs.

Accelerating Onboarding in SailPoint ISC

Migrating to or scaling within SailPoint Identity Security Cloud presents new opportunities to speed up onboarding. At Nelnet, we leveraged:

Prebuilt configuration templates for faster setup
APIs to bulk-load applications, connections, and entitlements
Governance Groups to simplify policy and certification scale-out
Lifecycle Events & rules to automate provisioning flows and reduce manual admin

The result is a cloud-native onboarding engine that scales as your program matures—without reinventing the wheel each time.

Why This Matters for Identity Leaders Today

Identity teams are under pressure:

Talent shortages persist
Regulatory demands are increasing
Attack surfaces continue to grow
Boards want measurable progress, fast

Large-scale application onboarding is where programs win or lose momentum.

The organisations that succeed are the ones who adopt industrialised identity—repeatable, predictable onboarding at scale, powered by a partner that understands both SailPoint and enterprise complexity.

How Modern IGA Programmes Should Deliver Value

Ideally, a modern IGA programme functions as a living business control system. It should not be a static compliance exercise but a dynamic capability that reduces risk and streamlines operations.

The primary value drivers include:

Automated Lifecycle Management: eliminating manual provisioning for joiners and leavers.
Risk Reduction: ensuring "least privilege" access to sensitive data.
Audit Confidence: providing immediate proof of compliance during reviews.
Operational Efficiency: freeing up IT service desks from routine password resets and access requests.

When working correctly, the platform acts as a bridge, translating business decisions into technical enforcement.

Ready to Accelerate Your Application Onboarding?

If large-scale onboarding is a blocker, we can help.

ProofID has deep SailPoint expertise across both IdentityIQ and Identity Security Cloud, with a proven track record delivering complex onboarding for global enterprises.

Let’s cut timelines, reduce rework, and give your identity program the momentum it needs.

What Restricts the Value of IGA Programmes? | ProofID

ProofID — Thu, 12 Feb 2026 12:34:27 GMT

Struggling to make your Identity Governance and Administration (IGA) programme deliver real value despite significant investments? Countless organisations watch their IGA initiatives falter, leading to increased risk exposure and under-realised returns. This article uncovers the primary drivers of these failures and reveals best practices for success.

When an organisation makes a major investment in an IGA platform, expectations are naturally high. Leaders anticipate ramped-up automation, tighter controls, and improved audit confidence. Yet, despite utilising market-leading technologies, many of these initiatives stall.

The initial enthusiasm often fades six to 12 months after the programme goes live. Delivery teams become frustrated, business stakeholders feel burdened by certification cycles, and the perceived value plummets compared to the capital invested.

Here is the reality: identity programmes rarely underperform because of technology. They struggle because of how they are owned, operated, and supported over time. It is not usually a case of buying the wrong product; it is often a case of "mistaken identity," where the tool becomes a scapegoat for broader organisational gaps.

How Modern IGA Programmes Should Deliver Value

Ideally, a modern IGA programme functions as a living business control system. It should not be a static compliance exercise but a dynamic capability that reduces risk and streamlines operations.

The primary value drivers include:

Automated Lifecycle Management: eliminating manual provisioning for joiners and leavers.
Risk Reduction: ensuring "least privilege" access to sensitive data.
Audit Confidence: providing immediate proof of compliance during reviews.
Operational Efficiency: freeing up IT service desks from routine password resets and access requests.

When working correctly, the platform acts as a bridge, translating business decisions into technical enforcement.

The Scale of the Problem: Why IGA Value Stalls Post-Launch

Despite the clear benefits, many IGA deployments struggle to reach maturity or sustained adoption. Industry observations suggest that even organisations with top-tier tools suffer from disengagement and stalled momentum.

The pattern is predictable: companies plan obsessively for "go-live," celebrate the launch, and then move on. They treat identity as a finite IT project rather than an ongoing operational discipline. Without a long-term strategy, the platform accumulates technical debt, processes become brittle, and the business loses trust in the system.

Identity programmes almost always lose operational effectiveness before any technical failure occurs.

Primary Drivers of Underperforming IGA Programmes

The reasons programmes fail to deliver full value are rarely rooted in software bugs or feature gaps. Instead, they stem from organisational misalignment, poor data, and a lack of clear ownership.

Lack of Executive Buy-In and Stakeholder Alignment

Treating identity as solely an IT project is a fundamental error. When IGA is framed as a "set and forget" compliance task, it fails to gain traction as a business capability.

Successful identity governance requires input from HR, application owners, and security teams. Without executive backing to enforce this collaboration, the identity team is left administering workflows they do not own, leading to friction and slow decision-making.

Prioritising Provisioning Over Core Governance Functions

Many organisations focus heavily on the number of applications onboarded or workflows built. While automating provisioning is useful, it does not equal governance.

If the focus is purely on connecting apps rather than governing access, the programme becomes a utility rather than a control system. This approach often leads to "rubber-stamping" access rights without understanding the risk, undermining the security benefits the platform was purchased to deliver.

Integration Complexities and Technical Hurdles

IGA platforms do not exist in a vacuum; they must integrate with HR systems, legacy applications, and cloud infrastructure.

When the platform is neglected post-launch, teams perceive it as slow, overly complex, and risky to change. This leads to accumulated complexity. Without ongoing investment to match the pace of business change, the IGA solution falls behind, prompting teams to create manual workarounds that bypass governance entirely.

Poor Data Quality and Management

Data quality is often the "silent killer" of IGA programmes. Platforms consume data; they do not clean it. If HR data is inconsistent—such as rapidly changing job titles or cost centres—automation becomes impossible.

Common data issues include:

Duplicate or orphaned identities.
Conflicting sources of truth.
Organisational structures that do not map to roles.

When the tool is fed poor data, it produces brittle role models and excessive exceptions, forcing identity teams into constant firefighting.

Skills Gaps and Resource Shortages

There is often a massive gap between the resources allocated for implementation and those reserved for long-term sustainability. Organisations frequently fail to answer who owns identity after the consultants leave.

Without a dedicated team to manage the platform's evolution, technical debt mounts. Internal teams may lack the specialist expertise to maintain complex IGA environments, leading to a degradation of service and a loss of stakeholder confidence.

Reviewer Fatigue and Resistance to Change

When ownership is unclear, certification campaigns become a "tick-box" exercise. Business approvers, lacking context or confidence, simply rubber-stamp access requests to get them off their desk.

This "certification fatigue" destroys the rigour of the process. Access becomes inconsistent, and the platform is viewed as a bureaucratic hurdle rather than a security asset. This resistance is often a symptom of poor change management and a lack of user-centric design.

Best Practices for Launching Successful IGA Programmes

To unlock consistent business value, organisations must shift their mindset from "deploying a tool" to "building a capability."

Align with Business Objectives from the Start

Identity must be reframed as a business control system. This means establishing clear ownership models where:

HR owns the “people” data.
Application teams own the access models.
Managers are accountable for approval decisions.

The identity team should own the tool, but they cannot own the decisions. Aligning these responsibilities ensures that the platform enforces decisions the business is actually capable of making.

Phase Implementation Strategically

Avoid the "big bang" approach. Successful programmes rely on tightly scoped phases that deliver incremental value.

By securing small but meaningful wins, you build stakeholder confidence. A gradual journey allows the organisation to mature its processes alongside the technology, preventing the team from being overwhelmed by complexity on day one.

Leverage Automation and Modern Platforms

Automation should be the reward for good data governance. Focus on cleaning and rationalising identity attributes first.

Once the data is trustworthy, use the platform to automate low-risk decisions. This reduces the burden on human reviewers and ensures that manual intervention is reserved for high-risk exceptions, keeping engagement levels high.

Invest in Training and Change Management

"Go-live" is not the finish line. Organisations must invest in ongoing training for business users and technical support for the identity team.

Users need to understand why they are approving access, not just how to click the button. Continuous education helps maintain the rigour of governance processes and ensures the platform evolves in step with the business.

Common Mistakes That Derail IGA Initiatives

The most pervasive mistake is the "set and forget" mentality. Leaders often assume that once the software is installed, the problem is solved.

Other common mistakes include:

Unclear Accountability: Having "too many cooks" leads to ownership gaps where no one is responsible for outcomes.
Blaming the Tool: When processes fail, the IGA platform is often the visible scapegoat, masking the underlying organisational dysfunction.
Ignoring the Operational Model: Failing to plan for how the system will be supported long-term guarantees technical debt.

Conclusion

The inability of IGA programmes to deliver sustained business value is rarely a technology problem; it is an ownership problem. To succeed, organisations must stop asking, "Do we have the right tool?" and start asking, "Do we own our identity decisions?"

Success requires reframing identity as a living control system, supported by clean data, clear accountability, and sustained investment. By addressing these operational realities, you can turn a struggling IGA project into a robust business enabler.

Gain clarity on how your IGA programme is performing and benchmark your organisation against key success factors with our personalised IGA Benchmark Assessment — it only takes around 3 minutes to complete.

ProofID | TLS Certificates are shrinking: What the 47-day rule means for your organisation

ProofID — Mon, 02 Feb 2026 09:00:00 GMT

Change is coming to the foundation of digital trust — and it’s happening faster than many realize.

By 2029, every public TLS certificate will be limited to a maximum lifespan of just 47 days. The transition starts as early as March 2026 with certificates dropping to 200 days, then 100, before reaching the 47-day limit. For most organizations, that means an 8–12x increase in certificate renewals every year.

For those still managing TLS certificates manually, this change could bring operational chaos.

From 398 Days to 47: The Compression of Digital Trust

The push for shorter certificate lifespans is not theoretical. It’s being driven by major browser vendors and formalised through the CA/B Forum — the governing body for certificate authorities worldwide.

The rationale is sound: shorter-lived certificates improve security by reducing the window of potential compromise. But the practical impact is immense.

A business managing 3,000 certificates today could soon need to handle over 25,000 renewals annually. Without automation, that’s tens of thousands of extra manual actions — each one a potential point of failure.

Why It Matters: Risk, Resilience and Reputation

TLS certificates are the unsung heroes of secure digital communication. When they expire, applications fail, websites go dark, and transactions grind to a halt.

Under the new model, manual renewal and tracking simply won’t scale.
According to the CyberArk 47-Day Certificate Readiness Report, most organizations still rely on spreadsheets or ticket-based processes.

In a world of short-lived certificates, those methods will buckle — leading to outages, compliance failures, and reputational damage.

Key findings from the research includes:

83% of organizations experience at least one certificate-related outage per year.
77% believe outages will be inevitable under the new short-lived model.
75% fear increased human error as renewal volumes multiply.

A Forcing Function for Automation

This isn’t just a compliance change — it’s a catalyst for MODERNIZATION.

ProofID, together with CyberArk Certificate Manager, helps organizations prepare for the 47-day era by automating certificate discovery, renewal, and policy enforcement.

With full lifecycle visibility and automated workflows, you can:

Identify unmanaged or risky certificates across all environments.
Renew certificates automatically before expiry.
Enforce consistent policies and governance.
Maintain uptime, compliance, and audit readiness with confidence.
Prepare for quantum computing — automation today enables faster adoption of quantum-safe cryptography tomorrow.

Automation transforms certificate management from a reactive burden into a proactive, scalable process — one that supports both security and business continuity.

Get Ahead of the Curve

The 47-day rule is coming, whether your organization is ready or not. Those who modernize early will enjoy reduced risk, stronger governance, and greater resilience as certificate volumes surge.

Find risky public TLS certificates before the 47-day renewal cycle catches up to you.

Book your complimentary certificate scan.

Book now