Few companies have the luxury of a dedicated full time professional PKI staff. More typical are those companies that assign this duty as an adjunct to someone with a separate primary function, such as AD engineering. As such, I find that many PKI practitioners don’t have PKI proficiency as a primary skillset. It’s easy to understand how a “just make it work” mentality can eventually creep into a PKI operational processes. Too often, operational efficiency easily trumps perceived security risks.