WebPKI Observatory — Operational Risk

CAs have disclosed 1,480 incidents across 54 CAs, with misissuance (586 incidents) and governance failures (457) representing the dominant categories. Only 23% of incidents are self-detected, while external researchers, automated tools, and root programs collectively discover the majority, indicating structural gaps in internal controls. Policy failures (169 incidents) and disclosure failures (120) reveal compliance opacity, while audits detect only 8% of incidents despite their role as the primary external validation mechanism, a gap examined in detail in the audit intelligence findings.
