diff --git a/.nancy-ignore b/.nancy-ignore index 2edd732e9..1d072da82 100644 --- a/.nancy-ignore +++ b/.nancy-ignore @@ -1,16 +1,16 @@ # hashicorp/consul/sdk and /api are not intended for public use and won't receive future releases. # Waiting for upstream to move away from it. -CVE-2022-29153 until=2024-03-14 -CVE-2021-41803 until=2024-03-14 +CVE-2022-29153 until=2024-12-31 +CVE-2021-41803 until=2024-12-31 # Non-CVE findings, added with 1 year of exception time. # If these stay open for more than a year, we might have unmaintained dependencies. -sonatype-2021-1485 until=2024-03-14 -sonatype-2022-6522 until=2024-03-14 +sonatype-2021-1485 until=2024-12-31 +sonatype-2022-6522 until=2024-12-31 # github.com/nats-io/jwt -CVE-2020-26892 until=2024-03-14 -CVE-2021-3127 until=2024-03-14 +CVE-2020-26892 until=2024-12-31 +CVE-2021-3127 until=2024-12-31 CVE-2020-8561 #pkg:golang/github.com/gin-gonic/gin(indirect) @@ -18,4 +18,11 @@ CVE-2023-26125 CVE-2023-29401 # golang/google.golang.org/grpc@v1.52.0 -CVE-2023-32731 until=2023-08-30 +CVE-2023-32731 until=2024-12-31 + +CVE-2023-47090 +CVE-2023-47108 +CVE-2023-48795 +CVE-2023-39325 +CVE-2023-3978 +CVE-2024-24786 diff --git a/CHANGELOG.md b/CHANGELOG.md index c39da7741..c04bfbe8f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added + +- Add global.podSecurityStandards.enforced value for PSS migration. + +### Changed + +- Avoid exiting with a failure at startup time if the PKI cleanup fails. + ## [3.2.1] - 2023-08-03 ### Fixed diff --git a/helm/cert-operator/templates/psp.yaml b/helm/cert-operator/templates/psp.yaml index f50cfb39e..bbc1fbd9b 100644 --- a/helm/cert-operator/templates/psp.yaml +++ b/helm/cert-operator/templates/psp.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.global.podSecurityStandards.enforced }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: 
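Review bot: The six identifiers appended at the end of the second hunk, `CVE-2023-47090` through `CVE-2024-24786`, carry neither an `until=` date nor a comment naming the dependency they belong to, unlike every other entry in this file, so they silence the scanner permanently and leave no trail for whoever revisits the list. Give each one the file's own form, a `# <package>` line above and an `until=<date>` suffix, so the exception expires and the finding resurfaces. The first hunk moves every existing deadline from 2024-03-14 to 2024-12-31 without touching the comments that justify them, including the grpc entry whose deadline had already lapsed in 2023; a line recording why the extension is acceptable keeps the rationale next to the date. Several of the new identifiers appear to concern the Go toolchain and golang.org/x modules, where a dependency bump rather than an ignore would usually clear the finding.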
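Review bot: `{{- if not .Values.global.podSecurityStandards.enforced }}` gates the PodSecurityPolicy only on the chart value, but `policy/v1beta1` PodSecurityPolicy no longer exists on Kubernetes 1.25 and later, so with the default `enforced: false` the chart still renders an object those clusters reject. Combining the value with a capability check, `{{- if and (not .Values.global.podSecurityStandards.enforced) (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}`, stops the manifest from rendering where it cannot apply; the same applies to the matching guard added in rbac.yaml. If a consumer's values ever leave `global.podSecurityStandards` unset (an umbrella chart's globals, for instance), the chained lookup fails with a nil-pointer template error; `(.Values.global.podSecurityStandards | default dict).enforced` can tolerate that.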
@@ -32,3 +33,4 @@ spec: hostNetwork: false hostIPC: false hostPID: false +{{- end }} diff --git a/helm/cert-operator/templates/rbac.yaml b/helm/cert-operator/templates/rbac.yaml index 5ae3667bc..dfc423fec 100644 --- a/helm/cert-operator/templates/rbac.yaml +++ b/helm/cert-operator/templates/rbac.yaml @@ -88,6 +88,7 @@ roleRef: name: {{ include "resource.default.name" . }} apiGroup: rbac.authorization.k8s.io --- +{{- if not .Values.global.podSecurityStandards.enforced }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -118,3 +119,4 @@ roleRef: kind: ClusterRole name: {{ include "resource.psp.name" . }} apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/helm/cert-operator/values.schema.json b/helm/cert-operator/values.schema.json index e7351ee1b..1a6999b70 100644 --- a/helm/cert-operator/values.schema.json +++ b/helm/cert-operator/values.schema.json @@ -184,6 +184,19 @@ } } } + }, + "global": { + "type": "object", + "properties": { + "podSecurityStandards": { + "type": "object", + "properties": { + "enforced": { + "type": "boolean" + } + } + } + } } } } diff --git a/helm/cert-operator/values.yaml b/helm/cert-operator/values.yaml index 4dee91b5d..75ff03dc2 100644 --- a/helm/cert-operator/values.yaml +++ b/helm/cert-operator/values.yaml @@ -59,3 +59,7 @@ serviceMonitor: interval: "60s" # -- (duration) Prometheus scrape timeout. scrapeTimeout: "45s" + +global: + podSecurityStandards: + enforced: false diff --git a/pkg/project/project.go b/pkg/project/project.go index 530d3be50..576048f59 100644 --- a/pkg/project/project.go +++ b/pkg/project/project.go @@ -5,7 +5,7 @@ var ( gitSHA = "n/a" name string = "cert-operator" source string = "https://github.com/giantswarm/cert-operator" - version = "3.2.1" + //version = "3.2.1" ) func Description() string { @@ -25,7 +25,7 @@ func Source() string { } func Version() string { - return version + return "3.2.1" } // ManagementClusterAppVersion is always 0.0.0 for management cluster app CRs. These CRs 
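Review bot: The new `global.podSecurityStandards.enforced` key has no `# --` description, while the neighbouring keys (`interval`, `scrapeTimeout`) each carry one, so the helm-docs style comment that documents the rest of values.yaml is missing for this value. Add `# -- Set to true on clusters where Pod Security Standards are enforced; the PodSecurityPolicy and its RBAC are then not rendered.` above `enforced: false`, and consider a matching `"description"` on the `enforced` property in values.schema.json, which currently states only its type.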
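Review bot: The first hunk leaves `//version = "3.2.1"` as commented-out code inside the `var` block while the second hunk makes `Version()` return the literal `"3.2.1"` directly, so the version now lives in two places, one of them dead. If the aim is to keep an external tool from rewriting the variable, say so in a real comment such as `// version is intentionally hard-coded in Version(): <reason>` and delete the commented-out line; otherwise keep the variable and the original `return version`. As written, the stale line will lead the next reader to think the value is unused rather than duplicated.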
diff --git a/service/controller/cert.go b/service/controller/cert.go index 050ff583b..9ff2ef6fb 100644 --- a/service/controller/cert.go +++ b/service/controller/cert.go @@ -168,6 +168,8 @@ func cleanupPKIBackends(logger micrologger.Logger, k8sClient k8sclient.Interface logger.Log("level", "debug", "message", "cleaning up PKI backends") + var latestError *error + for k := range mounts { id := key.ClusterIDFromMountPath(k) @@ -188,14 +190,18 @@ func cleanupPKIBackends(logger micrologger.Logger, k8sClient k8sclient.Interface if errors.IsNotFound(err) { // fall through } else if err != nil { - return microerror.Mask(err) + latestError = &err + logger.Log("level", "error", "message", fmt.Sprintf("error deleting certconfigs for Tenant Cluster %#q", id)) + continue } } { err := vaultPKI.DeleteBackend(id) if err != nil { - return microerror.Mask(err) + latestError = &err + logger.Log("level", "error", "message", fmt.Sprintf("error deleting PKI backend for Tenant Cluster %#q", id)) + continue } } @@ -203,6 +209,10 @@ func cleanupPKIBackends(logger micrologger.Logger, k8sClient k8sclient.Interface } } + if latestError != nil { + return microerror.Mask(*latestError) + } + logger.Log("level", "debug", "message", "cleaned up PKI backends") return nil
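Review bot: `var latestError *error` in the first hunk, with `latestError = &err` in the two error branches of the second hunk, stores a pointer to a block-local error interface, which is un-idiomatic Go and forces `err` to escape; a plain `var latestError error` assigned with `latestError = err` (and returned as `microerror.Mask(latestError)` after the loop, outside these hunks) does the same job. The two new `logger.Log` calls name the cluster that failed but drop the error itself, so the reason for the failure is lost once the loop moves on; attach it to the record, for example `"stack", fmt.Sprintf("%#v", err)`. Only the last failure is returned, so earlier ones survive solely in the log; if that matters, aggregating them with the standard library's errors.Join would need an aliased import, since `errors` here resolves to the package that provides `errors.IsNotFound`. The function still returns a non-nil error after the loop, so whether startup now tolerates the failure depends on the caller, which is not in this diff.
```go
	var latestError error

	// … unchanged: loop header, mount-path parsing, certconfig deletion call …
			} else if err != nil {
				latestError = err
				logger.Log("level", "error", "message", fmt.Sprintf("error deleting certconfigs for Tenant Cluster %#q", id), "stack", fmt.Sprintf("%#v", err))
				continue
			}
	// … unchanged …
			err := vaultPKI.DeleteBackend(id)
			if err != nil {
				latestError = err
				logger.Log("level", "error", "message", fmt.Sprintf("error deleting PKI backend for Tenant Cluster %#q", id), "stack", fmt.Sprintf("%#v", err))
				continue
			}
	// … unchanged: rest of the loop body; the return after the loop becomes microerror.Mask(latestError) …
```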