Subscribe to the Non-Human & AI Identity Journal

Why is harvest now, decrypt later a current risk?

Because the attacker does not need quantum capability today to create value from stolen ciphertext. If encrypted data can be exfiltrated and stored now, it may become readable later when quantum techniques mature. That means the risk window already exists for long-lived sensitive information, especially where retention periods are measured in years.

Why This Matters for Security Teams

Harvest now, decrypt later is not a future-only problem. It is a collection problem: adversaries can exfiltrate encrypted records today, preserve them cheaply, and wait until cryptanalytic methods or quantum-capable tooling improve. That changes the economics of long-lived data protection, especially for regulated records, archived backups, and identity material that remains valuable for years. NHI Management Group has also found that 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, which shows how often sensitive material already leaves the environment before defenders notice.

Security teams often underestimate the risk because encryption creates a false sense of finality. Strong encryption still matters, but it does not eliminate exposure if the ciphertext has a long retention horizon. This is why current guidance from the NIST Cybersecurity Framework 2.0 and NHIMG research on Ultimate Guide to NHIs — Why NHI Security Matters Now both push teams toward reducing exposure duration, not only strengthening algorithms. In practice, many security teams encounter the impact only after historic data is copied out of backups or object storage, rather than through intentional risk review.

How It Works in Practice

The core issue is not whether today’s encryption works against today’s tools. It is whether the protected data will still need confidentiality years from now. If the answer is yes, attackers can store ciphertext and defer the decryption problem. That is why harvest now, decrypt later is especially relevant for archives, legal records, health data, intellectual property, and long-lived NHI material such as service account secrets, API tokens, or certificate chains that should never survive long term.

Defenders reduce this risk by shortening the useful life of anything an attacker could cache. That means classifying data by retention horizon, rotating credentials aggressively, preferring short-lived tokens over static secrets, and re-encrypting sensitive stores as cryptographic guidance evolves. It also means treating compromise of an NHI as an exposure multiplier, because compromised identities often unlock bulk access to ciphertext repositories. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks highlights why secrets sprawl and excessive privilege make this worse, while the Top 10 NHI Issues page reinforces that long-lived credentials and weak lifecycle control are common failure points.

  • Prioritise data with multi-year confidentiality requirements first.
  • Inventory where encrypted data and secrets are stored, including backups and CI/CD systems.
  • Replace static NHI credentials with short-lived, automatically revoked credentials where possible.
  • Plan cryptographic agility so algorithms, key lengths, and renewal policies can change without a full redesign.

These controls tend to break down in legacy backup environments because ciphertext is replicated for resilience, but rotation and re-encryption are often operationally impractical.

Common Variations and Edge Cases

Tighter crypto hygiene often increases operational overhead, requiring organisations to balance near-term administration against long-term exposure reduction. There is no universal standard for quantum-readiness timelines yet, so best practice is evolving rather than settled. The practical question is not only whether data is encrypted, but whether it will remain sensitive long enough to outlast the current cryptographic assumptions.

Edge cases matter. Data with short business value may not justify major migration work, while highly durable records do. Some organisations also face a tradeoff between aggressive key rotation and system stability, especially where embedded devices, partner integrations, or air-gapped archives cannot support frequent rekeying. In those environments, current guidance suggests focusing on segmentation, minimising retention, and reducing who can export ciphertext in bulk. This is also where NHI governance becomes relevant: if an attacker steals a service account with broad read access, the encrypted data can be harvested at scale even if it cannot be opened today.

For practitioners building the next control set, the right approach is to pair data retention policy with crypto lifecycle policy, then test whether the most sensitive data can be reprotected before the risk horizon grows. As the Ultimate Guide to NHIs makes clear, poor secrets governance and delayed revocation already create avoidable exposure today, which is exactly the condition harvest now, decrypt later exploits tomorrow.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.DS Encrypted data still needs protection across its full lifecycle.
OWASP Non-Human Identity Top 10 NHI-03 Static secrets and weak rotation amplify harvest-now exposure.
NIST AI RMF Risk management should account for future decryption of stored data.

Classify long-lived data, protect it in transit and at rest, and plan for crypto agility.