By NHI Mgmt Group Editorial Team | Published 2026-06-23 | Domain: Events | Source: Keyfactor

TL;DR: The Executive Order on securing the nation against advanced cryptographic attacks pushes organisations to turn post-quantum cryptography strategy into execution, with milestones aimed at 2030 for key exchange and 2031 for digital signatures, according to Keyfactor. The real issue is crypto-agility, because inventory, ownership, and reporting now determine whether migration can happen fast enough.


At a glance

What this is: This webinar examines the Executive Order on advanced cryptographic threats and its implications for post-quantum cryptography readiness, crypto-agility, and digital trust.

Why it matters: It matters because identity, certificate, and workload teams will need cryptographic inventories, ownership, and migration plans that work across NHI, autonomous, and human trust flows.

👉 Register for Keyfactor's webinar on the Executive Order and advanced cryptographic threats


Context

Post-quantum cryptography readiness is no longer a future planning exercise. The governance gap is that many organisations know they need stronger cryptography, but they do not yet know where every certificate, key, signature dependency, and trust anchor lives across identity, workloads, and machine-to-machine communication.

The Executive Order shifts cryptography from a technical preference into an operational programme with ownership, reporting, and sequencing requirements. For IAM, PAM, and machine identity teams, that means crypto-agility has become part of identity governance because digital trust depends on the ability to inventory, classify, and replace cryptographic assets without breaking services.


Key questions

Q: How should security teams prepare for post-quantum cryptography migration?

A: Start with a complete cryptographic inventory, then rank dependencies by business criticality and replacement complexity. Teams should identify where certificates, keys, signatures, and trust relationships exist, assign ownership, and build migration paths for the most sensitive services first. The goal is not a one-time project but a governed transition that preserves digital trust while systems change.

Q: Why does crypto-agility matter for identity and access programmes?

A: Crypto-agility matters because identity systems depend on certificates, signatures, and trust chains that must be replaced without service disruption. If those dependencies are hidden or manually managed, organisations cannot adapt when algorithms or deadlines change. Identity teams need the ability to move quickly because digital trust is only as strong as the slowest cryptographic dependency.

Q: What breaks when cryptographic assets are not inventoried?

A: Migration plans break first, followed by ownership and sequencing. Without inventory, teams do not know which workloads depend on long-lived certificates, embedded keys, or external trust anchors, so they cannot prioritise the right systems or estimate risk. The result is delayed remediation, hidden exposure, and a higher chance of service interruption during PQC transition.

Q: Who should own PQC readiness in an enterprise?

A: PQC readiness should be jointly owned by security architecture, identity teams, and the business services that rely on cryptography. The technical team can map dependencies, but the business owner must define criticality and acceptable migration timing. Shared ownership is essential because the risk spans identity, application trust, and service continuity.


Background and context

Crypto-agility is the operating model for PQC migration

Crypto-agility means an organisation can identify, swap, and govern cryptographic algorithms, certificates, key lengths, and trust dependencies without redesigning every dependent system. In practice, this is not just a crypto engineering issue. It touches certificate lifecycle management, workload identity, federation, code signing, device trust, and service-to-service authentication. If the organisation cannot map where cryptography is embedded, then migration plans stay theoretical because the blast radius is unknown. The EO turns that mapping problem into an execution requirement.

Practical implication: build an inventory that ties each cryptographic dependency to an owner, a system, and a replacement path.

PQC readiness depends on cryptographic asset inventory

Cryptographic inventory is the structured record of what algorithms, keys, certificates, protocols, and trust relationships are in use and where they matter. Without it, teams cannot prioritise high-risk dependencies such as code signing, TLS termination, device authentication, or machine identity issuance. Inventory also reveals where long-lived certificates, embedded keys, and untracked service identities will complicate migration. The core failure is not lack of awareness. It is lack of visibility into the actual cryptographic estate that supports digital trust at scale.

Practical implication: classify cryptographic assets by business criticality and migration difficulty before setting PQC timelines.

Digital trust now includes certificate and signature governance

Digital trust is the confidence that identities, signatures, and encrypted channels can be verified continuously across systems and supply chains. PQC affects both key exchange and digital signatures, so organisations must think beyond transport encryption. Code signing, document signatures, device attestation, and workload authentication may all need replacement paths. If signature governance is weak, a migration can protect one channel while leaving another exposed. The EO is forcing security teams to treat cryptography as a governed lifecycle, not a one-time engineering project.

Practical implication: extend governance to signatures and trust chains, not just TLS or VPN encryption.


NHI Mgmt Group analysis

Crypto-agility has become an identity governance problem, not just a cryptography problem. The EO is pushing organisations to discover where trust depends on keys, certificates, and signatures before those dependencies become migration blockers. That means the governance unit of work is the cryptographic asset, its owner, and its lifecycle, not the algorithm in isolation. The implication is that IAM and machine identity teams now share accountability for cryptographic readiness.

Cryptographic inventory is the new prerequisite for digital trust continuity. Organisations cannot plan PQC migration if they cannot enumerate where machine identities, application trust paths, and code-signing dependencies live. The issue is not whether quantum risk is real, but whether the trust fabric can be mapped well enough to change it safely. Practitioners should treat inventory quality as a resilience signal, not a documentation exercise.

Advanced cryptographic threats expose a lifecycle assumption that was built for stable algorithms and long planning windows. That assumption fails when governments and standards bodies accelerate deadlines while service dependencies remain distributed and opaque. The implication is that programmes built around periodic certificate management must now operate as continuous cryptographic governance.

Digital trust modernisation will concentrate pressure on machine identity teams first. Service-to-service authentication, code signing, and device trust are the most likely friction points because they sit at the intersection of scale and change tolerance. The organisations that already govern machine identity well will absorb PQC transition faster than those still treating cryptography as an implementation detail. Practitioners should align migration planning to workload reality, not policy aspiration.

World-class PQC readiness will be measured by replacement speed, not awareness level. Awareness campaigns do not reduce exposure when the issue is unowned certificates, undocumented trust chains, and untracked embedded cryptography. The organisations that can assign ownership and sequence migration by criticality will keep digital trust intact through the transition. Practitioners need operational evidence of readiness, not more policy statements.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly weak identity governance compounds across environments.
  • For a broader view of NHI exposure patterns, see The 52 NHI breaches Report for recurring failure modes and governance lessons.

What this signals

Cryptographic modernisation will land in the same governance queue as machine identity and workload access. Teams that already manage service accounts, certificates, and trust relationships as lifecycle objects will adapt faster than teams that still treat them as infrastructure leftovers. The practical challenge is not deciding whether PQC matters, but building a change programme that can reach every dependency without losing service continuity.

PQC readiness will expose where identity governance is still fragmented. If different teams own certificates, signatures, federation, and workload trust independently, migration will stall at the handoff points. Security leaders should expect the strongest programmes to be the ones that can show one view of trust dependencies and one accountable owner per cryptographic domain.


For practitioners

  • Inventory cryptographic dependencies across the estate: Map certificates, keys, signatures, and trust relationships across workloads, applications, devices, and identity systems. Tie each item to an owner, a renewal path, and a business service so migration work can be sequenced by criticality.
  • Prioritise the highest-friction trust paths first: Focus early on code signing, device authentication, service-to-service identity, and customer-facing TLS paths because these dependencies are hardest to replace under live traffic. Use the NIST Cybersecurity Framework 2.0 to structure governance and recovery planning.
  • Establish cryptographic ownership and reporting: Assign a business owner and a technical owner for each cryptographic domain, then create reporting that shows which systems rely on long-lived algorithms, embedded keys, or manually managed certificates. Use that reporting to drive board-level risk discussions.
  • Build migration paths for signatures as well as encryption: Do not limit planning to transport encryption. Include document signatures, software signing, workload attestation, and federation dependencies so the transition does not leave trust gaps behind.
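The inventory-and-classification approach described under "PQC readiness depends on cryptographic asset inventory" and in the practitioner checklist above, as an added example that is not from the page or from Keyfactor: a small Python risk ranking over a constructed inventory that separates key-exchange from signature dependencies and flags unowned, long-lived, and manually managed assets. The algorithm set, weights, field names and sample systems are illustrative assumptions; the 2030 and 2031 milestones are the ones the page cites.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Milestones cited in the page: key exchange by 2030, digital signatures by 2031.
MILESTONE = {"key_exchange": date(2030, 1, 1), "signature": date(2031, 1, 1)}
# Public-key algorithms a cryptographically relevant quantum computer would break
# (assumed set for this demo; extend to match your own estate).
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "ED25519"}

@dataclass
class CryptoAsset:
    system: str              # service or device the dependency belongs to
    algorithm: str           # e.g. "RSA", "ECDH", "ML-KEM", "ML-DSA"
    purpose: str             # "key_exchange" or "signature"
    expires: Optional[date]  # None for embedded keys with no expiry at all
    owner: Optional[str]     # accountable owner, None if nobody is assigned
    criticality: int         # 1 (low) to 5 (business critical)
    automated: bool          # lifecycle automated, or manual/embedded

def assess(asset: CryptoAsset) -> Tuple[int, List[str]]:
    """Return (risk score, findings); 0 means the asset is already PQC-ready."""
    if asset.algorithm.upper() not in QUANTUM_VULNERABLE:
        return 0, []
    milestone = MILESTONE[asset.purpose]
    risk, findings = asset.criticality, []
    if asset.owner is None:            # unowned certificates stall migration at handoffs
        risk += 2
        findings.append("no owner")
    if asset.expires is None or asset.expires >= milestone:  # long-lived or embedded
        risk += 2
        findings.append(f"outlives {milestone.year} milestone")
    if not asset.automated:            # manual lifecycle is the slowest thing to swap
        risk += 1
        findings.append("manual or embedded lifecycle")
    return risk, findings

def migration_queue(inventory: List[CryptoAsset]) -> List[Tuple[int, List[str], CryptoAsset]]:
    """Quantum-vulnerable assets ordered highest risk first; PQC-ready assets are dropped."""
    scored = [(*assess(a), a) for a in inventory]
    return sorted((s for s in scored if s[0] > 0), key=lambda s: -s[0])

# Constructed sample inventory for the demo; not real systems or certificates.
SAMPLE_INVENTORY = [
    CryptoAsset("payments-api TLS", "ECDH", "key_exchange", date(2027, 3, 1), "platform-team", 5, True),
    CryptoAsset("firmware code signing", "RSA", "signature", date(2040, 1, 1), None, 5, False),
    CryptoAsset("internal wiki TLS", "RSA", "key_exchange", date(2026, 9, 1), "it-ops", 1, True),
    CryptoAsset("service mesh workload certs", "ML-KEM", "key_exchange", date(2026, 8, 1), "platform-team", 4, True),
    CryptoAsset("device attestation root", "ECDSA", "signature", None, "iot-team", 4, False),
]

if __name__ == "__main__":
    for risk, findings, asset in migration_queue(SAMPLE_INVENTORY):
        print(f"{risk:>2}  {asset.system:<28} {', '.join(findings) or 'on track'}")
```

The output puts the unowned, long-lived firmware signing key at the top of the queue and drops the ML-KEM-backed mesh certificates entirely, which is the sequencing-by-criticality the checklist asks for.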

Key takeaways

  • The Executive Order turns post-quantum cryptography into a governance and execution problem, not a theoretical risk discussion.
  • Cryptographic inventory, ownership, and reporting are now the gating controls for preserving digital trust during migration.
  • Teams that treat signatures, certificates, and workload trust as lifecycle assets will be better positioned to meet PQC timelines.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework, control reference, and relevance:

  • NIST CSF 2.0, PR.DS-2: Cryptographic protection of data in transit is central to PQC migration planning.
  • NIST Zero Trust (SP 800-207), SC-28: PQC migration affects the cryptographic controls underpinning zero trust communications.
  • NIST CSF 2.0, GV.OC-1: Ownership and reporting requirements align with governance of critical cryptographic services.

Review encrypted trust paths and plan replacement of vulnerable algorithms across service boundaries.


Key terms

  • Crypto-agility: Crypto-agility is the ability to change cryptographic algorithms, certificates, keys, and trust dependencies without redesigning the whole service. It matters because modern identity and infrastructure stacks embed cryptography in many layers, so the organisation needs a controlled way to replace weak or obsolete mechanisms while keeping services available.
  • Cryptographic inventory: Cryptographic inventory is the documented map of where keys, certificates, signatures, algorithms, and trust chains exist across the estate. It gives security and identity teams the visibility needed to prioritise migration, assign ownership, and avoid hidden dependencies that can break services during cryptographic change.
  • Digital trust: Digital trust is the confidence that systems, identities, and messages can be verified and relied on across networks, applications, and supply chains. In practice it depends on strong authentication, valid signatures, and resilient cryptographic controls that can survive algorithm changes and operational disruption.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.

This post draws on content published by Keyfactor: Webinar Expert Panel on the Executive Order on Advanced Cryptographic Threats. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org