TL;DR: The PKI Consortium’s PQC Conference 2025 shifted the conversation from algorithm selection to execution, with discovery, inventory, maturity, and automation now treated as the practical starting points, according to Keyfactor’s conference reflections. The real governance challenge is no longer whether post-quantum change is coming, but whether identity and cryptographic programmes can adapt continuously without creating new technical debt.
At a glance
What this is: This is Keyfactor’s analysis of how the PQC conversation has moved from theory to operational crypto-agility, with discovery, maturity, and automation emerging as the key priorities.
Why it matters: It matters because cryptographic change now affects certificate, key, and dependency governance across NHI, IAM, and platform security programmes, not just PKI specialists.
By the numbers:
👉 Read Keyfactor’s reflections on PQC conference takeaways and crypto-agility
Context
Crypto-agility is the ability to adapt cryptographic systems, certificates, and trust dependencies without having to redesign the whole security stack. That matters because identity programmes now sit on cryptographic assumptions that can shift as algorithms, standards, and compliance expectations change, especially across machine identities and workload trust chains.
The article’s core point is that PQC is moving from a specialist standards discussion into a governance problem for security leaders. Discovery, inventory, and automation are now the practical prerequisites for managing certificate lifecycles, service trust, and future migration work across NHI and broader identity environments.
That is why the post is best read as an operational maturity reflection rather than a product story. The field is moving toward continuous cryptographic readiness, and organisations that treat PQC as a one-time project will fall behind faster than their current planning assumes.
Key questions
Q: How should security teams start building crypto-agility for PQC transition?
A: Start with discovery and inventory. Teams need a complete map of certificates, keys, algorithms, trust anchors, and dependencies before they can prioritise migration work. Without that baseline, PQC becomes a guessing exercise. The right sequence is visibility first, then risk ranking, then automation and migration planning based on the systems that matter most.
Q: Why does crypto-agility matter for IAM and machine identity programmes?
A: Crypto-agility affects how systems prove identity and trust each other over time. IAM and machine identity programmes rely on certificates, keys, and automated trust relationships, so cryptographic change can affect authentication, service access, and renewal workflows at scale. If those dependencies are not visible and automatable, future migration work becomes a resilience problem as well as a security one.
Q: What do teams get wrong about PQC readiness?
A: The most common mistake is treating PQC as a one-time algorithm decision instead of a long-running governance programme. That view ignores the operational work of inventory, prioritisation, automation, and measurement. Teams that focus only on standards selection often discover too late that their certificate estate and trust dependencies are too distributed to change cleanly.
Q: How do organisations measure whether crypto-agility is actually improving?
A: Measure whether cryptographic assets are discoverable, whether renewal workflows are automated, and whether teams can change trust components without service disruption. Those are practical signs that the programme can absorb future algorithm shifts. If change still depends on manual coordination or incomplete asset visibility, crypto-agility is still theoretical rather than operational.
Technical breakdown
Why crypto-agility is a governance model, not just a PKI feature
Crypto-agility means being able to change algorithms, trust anchors, certificate policies, and related dependencies without breaking services. In practice, that requires knowing where cryptographic material lives, how it is consumed, and which systems depend on it. The problem is not only cryptographic transition. It is the dependency graph behind it, including applications, service accounts, automation pipelines, and third-party integrations. Once those dependencies are invisible, migration becomes guesswork and risk rises sharply.
Practical implication: build cryptographic inventory into identity and infrastructure governance, not just into certificate operations.
Discovery and inventory are the starting line for quantum readiness
Discovery is the process of identifying certificates, keys, algorithms, and trust dependencies before planning any migration. Without that baseline, teams cannot measure exposure, prioritise systems, or estimate effort. This is especially important where machine identities are involved, because certificates and secrets often sit in code, CI/CD tooling, or distributed workloads rather than a single managed vault. Discovery is therefore not a reporting exercise. It is the prerequisite for any credible readiness programme.
Practical implication: inventory cryptographic assets before choosing standards, timelines, or tooling, and record the algorithm and expiry of each one, because those two fields are what the later risk ranking is built on.
Automation is the only scalable path to certificate and key change
Automation shortens certificate lifecycle work, reduces manual error, and makes large-scale cryptographic change feasible. The article’s point is not that automation replaces strategy. It is that PQC migration will fail if it depends on hand-managed renewal, one-off exceptions, or disconnected workflows. Where automation already exists for certificate management, it can be reused as the operational backbone for transition planning. That same logic applies to identity programmes that manage service credentials at scale.
Practical implication: reuse existing automation pipelines for crypto change rather than designing a parallel manual process.
NHI Mgmt Group analysis
Crypto-agility is now an identity governance requirement, not an encryption upgrade project. The article correctly shows that the work has moved from algorithm debate to operational readiness. That shift matters because cryptographic dependencies now govern access between systems, services, and workloads. Practitioners should treat quantum readiness as part of identity and trust governance, not a separate security initiative.
Discovery-first planning is the only defensible way to manage post-quantum change. The practical breakthrough in the piece is the insistence that organisations start with inventory, prioritisation, and shared maturity language. That aligns with OWASP-NHI and NIST-CSF thinking because you cannot govern what you cannot see. The implication is straightforward: every migration plan should begin with cryptographic visibility, not with vendor selection.
Automation debt will become crypto-agility debt if teams delay pipeline modernisation. The article’s automation theme is more than efficiency. Manual renewal and ad hoc certificate handling create brittle trust chains that will not scale through PQC transition. Organisations that still depend on human-operated change windows will carry that weakness into the next cryptographic era. Practitioners should therefore assess whether their current automation is sufficient for repeated, large-scale trust change.
The named concept here is crypto-agility readiness lag: the gap between recognising post-quantum risk and having the inventory, automation, and maturity model to act on it. That gap is already visible in identity-heavy environments where cryptographic assets are dispersed across applications, secrets stores, and infrastructure. The implication is that delayed readiness will show up first as operational fragility, then as governance failure.
Compliance and resilience are converging around continuous trust management. The article reflects a broader market reality: cryptographic policy changes are now inseparable from resilience planning. For identity teams, that means lifecycle governance, certificate management, and migration planning belong in the same programme conversation. The practitioners who can connect those domains will have the strongest position when standards and regulatory expectations shift again.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- For a broader planning lens, Ultimate Guide to NHIs, 2025 Outlook and Predictions connects current NHI governance gaps to the next wave of identity risk.
What this signals
Crypto-agility readiness lag: many teams already understand the quantum transition risk, but fewer have the inventory and automation needed to act on it. That gap will show up first in distributed certificate estates, where manual handling cannot support rapid trust change. The practical test is whether identity and infrastructure teams can change cryptographic dependencies without a service outage.
The governance lesson extends beyond PKI. If machine identity and access programmes still treat certificates, keys, and renewal workflows as isolated operational tasks, they will struggle to absorb post-quantum transition work. Practitioners should align this planning with the concepts in the Ultimate Guide to NHIs and map where trust dependencies sit across workloads, pipelines, and service accounts.
For practitioners
- Inventory cryptographic dependencies across identity and infrastructure: map certificates, keys, algorithms, and trust anchors across applications, CI/CD systems, workloads, and third-party integrations so migration scope is measurable before any PQC decision is made.
- Assess where manual certificate handling still creates fragility: identify renewal, rotation, and exception workflows that still depend on human coordination, because those paths will not scale through repeated cryptographic change.
- Reuse existing automation for cryptographic change: extend current certificate lifecycle automation where possible instead of creating a separate migration process, so future trust changes can be repeated without adding operational drag.
- Prioritise the highest-impact systems first: rank systems by business criticality and exposure, then sequence crypto-agility work where a failure would have the largest operational or governance consequence.
- Build crypto-agility into procurement and architecture reviews: ask whether new platforms can adapt when standards, policies, or cryptographic requirements shift, because design choices made now can lock in long-term technical debt.
Key takeaways
- The article frames PQC as a long-running governance programme, not a one-off standards decision.
- Discovery, inventory, and automation are the practical foundations of quantum readiness because they make the trust estate visible and changeable.
- Identity teams should treat crypto-agility as part of machine trust governance, or future migration work will land as operational debt.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate and key rotation readiness is central to PQC migration planning. |
| NIST CSF 2.0 | ID.AM | Discovery and inventory align directly with asset identification and dependency mapping. |
| NIST Zero Trust (SP 800-207) | Tenets of zero trust (Section 2.1) | Cryptographic trust underpins per-session access decisions in zero trust environments, so the algorithms behind that trust must be changeable. |
Inventory NHI credentials and automate renewal paths before cryptographic transition work begins.
Key terms
- Crypto-agility: Crypto-agility is the ability to change cryptographic algorithms, certificates, and trust dependencies without redesigning core services. It depends on asset visibility, modular architecture, and automation so organisations can respond to standards changes and emerging risk without breaking identity or application workflows.
- Cryptographic inventory: A cryptographic inventory is a structured record of where keys, certificates, algorithms, and trust anchors are used. It is more than a list of assets. It is the operational map that lets security and identity teams assess exposure, sequence change, and avoid migration blind spots.
- Post-quantum cryptography: Post-quantum cryptography is a set of cryptographic approaches designed to remain secure against attacks from sufficiently capable quantum computers. In practice, it affects how organisations plan for certificates, trust relationships, and long-lived identity dependencies that may outlast current algorithm assumptions.
- Certificate lifecycle automation: Certificate lifecycle automation is the use of software to issue, renew, rotate, and retire certificates with minimal manual handling. For identity teams, it reduces operational error and creates the repeatable workflows needed to support large-scale cryptographic change.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
This post draws on content published by Keyfactor: From Kuala Lumpur to Crypto-Agility: Reflections from the PKI Consortium’s PQC Conference 2025. Read the original.
Published by the NHIMG editorial team on 2025-11-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org