By NHI Mgmt Group Editorial Team
Published 2026-04-14
Domain: Governance & Risk
Source: Keyfactor

TL;DR: Quantum computing is compressing the timeline for breaking today’s cryptography, with Google moving its internal post-quantum migration target to 2029 and NIST already finalizing the first post-quantum standards, according to Keyfactor and NIST. The shift turns cryptography inventory, crypto-agility, and trust lifecycle governance into core IAM and NHI priorities, not specialist infrastructure work.


At a glance

What this is: This is an analysis of why post-quantum cryptography is now an identity and trust governance issue, with the key finding that today’s digital trust fabric is becoming time-limited.

Why it matters: It matters because every IAM, NHI, and workload trust path depends on cryptography, so teams that cannot inventory, rotate, and swap algorithms will inherit systemic risk.



Context

Post-quantum cryptography is the class of cryptographic algorithms designed to resist attacks from sufficiently capable quantum computers. The governance problem is not whether quantum is useful, but whether the trust fabric underneath authentication, signing, and encrypted transport can survive a change in attacker capability. For identity teams, that means certificates, signed software updates, federated trust, and workload authentication all sit in the migration path.

The article’s core point is that cryptography was treated like static plumbing for decades, while the underlying risk curve kept moving. That assumption is now breaking. For IAM and NHI programmes, the practical question is no longer whether quantum risk exists, but how quickly trust dependencies can be inventoried and made crypto-agile before signatures, sessions, and machine-to-machine trust become brittle.


Key questions

Q: How should security teams prepare identity systems for post-quantum cryptography?

A: They should start with a complete inventory of where cryptography underpins authentication, federation, signing, and encrypted transport. Then they should rank systems by business lifetime and migration complexity, because the most dangerous dependencies are the ones that must remain trusted for years. Crypto-agility matters when replacement can happen without re-architecting the whole identity stack.

Q: Why does post-quantum risk matter for NHI and workload identity?

A: Because service accounts, certificates, and signed machine-to-machine assertions all depend on cryptographic trust. If those trust objects cannot be reissued or swapped quickly, the identity layer inherits a future-proofing problem. NHI governance has to account for algorithm lifespan, not just key custody, because trust can fail after the credential was originally issued.

Q: What breaks if organisations treat cryptography as static infrastructure?

A: They miss hidden dependencies in certificates, token signing, software delivery, and federation flows. That creates a gap where the system appears stable today but cannot adapt when the underlying algorithm is no longer trustworthy. The failure mode is not only outage risk. It is delayed trust failure across identity and supply-chain controls.

Q: Who owns post-quantum migration in an identity programme?

A: It should be shared across IAM, PKI, platform, application, and security governance teams, with clear accountability for trust inventory and algorithm transition. If ownership sits only with infrastructure teams, identity dependencies get missed. The right model is lifecycle governance for cryptography, because trust objects age just like credentials do.


Technical breakdown

Why RSA and current trust chains are becoming fragile

RSA relies on the infeasibility of factoring large integers on classical machines, and other public-key systems rest on comparably hard problems. Quantum algorithms change that assumption by cutting the cost of those attacks enough that key sizes once considered safe are no longer durable. The issue is not only encrypted traffic in transit. It also affects certificate chains, signed binaries, identity federation, and any control that assumes a signature remains trustworthy for its full intended lifetime. Once the verification model weakens, trust becomes conditional on algorithm choice as much as on key custody.

Practical implication: Map every identity and trust dependency that relies on RSA or comparable classical cryptography before migration pressure becomes operationally urgent.

Crypto-agility in IAM and NHI environments

Crypto-agility means an environment can swap algorithms, key sizes, and trust mechanisms without redesigning the whole stack. In practice, that requires inventorying where cryptography is embedded in identity flows, not just where it is visible to security tools. IAM and NHI programmes depend on certificates, tokens, TLS, code signing, and federated assertions, so migration failure often comes from hidden dependencies rather than the core identity platform. The technical challenge is governance plus change control, not a single cryptographic upgrade.

Practical implication: Build a cryptographic inventory that includes human auth, workload identity, and signed software delivery paths, then test replacement paths before deadlines force them.

Harvest now, decrypt later and trust now, forge later

The article highlights two attacker models. Harvest now, decrypt later means adversaries collect encrypted data today and wait for quantum capability to recover it in the future. Trust now, forge later means they capture signed or authenticated traffic and later replay or forge it once signature schemes fail. The second model is especially relevant to IAM because identity tokens, signed updates, and federated assertions are trust objects, not just data blobs. If those trust objects lose integrity, the blast radius reaches authentication, software supply chains, and machine-to-machine authorisation.

Practical implication: Prioritise long-lived secrets, signed artefacts, and any identity assertion with extended business value as the first migration candidates.
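The prioritisation rule described above, and repeated in the practitioner checklist further down, can be made mechanical: a trust object is at risk when the time its signature or protected data must stay trustworthy, plus the time needed to migrate it, runs past the point where its algorithm is assumed broken. The following is an added illustration, not code from the article or from Keyfactor; the 2029 horizon (the Google target cited above), the algorithm family names, and the sample inventory are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed: migration horizon (the 2029 target the article cites) and the page's publication date.
HORIZON = date(2029, 1, 1)
AS_OF = date(2026, 4, 14)
# Quantum-vulnerable public-key families versus the NIST post-quantum ones (naming assumed).
CLASSICAL = {"RSA", "ECDSA", "ECDH", "DH", "Ed25519", "X25519"}
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass
class TrustObject:
    name: str
    algorithm: str          # "RSA", "ECDSA", ... or "X25519+ML-KEM" for a hybrid
    purpose: str            # "sign" (certs, tokens, code signing) or "encrypt" (TLS, stored secrets)
    value_years: float      # how long the signature or the protected data must stay trustworthy
    migration_years: float  # estimated time to replace the algorithm in this path

def is_quantum_vulnerable(algorithm: str) -> bool:
    parts = set(algorithm.split("+"))
    if not parts <= CLASSICAL | POST_QUANTUM:
        raise ValueError(f"unknown algorithm {algorithm!r}: treat as an inventory gap")
    return not (parts & POST_QUANTUM)  # a hybrid with a PQ component survives the classical break

def attacker_model(obj: TrustObject) -> str:
    return "trust now, forge later" if obj.purpose == "sign" else "harvest now, decrypt later"

def exposure_years(obj: TrustObject, today: date) -> float:
    # Positive when the object (plus its migration time) must outlive the assumed break of its algorithm.
    years_to_horizon = (HORIZON - today).days / 365.25
    return obj.value_years + obj.migration_years - years_to_horizon

def triage(objects, today: date):
    """Return (name, attacker model, exposure years) for every at-risk object, worst first."""
    findings = []
    for obj in objects:
        if is_quantum_vulnerable(obj.algorithm):
            gap = exposure_years(obj, today)
            if gap > 0:
                findings.append((obj.name, attacker_model(obj), round(gap, 1)))
    return sorted(findings, key=lambda f: f[2], reverse=True)

# Constructed sample inventory; every value below is illustrative, not from the article.
SAMPLE = [
    TrustObject("firmware code-signing cert", "RSA", "sign", 10.0, 2.0),
    TrustObject("partner SAML signing cert", "RSA", "sign", 3.0, 1.5),
    TrustObject("archived TLS captures (7y retention)", "X25519", "encrypt", 7.0, 1.0),
    TrustObject("1-hour workload token", "ECDSA", "sign", 0.01, 0.5),
    TrustObject("hybrid TLS front door", "X25519+ML-KEM", "encrypt", 7.0, 0.0),
]

if __name__ == "__main__":
    for name, model, gap in triage(SAMPLE, AS_OF):
        print(f"{gap:>5.1f}y  {model:<26} {name}")
```

The short-lived token and the hybrid TLS endpoint drop out of the list, while the code-signing certificate ranks first because signed firmware must verify for a decade.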


  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Crypto-agility is now identity governance, not infrastructure hygiene. The article shows that cryptography is the trust substrate for authentication, signing, and machine-to-machine exchange. Once algorithms become time-limited, identity programmes inherit the obligation to know where trust is anchored and how quickly it can be reissued. Practitioners should treat cryptographic lifecycle management as part of IAM and NHI governance, not a separate engineering concern.

The long-standing assumption that digital trust is stable across the full life of a credential no longer holds. That assumption was designed for a world where the security margin on classical cryptography outlasted business lifecycles. It fails when an attacker can preserve encrypted data or signed artefacts until decryption or forgery becomes feasible. The implication is that retention, signature validity, and certificate lifetime now need to be evaluated against future compromise, not just current exposure.

Post-quantum migration exposes a concept worth naming: cryptographic trust debt. This is the backlog of identity, signing, and transport dependencies that rely on algorithms whose remaining safety window is shrinking faster than most programmes can inventory them. The debt accumulates wherever certificates, tokens, and signed binaries are left untouched because they appear to work today. Practitioners should treat that backlog as a governance liability, not a future curiosity.

AI agent authentication makes the quantum timeline more urgent, not less. The article explicitly notes that AI agents will authenticate to systems they need to act on, which means machine identity will inherit the same signature and transport assumptions as human and workload identity. If those trust paths are not crypto-agile, autonomous and non-autonomous systems both become dependent on algorithms that may expire before the business does. The practical conclusion is that identity roadmaps must converge on algorithm agility across all actor types.

Boards will not experience this as a cryptography issue first. They will experience it as a trust continuity issue. Software updates, federated logins, partner integrations, and workload attestation all depend on signatures that appear invisible until they fail. The discipline shift is to make cryptographic state observable, governable, and testable in the same way teams already manage privileged access and credential expiry. Practitioners should expect audit questions about where trust could become unverifiable, not just where keys are stored.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, which makes cryptographic and secret governance part of the same control plane.
  • That concern aligns with the Ultimate Guide to NHIs, 2025 Outlook and Predictions, where identity teams are urged to plan for faster-changing machine trust boundaries.

What this signals

Cryptographic trust debt: identity teams now have to treat every certificate, signing key, and federation path as a time-bounded asset. If the algorithm underneath it cannot be swapped quickly, the control is already aging out of relevance. That is why crypto-agility belongs in the same programme conversation as secret rotation and workload identity governance.

The operational signal is not whether quantum attacks are feasible this quarter. It is whether your identity estate can prove where classical cryptography sits, how long it must remain valid, and who owns replacement. Teams that cannot answer those questions will struggle to defend auditability when trust objects become short-lived.

For practitioners, the next step is to connect post-quantum planning to existing identity lifecycle work and to baseline it against the NIST SP 800-63 Digital Identity Guidelines where federation and authenticator assurance intersect with trust design.


For practitioners

  • Inventory cryptographic dependencies across identity paths: Catalog where RSA, certificates, signed artefacts, and encrypted sessions support human login, workload identity, and federation. Include systems that rarely change because those are often the hardest to migrate.
  • Prioritise long-lived trust objects for migration: Start with code signing, partner federation, certificates with long validity, and any identity assertion that must remain trustworthy for years. These are the highest-value targets for crypto-agility planning.
  • Build an algorithm-swap runbook before urgency arrives: Test how identity, PKI, and application teams will replace one cryptographic method with another without breaking authentication or signed delivery. Validate the process in controlled environments first.
  • Extend NHI governance to include cryptographic lifecycle: Tie secret rotation, certificate expiry, and trust-anchor review into the same governance cadence used for service accounts and workload identities. Treat cryptographic retirement as a lifecycle event, not an exception.

Key takeaways

  • Quantum risk is no longer a distant cryptography debate. It is a governance problem for every identity and trust path that depends on long-lived signatures, certificates, and encrypted sessions.
  • The practical risk is not just future decryption. It is that today’s trust objects may outlive the algorithms that validate them, creating delayed failure in IAM, NHI, and software delivery controls.
  • Crypto-agility is the control that changes the outcome, because programmes that can inventory, replace, and reissue trust mechanisms will absorb the shift more cleanly than those that treat cryptography as static plumbing.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.DS-1 | Cryptographic protection and data in transit are central to the article's trust-risk framing.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero Trust depends on verifiable trust signals that quantum risk can undermine.
OWASP Non-Human Identity Top 10 | NHI-03 | NHI secrets and certificates need lifecycle management as quantum timelines tighten.

Inventory where cryptography protects identity flows and make replacement paths part of resilience planning.


Key terms

  • Post-quantum cryptography: Post-quantum cryptography is a set of algorithms designed to remain secure even if quantum computers become capable of breaking widely used public-key methods. In identity programmes, it matters because authentication, signing, and federated trust all depend on algorithms that must survive long enough to remain trustworthy.
  • Crypto-agility: Crypto-agility is the ability to change cryptographic algorithms, key sizes, and trust mechanisms without redesigning the entire environment. For identity teams, it means certificates, tokens, signing flows, and federation paths can be replaced quickly when risk, regulation, or technical standards change.
  • Harvest now, decrypt later: Harvest now, decrypt later is an adversary strategy in which encrypted data is captured today and stored until future decryption capability becomes available. It matters for identity and NHI governance because sensitive sessions, secrets, and signed communications may retain value long after transmission.
  • Cryptographic trust debt: Cryptographic trust debt is the backlog of identity and security dependencies that still rely on algorithms or signatures with shrinking safety margins. The debt is operational, not theoretical. It grows when organisations defer inventory, replacement planning, and lifecycle governance for trust objects.

Deepen your knowledge

Post-quantum cryptography and crypto-agility are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are mapping identity trust dependencies across human, workload, and machine systems, it is worth exploring.

This post draws on content published by Keyfactor: World Quantum Day: What We’re Not Talking About Enough. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org