TL;DR: Quantum-safe migration is already a live planning problem because data with long confidentiality lifetimes may be harvested now and decrypted later, and the article argues that inventorying cryptographic assets, mapping protocol use, and aligning vendors and standards are now prerequisite steps, according to SSH Communications Security. The real challenge is governance: PQC migration exposes where infrastructure, firmware, and embedded encryption assumptions outlast the controls meant to manage them.
At a glance
What this is: This webinar analysis argues that post-quantum cryptography is becoming urgent because long-lived confidential data and complex encryption estates cannot wait for a later migration window.
Why it matters: It matters to IAM practitioners because cryptographic inventory, vendor dependency, and lifecycle governance now affect machine identity, workload trust, and access control assumptions across the enterprise.
By the numbers:
👉 Watch SSH Communications Security's webinar on post-quantum cryptography migration
Context
Post-quantum cryptography migration is the shift from encryption methods that today’s large-scale quantum computers could eventually break to algorithms designed to resist that threat. The problem is not only mathematical strength, but inventory, dependency mapping, and replacement complexity across systems, protocols, and devices.
For identity and access teams, the governance issue is broader than encryption alone. Secret distribution, certificate lifecycles, workload trust, and access pathways all depend on cryptographic choices, which means PQC planning now touches NHI, workload identity, and long-lived administrative access.
The article’s starting point is typical: most organisations still treat PQC as future work even though the preparation burden is already visible. That delay is the real risk, not the algorithm swap itself.
Key questions
Q: How should organisations start planning post-quantum cryptography migration?
A: Start with a cryptographic inventory that shows where encryption, keys, certificates, and protocols are used across the environment. Then rank systems by confidentiality lifetime, dependency depth, and replacement difficulty. That sequence helps teams avoid shallow upgrades while the hardest embedded dependencies remain undiscovered.
Q: Why does post-quantum cryptography affect identity and access management?
A: Identity systems depend on cryptography for certificates, trust chains, secure transport, and workload authentication. If those foundations become obsolete, authentication and access workflows inherit the same migration risk as the underlying encryption. IAM teams therefore need to treat PQC as part of access lifecycle governance, not as a separate network concern.
Q: What breaks when cryptographic dependencies are not inventoried?
A: Teams lose the ability to estimate migration scope, identify non-upgradable firmware or hardware, and prioritise the systems carrying the longest-lived data. The result is usually fragmented remediation, hidden exceptions, and delays that push exposure into the period when quantum decryption becomes practical.
Q: Who should be accountable for post-quantum readiness across the enterprise?
A: Accountability should sit with the owners of identity, infrastructure, application, and supplier risk together, because cryptography crosses all of those boundaries. Standards, architecture, and vendor management have to move in the same direction or migration will stall in the gaps between teams.
Technical breakdown
Why post-quantum cryptography migration is hard
PQC migration is difficult because cryptography is rarely isolated in one layer. It sits in TLS, embedded firmware, hardware modules, applications, and hard-coded implementations, which means some assets can be upgraded while others must be replaced. The operational problem is discovery, not just algorithm selection. Organisations need a complete view of where encryption lives, which protocols depend on it, and which systems cannot be changed without broader redesign.
Practical implication: build a cryptographic inventory before setting migration timelines.
Cryptographic inventory and dependency mapping
A cryptographic inventory is the control plane for PQC readiness. It should show where keys, certificates, protocols, libraries, and embedded encryption are used, plus which business services depend on them. Without that map, teams cannot estimate blast radius, prioritise long-lived confidentiality use cases, or separate easy wins from hardware-bound exceptions. This is especially important where identity systems rely on certificates or signed trust chains.
Practical implication: map encryption dependencies to business services, not just to asset lists.
Why long-term confidentiality changes the risk model
PQC urgency comes from data retention, not only from breakable encryption. Information that must remain secret for years or decades can be harvested now and decrypted later if today’s cryptography is left in place. That creates a time-shifted compromise model where present-day exposure may not look urgent until the decryption capability arrives. For identity programmes, this raises the value of cryptographic agility and retention-aware risk assessment.
Practical implication: classify data by confidentiality lifetime and align migration priority to that horizon.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Post-quantum migration is a cryptographic governance problem before it is a technical refresh. The article is right to frame PQC as a multi-layer change, because encryption choices sit inside workload trust, certificate handling, and platform dependency chains. That means identity programmes cannot treat cryptography as an adjacent issue. Practitioners should treat cryptographic inventory as part of identity governance, not a separate security project.
The hardest failure mode is undiscovered cryptographic dependency. Hardware, firmware, and hard-coded algorithms create pockets of non-agility that ordinary upgrade plans do not reach. When those dependencies are unknown, teams cannot stage migration, estimate risk, or decide where compensating controls are required. The implication is that PQC readiness depends on visibility first, then sequencing.
Long-lived confidential data creates a harvest-now, decrypt-later exposure window. That is not a future threat model, it is a present-day retention issue. Data that must remain secret for decades is already part of the quantum risk surface, which makes delayed planning a governance error rather than a technical preference. Practitioners should prioritise assets by confidentiality horizon, not by convenience.
Standards adoption only works when partner readiness is visible. The article’s emphasis on collaboration reflects a real operational constraint: identity and cryptography estates cross vendors, infrastructure layers, and external dependencies. If supplier roadmaps and standards alignment are unknown, migration becomes fragmented and partially reversible. Practitioners should re-evaluate third-party dependency management as part of PQC planning.
PQC readiness is becoming a lifecycle discipline for machine trust. Certificates, keys, and protocols have their own joiner-mover-leaver problem, and quantum migration makes that lifecycle visible. The organisations that wait for a perfect replacement window will end up managing exceptions indefinitely. Practitioners should use lifecycle controls to decide what can be migrated, retired, or isolated first.
From our research:
- NIST launched its post-quantum cryptography standardization project in 2015, according to Ultimate Guide to NHIs , Key Research and Survey Results.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- That confidence gap is one reason PQC planning needs governance as well as engineering, as explained in Ultimate Guide to NHIs , Key Challenges and Risks.
What this signals
Cryptographic agility is becoming a baseline control for identity and workload trust. As encryption spreads across embedded systems, certificates, and protocols, the real differentiator will be whether teams can change crypto without breaking authentication, service access, or partner integrations. That is why PQC planning belongs in identity architecture reviews, not just in network or platform programmes.
The organisations that will move fastest are those that already know where keys, certificates, and hard-coded dependencies live. For everyone else, the first material risk is not broken encryption but blind spots in ownership, supplier readiness, and the ability to retire non-upgradable components on schedule.
This is also where lifecycle thinking matters for machine trust: if a certificate, protocol, or embedded dependency cannot be reissued or replaced cleanly, the migration backlog will grow faster than the control programme. Teams should align inventory work with 52 NHI Breaches Analysis to understand how hidden dependency chains become operational risk.
For practitioners
- Inventory cryptographic assets across all layers Build a register that includes TLS, certificates, keys, embedded firmware, hardware modules, and any hard-coded algorithms. Tag each dependency by owner, protocol, business service, and expected confidentiality lifetime so migration work can be prioritised by exposure, not by convenience.
- Map long-lived data to quantum exposure horizons Classify data by how long it must remain confidential, especially records that need protection for years or decades. Use that classification to decide which systems require earlier PQC planning, stronger compensating controls, or accelerated retention changes.
- Test vendor and platform roadmaps now Ask suppliers how they plan to support post-quantum algorithms, which components are upgradeable, and which require replacement. Tie those answers to contract reviews and architecture decisions so supplier gaps do not become migration blockers later.
- Sequence migration by dependency depth Start with centralized, update-friendly systems, then move toward embedded and hardware-bound components where replacement may be required. This reduces the chance of getting stuck on low-visibility dependencies after the easiest systems have already been upgraded.
Key takeaways
- Post-quantum migration is already a planning requirement because long-lived data can be harvested now and decrypted later.
- The main obstacle is not algorithm choice but cryptographic dependency visibility across systems, firmware, and suppliers.
- Identity teams should treat cryptographic inventory and lifecycle sequencing as core controls for PQC readiness.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS-1 | PQC migration protects data in transit and at rest across identity systems. |
| NIST Zero Trust (SP 800-207) | SC-12 | Zero trust depends on trustworthy cryptography for secure transport and identity assertions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI certificates and tokens depend on cryptographic lifecycle management. |
Inventory and rotate NHI trust material with PQC readiness in mind, especially where certificates have long lifetimes.
Key terms
- Post-Quantum Cryptography: Post-quantum cryptography is a class of encryption algorithms designed to resist attacks from future cryptographically relevant quantum computers. It matters because organisations must protect data and identity trust before quantum decryption becomes practical, especially for information with long confidentiality lifetimes.
- Cryptographic Inventory: A cryptographic inventory is a structured record of where encryption, keys, certificates, and protocol dependencies exist across an environment. It gives security teams the visibility needed to prioritise migration, spot non-upgradable components, and understand how identity and workload trust depend on specific cryptographic choices.
- Cryptographic Agility: Cryptographic agility is the ability to change encryption methods without redesigning the entire system. In practice, it means software, hardware, and identity workflows can shift algorithms, certificates, or trust chains quickly enough to respond to new threats without breaking access or service continuity.
- Harvest-Now, Decrypt-Later: Harvest-now, decrypt-later is the risk pattern where attackers collect encrypted data today and wait for future decryption capability. It is especially relevant to long-lived confidential records, because the security failure may not appear until years after the original exposure window has closed.
Deepen your knowledge
Post-quantum cryptography migration and cryptographic inventory are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building trust, certificate, and workload governance from the same starting point, it is worth exploring.
This post draws on content published by SSH Communications Security: post-quantum cryptography migration and preparation guidance. Read the original.
Published by the NHIMG editorial team on 2025-07-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
