By NHI Mgmt Group Editorial Team
Published 2025-08-22
Domain: Governance & Risk
Source: Keyfactor

TL;DR: Post-quantum cryptography readiness is no longer just a PKI problem. Keyfactor argues that inventory, automation, governance, and cross-functional planning all have to move together, because harvest-now-decrypt-later threats and shorter certificate lifecycles raise the cost of delay. The governing assumption that cryptography can be modernised in isolated pockets is already breaking.


At a glance

What this is: A PQC readiness guide arguing that post-quantum migration depends on enterprise-wide crypto-agility, not just certificate replacement.

Why it matters: It matters to IAM, NHI, and security leaders because cryptographic inventory, renewal automation, and governance controls increasingly shape identity trust across systems, workloads, and devices.


👉 Read Keyfactor's post on preparing for post-quantum cryptography


Context

Post-quantum cryptography, or PQC, refers to cryptographic methods designed to remain secure against attacks from future quantum computers. The governance problem is not abstract: organisations need to know where cryptography exists, which systems depend on it, and how quickly they can change it without breaking trust.

For identity programmes, the issue reaches beyond certificates and keys. PKI, workload identity, device trust, secrets management, and auditability all depend on cryptographic assumptions that may not survive a long migration window, especially when inventory is incomplete and ownership is fragmented across teams.


Key questions

Q: How should organisations prepare for post-quantum cryptography without breaking identity trust?

A: Start with a full inventory of cryptographic assets, then prioritise the systems that carry the most exposure or the longest replacement cycle. Use automation for certificate issuance and renewal, because manual PKI does not scale as transition complexity rises. Treat the migration as a governance programme that spans security, IT, compliance, and application owners.

Q: Why does PQC readiness matter for IAM and workload identity teams?

A: Because certificates, keys, and trust chains underpin authentication, service-to-service access, and auditability. If those dependencies are not mapped and modernised in a coordinated way, identity trust can fragment across systems. IAM and workload identity teams must therefore participate in cryptographic planning, not wait for PKI teams to act alone.

Q: What do security teams get wrong about certificate migration?

A: They often treat certificate replacement as a narrow technical task instead of a lifecycle problem. In reality, renewal timing, algorithm deprecation, fallback planning, and ownership assignment all affect whether trust remains intact during transition. The mistake is assuming one successful cutover ends the governance work.

Q: Who should own PQC migration when multiple teams depend on the same trust assets?

A: Ownership should sit with a cross-functional programme that includes security, IT, legal, compliance, and product teams. No single function can map dependencies, approve risk, and coordinate change across all affected services. The right model is shared accountability with clear operational ownership for each cryptographic domain.


Technical breakdown

Cryptographic discovery and inventory in PQC migration

PQC readiness begins with knowing where cryptography actually lives, not where policy says it should live. That means certificates, private keys, embedded algorithms, legacy applications, OT systems, and shadow IT all need to be identified before a migration plan can be trusted. In identity terms, the inventory is the control plane: if you cannot map trust assets, you cannot prioritise exposure, sequence replacement, or validate coverage. Discovery tools help surface scale, but the governance work is assigning ownership and remediation order across systems that behave very differently.

Practical implication: build a complete cryptographic inventory before choosing migration sequences or renewal tooling.

Crypto-agile certificate management and automation

Crypto-agility means systems can support current and post-quantum algorithms during transition, rather than waiting for a clean cutover. That usually requires dual certificates, automated issuance, renewal, replacement, and audit logging, because manual PKI operations do not scale as certificate lifecycles shorten. The technical challenge is not only volume but orchestration across dependent services that must trust both old and new algorithms at once. In practice, automation becomes a governance requirement, because delayed renewal or inconsistent rollout can break availability and weaken trust continuity.

Practical implication: automate certificate lifecycle operations wherever dual-stack cryptography is required.
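As an added illustration of the inventory and automation points above (example code written for this summary, not Keyfactor's or NHIMG's tooling): it assumes a discovery tool that exports one JSON record per certificate in the constructed shape shown, assumes replacement-cycle lengths per asset class, and ranks assets by exposure and replacement cycle while flagging unowned assets and those whose renewal will land before a swap can finish, which are the dual-stack and automation cases.

```python
import json
from datetime import date

# Public-key algorithms that a cryptographically relevant quantum computer breaks.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "DSA", "DH", "ECDH", "Ed25519"}

# Assumed days needed to swap an asset class's cryptography: OT and embedded
# systems have the longest replacement cycles, managed services the shortest.
REPLACEMENT_CYCLE_DAYS = {"ot": 720, "embedded": 540, "shadow-it": 365, "managed": 60}

AS_OF = date(2025, 8, 22)  # assessment date for the constructed sample below

# Constructed discovery-tool export in an assumed shape; not real estate data.
SAMPLE_EXPORT = json.dumps([
    {"subject": "plc-gateway.ot.internal", "algorithm": "RSA", "not_after": "2029-06-30",
     "owner": None, "asset_class": "ot", "exposure": "internal"},
    {"subject": "api.example.com", "algorithm": "ECDSA", "not_after": "2025-10-15",
     "owner": "platform", "asset_class": "managed", "exposure": "external"},
    {"subject": "build-runner.dev", "algorithm": "RSA", "not_after": "2027-03-01",
     "owner": None, "asset_class": "shadow-it", "exposure": "internal"},
    {"subject": "svc-mesh.internal", "algorithm": "ML-DSA-65", "not_after": "2026-02-01",
     "owner": "platform", "asset_class": "managed", "exposure": "internal"},
])


def assess(rec, today=AS_OF):
    """Score one inventory record and attach the flags the migration plan needs."""
    vulnerable = rec["algorithm"] in QUANTUM_VULNERABLE
    days_left = (date.fromisoformat(rec["not_after"]) - today).days
    cycle = REPLACEMENT_CYCLE_DAYS.get(rec["asset_class"], 365)
    score = 0
    if vulnerable:
        score += 40 if rec["exposure"] == "external" else 20  # most exposure first
        score += min(cycle // 36, 20)                          # then longest replacement cycle
        score += 10 if days_left > cycle else 0                # cert outlives the swap: widest harvest window
    return {
        "subject": rec["subject"],
        "priority": "P1" if score >= 50 else "P2" if score > 0 else "P3",
        "score": score,
        "days_left": days_left,
        "unowned": rec["owner"] is None,                       # nobody can approve or schedule the change
        "needs_dual_stack": vulnerable and days_left < cycle,  # renews before the swap can finish
        "automate_renewal": days_left < 90,                    # lifecycle too short for manual handling
    }


def plan(export_json, today=AS_OF):
    """Remediation order: highest score first, soonest expiry breaks ties."""
    rows = [assess(r, today) for r in json.loads(export_json)]
    return sorted(rows, key=lambda r: (-r["score"], r["days_left"]))
```

The unowned OT asset ranks first even though it is internal, because its long replacement cycle and long-lived certificate give the widest harvest-now-decrypt-later window; the short-lived external certificate ranks lower but is the one that needs dual-stack issuance and automated renewal.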

Ongoing governance for algorithm deprecation and fallback

PQC is not a one-time upgrade because standards, implementations, and algorithm confidence will continue to shift. Ongoing governance needs policies for algorithm deprecation, periodic key rotation, and fallback mechanisms if a chosen algorithm weakens or an implementation fails. This is where identity and cryptography intersect: trust chains must be revisable without forcing emergency rework across every dependent system. The real technical risk is assuming a migration ends when the first post-quantum configuration is deployed.

Practical implication: maintain a formal process for deprecating algorithms and recovering from cryptographic failures.


Threat narrative

Attacker objective: The attacker wants to collect and retain encrypted data now so it can be decrypted later, once quantum capability makes current cryptography obsolete.

  1. Entry via harvest-now-decrypt-later collection of encrypted files and long-lived certificates.
  2. Escalation through retained ciphertext that becomes recoverable once future quantum capability exists.
  3. Impact through retrospective decryption of sensitive data, long after the original protection window has closed.

Related incidents:
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Post-quantum migration exposes a crypto-agility gap, not just a cipher upgrade task. The article is right to frame PQC as an organisation-wide transformation because identity trust depends on discovery, ownership, automation, and change control across many systems at once. The weak point is not whether a new algorithm exists, but whether the enterprise can replace cryptographic dependencies before they expire. Practitioners should treat PQC as a governance programme with operational dependencies, not a product refresh.

Cryptographic inventory is the named control gap that determines whether PQC is manageable. If organisations cannot identify certificates, keys, embedded cryptography, and shadow IT, they cannot prioritise the highest-exposure assets or verify migration coverage. That gap is especially dangerous in environments where workload identity, device trust, and application authentication all rely on hidden cryptographic assumptions. Practitioners should assume that incomplete inventory creates blind spots large enough to invalidate the transition plan.

Manual certificate management is becoming an identity governance liability. The article correctly points to shorter certificate lifespans and increasing algorithmic complexity, which together make manual renewal and replacement brittle. This is not just an operations problem; it is a governance problem because delayed renewal can disrupt trust chains, auditability, and service continuity. Practitioners should reclassify certificate automation as a control requirement, not a convenience.

Algorithm deprecation will need lifecycle governance, not ad hoc reaction. PQC will evolve in waves, and organisations that treat the first migration as the end state will accumulate cryptographic debt again. Regular policy revision, fallback planning, and rotation discipline are the mechanisms that keep trust adaptable when standards change or algorithms weaken. Practitioners should build deprecation governance now so the next cryptographic shift does not reopen the same risk window.

Shadow IT is also shadow cryptography, and that is where migration plans fail first. The article’s discovery step is valuable because unauthorised software and hardware often hide the exact cryptographic dependencies teams forget to inventory. That means PQC readiness must cover not just sanctioned PKI but also unmanaged endpoints, applications, and embedded systems. Practitioners should extend identity and asset governance into every place cryptography is used, not only the systems they already know about.


What this signals

Crypto-agility is becoming an identity programme requirement, not a PKI specialist concern. Organisations that still treat cryptography as a back-office technical layer will struggle to coordinate migration across workload identity, application trust, and audit controls. The governance lesson is simple: if trust assets are not discoverable and assignable, they are not manageable. For a standards anchor, map this work to the NIST Cybersecurity Framework 2.0 identify and protect functions.

Shadow cryptography will be the hidden obstacle in most PQC plans. A programme can only modernise what it can find, and unmanaged code, embedded systems, and rogue tools are where legacy algorithms often persist longest. That is why discovery needs to extend beyond sanctioned PKI into the full trust surface. The same logic applies to machine identity and secrets governance across the estate.

Identity teams should expect shorter trust lifecycles across more systems. As certificate renewal windows tighten and post-quantum transition periods overlap with legacy support, operational discipline will matter more than one-time migration projects. The practical response is to align cryptographic change control with lifecycle governance, so replacement, rollback, and deprecation are all managed as recurring processes. For related guidance, the Ultimate Guide to NHIs, Why NHI Security Matters Now, frames why urgency keeps rising.


For practitioners

  • Inventory every cryptographic dependency: Map certificates, private keys, algorithms, protocols, embedded cryptography, and OT systems before defining migration priority. Include shadow IT and unmanaged devices so the plan reflects actual trust dependencies, not just documented ones.
  • Prioritise dual-stack coverage for exposed systems: Identify high-exposure assets that need both post-quantum and traditional certificates during transition. Sequence them ahead of lower-risk systems so business continuity is preserved while trust chains are modernised.
  • Automate certificate issuance and renewal: Replace manual PKI workflows with automated issuance, renewal, replacement, and logging wherever certificate volumes or lifespans make human handling unreliable.
  • Create formal algorithm deprecation governance: Define review cadence, fallback mechanisms, and rotation rules for algorithms that may weaken over time. Make deprecation a standing policy process rather than a one-off migration decision.

Key takeaways

  • PQC readiness is a governance challenge because cryptographic trust spans discovery, ownership, automation, and policy change.
  • The scale of the problem is already visible in long-lived certificates, hidden cryptographic dependencies, and harvest-now-decrypt-later threats.
  • Teams that build inventory and automation now will be better positioned to modernise trust chains without breaking service continuity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST CSF 2.0                    | ID.AM-1             | PQC readiness depends on knowing cryptographic assets across the estate.
NIST Zero Trust (SP 800-207)    | SC-7                | PQC protects trust boundaries in a zero-trust environment.
OWASP Non-Human Identity Top 10 | NHI-03              | Certificate lifecycle management is central to non-human identity trust.

Automate NHI-related certificate rotation and renewal where manual handling is no longer viable.


Key terms

  • Post-Quantum Cryptography: Cryptographic methods designed to remain secure against future quantum computers. In practice, PQC is a transition problem as much as an algorithm problem, because existing trust chains, certificates, and device lifecycles must be replaced without breaking business services.
  • Crypto-Agility: The ability to change cryptographic algorithms, certificates, and trust mechanisms without redesigning the entire environment. It matters because organisations need to support legacy and post-quantum methods at the same time during migration, then deprecate old methods safely.
  • Cryptographic Inventory: A complete map of where cryptographic assets exist and how they are used. That includes certificates, private keys, embedded algorithms, applications, devices, and hidden dependencies, because migration fails when teams only see the assets they already manage.
  • Harvest Now, Decrypt Later: An attack pattern where adversaries steal encrypted data today and store it until future computing advances make decryption possible. The risk is delayed impact, which means long-lived data and weak migration planning can create exposure years after the original collection event.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Keyfactor: PQC 4-Sight, How to Prepare Your Organization for Post-Quantum Cryptography. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org