TL;DR: Forty-eight percent of organisations say they are not prepared for post-quantum cryptography, while only 28% have both budget and personnel committed to readiness, according to a Keyfactor survey of 450 security professionals across North America and Europe. The issue is less about algorithms than about governance, inventory, and ownership across identity-linked cryptographic assets.
At a glance
What this is: This is Keyfactor’s first Digital Trust Digest issue on post-quantum cryptography, and its central finding is that most organisations are still not operationally ready for the transition.
Why it matters: It matters because PQC readiness touches certificate lifecycle, secrets governance, workload identity, and broader identity programme ownership, all of which determine how quickly cryptographic change can be executed safely.
By the numbers:
- 48% of organisations say they are not prepared for PQC.
- Only 28% have both budget and personnel committed to readiness efforts.
- 92% claim visibility into their cryptographic assets, but only 47% actively monitor them.
Context
Post-quantum cryptography is the shift from the public-key schemes today’s systems rely on to algorithms designed to withstand attacks by quantum computers. The governance problem is not just algorithm selection, but the fact that cryptographic inventory, ownership, and monitoring are still fragmented across security, infrastructure, and identity teams.
For identity practitioners, PQC is not an abstract research topic. Certificates, keys, tokens, and workload identities all depend on cryptographic assumptions that will need to change under a controlled migration plan, and delayed ownership decisions will turn a technical transition into a programme-level exposure.
The article’s starting position is typical rather than exceptional: organisations are aware of the deadline, but many still lack the budget, staffing, and operational visibility required to move from awareness to execution.
Key questions
Q: How should security teams start a post-quantum cryptography programme?
A: They should start with a cryptographic inventory that maps certificates, keys, trust chains, signing flows, and external dependencies. Without that baseline, teams cannot prioritise systems, estimate migration effort, or sequence change safely. Readiness begins with knowing where cryptography lives, not with replacing every algorithm at once.
Q: Why do post-quantum projects stall even when the risk is understood?
A: They stall because ownership, budget, and coordination are often unclear. PQC affects multiple teams at once, including identity, PKI, infrastructure, and application owners, so progress slows when no one is accountable for end-to-end delivery. Understanding the risk is not enough if the operating model cannot execute the transition.
Q: What is the biggest false confidence signal in PQC readiness?
A: A static inventory without active monitoring creates false confidence. Organisations may know what cryptographic assets they have, but still miss expiring certificates, hidden trust paths, or unmanaged dependencies. Active monitoring is what turns visibility into operational control, especially during a long migration cycle.
Q: Who should own PQC governance in an enterprise programme?
A: PQC governance should be owned by a cross-functional programme with executive accountability, not left to a single technical team. Identity, PKI, security architecture, application owners, and procurement all influence the migration, so the accountable structure has to reflect the full dependency chain.
Technical breakdown
Why cryptographic inventory is the first control for PQC readiness
PQC migration starts with knowing where cryptography exists, not with replacing algorithms in place. Inventory means mapping certificates, keys, signing flows, trust chains, and dependencies across applications, platforms, and third parties. Without that map, teams cannot estimate blast radius, prioritise critical systems, or sequence migration work. This is especially difficult in large identity estates where workload identity, PKI, and secrets management have evolved separately.
Practical implication: build an authoritative cryptographic inventory before planning any migration timeline.
Budget and ownership gaps slow post-quantum migration
The article makes clear that readiness is a governance problem as much as a technical one. PQC requires coordinated decisions across security architecture, IAM, PKI, application owners, and procurement, because the migration affects many systems with different upgrade cycles. Where ownership is unclear, work stalls in assessment, funding, and execution. In practice, that means the hardest part is often not the algorithmic change but deciding who owns the transition and who is accountable for risk acceptance.
Practical implication: assign executive ownership and a cross-functional delivery model before treating PQC as a tooling project.
Why visibility without active monitoring creates false confidence
Visibility into cryptographic assets only matters if organisations continuously monitor the state, location, and use of those assets. A static inventory can still miss expiring certificates, shadow trust paths, unmanaged signing keys, and dependencies hidden inside applications or third-party services. That gap is where migration failures begin, because teams believe they are ready when they are only partially informed. For identity teams, this is a familiar pattern: inventories that are not operationalised rarely support change at scale.
Practical implication: pair inventory with continuous monitoring and remediation workflows.
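To make the three points above concrete, here is a small added example (not Keyfactor's or NHIMG's code) in Python: it tags each recorded asset as quantum-vulnerable, unowned, expired or expiring, ranks externally exposed and long-lived trust paths first, and diffs a static inventory against a fresh scan to surface assets the inventory never captured. The CryptoAsset record shape, the scoring weights, and all asset records and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Public-key families Shor's algorithm breaks; NIST's PQC replacements (ML-KEM, ML-DSA, SLH-DSA) are not listed.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}

@dataclass(frozen=True)
class CryptoAsset:          # assumed record shape for one inventory entry
    name: str               # host or service the asset secures
    kind: str               # "certificate", "signing_key", ...
    algorithm: str          # public-key algorithm family
    not_after: date         # expiry date
    owner: "str | None"     # accountable team, None if nobody owns it
    external: bool          # reachable from outside the organisation

def assess(asset, today, expiry_window=30):
    """Tag one asset with the readiness findings the text describes."""
    tags = []
    if asset.algorithm.upper() in QUANTUM_VULNERABLE:
        tags.append("quantum-vulnerable")
    if asset.owner is None:
        tags.append("unowned")
    if asset.not_after <= today:
        tags.append("expired")
    elif asset.not_after - today <= timedelta(days=expiry_window):
        tags.append("expiring")
    return tags

def priority(asset, today):
    """Assumed weights; higher means migrate sooner: vulnerable, external, long-lived trust path, unowned."""
    return (2 * ("quantum-vulnerable" in assess(asset, today)) + 2 * asset.external
            + ((asset.not_after - today).days > 365) + (asset.owner is None))

def drift(baseline, current):
    """What a fresh scan added, removed or re-keyed relative to the static inventory."""
    key = lambda a: f"{a.name}/{a.kind}"
    base = {key(a): a for a in baseline}
    live = {key(a): a for a in current}
    return {"new": sorted(live.keys() - base.keys()),
            "removed": sorted(base.keys() - live.keys()),
            "algorithm_changed": sorted(k for k in base.keys() & live.keys()
                                        if base[k].algorithm != live[k].algorithm)}

TODAY = date(2025, 7, 30)  # constructed reference date
BASELINE = [  # constructed records: what the static inventory captured
    CryptoAsset("api.example.test", "certificate", "RSA", date(2026, 9, 1), "platform", True),
    CryptoAsset("intranet.example.test", "certificate", "RSA", date(2025, 8, 10), "it-ops", False),
]
CURRENT_SCAN = BASELINE + [  # constructed: a live scan also finds an untracked vendor gateway
    CryptoAsset("vendor-gw.example.test", "certificate", "ECDSA", date(2028, 3, 1), None, True),
]
```

Running `drift(BASELINE, CURRENT_SCAN)` reports the vendor gateway as new, and sorting `CURRENT_SCAN` by `priority` puts that unowned, external, long-lived certificate first.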
NHI Mgmt Group analysis
PQC readiness is a governance transition, not an algorithm swap. The article shows that most organisations are not blocked by a lack of awareness of quantum risk, but by fragmented ownership, limited budget, and incomplete operational visibility. That combination is a programme design problem, not a cryptography-only problem. The implication is that identity, PKI, infrastructure, and risk teams have to treat PQC as shared governance work, not as a specialist lab exercise.
Cryptographic inventory is the named concept that separates preparation from posture theater. The issue’s strongest message is that organisations can claim broad visibility while still failing to monitor assets actively. That is not readiness, it is partial observation. Under NIST CSF terms, the failure sits in governance and asset visibility before it reaches protection or response. Practitioners should recognise that a PQC programme without inventory discipline is still blind to migration scope.
Delayed action creates exposure debt in identity-linked cryptography. Certificates, keys, and trust chains underpin the systems that authenticate machines, services, and users, so postponing migration pushes risk into the future while increasing coordination cost. The article’s survey data shows that waiting for regulation or peer action is a dominant pattern, but that approach compresses the remaining execution window. The practitioner conclusion is to treat delay as accumulated risk, not neutral inaction.
PQC readiness will increasingly be measured by execution capacity, not policy statements. Organisations that can name owners, fund the programme, and continuously monitor cryptographic assets will be able to move. Those that cannot will remain stuck at the assessment stage even after standards are finalised. That distinction matters because identity programmes already know how quickly unmanaged dependencies turn into operational bottlenecks. The implication is to measure whether the programme can actually migrate, not whether it can describe the threat.
The market is signalling a broader shift toward digital trust operations. The article places PQC alongside PKI, identity, and risk, which means cryptographic governance is moving closer to mainstream identity operations. That trend should push practitioners to align PQC planning with certificate lifecycle, workload identity, and secrets management rather than isolating it in a cryptography silo. The practical conclusion is to make PQC part of the identity operating model, not a parallel initiative.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- Ultimate Guide to NHIs, Key Challenges and Risks shows that 97% of NHIs carry excessive privileges, which is the same governance pattern that makes late-stage cryptographic change harder to execute safely.
What this signals
Cryptographic inventory debt: programmes that cannot locate their cryptographic assets will struggle to absorb PQC deadlines without disruption. The reader should treat PQC as a data-quality and ownership exercise as much as a cryptography exercise, because migration velocity depends on whether teams can see every trust dependency before the deadline arrives.
This issue also points to a broader operating-model change. As quantum-safe planning moves from theory to execution, IAM, PKI, and workload identity teams will need a shared control view that aligns with the NIST Cybersecurity Framework 2.0 and makes asset visibility measurable, not assumed.
The clearest signal to watch is whether cryptographic monitoring becomes continuous. Static inventories age quickly, and the organisations that can detect changes in trust paths, certificate state, and signing dependencies will be the ones able to execute migration without losing service continuity.
For practitioners
- Build a cryptographic inventory first: map certificates, keys, signing services, trust chains, and system dependencies before deciding where PQC migration starts. Prioritise externally exposed and long-lived trust paths.
- Assign clear programme ownership: name a single accountable owner for PQC coordination across security, infrastructure, IAM, application teams, and procurement so assessments do not stall between functions.
- Link migration to asset monitoring: move from static discovery to continuous monitoring of cryptographic assets, especially for certificates and signing workflows that can fail silently during long migration cycles.
- Frame PQC as operational risk reduction: translate post-quantum work into business terms such as trust continuity, service resilience, and reduced future remediation cost so funding decisions are easier to justify.
Key takeaways
- PQC readiness is failing as a governance and ownership problem long before it becomes an algorithm migration problem.
- The survey data shows a substantial gap between claimed visibility and active monitoring, which creates false confidence in cryptographic control.
- The practical response is to build inventory, assign accountability, and operationalise monitoring before the migration window tightens further.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM-1 | PQC readiness depends on knowing where cryptographic assets and dependencies live. |
| NIST CSF 2.0 | GV.OC-1 | The article frames PQC as an enterprise governance and ownership problem. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Cryptographic assets underpin machine and service identity controls that need lifecycle management. |
Treat certificates and keys as governed identities with lifecycle tracking, monitoring, and rotation.
Key terms
- Cryptographic Inventory: A cryptographic inventory is the authoritative map of where keys, certificates, trust chains, signing services, and related dependencies exist. For PQC readiness, it is the starting point for migration planning because organisations cannot protect what they have not located or classified.
- Post-Quantum Cryptography: Post-quantum cryptography refers to algorithms designed to resist attacks from quantum computers. In enterprise programmes, it is not just a cryptographic upgrade but a long-running transition that affects identity, trust, application dependencies, and operational governance.
- Cryptographic Monitoring: Cryptographic monitoring is the ongoing observation of certificate state, key usage, trust relationships, and change events across systems. It turns a one-time inventory into operational control and helps teams detect drift, expiry, exposure, and migration blockers before service failure occurs.
- Digital Trust: Digital trust is the confidence that identity, authentication, and cryptographic controls will continue to protect systems and transactions. It depends on how well organisations govern certificates, keys, workload identities, and related trust infrastructure over time.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Keyfactor: Inside the First Issue of Digital Trust Digest on post-quantum cryptography. Read the original.
Published by the NHIMG editorial team on 2025-07-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org