TL;DR: Enterprises cannot scope post-quantum cryptography migration without a complete cryptographic inventory, and the article argues that identity-linked discovery is the practical starting point, according to Axiad and cited guidance from Gartner, CISA, and NIST. The real constraint is not algorithm choice, but visibility into where certificates, keys, and machine identities actually live.
At a glance
What this is: This is an analysis of PQC readiness that says cryptographic inventory, not algorithm selection, is the first blocker to enterprise migration.
Why it matters: It matters because IAM, NHI, and security teams will need one inventory model for certificates, keys, and machine identities before they can plan any credible quantum-safe transition.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
👉 Read Axiad's analysis of post-quantum cryptography readiness and identity visibility
Context
Post-quantum cryptography readiness is fundamentally a visibility problem: most enterprises cannot inventory every certificate, key, algorithm, and identity dependency well enough to plan migration with confidence. That gap matters to NHI governance because the cryptographic estate is embedded in service accounts, API keys, certificates, and the systems that depend on them.
The article frames the issue as a multi-year governance programme rather than a simple cryptography refresh. For IAM teams, the practical question is how to correlate identities, credentials, and system dependencies before quantum-safe transition work can be prioritised.
This makes the first decision less about which post-quantum algorithm to adopt and more about whether the organisation can see its current cryptographic attack surface at all. Without that baseline, migration sequencing, risk triage, and ownership assignment remain guesswork.
Key questions
Q: How should security teams build a cryptographic inventory for post-quantum migration?
A: Start by mapping every algorithm, certificate, key, and dependency to an owner and the system that uses it. Then include cloud services, applications, endpoints, and machine identities so the inventory supports migration sequencing, risk ranking, and accountability rather than only compliance reporting.
Q: Why do machine identities matter in post-quantum cryptography planning?
A: Because machine identities often hold the certificates and keys that actually secure business systems. If teams ignore service accounts, API keys, SSH keys, and code-signing certificates, they miss the assets most likely to block migration or carry hidden dependencies into the quantum-safe transition.
Q: What breaks when cryptography is not inventoried before PQC migration?
A: Migration breaks into isolated replacements with no clear order, no reliable ownership, and no way to see which systems depend on vulnerable algorithms. That creates delay, duplicated work, and the risk that critical identities or applications are left behind during transition.
Q: How do organisations know if their PQC readiness programme is working?
A: They should be able to answer where each cryptographic asset lives, who owns it, which identities depend on it, and what will change when an algorithm is replaced. If those answers are missing, the programme is still in discovery, not readiness.
Technical breakdown
Cryptographic inventory as the control plane for PQC migration
Post-quantum migration starts with discovery, because an organisation cannot re-issue or replace what it cannot find. In practice, cryptographic inventory means mapping algorithms, keys, certificates, lifecycles, and the systems that depend on them across PKI, cloud services, endpoints, applications, and machine identities. This is not a one-off asset list. It is a living control plane that links crypto objects to owners, usage context, and remediation priority. Without that correlation, migration becomes a series of disconnected renewals with no enterprise sequencing.
Practical implication: build a living cryptographic inventory that ties each certificate or key to an owner, system, and renewal path.
Why identity visibility matters in post-quantum readiness
The article’s strongest technical point is that cryptography is not isolated from identity. Certificates authenticate users, devices, applications, and services, while API keys and service account credentials bind machine identity to systems and workloads. That means PQC readiness depends on identity visibility, not just cryptographic scanning. If teams cannot see where machine identities are, they cannot determine which cryptographic assets are high-risk, which are orphaned, or which depend on legacy algorithms that will need replacement.
Practical implication: map machine identities and their cryptographic dependencies together instead of treating identity and crypto as separate inventories.
Crypto-agility depends on dependency mapping, not just new algorithms
Crypto-agility is the ability to change cryptographic methods without re-engineering the whole environment. That only works when teams know which applications, libraries, certificates, and services are coupled to each algorithm. The real architectural challenge is dependency mapping across systems that may embed cryptography in code, firmware, or third-party components. In other words, the migration problem is as much about application and infrastructure relationships as it is about algorithm replacement.
Practical implication: prioritise dependency mapping so migration plans account for embedded cryptography, third-party components, and system coupling.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Sisense breach — unauthorised GitLab access led to exfiltration of access tokens, API keys and certificates.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Cryptographic inventory is the missing governance layer in PQC migration. The article is right to treat visibility as the prerequisite, because algorithm replacement without asset knowledge only creates a false sense of readiness. PQC programmes fail when they start from standards selection instead of identity-linked discovery, ownership, and dependency mapping. Practitioners should treat inventory completeness as the gating control, not a reporting exercise.
Identity-linked cryptography is already part of the NHI problem space. Certificates, API keys, SSH keys, and service account credentials are all non-human identity artefacts when they secure machine-to-machine trust. That means post-quantum preparation cannot sit in a crypto silo. It has to align with NHI governance, lifecycle ownership, and access accountability across systems and workloads.
Quantum readiness exposes the weakness of static trust assumptions. Policies written around stable certificates and long-lived algorithms assume the environment can be inventoried and updated in orderly cycles. That assumption is under pressure when cryptography is distributed across cloud, code, hardware, and third-party services. The implication is that organisations need to rethink cryptographic governance as continuous identity and dependency management, not periodic cleanup.
Named concept: cryptographic inventory debt. This is the accumulated gap between the cryptography an organisation uses and the cryptography it can actually locate, classify, and govern. The article shows that PQC delay compounds this debt because every new system, key, or certificate widens the blind spot. Practitioners should read this as a programme risk, not a tooling inconvenience.
Post-quantum planning will separate visible identity programmes from decorative ones. Enterprises that already correlate human identity, machine identity, and certificate ownership will move faster because they can translate crypto findings into accountable remediation. Those that still run fragmented identity and PKI processes will discover that PQC is not a technical patch cycle but a governance stress test. The practitioner takeaway is simple: the inventory model has to become enterprise-wide before the deadline becomes real.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- If you are mapping PQC exposure across identity estates, review 52 NHI Breaches Analysis for how visibility gaps turn into real compromise paths.
What this signals
Cryptographic inventory debt: PQC programmes will expose how much hidden cryptography still sits outside ownership, policy, and review. Teams that already correlate identities, certificates, and systems will convert discovery into action faster than teams still splitting crypto and IAM into separate operating models.
The governance signal is that quantum readiness belongs in the same control conversation as NHI visibility, offboarding, and lifecycle management. When credentials and certificates are treated as part of one identity fabric, migration planning becomes measurable instead of aspirational.
For teams aligning to external guidance, the discovery work maps closely to the NIST Cybersecurity Framework 2.0 and the inventory-driven posture expected in post-quantum transition planning. The practical watchpoint is whether every new certificate or key creation event can be tied back to an accountable owner.
For practitioners
- Build a cryptographic inventory tied to identity owners: Map every certificate, key, algorithm, and dependency to a named owner and system record. Include cloud services, applications, endpoints, and machine identities so the inventory can support migration sequencing rather than just audit reporting.
- Prioritise legacy algorithms by business criticality: Rank RSA, ECC, and other quantum-vulnerable uses by data sensitivity, certificate lifecycle, and the privilege level of the identity they protect. Use that ranking to decide what gets migrated first, not just what is easiest to replace.
- Treat machine identities as part of the PQC scope: Include service accounts, API keys, SSH keys, and code-signing certificates in the same governance workstream as user-facing certificates. These are the credentials most likely to create hidden migration dependencies and ownership confusion.
- Set a recurring discovery cadence for crypto drift: Re-scan for new certificates, libraries, and embedded cryptography so the inventory stays current as environments change. The practical goal is to catch new quantum-vulnerable assets before they become untracked exposure.
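The four practitioner steps above, and the dependency-mapping point made under crypto-agility, can be expressed as one small inventory model. The following is an added example written for this post; it is not code from NHIMG, Axiad, or any vendor tool. It assumes a flat record per cryptographic asset (field names are assumptions), a system-to-system dependency map, the 2029 horizon cited in the source article as the cut-off for "long-lived" assets, and a constructed sample estate. It classifies each asset as quantum-vulnerable or not, flags orphaned assets with no accountable owner, ranks vulnerable assets by the privilege and data sensitivity of the identity they protect, computes the transitive set of systems touched by replacing an algorithm, and diffs two discovery runs to surface crypto drift.

```python
"""Identity-linked cryptographic inventory model (added example, not NHIMG or Axiad code)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Public-key families whose security rests on factoring or discrete logarithms;
# a cryptographically relevant quantum computer breaks all of them (Shor's algorithm).
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "Ed25519", "X25519"}
# NIST-standardised post-quantum families (FIPS 203 / 204 / 205).
PQC_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Horizon taken from the source article's cited "broken by 2029" estimate (assumption: used as a date).
HORIZON = date(2029, 1, 1)


@dataclass(frozen=True)
class CryptoAsset:
    asset_id: str            # constructed identifier (cert serial, key name, etc.)
    kind: str                # "certificate", "api_key", "ssh_key", "code_signing"
    algorithm: str           # algorithm family, e.g. "RSA", "ECDSA", "ML-DSA"
    owner: Optional[str]     # None means nobody is accountable for renewal
    system: str              # system that holds or presents the asset
    identity: str            # human or machine identity the asset binds
    privilege: int           # 1 (read-only) .. 5 (admin) of the protected identity
    data_sensitivity: int    # 1 (public) .. 5 (regulated)
    expires: date


@dataclass
class Inventory:
    assets: Dict[str, CryptoAsset] = field(default_factory=dict)
    # provider system -> set of consumer systems that depend on it at runtime
    dependents: Dict[str, Set[str]] = field(default_factory=dict)

    def add(self, asset: CryptoAsset) -> None:
        self.assets[asset.asset_id] = asset

    def depends_on(self, consumer: str, provider: str) -> None:
        self.dependents.setdefault(provider, set()).add(consumer)


def is_quantum_vulnerable(asset: CryptoAsset) -> bool:
    return asset.algorithm in QUANTUM_VULNERABLE


def orphaned(inv: Inventory) -> List[str]:
    """Assets with no accountable owner: these block migration sequencing outright."""
    return sorted(a.asset_id for a in inv.assets.values() if a.owner is None)


def risk_score(asset: CryptoAsset, horizon: date = HORIZON) -> int:
    """Business-criticality score: privilege x sensitivity, plus penalties for
    validity that outlives the horizon (harvest-now-decrypt-later exposure) and
    for having no owner. Weights are assumptions chosen for illustration."""
    score = asset.privilege * asset.data_sensitivity
    if asset.expires >= horizon:
        score += 2
    if asset.owner is None:
        score += 3
    return score


def migration_order(inv: Inventory) -> List[Tuple[str, int]]:
    """Quantum-vulnerable assets ranked highest-risk first (ties broken by id)."""
    ranked = [(a.asset_id, risk_score(a)) for a in inv.assets.values() if is_quantum_vulnerable(a)]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


def blast_radius(inv: Inventory, algorithm: str) -> Set[str]:
    """Every system affected, directly or transitively, by replacing one algorithm."""
    affected = {a.system for a in inv.assets.values() if a.algorithm == algorithm}
    stack = list(affected)
    while stack:
        system = stack.pop()
        for consumer in inv.dependents.get(system, ()):
            if consumer not in affected:
                affected.add(consumer)
                stack.append(consumer)
    return affected


def drift(previous: Inventory, current: Inventory) -> Dict[str, List[str]]:
    """Diff two discovery runs: new assets, and which of them are vulnerable or unowned."""
    new_ids = set(current.assets) - set(previous.assets)
    return {
        "new": sorted(new_ids),
        "new_vulnerable": sorted(i for i in new_ids if is_quantum_vulnerable(current.assets[i])),
        "new_orphaned": sorted(i for i in new_ids if current.assets[i].owner is None),
    }


def sample_inventory() -> Inventory:
    """Constructed sample estate; every value here is made up for the example."""
    inv = Inventory()
    inv.add(CryptoAsset("cert-001", "certificate", "RSA", "pki-team", "api-gateway", "svc-gateway", 3, 4, date(2027, 6, 1)))
    inv.add(CryptoAsset("key-002", "api_key", "ECDSA", None, "billing-svc", "svc-billing", 4, 5, date(2030, 1, 1)))
    inv.add(CryptoAsset("ssh-003", "ssh_key", "Ed25519", "platform-team", "build-runner", "svc-ci", 5, 3, date(2031, 1, 1)))
    inv.add(CryptoAsset("cs-004", "code_signing", "ML-DSA", "release-team", "release-pipeline", "svc-release", 5, 5, date(2028, 1, 1)))
    inv.depends_on("billing-svc", "api-gateway")   # billing calls through the gateway
    inv.depends_on("reporting", "billing-svc")     # reporting reads from billing
    return inv


def sample_drift() -> Dict[str, List[str]]:
    """Second discovery run that found two new assets, one of them unowned and RSA-based."""
    previous, current = sample_inventory(), sample_inventory()
    current.add(CryptoAsset("key-005", "api_key", "RSA", None, "analytics", "svc-analytics", 2, 4, date(2032, 1, 1)))
    current.add(CryptoAsset("cert-006", "certificate", "ML-KEM", "pki-team", "vpn-edge", "svc-vpn", 3, 3, date(2028, 1, 1)))
    return drift(previous, current)


if __name__ == "__main__":
    inv = sample_inventory()
    print("orphaned:", orphaned(inv))
    print("migration order:", migration_order(inv))
    print("systems touched by replacing RSA:", sorted(blast_radius(inv, "RSA")))
    print("drift since last scan:", sample_drift())
```

The ranking deliberately scores the unowned ECDSA API key above the admin SSH key: an asset nobody is accountable for cannot be renewed on schedule, so it jumps the queue regardless of its raw privilege. The blast-radius walk is what turns "replace RSA" into a change ticket with a real scope, since the gateway's consumers inherit the change even though they hold no RSA material themselves.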
Key takeaways
- Post-quantum readiness is blocked first by inventory gaps, not by algorithm choice.
- Identity-linked certificates, keys, and machine credentials create the real migration surface.
- Enterprises that cannot map ownership and dependency now will struggle to execute crypto-agile change later.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | PQC inventory depends on discovering and governing machine identities and their credentials. |
| NIST CSF 2.0 | ID.AM-01 | Asset inventory is the foundation for post-quantum cryptographic readiness. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust relies on strong, current trust anchors, which PQC migration will change. |
Map machine identities and their cryptographic assets so renewal and replacement are controlled centrally.
Key terms
- Cryptographic Inventory: A cryptographic inventory is a complete record of the algorithms, certificates, keys, and dependencies used across an environment. For PQC readiness, it must connect each item to an owner, system, and lifecycle state so teams can prioritise replacement, renewal, and risk reduction.
- Crypto-Agility: Crypto-agility is the ability to replace one cryptographic method with another without redesigning the whole environment. In practice, it depends on modular applications, clear dependency mapping, and governance that can track where algorithms are embedded in code, services, and devices.
- Identity-linked Cryptography: Identity-linked cryptography is cryptography that is directly bound to a user, device, application, or service identity. That linkage matters because changes to keys or certificates affect authentication, trust, ownership, and remediation across the identity lifecycle.
- PQC Readiness: PQC readiness is the state of being able to plan and execute a transition to post-quantum algorithms without losing operational control. It requires discovery, prioritisation, ownership, and change coordination before any large-scale cryptographic replacement begins.
Deepen your knowledge
Post-quantum cryptography readiness, cryptographic inventory, and identity-linked dependency mapping are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a PQC governance programme from the same visibility gap, it is worth exploring.
This post draws on content published by Axiad: NIST, CISA, and Gartner experts say quantum will break today's encryption by 2029. Read the original.
Published by the NHIMG editorial team on 2026-01-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org