By NHI Mgmt Group Editorial Team
Published 2026-02-02
Domain: Governance & Risk
Source: DigiCert

TL;DR: The Department of War’s November memorandum makes cryptography inventory, named migration leads, test artifacts, and approval gates mandatory, while also rejecting quantum key distribution as a confidentiality substitute and setting phase-out expectations for weaker key-establishment approaches, according to DigiCert. The real message is that crypto-agility, not optimism, now determines whether identity and certificate programmes can survive post-quantum transition.


At a glance

What this is: The article argues that DoW pressure is turning post-quantum cryptography from a future concern into an immediate inventory, testing, and governance problem for identity and certificate programmes.

Why it matters: It matters because cryptography underpins machine identity, certificate lifecycle, and service-to-service trust, so PQC readiness will affect both NHI governance and broader IAM architecture.



Context

Post-quantum cryptography is the shift from today’s public-key algorithms (RSA, Diffie-Hellman and the elliptic-curve schemes, all of which a cryptographically relevant quantum computer would break with Shor’s algorithm) to algorithms designed to resist that attack. The governance problem is not the mathematics alone, but the operational reality of finding every place cryptography is embedded, owned, and renewed across certificates, devices, applications, and service identities.

For identity teams, that makes PQC a lifecycle issue as much as a cryptography issue. Certificate inventories, service-to-service trust, embedded device identities, and algorithm agility all sit in the same control plane, which means cryptographic migration has to be handled as an identity programme, not as a one-time security patch.


Key questions

Q: How should security teams prepare for PQC migration in identity-heavy environments?

A: Start by inventorying every cryptographic dependency, then assign ownership to the teams that operate those systems. Prioritise certificates, workload identities, and embedded trust paths that support critical business functions. The aim is to make migration decisions based on lifecycle risk and service impact, not on assumptions that all crypto can be swapped later.

Q: Why does PQC pressure matter for machine identity programmes?

A: Machine identity systems often assume stable algorithms, long renewal cycles, and predictable trust chains. PQC invalidates that stability by forcing organisations to change algorithms without breaking certificate validation or service continuity. If the programme cannot adapt its lifecycle controls, the identity stack becomes a migration constraint instead of a security control.

Q: What do organisations get wrong about crypto-agility?

A: They often treat crypto-agility as a future state or a product feature rather than an operational capability. Real agility depends on inventory, ownership, testing, and renewal workflows that can absorb algorithm changes without manual rework. Without those controls, migration creates more fragility than resilience.

Q: Who should own PQC migration risk across the enterprise?

A: Ownership should sit with the teams responsible for PKI, workload identity, device identity, and application trust, backed by programme leadership that can prioritise by risk. PQC migration crosses infrastructure, security, and application boundaries, so it fails when treated as a narrow cryptography project.


Technical breakdown

Why crypto inventory becomes the first control

The DoW memorandum pushes organisations toward component-level cryptographic discovery because you cannot migrate what you cannot see. In practice, cryptography is distributed across PKI, application certificates, API trust chains, code-signing keys, embedded device identities, and platform defaults. The hard part is not replacing one algorithm with another. It is identifying where old algorithms are coupled to business services, renewal workflows, and vendor dependencies. Crypto-agility means the environment can change algorithms without redesigning the whole trust model, but that only works if inventory and ownership are already in place.

Practical implication: build a cryptographic asset inventory that ties each certificate, key, and trust path to an owner, renewal path, and migration priority.
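As an added example for this summary (not code from DigiCert, the memorandum, or NHIMG's own tooling), the Go program below scores a constructed inventory of exactly that shape. Each record carries the algorithm label, owner, renewal path, criticality and expiry the text asks for; the posture rules (RSA, DH and elliptic-curve families treated as quantum-vulnerable, ML-KEM/ML-DSA/SLH-DSA as post-quantum, "classical+pq" labels as hybrid), the point weights, the 2028 programme deadline and every asset name are assumptions of the example. Unowned assets are returned separately rather than ranked, since nothing without an owner can be handed to a migration lead.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Posture is how an algorithm family fares against a cryptographically relevant quantum computer (assumed rules).
type Posture int

const (
	QuantumVulnerable Posture = iota // RSA, DH, ECDH, ECDSA, EdDSA: broken by Shor's algorithm
	Hybrid                           // classical+PQ composite: transitional, final cutover still pending
	PostQuantum                      // ML-KEM, ML-DSA, SLH-DSA (FIPS 203/204/205)
	Unknown                          // unrecognised label: scored as vulnerable until the owner proves otherwise
)

var (
	pqRe        = regexp.MustCompile(`^(ML-KEM|ML-DSA|SLH-DSA)`)
	classicalRe = regexp.MustCompile(`^(RSA|DH|ECDH|ECDSA|ED25519|ED448|X25519|X448)`)
)

// Asset is one inventory row: what it is, who owns it, how it is renewed, how critical it is, when it expires.
type Asset struct {
	Name, KeyAlgorithm, Owner, RenewalPath string // Owner "" means nobody has accepted ownership
	Criticality                            int    // 1 (low) to 3 (critical), set by the owning team
	NotAfter                               time.Time
}

// Ranked is an Asset with its posture, migration score and the reasons behind the score, so the order is auditable.
type Ranked struct {
	Asset
	Posture Posture
	Score   int
	Reasons []string
}

func (r *Ranked) add(points int, why string) { r.Score += points; r.Reasons = append(r.Reasons, why) }

// Classify maps an algorithm label to a posture. Hybrids are labelled "classical+pq",
// e.g. "ECDSA-P256+ML-DSA-65" (a labelling convention assumed by this example).
func Classify(alg string) Posture {
	a := strings.ToUpper(alg)
	if p := strings.Split(a, "+"); len(p) == 2 && classicalRe.MatchString(p[0]) && pqRe.MatchString(p[1]) {
		return Hybrid
	}
	switch {
	case pqRe.MatchString(a):
		return PostQuantum
	case classicalRe.MatchString(a):
		return QuantumVulnerable
	}
	return Unknown
}

// Prioritise scores each asset against the programme deadline. Unowned assets are
// returned separately: an unowned trust path cannot be handed to a migration lead at all.
func Prioritise(assets []Asset, deadline time.Time) (ranked, blocked []Ranked) {
	for _, a := range assets {
		r := Ranked{Asset: a, Posture: Classify(a.KeyAlgorithm)}
		switch r.Posture {
		case PostQuantum: // nothing to migrate; keep it in the inventory and track it
		case Hybrid:
			r.add(3*a.Criticality, "hybrid; final cutover still required")
		default: // QuantumVulnerable, or Unknown treated as vulnerable
			r.add(10*a.Criticality, "quantum-vulnerable public-key algorithm")
		}
		if r.Posture != PostQuantum && a.NotAfter.After(deadline) {
			r.add(5, "expires after deadline; will not roll over on its own")
		}
		if r.Posture != PostQuantum && a.RenewalPath == "manual" {
			r.add(3, "manual renewal; no automation to carry the algorithm change")
		}
		if a.Owner == "" {
			r.add(0, "no owner; cannot be assigned to a migration lead")
			blocked = append(blocked, r)
		} else {
			ranked = append(ranked, r)
		}
	}
	sort.SliceStable(ranked, func(i, j int) bool { return ranked[i].Score > ranked[j].Score })
	return ranked, blocked
}

// SampleInventory is constructed for this example; names, owners and dates are illustrative.
func SampleInventory() []Asset {
	d := func(y int, m time.Month) time.Time { return time.Date(y, m, 1, 0, 0, 0, 0, time.UTC) }
	return []Asset{
		{"payments-api-tls", "RSA-2048", "platform-pki", "acme", 3, d(2026, 9)},
		{"firmware-signing-root", "ECDSA-P384", "device-identity", "manual", 3, d(2035, 1)},
		{"internal-mesh-workload", "ECDSA-P256", "workload-identity", "api", 2, d(2026, 4)},
		{"legacy-batch-sftp", "RSA-2048", "", "manual", 2, d(2031, 6)},
		{"pilot-hybrid-gateway", "ECDSA-P256+ML-DSA-65", "platform-pki", "acme", 2, d(2026, 8)},
		{"pq-code-signing-pilot", "ML-DSA-65", "appsec", "api", 1, d(2027, 1)},
	}
}

func main() {
	ranked, blocked := Prioritise(SampleInventory(), time.Date(2028, 1, 1, 0, 0, 0, 0, time.UTC)) // assumed deadline
	for _, r := range append(ranked, blocked...) {
		fmt.Printf("%2d %-22s %-21s %-18q %s\n", r.Score, r.Name, r.KeyAlgorithm, r.Owner, strings.Join(r.Reasons, "; "))
	}
}
```

The output is a score-ordered list with the reasons attached to each row, which is the form an approval gate can actually review. Extending the rules (for example, penalising keys held outside an HSM) only means adding another r.add call with its reason; the unowned list is the one to clear first, because nothing on it can be scheduled.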

Algorithm agility in certificate and workload identity

Algorithm agility is the ability to issue, rotate, revoke, and validate identities even as underlying cryptographic algorithms change. That matters because machine identity systems often assume a stable algorithm for the life of the certificate or device. PQC breaks that assumption. If renewal APIs, HSM policies, or ACME workflows cannot support dual-stack or transition profiles, the result is not just migration delay. It is service interruption, failed validation chains, and an inability to prove trust continuity during cutover.

Practical implication: test whether your certificate management and workload identity tooling can support algorithm transitions before production migration begins.
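One test of that kind, added here as an illustration and not taken from the DigiCert article: issue a three-tier chain in which every tier uses a different public-key algorithm, then check that a standard validator still builds the path from the leaf back to the unchanged root. The Go standard library cannot issue ML-DSA certificates, so Ed25519 stands in for the newly introduced leaf algorithm; what is being tested is that each hop's signature algorithm is independent of the tiers above and below it, which is what a dual-stack or transition profile relies on. Subject names, serial numbers and the validity window are constructed, and the generic must helper needs Go 1.18 or later.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must turns a fixture error (key generation, certificate encoding) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for pub signed by parentKey under parent; a nil
// parent makes it self-signed (a root). Subject names and validity are constructed.
func issue(cn string, serial int64, isCA bool, pub crypto.PublicKey, parent *x509.Certificate, parentKey crypto.Signer) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// MixedChain is a three-tier chain with a different key algorithm at every tier:
// RSA root, ECDSA P-256 issuing CA, Ed25519 leaf (standing in for a new algorithm).
type MixedChain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// BuildMixedChain issues the chain. Each signature uses the parent's algorithm, so
// the leaf is ECDSA-signed while the issuing CA is RSA-signed: the shape a
// transition profile produces when one tier has migrated and the tier above has not.
func BuildMixedChain() *MixedChain {
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	root := issue("Example Root CA (RSA)", 1, true, &rootKey.PublicKey, nil, rootKey)
	ca := issue("Example Issuing CA (ECDSA)", 2, true, &caKey.PublicKey, root, rootKey)
	leaf := issue("svc.example.internal", 3, false, leafPub, ca, caKey)
	return &MixedChain{Root: root, Intermediate: ca, Leaf: leaf}
}

// VerifyHops validates the leaf against a trust store holding only the root and
// returns the signature algorithm at each hop, leaf first. A validator that cannot
// build this path has failed the agility test before any PQ algorithm is involved.
func VerifyHops(c *MixedChain) ([]x509.SignatureAlgorithm, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	chains, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: "svc.example.internal", Roots: roots, Intermediates: inters})
	if err != nil {
		return nil, err
	}
	var hops []x509.SignatureAlgorithm
	for _, cert := range chains[0] {
		hops = append(hops, cert.SignatureAlgorithm)
	}
	return hops, nil
}

func main() {
	c := BuildMixedChain()
	hops, err := VerifyHops(c)
	if err != nil {
		panic(err)
	}
	for i, cert := range []*x509.Certificate{c.Leaf, c.Intermediate, c.Root} {
		fmt.Printf("hop %d %-27s key=%v signed-with=%v\n", i, cert.Subject.CommonName, cert.PublicKeyAlgorithm, hops[i])
	}
}
```

If the verify step fails here, the tooling is not algorithm-agile and that is known before any post-quantum algorithm is in play. The same harness can be pointed at a real issuing CA, or at a library that does carry ML-DSA, by swapping the leaf key generation; the assertion on per-hop signature algorithms stays the same.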

Why testing and approval gates matter before deployment

The memorandum’s requirement for test plans, results, and approvals reflects a simple operational truth: cryptographic changes can fail silently until they hit production. Interoperability problems, certificate parsing issues, and legacy device incompatibility are common whenever trust primitives change, and the post-quantum algorithms make them more likely: ML-DSA public keys and signatures run to kilobytes where an ECDSA P-256 signature is 64 bytes, so fixed-size buffers, handshake and record size limits, and parsers that hard-code the set of algorithm identifiers they accept all surface as failures in the pilot. In identity terms, this is a governance control, not a paperwork exercise. It forces proof that the new trust path works across issuance, validation, revocation, and fallback scenarios before the migration expands beyond controlled testing.

Practical implication: require evidence of interoperability, rollback, and revocation behaviour before approving any PQC pilot for production use.



NHI Mgmt Group analysis

Crypto inventory is now an identity governance control, not a back-office catalogue. The article’s central point is that every cryptographic dependency must have an owner, because unmanaged trust paths become migration blockers the moment algorithms change. That matters for NHI, certificate lifecycle, and service identity governance alike. Organisations that treat cryptography as an abstract security property will miss the operational ownership model needed for transition.

Algorithm agility is the new baseline for machine identity resilience. Static certificate assumptions were acceptable when algorithms changed slowly, but they do not survive a mandated post-quantum transition. This is especially true for workloads, embedded devices, and service-to-service trust, where renewal and validation are automated and tightly coupled. The practical conclusion is that identity infrastructure must be built to absorb algorithm change without changing the trust relationship itself.

Post-quantum migration exposes the difference between issued identity and governed identity. A certificate can be technically valid and still be ungoverned if nobody knows where it exists, who owns it, or how it will be replaced. That gap is visible across human-facing PKI, NHI workloads, and long-lived device certificates. Practitioners should read PQC pressure as a test of whether their identity programme has real lifecycle control or only issuance control.

DoW-style approval gates will accelerate expectations for evidence-based migration. The requirement for test artifacts and named leads signals that cryptographic change is moving into the same governance posture as other high-risk infrastructure decisions. For identity teams, that means migration plans must be auditable, owned, and tied to operational proof. The organisations that can demonstrate evidence will move first; those that cannot will defer risk until they no longer have that option.

From our research:

What this signals

Crypto-agility is becoming a governance requirement, not a technical preference. PQC migration will expose whether identity teams can trace ownership across certificates, keys, devices, and workload identities before a standards change forces the issue. Organisations that already maintain lifecycle visibility can turn that pressure into a managed programme rather than an emergency response.

With 75% of organisations expressing strong confidence in their secrets management capabilities, the gap between confidence and control is already familiar. PQC pressure will create the same pattern unless teams can prove that ownership, renewal, and validation are visible end to end.

Identity teams should expect algorithm change to show up as operational risk first. That means renewal failures, interoperability issues, and incomplete inventories will be the early warning signals. The organisations that monitor trust paths as rigorously as access paths will have the clearest path through the transition.


For practitioners

  • Build a cryptographic dependency inventory Map every certificate, key, trust anchor, and embedded identity to a system owner, renewal path, and business criticality. Include service-to-service certificates, code-signing keys, IoT identities, and legacy application trust chains so migration scope is visible before planning starts.
  • Assign named migration leads per cryptographic domain Give responsibility to specific owners for PKI, workload identity, device identity, and application trust so accountability survives across teams and vendors. Use the ownership model to drive prioritisation rather than trying to migrate everything at once.
  • Validate algorithm agility in the certificate pipeline Test issuance, renewal, revocation, and validation workflows against transition profiles before production cutover. Confirm that ACME, enterprise APIs, HSM integrations, and monitoring tools can handle algorithm changes without breaking dependent services.
  • Require proof before approving PQC pilots Demand documented test results, interoperability evidence, and rollback plans before allowing production migration. Treat approval as a governance checkpoint that confirms the new trust path works across the full lifecycle, not as a paperwork review.

Key takeaways

  • PQC migration is an identity governance problem because every certificate, key, and trust path needs an owner before algorithms change.
  • The scale of the challenge is operational, not theoretical, because unmanaged secrets and exposed credentials already show how quickly control gaps become breach surface.
  • Practitioners should prioritise inventory, ownership, and algorithm agility now, because migration without evidence will create outages instead of resilience.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03              | Covers rotation and lifecycle handling of cryptographic identities during PQC changeover.
NIST CSF 2.0                    | ID.AM-1             | Asset inventory is required to find cryptographic dependencies before migration can start.
NIST Zero Trust (SP 800-207)    | PR.AC-1             | Zero Trust depends on continuously validated identity and trust relationships. (PR.AC-1 is a NIST CSF 1.1 identifier, carried forward as PR.AA-01 in CSF 2.0; SP 800-207 itself defines no control identifiers.)

Treat PQC migration as a trust validation exercise and test service identity continuity during transition.


Key terms

  • Crypto-agility: Crypto-agility is the ability to change cryptographic algorithms, certificates, or trust mechanisms without redesigning the whole system. In identity programmes, it means issuance, renewal, validation, and revocation workflows can survive algorithm transition with minimal service disruption and clear ownership.
  • Machine Identity: Machine identity is the identity assigned to a non-human system such as a workload, device, service, or automation process. It is usually expressed through certificates, keys, tokens, or other credentials that establish trust between systems and must be governed through lifecycle controls.
  • Cryptographic Inventory: A cryptographic inventory is the record of where cryptography is used, who owns it, and how it is renewed or replaced. For identity teams, it is the starting point for migration because it exposes dependencies in certificates, embedded keys, trust anchors, and operational workflows.
  • Algorithm Agility: Algorithm agility is the practical ability to move from one cryptographic algorithm to another without breaking existing identity and trust relationships. It depends on tooling, policy, and renewal automation that can accept new algorithms while preserving service continuity.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by DigiCert: No Time to Wait: PQC Pressure from the Dept. of War. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org