By NHI Mgmt Group Editorial Team
Published 2025-09-30
Domain: Breaches & Incidents
Source: DigiCert

TL;DR: Post-quantum preparation is increasingly being treated as an operating discipline, with governance, cryptographic visibility, hybrid cryptography, and rapid certificate rotation at the centre of the response. That is the picture from DigiCert’s Quantum Readiness Awards coverage, which highlights how Migros and NTT DATA are approaching the issue.


At a glance

What this is: DigiCert’s award coverage shows quantum readiness shifting from theory to operational governance, with Migros and NTT DATA highlighted for visibility, hybrid cryptography, and certificate discipline.

Why it matters: IAM, NHI, and PAM teams should treat cryptographic assets, certificate lifecycles, and trust inventory as governance scope now, because post-quantum readiness depends on identity operations rather than isolated crypto projects.



Context

Quantum readiness is the discipline of preparing cryptographic trust, certificates, and long-lived digital assets for a future where current public-key assumptions may no longer hold. In practice, that makes the problem less about a single algorithm swap and more about inventory, governance, rotation, and operational continuity across the identity and trust stack.

The article frames quantum preparedness as an operational issue rather than a research-only concern. That is the right posture for identity teams, because certificate lifecycle, trust visibility, and policy enforcement sit inside the same control plane that already governs machine identities, workload trust, and privileged access.

For IAM and NHI programmes, the relevant lesson is that cryptographic readiness must be managed as part of the broader identity lifecycle. If an organisation cannot see, classify, and rotate its trust anchors today, it will struggle to replace them safely when post-quantum migration pressure increases.


Key questions

Q: How should security teams prepare certificate governance for post-quantum migration?

A: Security teams should start with a complete inventory of certificates, keys, and trust dependencies, then classify which assets are long-lived, business critical, or embedded in hard-to-change systems. The next step is to prove rotation, renewal, and revocation at operational speed so hybrid cryptography can be adopted without service disruption. This is a governance programme, not a one-off crypto project.

Q: Why does quantum readiness matter to IAM and NHI programmes?

A: Quantum readiness matters because certificates and workload trust are part of the organisation’s identity fabric. If those assets are invisible or unmanaged, the same gaps that weaken NHI governance, such as poor ownership and slow rotation, will also weaken post-quantum transition planning. IAM teams must therefore treat cryptographic assets as governed identities with lifecycle control.

Q: What breaks when certificate lifecycle management is weak?

A: Weak certificate lifecycle management creates blind spots, stale trust, and higher outage risk during renewal or migration. It also prevents teams from knowing which services depend on which trust anchors, making hybrid cryptography harder to deploy safely. In practice, poor lifecycle discipline turns quantum readiness into guesswork and leaves operational continuity exposed.

Q: Who should own quantum readiness in an enterprise?

A: Quantum readiness should be owned jointly by identity, infrastructure, and risk leadership, with clear operational accountability for certificates, trust inventory, and renewal processes. If ownership sits only with a technical specialist team, the programme will struggle to scale across workloads and business units. Governance works when identity assets are managed as enterprise trust dependencies, not isolated crypto artifacts.


Technical breakdown

Cryptographic visibility as the starting point for quantum readiness

Quantum readiness begins with knowing where certificates, keys, and dependent trust paths exist. Cryptographic visibility means inventorying public and private trust assets, mapping where they are used, and identifying which services rely on long-lived certificates or embedded trust anchors. Without that view, organisations cannot prioritise what to migrate first or where exposure is greatest. This is why readiness programmes increasingly resemble asset governance programmes, not just cryptography projects. Practical implication: build a trust inventory that links certificates, workloads, owners, and renewal paths before planning any post-quantum transition.

Practical implication: Inventory cryptographic assets by owner, workload, and lifetime before attempting post-quantum migration.
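One way to turn such an inventory into a migration queue, as an added example (not DigiCert's or NHI Mgmt Group's tooling). The record fields, the 398-day "long-lived" threshold, the scoring rule, and all hostnames are assumptions, and the sample records are constructed.

```python
from datetime import date

# Classical public-key families that a large quantum computer would break.
QUANTUM_VULNERABLE = ("RSA", "ECDSA", "ED25519", "DSA")
LONG_LIVED_DAYS = 398  # assumed threshold for "long-lived"

# Constructed sample inventory: every name and value here is illustrative.
INVENTORY = [
    {"cn": "api.example.internal", "alg": "ECDSA-P256", "owner": "payments-platform",
     "workload": "payments-api", "auto_renew": True,
     "not_before": date(2025, 6, 1), "not_after": date(2025, 8, 30)},
    {"cn": "legacy-vpn.example.internal", "alg": "RSA-2048", "owner": None,
     "workload": "site-to-site-vpn", "auto_renew": False,
     "not_before": date(2020, 1, 1), "not_after": date(2030, 1, 1)},
    {"cn": "Example Device Root CA", "alg": "RSA-4096", "owner": "pki-team",
     "workload": "device-firmware-trust", "auto_renew": False,
     "not_before": date(2015, 1, 1), "not_after": date(2040, 1, 1)},
    {"cn": "pilot.example.internal", "alg": "ML-DSA-65", "owner": "pki-team",
     "workload": "pqc-pilot", "auto_renew": True,
     "not_before": date(2025, 9, 1), "not_after": date(2025, 11, 30)},
]

def lifetime_days(record):
    return (record["not_after"] - record["not_before"]).days

def assess(record):
    """Return (score, findings): one point per governance gap on this asset."""
    findings = []
    if record["alg"].upper().startswith(QUANTUM_VULNERABLE):
        findings.append("classical-algorithm")
    if lifetime_days(record) > LONG_LIVED_DAYS:
        findings.append("long-lived")
    if not record["owner"]:
        findings.append("no-owner")
    if not record["auto_renew"]:
        findings.append("manual-renewal")
    return len(findings), findings

def migration_queue(inventory):
    """Rank assets: most findings first, ties broken by longest lifetime."""
    ranked = sorted(inventory, key=lambda r: (-assess(r)[0], -lifetime_days(r)))
    return [(r["cn"], assess(r)[1]) for r in ranked]

if __name__ == "__main__":
    for cn, findings in migration_queue(INVENTORY):
        print(f"{cn}: {', '.join(findings) or 'no findings'}")
```

In a real programme the records would come from certificate discovery or the CA's issuance logs rather than a hand-written list.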

Hybrid cryptography and certificate lifecycle management

Hybrid cryptography is the transitional model in which classical and post-quantum algorithms operate together while the organisation maintains service continuity. That approach only works if certificate lifecycle processes are already disciplined, because short renewal windows, policy enforcement, and automation reduce the operational risk of changing trust primitives. The key issue is not whether hybrid modes exist, but whether the environment can handle frequent cryptographic change without breaking services. Practical implication: treat certificate rotation, policy enforcement, and renewal automation as prerequisites for hybrid cryptography, not afterthoughts.

Practical implication: Prove that certificate rotation and policy enforcement work at speed before introducing hybrid cryptography.

Why quantum readiness belongs in identity governance

Quantum readiness is an identity governance issue because certificates, workloads, and access pathways are part of the organisation’s trust fabric. When trust artifacts are unmanaged, the risk is not just future cryptographic weakness but present-day operational fragility: weak ownership, poor visibility, and delayed remediation. The article’s emphasis on governance and executive support reflects a broader truth that migration succeeds only when ownership is explicit and lifecycle controls are mature. Practical implication: assign accountable owners for cryptographic assets and fold them into IAM and lifecycle governance processes.

Practical implication: Make cryptographic trust assets subject to the same ownership and lifecycle governance as other identities.


NHI Mgmt Group analysis

Quantum readiness is now a trust lifecycle problem, not a niche cryptography initiative. The article’s strongest signal is that organisations are being judged on whether they can govern certificates, visibility, and rotation as operating disciplines. That aligns with how modern identity risk accumulates across machine trust and workload access, where failure is usually about unmanaged lifecycle rather than a single weak cipher. Practitioner conclusion: post-quantum planning belongs in identity governance, not in a standalone crypto sandbox.

Certificate visibility is the named concept that should anchor this discussion. If an organisation cannot map where certificates live, which services depend on them, and how long they remain valid, then quantum migration becomes guesswork. This is not just a tooling gap, it is a governance gap that makes prioritisation impossible and increases the chance of migration-induced outages. Practitioner conclusion: visibility into trust assets is the prerequisite control for any credible readiness programme.

Hybrid cryptography works only when operational change is already normalised. The article highlights short-lived certificate practices and policy enforcement because those controls rehearse the change management required for a post-quantum future. That same discipline is relevant to machine identity governance, where frequent renewal and automated enforcement reduce the risk of stale trust. Practitioner conclusion: if a team cannot rotate and enforce certificates cleanly today, hybrid migration will expose the weakness immediately.

Executive sponsorship matters because quantum readiness crosses traditional control boundaries. The post describes governance and business alignment as part of readiness, which is consistent with identity programmes that fail when cryptography, infrastructure, and security teams operate separately. Quantum resilience is therefore a cross-functional control issue, not a specialist cryptology project. Practitioner conclusion: build a governance model that assigns ownership across identity, infrastructure, and risk management before migration pressure increases.

This announcement validates the broader shift from secret management to trust management. The market is moving toward programmes that manage the full lifecycle of digital trust artifacts, including certificates, renewal policy, and dependency mapping. That direction strengthens the case for integrated identity governance across machine identities and workloads, because those assets are already the operational carriers of trust. Practitioner conclusion: identity teams should plan for certificate and workload trust to be managed in one governance model.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, showing how visibility gaps turn into real operational harm.
  • For the broader governance picture, read Ultimate Guide to NHIs, Key Research and Survey Results, for the survey findings that underpin lifecycle and trust controls.

What this signals

Certificate visibility is becoming a board-level trust issue. As post-quantum planning moves from theory into programme work, organisations will be expected to show where trust artifacts live, who owns them, and how fast they can be rotated. The teams that already manage machine identities as governed assets will be the ones that can absorb that shift without disruption.

The practical signal is that quantum readiness will expose the same weaknesses seen in wider NHI governance: hidden assets, weak ownership, and slow remediation. That means certificate inventories and renewal automation need to sit inside identity operations, not in a separate cryptography tracker.

For programme leaders, the next step is to connect trust inventory work with lifecycle governance and policy enforcement. The organisations that do this early will reduce migration risk, improve audit readiness, and avoid treating post-quantum change as a last-minute compliance exercise.


For practitioners

  • Build a cryptographic trust inventory: Map certificates, keys, dependent services, owners, and renewal paths so you can see where long-lived trust exists and which assets require priority migration.
  • Test certificate rotation at operational speed: Rehearse renewal, revocation, and policy enforcement in production-like conditions so hybrid cryptography does not become a service continuity problem.
  • Assign explicit ownership for trust assets: Tie each certificate and workload trust dependency to a named team so lifecycle decisions are accountable and can be governed alongside IAM processes.
  • Fold quantum readiness into identity governance: Treat cryptographic assets as part of the broader identity programme, with review, escalation, and remediation paths aligned to IAM and NHI governance.

Key takeaways

  • Quantum readiness is best understood as a governance challenge over certificates, trust inventory, and lifecycle control, not just a cryptography upgrade.
  • The strongest operational signal in the article is the emphasis on visibility, ownership, and hybrid cryptography as prerequisites for safe migration.
  • IAM and NHI teams should absorb cryptographic trust into their governance model now, before post-quantum change forces rushed decisions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Certificate rotation and trust lifecycle are central to quantum readiness.
NIST CSF 2.0 | PR.AC-1 | Identity and credential management supports trust visibility and lifecycle governance.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Quantum readiness depends on continuous verification of trust and access paths.

Treat certificates and workload trust as zero-trust assets requiring ongoing validation.


Key terms

  • Cryptographic Visibility: Cryptographic visibility is the ability to discover, map, and track certificates, keys, and trust dependencies across an environment. It is the prerequisite for knowing what must be rotated, renewed, revoked, or migrated, and it turns quantum readiness from guesswork into governed inventory.
  • Hybrid Cryptography: Hybrid cryptography uses classical and post-quantum algorithms together during a transition period. It allows organisations to maintain service continuity while changing trust primitives, but it only works when lifecycle controls, policy enforcement, and renewal automation are already reliable.
  • Trust Inventory: A trust inventory is the structured record of certificates, keys, workload identities, and services that depend on them. It matters because organisations cannot manage post-quantum migration, revoke stale trust, or prioritise risk without knowing where cryptographic dependencies exist and who owns them.


This post draws on content published by DigiCert: Migros named winner of the 2025 DigiCert Quantum Readiness Award.
