Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Post-quantum encryption by 2029: what should security teams do now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Google says organizations should expect threat actors with previously stolen encrypted material to begin cracking it with quantum techniques by 2029, and urges an immediate transition to post-quantum encryption as standards such as ML-DSA mature. The critical risk is not a sudden collapse of all encryption, but a long-dated exposure window for data already collected today.

NHIMG editorial — based on content published by Swarmnetics: When Will “Q-Day” Happen, Really? Google Says Be Ready With Encryption Transition by 2029

By the numbers:

Questions worth separating out

Q: How should organisations prepare for post-quantum cryptography without breaking existing systems?

A: Start with a complete cryptographic inventory, then prioritise the systems that protect long-lived sensitive data, identity proofs, and signing workflows.

Q: Why does post-quantum risk matter for IAM and NHI programmes?

A: IAM and NHI systems depend on certificates, keys, signatures, and token validation to establish trust between services and users.

Q: What breaks if organisations leave long-lived encrypted data untouched?

A: The main failure is deferred exposure.

Practitioner guidance

  • Inventory all cryptographic dependencies Catalog every system, application, certificate chain, signing workflow, and secret store that relies on RSA, ECC, or long-lived keys.
  • Prioritise long-retention data first Rank encrypted archives, identity records, and regulated datasets by how long they must remain confidential.
  • Map certificate and signature dependencies Identify where digital signatures, certificate trust chains, and token verification are embedded in operational workflows.

What's in the full article

Swarmnetics' full analysis covers the transition detail this post intentionally leaves at a governance level:

  • How Google’s 2029 framing relates to current post-quantum standardisation efforts and what that means for migration planning
  • The specific reasons stored encrypted material is the most credible early Q-Day exposure path
  • Where organizations should begin a cryptographic inventory across applications, signatures, and trust chains
  • Why simply updating product versions does not solve long-term encryption exposure

👉 Read Swarmnetics' analysis of Q-Day timelines and post-quantum encryption transition →

Post-quantum encryption by 2029: what should security teams do now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Q-Day creates a cryptographic governance problem before it becomes a cryptographic failure. The article’s central warning is that organisations can no longer treat post-quantum transition as a distant R&D topic. Once encrypted materials are stolen, the exposure window can extend far beyond the original breach. For identity and access programmes, that means secrets, certificates, and signed trust artifacts must be evaluated for long-term value, not just current protection. Practitioners should treat cryptographic ageing as a governance issue, not a tooling refresh.

A question worth separating out:

Q: Who should own post-quantum migration decisions inside the enterprise?

A: Ownership should sit with security architecture and crypto governance, but the work must involve IAM, application owners, data protection, and infrastructure teams. That model ensures certificates, secrets, signing services, and retention policies are changed together. For most organisations, the right control is a cross-functional migration programme, not a single technical team.

👉 Read our full editorial: Q-Day by 2029 sharpens the case for post-quantum encryption transition



   
ReplyQuote
Share: