
Crypto-agility after PQC 2025: what IAM teams should prioritise


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8546
Topic starter  

TL;DR: The PKI Consortium’s PQC Conference 2025 shifted the conversation from algorithm selection to execution, with discovery, inventory, maturity, and automation now treated as the practical starting points, according to Keyfactor’s conference reflections. The real governance challenge is no longer whether post-quantum change is coming, but whether identity and cryptographic programmes can adapt continuously without creating new technical debt.

NHIMG editorial — based on content published by Keyfactor: From Kuala Lumpur to Crypto-Agility: Reflections from the PKI Consortium’s PQC Conference 2025

By the numbers:

Questions worth separating out

Q: How should security teams start building crypto-agility for PQC transition?

A: Start with discovery and inventory.

Q: Why does crypto-agility matter for IAM and machine identity programmes?

A: Crypto-agility affects how systems prove identity and trust each other over time.

Q: What do teams get wrong about PQC readiness?

A: The most common mistake is treating PQC as a one-time algorithm decision instead of a long-running governance programme.

Practitioner guidance

  • Inventory cryptographic dependencies across identity and infrastructure: Map certificates, keys, algorithms, and trust anchors across applications, CI/CD systems, workloads, and third-party integrations so migration scope is measurable before any PQC decision is made.
  • Assess where manual certificate handling still creates fragility: Identify renewal, rotation, and exception workflows that still depend on human coordination, because those paths will not scale through repeated cryptographic change.
  • Reuse existing automation for cryptographic change: Extend current certificate lifecycle automation where possible instead of creating a separate migration process, so future trust changes can be repeated without adding operational drag.

What's in the full article

Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:

  • Chris Hickman’s event reflections on the PKI Consortium PQC Conference in Kuala Lumpur and the readiness themes he heard in sessions
  • The Post-Quantum Cryptography Maturity Model introduced by the PKI Consortium Working Group and the questions it is designed to answer
  • The practical five-step action list for discovery, prioritisation, automation, and crypto-agility planning
  • The conference observations on hybrid PKI, compliance, and how organizations can begin preparing now

👉 Read Keyfactor’s reflections on PQC conference takeaways and crypto-agility →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 7990
 

Crypto-agility is now an identity governance requirement, not an encryption upgrade project. The article correctly shows that the work has moved from algorithm debate to operational readiness. That shift matters because cryptographic dependencies now govern access between systems, services, and workloads. Practitioners should treat quantum readiness as part of identity and trust governance, not a separate security initiative.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: How do organisations measure whether crypto-agility is actually improving?

A: Measure whether cryptographic assets are discoverable, whether renewal workflows are automated, and whether teams can change trust components without service disruption. Those are practical signs that the programme can absorb future algorithm shifts. If change still depends on manual coordination or incomplete asset visibility, crypto-agility is still theoretical rather than operational.

👉 Read our full editorial: Crypto-agility after the PQC conference: what practitioners need now
