Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Cryptographic debt and PQC readiness: what IAM teams should watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: As post-quantum standards settle and government guidance shifts from research to readiness, organisations are being pushed to inventory cryptography, assign ownership, and confront the hidden technical debt buried in certificates, keys, and embedded secrets, according to DigiCert. The real blocker is not quantum capability itself but the inability to see, govern, and change cryptography at enterprise scale.

NHIMG editorial — based on content published by DigiCert: What the Dept. Of War’s PQC Push Reveals about Cryptographic Debt

By the numbers:

Questions worth separating out

Q: How should organisations start preparing for post-quantum cryptography?

A: Start with discovery, not algorithms.

Q: Why do long-lived certificates and embedded secrets create PQC risk?

A: Long-lived certificates and embedded secrets create risk because they are difficult to find, update, and retire at scale.

Q: What breaks when cryptography is not documented across the enterprise?

A: What breaks is decision-making.

Practitioner guidance

  • Build a cryptographic inventory with named ownership Catalogue where asymmetric keys, certificates, embedded secrets, and algorithm dependencies exist across applications, platforms, and third-party services.
  • Create a CBOM for critical systems first Start with systems that carry the most business risk, then document algorithms in use, key storage locations, certificate lifecycles, and upgrade constraints.
  • Separate agile from non-agile cryptography Classify systems that can tolerate algorithm changes from those bound to legacy libraries, embedded certificates, or vendor-locked dependencies.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • How DigiCert frames cryptographic technical debt across modern and legacy environments
  • The article's discussion of CBOMs as a practical inventory mechanism for PQC planning
  • Why the Department of War's ownership guidance matters for programme accountability
  • The vendor's view of how crypto-agility reduces future migration friction

👉 Read DigiCert's analysis of cryptographic debt and post-quantum readiness →

Cryptographic debt and PQC readiness: what IAM teams should watch?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Cryptographic debt is a governance failure before it is a quantum problem. The article correctly shifts attention away from abstract quantum timelines and toward the inventory and ownership gaps that already exist. Teams do not fail at PQC because they picked the wrong future algorithm; they fail because they never built a trustworthy map of where cryptography lives today. The practitioner conclusion is that readiness starts with governance structure, not migration theatre.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why governance programmes fail when ownership and inventory are weak.

A question worth separating out:

Q: Who should own PQC migration in a large organisation?

A: PQC migration should have explicit cross-functional ownership, typically spanning security, infrastructure, application teams, and vendor management. The reason is simple: cryptographic change crosses technical and operational boundaries, so accountability has to be visible if the work is going to progress beyond assessment into execution.

👉 Read our full editorial: Post-quantum cryptography exposes the scale of cryptographic debt



   
ReplyQuote
Share: