
Cryptographic debt and PQC readiness: what IAM teams should watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7894
Topic starter  

TL;DR: As post-quantum standards settle and government guidance shifts from research to readiness, organisations are being pushed to inventory cryptography, assign ownership, and confront the hidden technical debt buried in certificates, keys, and embedded secrets, according to DigiCert. The real blocker is not quantum capability itself but the inability to see, govern, and change cryptography at enterprise scale.

NHIMG editorial — based on content published by DigiCert: What the Dept. Of War’s PQC Push Reveals about Cryptographic Debt

By the numbers:

Questions worth separating out

Q: How should organisations start preparing for post-quantum cryptography?

A: Start with discovery, not algorithms.

Q: Why do long-lived certificates and embedded secrets create PQC risk?

A: Long-lived certificates and embedded secrets create risk because they are difficult to find, update, and retire at scale.

Q: What breaks when cryptography is not documented across the enterprise?

A: What breaks is decision-making.

Practitioner guidance

  • Build a cryptographic inventory with named ownership: catalogue where asymmetric keys, certificates, embedded secrets, and algorithm dependencies exist across applications, platforms, and third-party services.
  • Create a CBOM for critical systems first: start with systems that carry the most business risk, then document algorithms in use, key storage locations, certificate lifecycles, and upgrade constraints.
  • Separate agile from non-agile cryptography: classify systems that can tolerate algorithm changes separately from those bound to legacy libraries, embedded certificates, or vendor-locked dependencies.
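As an added worked example (not code from the NHIMG post or from DigiCert), the following Python sketch applies the three guidance points above to a constructed inventory: it flags quantum-vulnerable algorithms, long-lived or never-expiring material, missing ownership and non-agile constraints, then orders records by business criticality. The migration horizon, the long-lived threshold and every inventory record are assumptions.

```python
from datetime import date
# Algorithms a cryptographically relevant quantum computer is expected to break (factoring / discrete log).
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
MIGRATION_HORIZON = date(2030, 1, 1)  # assumed planning horizon, not a mandated date
LONG_LIVED_DAYS = 398                 # assumed threshold for "long-lived"

# Constructed inventory records (assumed); a real CBOM is fed by PKI exports, KMS/HSM listings and secret scanning.
INVENTORY = [
    {"id": "api-gw-tls", "kind": "certificate", "algorithm": "RSA", "owner": "platform-team",
     "not_before": date(2024, 3, 1), "not_after": date(2034, 3, 1),
     "criticality": "high", "agile": True},
    {"id": "plc-firmware-cert", "kind": "certificate", "algorithm": "ECDSA", "owner": None,
     "not_before": date(2019, 6, 1), "not_after": date(2039, 6, 1),
     "criticality": "high", "agile": False, "constraint": "embedded in device firmware"},
    {"id": "ci-deploy-key", "kind": "embedded_secret", "algorithm": "RSA", "owner": "devops",
     "not_before": date(2021, 1, 1), "not_after": None,
     "criticality": "medium", "agile": False, "constraint": "hard-coded in pipeline config"},
    {"id": "backup-encryption", "kind": "key", "algorithm": "AES", "owner": "storage-team",
     "not_before": date(2023, 1, 1), "not_after": date(2025, 1, 1),
     "criticality": "high", "agile": True},
]

def findings_for(item):
    """Return the cryptographic-debt findings for one inventory record."""
    vulnerable = item["algorithm"] in QUANTUM_VULNERABLE
    f = ["quantum-vulnerable algorithm"] if vulnerable else []
    expiry = item["not_after"]
    if expiry is None:
        f.append("no expiry (never rotated)")
    else:
        if (expiry - item["not_before"]).days > LONG_LIVED_DAYS:
            f.append("long-lived")
        if vulnerable and expiry > MIGRATION_HORIZON:
            f.append("outlives migration horizon")
    if not item["owner"]:
        f.append("no named owner")
    if not item["agile"]:
        f.append("non-agile: " + item.get("constraint", "unknown constraint"))
    return f

def triage(inventory):
    """Score every record (criticality weight x number of findings), highest first."""
    weight = {"high": 3, "medium": 2, "low": 1}
    rows = [{"id": i["id"], "findings": findings_for(i),
             "priority": weight[i["criticality"]] * len(findings_for(i))} for i in inventory]
    return sorted(rows, key=lambda r: r["priority"], reverse=True)

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row["priority"], row["id"], "; ".join(row["findings"]))
```

The highest-ranked record is the unowned, non-agile firmware certificate whose validity runs past the migration horizon, which is exactly the kind of hidden debt the inventory step is meant to surface.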

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • How DigiCert frames cryptographic technical debt across modern and legacy environments
  • The article's discussion of CBOMs as a practical inventory mechanism for PQC planning
  • Why the Department of War's ownership guidance matters for programme accountability
  • The vendor's view of how crypto-agility reduces future migration friction

👉 Read DigiCert's analysis of cryptographic debt and post-quantum readiness →

