TL;DR: Quantum-safe migration is being blocked less by algorithm choice than by the inability to inventory where vulnerable cryptography lives across identities, applications, and infrastructure, according to Axiad’s analysis of Gartner, CISA, and NIST guidance. The decisive issue is visibility: organisations cannot plan PQC transition until they can map certificates, keys, and dependencies end to end.
NHIMG editorial — based on content published by Axiad: Risk Experts Say Quantum Will Break Today’s Encryption by 2029
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should organisations start PQC migration when they do not know where cryptography is used?
A: Start with a cryptographic inventory that maps algorithms, keys, certificates, and the identities that depend on them.
Q: Why does post-quantum readiness matter for machine identities as well as human IAM?
A: Machine identities often carry the certificates, API keys, and federated trust relationships that hold enterprise systems together.
Q: How do teams know whether crypto-agility is actually working?
A: Crypto-agility is working when algorithms can be changed without major re-engineering and the inventory shows which systems will be affected before the change is made.
Practitioner guidance
- Build a cryptographic inventory with identity linkage: catalogue every certificate, key, algorithm, and embedded library, then tie each item to an application, service, or accountable owner.
- Prioritise high-value identity dependencies first: rank remediation by data sensitivity, privilege level, and business criticality rather than by discovery order.
- Test crypto-agility before setting migration dates: validate post-quantum candidates in representative environments, focusing on key size, signature size, latency, and compatibility with older systems.
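The three steps above (inventory with owner linkage, risk-based ranking, and knowing what a change will affect before making it) can be exercised on a small constructed inventory. The following is an added example written for this editorial, not code from Axiad's platform or from the source post: the asset records, owner names, service identities and the 1-to-5 scoring scale are all invented for illustration, and the algorithm families are grouped the way NIST's PQC guidance groups them (public-key schemes broken by Shor's algorithm regardless of key length; symmetric primitives only degraded by Grover; ML-KEM/ML-DSA/SLH-DSA treated as quantum-safe).

```python
"""Constructed cryptographic inventory: classify assets by quantum risk,
rank remediation by sensitivity/privilege/criticality, and compute the
blast radius of changing one asset (the crypto-agility check).
Added example; every record below is made up for illustration."""
from dataclasses import dataclass, field

# Public-key families broken by Shor's algorithm; key length does not help.
SHOR_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "EdDSA"}
# Symmetric/hash primitives whose effective strength Grover roughly halves.
GROVER_DEGRADED = {"AES-128", "SHA-1", "3DES"}
# FIPS 203/204/205 algorithms plus symmetric primitives considered adequate.
PQ_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA", "AES-256", "SHA-256", "SHA-384"}


@dataclass
class CryptoAsset:
    asset_id: str
    kind: str                # "certificate", "key" or "library"
    algorithm: str
    key_bits: int
    owner: str               # accountable team; empty string means unassigned
    depends_on: list = field(default_factory=list)  # asset_ids this asset trusts
    used_by: list = field(default_factory=list)     # identities bound to the asset
    sensitivity: int = 1     # 1..5 classification of the data it protects
    privilege: int = 1       # 1..5 privilege of the identity that uses it
    criticality: int = 1     # 1..5 business criticality of the dependent system


def classify(asset: CryptoAsset) -> str:
    """'quantum-vulnerable', 'degraded', 'quantum-safe' or 'unknown'."""
    if asset.algorithm in SHOR_VULNERABLE:
        return "quantum-vulnerable"
    if asset.algorithm in GROVER_DEGRADED:
        return "degraded"
    if asset.algorithm in PQ_SAFE:
        return "quantum-safe"
    return "unknown"            # unrecognised algorithm: treat as needing review


def risk_score(asset: CryptoAsset) -> int:
    """Rank by what the asset protects, not by the order it was discovered."""
    weight = {"quantum-vulnerable": 3, "degraded": 2, "unknown": 2, "quantum-safe": 0}
    return weight[classify(asset)] * (asset.sensitivity + asset.privilege + asset.criticality)


def prioritised(inventory: dict) -> list:
    """Remediation queue: highest score first, asset_id breaks ties."""
    return sorted((a for a in inventory.values() if risk_score(a) > 0),
                  key=lambda a: (-risk_score(a), a.asset_id))


def impacted(inventory: dict, asset_id: str) -> tuple:
    """Transitive blast radius of replacing asset_id: every asset that trusts it
    (directly or via a chain) and every identity bound to any of those assets."""
    seen, identities, stack = set(), set(), [asset_id]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        identities.update(inventory[cur].used_by)
        stack.extend(a.asset_id for a in inventory.values() if cur in a.depends_on)
    return seen, identities


def missing_owners(inventory: dict) -> list:
    """Assets nobody is accountable for; these block migration planning."""
    return sorted(a.asset_id for a in inventory.values() if not a.owner)


# Constructed sample estate (not real data): a two-tier PKI, service certs,
# a CI signing key, a symmetric backup key, a PQ pilot and a legacy library.
INVENTORY = {a.asset_id: a for a in [
    CryptoAsset("root-ca", "certificate", "RSA", 4096, "pki-team", [], [], 5, 5, 5),
    CryptoAsset("svc-ca", "certificate", "RSA", 3072, "pki-team", ["root-ca"], [], 5, 5, 4),
    CryptoAsset("api-gw-tls", "certificate", "ECDSA", 256, "platform", ["svc-ca"],
                ["svc:api-gateway"], 4, 3, 5),
    CryptoAsset("payments-mtls", "certificate", "ECDSA", 384, "", ["svc-ca"],
                ["svc:payments", "sa:payments-batch"], 5, 4, 5),
    CryptoAsset("ci-signing-key", "key", "EdDSA", 256, "appsec", [], ["sa:ci-runner"], 4, 5, 4),
    CryptoAsset("backup-enc", "key", "AES-256", 256, "infra", [], ["svc:backup"], 5, 3, 3),
    CryptoAsset("pq-pilot", "certificate", "ML-DSA", 0, "pki-team", [], ["svc:pq-pilot"], 2, 2, 2),
    CryptoAsset("legacy-lib", "library", "3DES", 168, "app-team", [], ["svc:legacy-erp"], 3, 2, 3),
]}

if __name__ == "__main__":
    print("Unowned assets:", missing_owners(INVENTORY))
    for a in prioritised(INVENTORY):
        print(f"{risk_score(a):3d}  {a.asset_id:15s} {classify(a):20s} owner={a.owner or '?'}")
    assets, ids = impacted(INVENTORY, "svc-ca")
    print("Replacing svc-ca touches assets", sorted(assets), "and identities", sorted(ids))
```

Two design points matter for the PQC case. First, `classify` keys on the algorithm family, not `key_bits`: a 4096-bit RSA root is as quantum-vulnerable as a 2048-bit one, so a filter that only flags "short" keys would miss the whole PKI hierarchy. Second, `impacted` answers the crypto-agility question from L13 before any change is made: replacing the intermediate CA here pulls in both leaf certificates and three service identities, one of which has no owner, which is exactly the dependency the inventory has to surface before a migration date is set.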
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step cryptographic discovery workflow across PKI, cloud services, and application estates
- Operational examples of how identity systems, machine identities, and certificates are correlated in the platform
- AI/ML-based risk prioritisation logic for quantum-vulnerable algorithms, key lengths, and certificate lifecycles
- Deployment details showing how inventory is updated continuously as certificates and keys change
👉 Read Axiad’s analysis of PQC readiness and cryptographic inventory →
Cryptographic inventory for PQC readiness: what IAM teams need now
Explore further
Cryptographic inventory is the governance bottleneck, not algorithm selection: PQC programmes fail when leaders treat migration as a standards decision before they know the estate they are protecting. Cryptography is embedded across identity systems, applications, cloud services, and machine identities, so scope is the first hard problem. The implication is that PQC readiness should be run as an identity and dependency discovery programme, not as a narrow crypto upgrade.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why discovery and ownership mapping remain foundational governance tasks.
A question worth separating out:
Q: Who should own PQC migration across identity, infrastructure, and applications?
A: Ownership should sit with a cross-functional crypto centre of excellence that includes IAM, PKI, platform, application, and risk stakeholders. PQC migration crosses identity lifecycle, software engineering, and infrastructure management, so a single team cannot safely drive it alone. Shared ownership is essential, but accountability must be explicit.
👉 Read our full editorial: Post-quantum cryptography readiness depends on cryptographic inventory