
PQC hybrid confusion and crypto-agility: what teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Hybrid and composite cryptography are creating uneven post-quantum migration paths because policy, tooling, and certification requirements differ across regions and environments, according to Keyfactor’s conference reflections. The practical issue is not algorithm preference alone, but whether an organisation can inventory cryptography, test interoperability, and change trust at speed without breaking systems.

NHIMG editorial — based on content published by Keyfactor: Hybrid Confusion, Composite Promise, Reflections from the PKI Consortium’s 2025 PQC Conference

By the numbers:

Questions worth separating out

Q: How should security teams plan PQC migration when hybrid and composite standards are still evolving?

A: Security teams should plan PQC migration by separating near-term compatibility work from longer-term standard adoption.

Q: Why do hardware and certification dependencies slow post-quantum migration?

A: Hardware security modules, smartcards, and firmware-bound devices often lag behind software libraries in supporting new algorithms.

Q: What breaks when an organisation has no crypto-agility strategy?

A: Without crypto-agility, teams cannot change algorithms, certificates, or trust anchors quickly when standards or regulations shift.

Practitioner guidance

  • Build a complete cryptographic inventory: map every place cryptography is used, including certificates, APIs, embedded devices, applications, and external trust relationships.
  • Prioritise systems by business impact and technical feasibility: start with workloads that protect sensitive data for long periods or sit in devices that will remain deployed for years.
  • Test hybrid and pure PQC paths in controlled environments: use development or non-production environments to validate interoperability, identify breakpoints, and document where current libraries or integrations fail.

What's in the full article

Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:

  • The event-specific discussion of hybrid cryptography and composite certificate terminology as presented by Keyfactor contributors.
  • Implementation context on where organisations can test PQC today and where HSM, smartcard, or firmware dependencies still block production use.
  • The article's practical migration recommendations on inventorying cryptography, prioritising systems, and running proof-of-concept testing.
  • Keyfactor's explanation of crypto-agility as an operating model for changing trust anchors and policies over time.

👉 Read Keyfactor's reflections on hybrid and composite cryptography at the PQC Conference →

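As an added example (not Keyfactor's or NHIMG's code), the inventory, prioritisation and hardware-dependency points above can be turned into a ranked migration plan: each inventoried asset is classified as quantum-vulnerable, hybrid or pure PQC, and its exposure is the years its data must stay protected plus the years needed to migrate it. The algorithm families, the ten-year planning horizon and the three-year hardware lag are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed algorithm families and planning parameters (illustrative, not from the article).
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "ED25519", "X25519"}
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}
THREAT_HORIZON_YEARS = 10.0  # planning horizon you choose, not a prediction
HARDWARE_LAG_YEARS = 3.0     # extra delay when HSMs, smartcards or firmware must change

@dataclass(frozen=True)
class Asset:
    name: str
    algorithms: tuple            # algorithm families in use; classical + PQC = hybrid
    data_lifetime_years: float   # how long the protected data must stay secure
    migration_years: float       # realistic time to swap this asset's cryptography
    hardware_bound: bool         # HSM, smartcard or firmware dependency

def classify(algorithms):
    # Label the mode of operation from the algorithm families present.
    fams = set(algorithms)
    pqc, classical = fams & PQC, fams & QUANTUM_VULNERABLE
    if pqc:
        return "hybrid" if classical else "pqc"
    return "quantum-vulnerable" if classical else "unknown"

def exposure_years(asset):
    # Years the data stays at risk: its lifetime plus the time needed to migrate.
    lag = HARDWARE_LAG_YEARS if asset.hardware_bound else 0.0
    return asset.data_lifetime_years + asset.migration_years + lag

def priority(asset):
    # pqc: done; hybrid: re-test as standards change; unknown: inventory gap to close.
    mode = classify(asset.algorithms)
    if mode != "quantum-vulnerable":
        return {"pqc": "complete", "hybrid": "monitor", "unknown": "investigate"}[mode]
    return "urgent" if exposure_years(asset) > THREAT_HORIZON_YEARS else "planned"

def migration_plan(assets):
    # Rank assets longest exposure first, with mode and priority for each.
    ranked = sorted(assets, key=lambda a: (-exposure_years(a), a.name))
    return [(a.name, classify(a.algorithms), priority(a), exposure_years(a)) for a in ranked]

# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("archive-encryption", ("RSA",), 15, 1, False),
    Asset("field-gateway-firmware", ("ECDSA",), 2, 10, True),   # deployed for years
    Asset("payments-hsm-signing", ("RSA",), 7, 2, True),
    Asset("pqc-code-signing-lab", ("ML-DSA",), 5, 0.5, False),
    Asset("internal-api-mtls", ("ECDSA",), 1, 1, False),
    Asset("pilot-tls-hybrid", ("ML-KEM", "X25519"), 1, 0.5, False),
]
```

Note that the two hardware-bound assets rank above the short-lived software-only API even though their algorithms are identical; the lag to replace firmware or HSM support, not the algorithm choice, drives the order.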

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 7990
 

Crypto-agility is the governing assumption that decides whether PQC migration is manageable or chaotic. The article shows that algorithm selection is not the real constraint. The real constraint is whether the organisation can change trust material, policy, and interoperability rules fast enough to absorb regulatory and tooling divergence. Practitioners should treat agility as the control that allows every other cryptographic decision to remain reversible.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how often identity lifecycle controls lag behind operational change.

A question worth separating out:

Q: Which control matters most when post-quantum migration spans multiple jurisdictions?

A: The most important control is governance of cryptographic policy by environment and region. Different regulators and industries may allow or restrict hybrid approaches at the same time, so a single universal rollout assumption will fail. Teams need a policy model that records where each cryptographic mode is permitted, tested, and supportable.

👉 Read our full editorial: Crypto-agility is now the key control in PQC migration


