Quantum risk and crypto-agility: what IAM teams need to explain


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: Quantum computing is presented as an inevitable cryptographic disruption, and the article argues boards should treat post-quantum cryptography as a multi-year resilience programme rather than a speculative technical upgrade, according to Keyfactor. Delaying crypto-agility increases compliance, continuity, and technology-debt exposure while attackers already harvest encrypted data for later decryption.

NHIMG editorial — based on content published by Keyfactor: 4 Ways to Communicate Quantum Risk to Your Board

Questions worth separating out

Q: How should organisations plan for post-quantum cryptography in identity systems?

A: They should start with a cryptographic inventory that includes certificates, signing services, federation dependencies, and machine identities.

Q: Why does quantum risk matter to IAM and machine identity programmes?

A: Because IAM depends on cryptography to prove identity, sign tokens, and establish trust between users, services, and workloads.

Q: When should organisations prioritise crypto-agility over a full algorithm swap?

A: They should prioritise crypto-agility whenever their estate includes many dependent applications, vendors, or certificate chains, because replacement will be slower than a simple technology refresh.

Practitioner guidance

  • Build a cryptographic inventory across identity systems: Catalogue certificates, keys, signing services, federation endpoints, and workload trust dependencies so PQC planning starts from real exposure, not assumptions.
  • Tie PQC migration to identity lifecycle ownership: Assign owners for human authentication, machine identity, and privileged trust paths so certificate replacement and algorithm changes can be sequenced through normal governance.
  • Prioritise crown-jewel systems with long confidentiality horizons: Rank data, identities, and services by how long their secrecy must last, then move the longest-lived exposures first.

What's in the full article

Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:

  • A board-facing framing model for explaining quantum risk in business terms without technical overload
  • Incremental business-case language for tying PQC to compliance, continuity, and cost decisions
  • Examples of how to present discovery, prioritisation, and milestone planning to executive leadership
  • References to external recommendations and standards discussed by the vendor in the source article

👉 Read Keyfactor's blog on communicating quantum risk to the board →
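Added example (not from the NHIMG post or from Keyfactor's article): a small Python triage over a constructed cryptographic inventory that ranks quantum-vulnerable identity trust dependencies by confidentiality horizon, applying the three guidance points above (inventory, lifecycle ownership, longest-lived exposures first). The asset records, the algorithm sets and the `CUTOVER_YEAR` planning input are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Public-key families that Shor's algorithm breaks, and the NIST PQC replacements.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "Ed25519", "DH"}
PQC_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass
class TrustAsset:
    name: str           # certificate, signing service, federation key, workload CA
    algorithm: str      # public-key algorithm currently in use
    expires: date       # when the key/cert is due for replacement anyway
    secrecy_years: int  # how long what it protects must stay confidential/trusted
    owner: str = ""     # identity lifecycle owner; empty means nobody is assigned

def triage(assets, today: date, pqc_cutover_year: int) -> list:
    """Rank quantum-vulnerable assets longest confidentiality horizon first.
    pqc_cutover_year is a planning assumption (not a prediction) for when these
    algorithms must be gone; secrecy outlasting it is harvest-now-decrypt-later exposure."""
    rows = []
    for a in assets:
        if a.algorithm in PQC_SAFE:
            continue  # already migrated; nothing to sequence
        if a.algorithm not in QUANTUM_VULNERABLE:
            raise ValueError(f"{a.name}: unmapped algorithm {a.algorithm!r}")
        horizon_end = today.year + a.secrecy_years
        rows.append({
            "name": a.name,
            "horizon_end": horizon_end,
            "hndl_exposed": horizon_end > pqc_cutover_year,
            "unowned": not a.owner,  # governance gap: no lifecycle owner to sequence the swap
            "renews_before_cutover": a.expires.year < pqc_cutover_year,
        })
    # Longest-lived exposure first; unowned assets surface earlier within a tie.
    rows.sort(key=lambda r: (-r["horizon_end"], not r["unowned"], r["name"]))
    return rows

# Constructed sample inventory; dates, horizons and owners are illustrative only.
SAMPLE = [
    TrustAsset("tls-api-gateway", "ECDSA", date(2026, 3, 1), 1, "platform"),
    TrustAsset("code-signing-root", "RSA", date(2035, 1, 1), 15, "appsec"),
    TrustAsset("saml-idp-signing-key", "RSA", date(2027, 6, 1), 5),
    TrustAsset("spiffe-workload-ca", "Ed25519", date(2026, 1, 1), 2, "platform"),
    TrustAsset("archive-kem", "ML-KEM", date(2030, 1, 1), 20, "data"),
]
TODAY, CUTOVER_YEAR = date(2025, 1, 1), 2032  # assumed planning inputs
def run_sample():
    return triage(SAMPLE, TODAY, CUTOVER_YEAR)
if __name__ == "__main__": print(*run_sample(), sep="\n")
```

The code-signing root lands first because a 15-year signature horizon outlasts the assumed cut-over even though the key itself renews in 2035; the unowned SAML signing key ranks above the short-lived workload and TLS certificates.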

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144
 

Quantum risk is fundamentally a trust-lifecycle problem, not a theoretical encryption discussion. The article is right to move the conversation out of pure cryptography and into governance, because every certificate, signed token, and workload trust relationship has a lifecycle. Once those lifecycles are mapped, the question becomes where identity trust depends on algorithms that may not survive the migration window. Practitioners should treat cryptographic inventory as part of identity governance, not an isolated security task.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.

A question worth separating out:

Q: Who should own quantum-readiness decisions when identity trust is involved?

A: Ownership should sit with a cross-functional programme that includes IAM, security architecture, application owners, and infrastructure teams. Identity trust touches authentication, certificates, and workload dependencies, so no single team can migrate it safely in isolation. Governance should define accountability for inventory, sequencing, and exception handling.

👉 Read our full editorial: Quantum risk is a board issue because cryptography will age out
