TL;DR: NIST NCCoE draft guidance on migration to post-quantum cryptography shifts the conversation from algorithm selection to migration planning, inventory, and cryptographic agility, according to Keyfactor. For IAM, PKI, and workload identity teams, the real issue is not only replacing algorithms but proving where cryptography lives and how fast it can change.
NHIMG editorial — based on content published by Keyfactor: NIST NCCoE Publishes Drafts on Migration to Post-Quantum Cryptography
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities (46% confirmed, 26% suspected).
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
Questions worth separating out
Q: How should security teams prepare for post-quantum cryptography migration?
A: Security teams should start with discovery, inventory, and dependency mapping before choosing algorithms or migration waves.
Q: Why do certificate inventories matter for post-quantum migration?
A: Certificate inventories matter because they reveal where cryptographic trust is embedded in identity flows, service authentication, code signing, and device trust.
Q: What breaks if organisations treat post-quantum migration as a one-time upgrade?
A: What breaks is the assumption that cryptographic change is isolated to one platform or one algorithm.
Practitioner guidance
- Inventory cryptographic dependencies across identity estates: Map every certificate issuer, consumer, signing workflow, and trust anchor across applications, devices, cloud platforms, and service identities.
- Separate migration waves by dependency risk: Group systems by exposure, business criticality, and trust chain complexity so that fragile workloads are not migrated alongside low-risk ones.
- Test replaceability of trust components: Validate whether certificate authorities, workload identity systems, and code-signing flows can change algorithms or trust anchors without redesigning adjacent services.
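One way to turn the inventory and grouping guidance above into a repeatable check, as an added example that is not Keyfactor's or NIST's code. The record fields, group names and grouping rules are assumptions, and the inventory is constructed sample data.

```python
from collections import defaultdict

# Public-key families breakable by Shor's algorithm, and the NIST FIPS 203/204/205 names.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DSA", "DH", "Ed25519"}
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}

# Constructed inventory: one record per certificate or signing key (hypothetical fields).
INVENTORY = [
    {"id": "root-ca", "algo": "RSA", "issuer": None, "exposure": "internal", "critical": True},
    {"id": "issuing-ca", "algo": "ECDSA", "issuer": "root-ca", "exposure": "internal", "critical": True},
    {"id": "api-gateway", "algo": "ECDSA", "issuer": "issuing-ca", "exposure": "internet", "critical": True},
    {"id": "build-signer", "algo": "RSA", "issuer": "issuing-ca", "exposure": "internal", "critical": True},
    {"id": "batch-job", "algo": "RSA", "issuer": "issuing-ca", "exposure": "internal", "critical": False},
    {"id": "pilot-device", "algo": "ML-DSA", "issuer": None, "exposure": "internal", "critical": False},
    {"id": "legacy-hsm", "algo": "UNKNOWN", "issuer": None, "exposure": "internal", "critical": False},
]

def dependents(inventory):
    """Count, for every entry, how many other entries chain up to it."""
    by_id = {e["id"]: e for e in inventory}
    counts = defaultdict(int)
    for entry in inventory:
        seen, parent = {entry["id"]}, entry["issuer"]
        while parent in by_id and parent not in seen:  # stops at roots and issuer loops
            counts[parent] += 1
            seen.add(parent)
            parent = by_id[parent]["issuer"]
    return counts

def plan_groups(inventory):
    """Group entries by trust-chain role, exposure and criticality (assumed rules)."""
    deps = dependents(inventory)
    groups = defaultdict(list)
    for e in inventory:
        if e["algo"] in POST_QUANTUM:
            group = "already-pq"
        elif e["algo"] not in QUANTUM_VULNERABLE:
            group = "unknown-review"   # cannot classify: needs manual discovery
        elif deps[e["id"]] > 0:
            group = "trust-chain"      # others depend on it: test replaceability first
        elif e["exposure"] == "internet" or e["critical"]:
            group = "high-risk-leaf"
        else:
            group = "low-risk-leaf"
        groups[group].append(e["id"])
    return dict(groups)

if __name__ == "__main__":
    for name, ids in plan_groups(INVENTORY).items():
        print(f"{name}: {', '.join(ids)}")
```

Entries that land in `unknown-review` are the inventory gaps: the migration plan cannot cover them until the algorithm is identified.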
What's in the full analysis
Keyfactor's full newsroom post covers the operational detail this post intentionally leaves for the source:
- The NIST NCCoE draft context and why the migration guidance is being discussed now.
- The vendor's framing of how post-quantum change intersects with certificate lifecycle automation and cryptographic discovery.
- Practical implications for organisations modernising PKI, workload identity, and signing workflows.
- How the drafts connect to the broader trust and compliance agenda Keyfactor focuses on.