Quantum readiness and certificate governance: what IAM teams need to know

TL;DR: Post-quantum preparation is increasingly being treated as an operating discipline, with governance, cryptographic visibility, hybrid cryptography, and rapid certificate rotation at the centre of the response, according to DigiCert’s Quantum Readiness Awards highlighting how Migros and NTT DATA are approaching the issue.

NHIMG editorial — based on content published by DigiCert: Migros named winner of the 2025 DigiCert Quantum Readiness Award

By the numbers:

• Only 5.7% of organisations have full visibility into their service accounts.
• 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
• NHIs outnumber human identities by 25x to 50x in modern enterprises.

Questions worth separating out

Q: How should security teams prepare certificate governance for post-quantum migration?

A: Security teams should start with a complete inventory of certificates, keys, and trust dependencies, then classify which assets are long-lived, business critical, or embedded in hard-to-change systems.

Q: Why does quantum readiness matter to IAM and NHI programmes?

A: Quantum readiness matters because certificates and workload trust are part of the organisation’s identity fabric.

Q: What breaks when certificate lifecycle management is weak?

A: Weak certificate lifecycle management creates blind spots, stale trust, and higher outage risk during renewal or migration.

Practitioner guidance

• Build a cryptographic trust inventory Map certificates, keys, dependent services, owners, and renewal paths so you can see where long-lived trust exists and which assets require priority migration.
• Test certificate rotation at operational speed Rehearse renewal, revocation, and policy enforcement in production-like conditions so hybrid cryptography does not become a service continuity problem.
• Assign explicit ownership for trust assets Tie each certificate and workload trust dependency to a named team so lifecycle decisions are accountable and can be governed alongside IAM processes.

What's in the full analysis

DigiCert's full press release covers the operational detail this post intentionally leaves for the source:

• Award criteria and judging context for the 2025 Quantum Readiness Awards.
• The specific operational practices Migros used to organise its company-wide quantum readiness programme.
• NTT DATA's certificate lifecycle and hybrid cryptography operating model across cloud environments.
• The vendor's framing of why these readiness patterns matter for post-quantum migration planning.

👉 Read DigiCert’s Quantum Readiness Awards coverage for Migros and NTT DATA →

Quantum readiness and certificate governance: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →