TL;DR: Enterprises cannot scope post-quantum cryptography migration without a complete cryptographic inventory, and the article argues that identity-linked discovery is the practical starting point, according to Axiad and cited guidance from Gartner, CISA, and NIST. The real constraint is not algorithm choice, but visibility into where certificates, keys, and machine identities actually live.
NHIMG editorial — based on content published by Axiad: NIST, CISA, and Gartner experts say quantum will break today's encryption by 2029
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should security teams build a cryptographic inventory for post-quantum migration?
A: Start by mapping every algorithm, certificate, key, and dependency to an owner and the system that uses it.
Q: Why do machine identities matter in post-quantum cryptography planning?
A: Because machine identities often hold the certificates and keys that actually secure business systems.
Q: What breaks when cryptography is not inventoried before PQC migration?
A: Migration breaks into isolated replacements with no clear order, no reliable ownership, and no way to see which systems depend on vulnerable algorithms.
Practitioner guidance
- Build a cryptographic inventory tied to identity owners: map every certificate, key, algorithm, and dependency to a named owner and system record.
- Prioritise legacy algorithms by business criticality: rank RSA, ECC, and other quantum-vulnerable uses by data sensitivity, certificate lifecycle, and the privilege level of the identity they protect.
- Treat machine identities as part of the PQC scope: include service accounts, API keys, SSH keys, and code-signing certificates in the same governance workstream as user-facing certificates.
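The three guidance items above describe one workflow: record each asset with an owner and system, flag the quantum-vulnerable public-key algorithms, and rank them by sensitivity, privilege and lifecycle, with machine identities (SSH keys, API keys, code-signing certificates) in the same list as TLS certificates. The script below is an added illustration of that workflow, not code from Axiad, Axiad Mesh or the NHIMG editorial. The record schema, the scoring weights and the sample inventory are assumptions constructed for the example; the only figure taken from the page is the 2029 horizon, used to penalise assets that will still be valid when that date arrives. Assets with no owner or system record are reported as gaps and excluded from the ranking, which is the "gating control" reading of inventory completeness.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Public-key families broken by Shor's algorithm. Symmetric primitives (AES, HMAC)
# and the NIST PQC algorithms (ML-KEM, ML-DSA, SLH-DSA) are deliberately absent.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}

# The editorial cites 2029 as when today's encryption is expected to break;
# assets still valid on that date score higher (assumed weighting).
QUANTUM_HORIZON = date(2029, 1, 1)

# Fixed reference date so the worked example is reproducible.
AS_OF = date(2025, 1, 1)

WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class CryptoAsset:
    """One discovered cryptographic asset mapped to its owner and system record (assumed schema)."""
    asset_id: str
    kind: str                    # certificate, ssh_key, api_key, code_signing_cert
    algorithm: str
    owner: Optional[str]         # named owner; None means the inventory is incomplete
    system: Optional[str]        # system record that uses it; None means incomplete
    not_after: Optional[date]    # None means no expiry (common for SSH keys)
    sensitivity: str             # low / medium / high: the data the asset protects
    privilege: str               # low / medium / high: privilege of the identity it protects
    dependents: List[str] = field(default_factory=list)  # identities relying on it


def is_quantum_vulnerable(algorithm: str) -> bool:
    return algorithm.upper() in QUANTUM_VULNERABLE


def inventory_gaps(assets: List[CryptoAsset]) -> List[str]:
    """Assets with no owner or no system record: these block prioritisation."""
    return sorted(a.asset_id for a in assets if a.owner is None or a.system is None)


def lifecycle_weight(asset: CryptoAsset, today: date) -> int:
    """Long-lived assets need an explicit migration; short-lived ones can swap at renewal."""
    if asset.not_after is None:
        return 3   # never rotates on its own
    if asset.not_after >= QUANTUM_HORIZON:
        return 2   # still valid when the cited horizon arrives
    if asset.not_after > today:
        return 1   # renews before the horizon; change the algorithm at renewal
    return 0       # already expired


def score_asset(asset: CryptoAsset, today: date) -> int:
    """Rank by data sensitivity, privilege level, lifecycle and dependency count."""
    return (WEIGHT[asset.sensitivity] * 3
            + WEIGHT[asset.privilege] * 2
            + lifecycle_weight(asset, today)
            + len(asset.dependents))


def prioritise(assets: List[CryptoAsset], today: date) -> List[Tuple[int, str]]:
    """Migration order for quantum-vulnerable assets that have a known owner and system."""
    gaps = set(inventory_gaps(assets))
    ranked = [(score_asset(a, today), a.asset_id)
              for a in assets
              if is_quantum_vulnerable(a.algorithm) and a.asset_id not in gaps]
    return sorted(ranked, key=lambda item: (-item[0], item[1]))


def dependency_map(assets: List[CryptoAsset]) -> Dict[str, List[str]]:
    """Reverse index: which identities depend on each quantum-vulnerable asset."""
    index: Dict[str, List[str]] = {}
    for a in assets:
        if is_quantum_vulnerable(a.algorithm):
            for ident in a.dependents:
                index.setdefault(ident, []).append(a.asset_id)
    return {k: sorted(v) for k, v in sorted(index.items())}


# Constructed sample inventory (not real data); owners, systems and identities are invented.
SAMPLE_INVENTORY = [
    CryptoAsset("tls-payments-01", "certificate", "RSA", "payments-team", "payments-gw",
                date(2026, 3, 1), "high", "high", ["svc-payments", "svc-ledger"]),
    CryptoAsset("ssh-deploy-bot", "ssh_key", "ED25519", "platform-team", "ci-runner",
                None, "medium", "high", ["svc-deploy"]),
    CryptoAsset("codesign-release", "code_signing_cert", "ECDSA", "release-eng", "build-signer",
                date(2031, 6, 30), "high", "high", []),
    CryptoAsset("tls-intranet-wiki", "certificate", "RSA", "it-ops", "wiki",
                date(2025, 9, 1), "low", "low", []),
    CryptoAsset("api-key-metrics", "api_key", "HMAC-SHA256", "observability", "metrics-api",
                None, "low", "low", ["svc-dashboard"]),
    CryptoAsset("tls-orphan-cert", "certificate", "RSA", None, None,
                date(2030, 1, 1), "high", "medium", []),
]

if __name__ == "__main__":
    print("Inventory gaps (resolve before ranking):", inventory_gaps(SAMPLE_INVENTORY))
    for score, asset_id in prioritise(SAMPLE_INVENTORY, AS_OF):
        print(f"{score:3d}  {asset_id}")
    print("Identity -> vulnerable assets:", dependency_map(SAMPLE_INVENTORY))
```

On the sample data the orphaned certificate is reported as a gap rather than ranked, the HMAC API key is left out of the migration list because a symmetric MAC is not broken by Shor's algorithm, and the Ed25519 deploy key outranks the low-sensitivity intranet certificate even though it is not a certificate at all, which is the point of keeping machine identities in the same workstream. In a real programme the owner, system and dependents fields would be populated by a discovery tool and an identity directory, and the weights would be agreed with the risk function rather than hard-coded.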
What's in the full article
Axiad's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step descriptions of how Axiad Mesh discovers certificates, keys, and identity dependencies across hybrid environments.
- The article's risk-prioritisation logic for ranking quantum-vulnerable cryptography by lifecycle status and criticality.
- Implementation detail on continuous scanning and how the inventory is kept current as systems change.
- Examples of how identity and cryptography correlation supports migration sequencing and ownership assignment.
👉 Read Axiad's analysis of post-quantum cryptography readiness and identity visibility →
Post-quantum cryptography inventory gaps: what IAM teams need now?
Cryptographic inventory is the missing governance layer in PQC migration. The article is right to treat visibility as the prerequisite, because algorithm replacement without asset knowledge only creates a false sense of readiness. PQC programmes fail when they start from standards selection instead of identity-linked discovery, ownership, and dependency mapping. Practitioners should treat inventory completeness as the gating control, not a reporting exercise.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: How do organisations know if their PQC readiness programme is working?
A: They should be able to answer where each cryptographic asset lives, who owns it, which identities depend on it, and what will change when an algorithm is replaced. If those answers are missing, the programme is still in discovery, not readiness.
👉 Read our full editorial: Post-quantum cryptography readiness starts with identity visibility