TL;DR: Post-quantum cryptography readiness is no longer just a PKI problem. Keyfactor argues that inventory, automation, governance, and cross-functional planning all have to move together, because harvest-now-decrypt-later threats and shorter certificate lifecycles raise the cost of delay. The governing assumption that cryptography can be modernised in isolated pockets is already breaking.
NHIMG editorial — based on content published by Keyfactor: PQC 4-Sight, How to Prepare Your Organization for Post-Quantum Cryptography
By the numbers:
- Manual PKI management becomes harder as certificate lifespans are expected to be as short as 47 days by 2029.
Questions worth separating out
Q: How should organisations prepare for post-quantum cryptography without breaking identity trust?
A: Start with a full inventory of cryptographic assets, then prioritise the systems that carry the most exposure or the longest replacement cycle.
Q: Why does PQC readiness matter for IAM and workload identity teams?
A: Because certificates, keys, and trust chains underpin authentication, service-to-service access, and auditability.
Q: What do security teams get wrong about certificate migration?
A: They often treat certificate replacement as a narrow technical task instead of a lifecycle problem.
Practitioner guidance
- Inventory every cryptographic dependency: map certificates, private keys, algorithms, protocols, embedded cryptography, and OT systems before defining migration priority.
- Prioritise dual-stack coverage for exposed systems: identify high-exposure assets that need both post-quantum and traditional certificates during transition.
- Automate certificate issuance and renewal: replace manual PKI workflows with automated issuance, renewal, replacement, and logging wherever certificate volumes or lifespans make human handling unreliable.
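As an added illustration of the inventory-and-triage step above (example code written for this editorial, not Keyfactor's or NHIMG's tooling), the Go program below parses certificates, records the public-key algorithm and validity period, and applies the page's priority rules: exposed or rarely re-issued assets migrate first, and anything shorter-lived than the 47-day horizon is flagged for automation. The subject names, the exposure list and the three-year "long cycle" threshold are assumptions for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type CertRecord struct{ Subject, Algorithm, Priority string; LifetimeDays int } // one inventory row
const shortLifetime, longCycle = 47, 3 * 365 // days: the 2029 lifespan the page cites; assumed validity marking rarely re-issued devices
// Classify ranks parsed certificates; exposed is the owning team's list of high-exposure subjects (assumed input, not in the cert).
func Classify(certs []*x509.Certificate, exposed map[string]bool) []CertRecord {
	var out []CertRecord
	for _, c := range certs {
		r := CertRecord{Subject: c.Subject.CommonName, Algorithm: c.PublicKeyAlgorithm.String(),
			LifetimeDays: int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)}
		switch {
		case exposed[r.Subject] || r.LifetimeDays >= longCycle:
			r.Priority = "migrate-first" // needs a dual PQC + classical certificate during transition
		case r.LifetimeDays <= shortLifetime:
			r.Priority = "automate" // too short-lived for manual renewal to stay reliable
		default:
			r.Priority = "track"
		}
		out = append(out, r)
	}
	return out
}
// SelfSigned builds a constructed sample certificate for this demo, not a real asset.
func SelfSigned(cn string, key *rsa.PrivateKey, from time.Time, days int) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: from.AddDate(0, 0, days)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// SampleInventory classifies three constructed certificates issued relative to now.
func SampleInventory(now time.Time) []CertRecord {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // one throwaway key signs every sample certificate
	certs := []*x509.Certificate{
		SelfSigned("api-gateway.example", key, now.AddDate(0, 0, -10), 398), // internet-facing
		SelfSigned("build-runner.internal", key, now.AddDate(0, 0, -5), 30),  // workload cert
		SelfSigned("plc-controller.ot", key, now.AddDate(0, -6, 0), 3650),    // OT device
	}
	return Classify(certs, map[string]bool{"api-gateway.example": true})
}
```

In a real inventory the exposure list would come from asset ownership records, and the certificates from discovery across endpoints, load balancers, CI/CD secrets and OT devices rather than from an in-memory sample.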
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- A step-by-step PQC transition framework for discovery, triage, automation, and ongoing governance.
- Examples of how dual certificates support backwards compatibility during the migration window.
- Specific guidance on prioritising high-exposure systems such as OT, IoT, and highly sensitive data platforms.
- Keyfactor's view on certificate automation and governance tooling in a post-quantum environment.
👉 Read Keyfactor's post on preparing for post-quantum cryptography →
Post-quantum cryptography readiness: what IAM teams need to change?
Explore further
Post-quantum migration exposes a crypto-agility gap, not just a cipher upgrade task. The article is right to frame PQC as an organisation-wide transformation because identity trust depends on discovery, ownership, automation, and change control across many systems at once. The weak point is not whether a new algorithm exists, but whether the enterprise can replace cryptographic dependencies before they expire. Practitioners should treat PQC as a governance programme with operational dependencies, not a product refresh.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who should own PQC migration when multiple teams depend on the same trust assets?
A: Ownership should sit with a cross-functional programme that includes security, IT, legal, compliance, and product teams. No single function can map dependencies, approve risk, and coordinate change across all affected services. The right model is shared accountability with clear operational ownership for each cryptographic domain.
👉 Read our full editorial: Post-quantum cryptography readiness demands enterprise identity governance