TL;DR: Quantum computing threatens RSA and ECC, while the NIST has already finalised three post-quantum cryptographic standards and signalled more to come, according to GlobalSign. The real issue for identity teams is not algorithm awareness but migration scope, because every device, server, browser, certificate, and communication path that depends on public-key trust will need a replacement path before quantum risk becomes practical.
NHIMG editorial — based on content published by GlobalSign: a guide to quantum computing readiness and post-quantum cryptography standards
By the numbers:
- RSA recommendations moved from a minimum of 1024 bits in 2015 to 2048 bits today.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should security teams prepare identity systems for post-quantum cryptography?
A: They should start with a complete inventory of where cryptography underpins authentication, federation, signing, and encrypted transport.
Q: Why does post-quantum planning matter for IAM teams and not just PKI owners?
A: Because identity systems use public-key cryptography everywhere, from authenticating devices to validating browser sessions and workload certificates.
Q: What do security teams get wrong about quantum readiness?
A: They often treat quantum readiness as a future encryption upgrade rather than an identity and trust migration.
Practitioner guidance
- Inventory every RSA and ECC dependency Build a complete map of certificates, device identities, browser trust paths, code signing, and service-to-service communications that still depend on classical public-key cryptography.
- Classify trust paths by migration urgency Separate externally exposed identities, long-lived certificates, and regulated communications from lower-risk internal uses so replacement sequencing follows business impact.
- Assess CA and HSM compatibility together Test whether certificate authorities, hardware security modules, and downstream consumers can issue, store, and validate post-quantum-safe credentials before planning rollout.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- A deeper walkthrough of the NIST post-quantum standards and how each one maps to encryption or signatures.
- Discussion of certificate authority and browser ecosystem readiness, including the constraints slowing adoption.
- Context on hardware security module support and why that matters for issuing post-quantum-safe certificates.
- The article’s view of how "harvest now, decrypt later" changes the urgency of migration planning.
👉 Read GlobalSign's analysis of post-quantum cryptography readiness for identity systems →
Post-quantum cryptography readiness: what IAM teams need to rework?
Explore further
Post-quantum readiness is an identity trust migration problem, not just a cryptography upgrade. Certificates, device trust, browser trust, and workload identity all depend on public-key assumptions that quantum computing undermines. That means identity governance teams have to think in terms of trust replacement paths, not isolated cipher changes. The implication is that PKI, IAM, and infrastructure owners need a shared migration map.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why identity inventory quality remains a gating issue for any cryptographic transition.
A question worth separating out:
Q: Who is accountable for quantum migration when certificates and identities span multiple teams?
A: Accountability should sit with the identity and cryptography governance owners, but execution must be shared across PKI, infrastructure, application, and compliance teams. If no single group owns the dependency map and migration timetable, the transition will fragment and legacy trust paths will survive longer than intended.
👉 Read our full editorial: Post-quantum cryptography readiness is now an identity problem