
Post-quantum cryptography: what IAM and NHI teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Quantum computing is compressing the timeline for breaking today’s cryptography, with Google moving its internal post-quantum migration target to 2029 and NIST already finalizing the first post-quantum standards, according to Keyfactor and NIST. The shift turns cryptography inventory, crypto-agility, and trust lifecycle governance into core IAM and NHI priorities, not specialist infrastructure work.

NHIMG editorial — based on content published by Keyfactor: World Quantum Day: What We’re Not Talking About Enough

By the numbers:

  • The timeline for when a quantum computer could potentially break standard 2048-bit RSA encryption has compressed from 1 billion physical qubits in 2012 to 1 million noisy qubits in recent research.
  • Google moved its internal deadline for being fully migrated to post-quantum cryptography to 2029.

Questions worth separating out

Q: How should security teams prepare identity systems for post-quantum cryptography?

A: They should start with a complete inventory of where cryptography underpins authentication, federation, signing, and encrypted transport.

Q: Why does post-quantum risk matter for NHI and workload identity?

A: Because service accounts, certificates, and signed machine-to-machine assertions all depend on cryptographic trust.

Q: What breaks if organisations treat cryptography as static infrastructure?

A: They miss hidden dependencies in certificates, token signing, software delivery, and federation flows.

Practitioner guidance

  • Inventory cryptographic dependencies across identity paths: Catalog where RSA, certificates, signed artefacts, and encrypted sessions support human login, workload identity, and federation.
  • Prioritise long-lived trust objects for migration: Start with code signing, partner federation, certificates with long validity, and any identity assertion that must remain trustworthy for years.
  • Build an algorithm-swap runbook before urgency arrives: Test how identity, PKI, and application teams will replace one cryptographic method with another without breaking authentication or signed delivery.

What's in the full article

Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:

  • A clearer walkthrough of the 2012, 2019, and recent qubit estimates behind the RSA timeline compression.
  • The practical case for crypto-agility in enterprise environments, including why static cryptography assumptions fail governance tests.
  • Examples of where trust infrastructure changes affect software updates, machine-to-machine authentication, and identity systems.
  • The PQC Lab learning path for teams that want to test migration concepts before committing to production change.

👉 Read Keyfactor's analysis of why post-quantum cryptography matters now →
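The inventory and prioritisation steps from the practitioner guidance above, as an added worked example (not code from the NHIMG post or the Keyfactor article). It assumes trust objects (CA certificates, signing keys, mTLS certificates) have already been exported from PKI, IdP and CI/CD systems into flat records; the `TrustObject` type, the `ROLE_WEIGHT` table and the sample inventory are constructed for illustration. Objects are flagged when their algorithm relies on factoring or discrete logarithms, then ranked by the role they play and by how many years of remaining validity carry the exposure forward.

```python
"""Inventory and migration-priority scoring for cryptographic trust objects.

Added example, not from the Keyfactor article or the NHIMG post. Assumes an
inventory of trust objects has been exported from PKI, IdP and CI/CD systems;
the records below are constructed sample data, not real certificates.
"""
from dataclasses import dataclass
from datetime import date

# Algorithms whose security rests on factoring or discrete logarithms, which a
# large enough quantum computer running Shor's algorithm would break.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "Ed25519", "X25519"}

# Weight by what the object anchors (constructed scale): trust roots and
# signatures that must stay verifiable for years outrank short-lived sessions.
ROLE_WEIGHT = {
    "root-ca": 5,
    "code-signing": 5,
    "issuing-ca": 4,
    "federation-signing": 4,
    "workload-mtls": 2,
    "tls-server": 1,
}

DEFAULT_TODAY = date(2025, 4, 14)  # fixed reference date so results are reproducible


@dataclass(frozen=True)
class TrustObject:
    name: str
    role: str          # one of ROLE_WEIGHT
    algorithm: str     # e.g. "RSA", "ECDSA", "ML-DSA-65"
    key_bits: int
    not_before: date
    not_after: date
    owner: str         # team accountable for reissuing this object

    def validity_years(self) -> float:
        return (self.not_after - self.not_before).days / 365.25

    def quantum_vulnerable(self) -> bool:
        return self.algorithm in QUANTUM_VULNERABLE


def migration_priority(obj: TrustObject, today: date = DEFAULT_TODAY) -> int:
    """Higher score = migrate earlier. Zero means no quantum-vulnerable dependency."""
    if not obj.quantum_vulnerable():
        return 0
    score = ROLE_WEIGHT.get(obj.role, 1) * 10
    # Remaining lifetime matters more than total lifetime: every year a
    # vulnerable key stays trusted is a year its signatures can be forged later.
    remaining_years = max(0, (obj.not_after - today).days) / 365.25
    return score + int(remaining_years * 4)


def prioritised_inventory(objects, today: date = DEFAULT_TODAY):
    """Return (score, object) pairs for vulnerable objects, highest priority first."""
    scored = [(migration_priority(o, today), o) for o in objects]
    return sorted(
        ((s, o) for s, o in scored if s > 0),
        key=lambda pair: (-pair[0], pair[1].name),
    )


def owners_with_vulnerable_objects(objects, today: date = DEFAULT_TODAY):
    """Map owning team -> number of vulnerable objects, for assigning the migration work."""
    counts = {}
    for _score, obj in prioritised_inventory(objects, today):
        counts[obj.owner] = counts.get(obj.owner, 0) + 1
    return counts


# Constructed sample inventory (names, dates and owners are invented).
SAMPLE_INVENTORY = [
    TrustObject("release-signing-key", "code-signing", "RSA", 3072,
                date(2023, 1, 1), date(2033, 1, 1), "platform"),
    TrustObject("saml-idp-signing", "federation-signing", "RSA", 2048,
                date(2024, 6, 1), date(2027, 6, 1), "iam"),
    TrustObject("corp-root-ca", "root-ca", "ECDSA", 384,
                date(2020, 1, 1), date(2040, 1, 1), "pki"),
    TrustObject("svc-payments-mtls", "workload-mtls", "ECDSA", 256,
                date(2025, 4, 14), date(2025, 4, 15), "app-payments"),
    TrustObject("pilot-pq-signing", "code-signing", "ML-DSA-65", 0,
                date(2025, 1, 1), date(2030, 1, 1), "platform"),
]

if __name__ == "__main__":
    for score, obj in prioritised_inventory(SAMPLE_INVENTORY):
        print(f"{score:4d}  {obj.name:22s} {obj.role:19s} "
              f"{obj.algorithm}-{obj.key_bits}  expires {obj.not_after}  owner={obj.owner}")
    print("per-owner:", owners_with_vulnerable_objects(SAMPLE_INVENTORY))
```

Run as-is, the sample inventory ranks the 20-year ECDSA root CA first, the 10-year RSA release-signing key second, the federation signing key third, and the one-day workload mTLS certificate last; the ML-DSA pilot key is excluded because it has no quantum-vulnerable dependency. The per-owner map is the input to the ownership question: each team appearing in it holds something that must be reissued under the algorithm-swap runbook.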


(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Crypto-agility is now identity governance, not infrastructure hygiene. The article shows that cryptography is the trust substrate for authentication, signing, and machine-to-machine exchange. Once algorithms become time-limited, identity programmes inherit the obligation to know where trust is anchored and how quickly it can be reissued. Practitioners should treat cryptographic lifecycle management as part of IAM and NHI governance, not a separate engineering concern.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, which makes cryptographic and secret governance part of the same control plane.

A question worth separating out:

Q: Who owns post-quantum migration in an identity programme?

A: It should be shared across IAM, PKI, platform, application, and security governance teams, with clear accountability for trust inventory and algorithm transition. If ownership sits only with infrastructure teams, identity dependencies get missed. The right model is lifecycle governance for cryptography, because trust objects age just like credentials do.

👉 Read our full editorial: Post-quantum cryptography is becoming an identity governance problem
