Post-quantum readiness in APAC: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: Post-quantum cryptography is moving into planning and policy across APAC, with Australia setting 2026, 2028, and 2030 milestones and regulators in Singapore, Japan, Taiwan, and Hong Kong issuing readiness guidance. The practical issue is not the algorithm swap alone, but inventory, risk prioritisation, and crypto-agility across identity and access systems.

NHIMG editorial — based on content published by SSH Communications Security: Post-quantum cryptography readiness in APAC

Questions worth separating out

Q: How should security teams start preparing for post-quantum cryptography migration?

A: Start with a cryptographic inventory that covers identity, access, and operational trust paths, then rank systems by business criticality and replacement complexity.

Q: Why does PQC planning matter to IAM and PAM teams?

A: Because authentication, privileged access, and workload trust all depend on cryptographic primitives that may need post-quantum replacement.

Q: Where do organisations usually underestimate quantum migration risk?

A: They underestimate embedded dependencies inside tunnels, certificates, access brokers, and third-party connectivity paths.

Practitioner guidance

  • Build a cryptographic asset inventory now: Map certificates, secure tunnels, tokens, signed workloads, and privileged access paths so you know where quantum-sensitive trust exists before migration deadlines tighten.
  • Rank systems by business criticality and dependency depth: Prioritise identity, access, and infrastructure components that would create the most operational disruption if cryptographic primitives had to change quickly.
  • Add crypto-agility requirements to architecture reviews: Require new and refreshed systems to support algorithm replacement, certificate renewal changes, and key lifecycle updates without full redesign.

What's in the full article

SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:

  • APAC partner lab examples showing how demo environments are being used to trial PQC-related access patterns
  • Practical inventory and assessment services for identifying which cryptographic assets need prioritisation first
  • Details on how PrivX Insights and related capabilities can support the discovery phase of migration planning
  • Regional context on how partners in Singapore and Australia are building out the readiness ecosystem

👉 Read SSH Communications Security's analysis of APAC PQC readiness and migration planning →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

PQC readiness exposes the difference between inventory maturity and migration maturity. Many organisations can say they support cryptography, but far fewer can show where it is embedded across identity, access, and operational trust paths. That gap becomes visible when regulators move from advisories to deadlines. The implication is that crypto discovery is now a governance capability, not a technical side task.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why inventory-led governance remains the starting point for NHI control.

A question worth separating out:

Q: Who should own post-quantum readiness inside the enterprise?

A: Ownership should sit across security architecture, identity governance, infrastructure, and application teams, with clear executive sponsorship. The programme is too cross-cutting for a single control owner because the cryptographic changes affect access, trust, and operational continuity at the same time.

👉 Read our full editorial: PQC readiness in APAC is shifting from theory to planning



   