TL;DR: The new post-quantum executive order gives agencies 30 days to name a migration lead and begin cryptographic inventory work, while 2030 and 2031 deadlines sit further out, according to Axiad’s analysis of Executive Order 14409. The immediate governance issue is visibility: organisations cannot migrate what they have not mapped, especially when machine identities and AI agents inherit cryptographic credentials.
NHIMG editorial — based on content published by Axiad: The Real Deadline in the New PQC Executive Order Isn't 2030. It's 30 Days
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: What breaks if organisations treat PQC migration as a late-stage crypto refresh?
A: The programme usually fails at discovery, ownership, and sequencing before it fails at algorithm replacement.
Q: When should organisations prioritise cryptographic inventory over algorithm migration?
A: They should prioritise inventory first, because migration plans are only as good as the trust fabric they map.
Q: What do security teams get wrong about machine identities in PQC planning?
A: They often treat machine identities as implementation details rather than governance objects.
Practitioner guidance
- Stand up a named PQC migration owner: Assign one accountable lead who reports into the CIO or equivalent security owner and owns cryptographic inventory prioritisation, dependency mapping, and remediation sequencing.
- Inventory cryptography by dependency, not asset label: Map which certificates, keys, algorithms, and trust paths support authentication, signing, federation, APIs, and workload identity so you can see what breaks before you replace anything.
- Include machine identities in the first discovery wave: Track service accounts, certificates, tokens, and AI-inherited credentials alongside human-facing systems because hidden non-human identities often carry the most fragile trust relationships.
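A dependency-first inventory as described in the guidance above, sketched as an added example (not code from Axiad's article or NHIMG): each record names the credential it chains to and the functions it supports, and the queue ranks quantum-vulnerable entries by how much sits beneath them. The record fields, sample entries, and function names are constructed for illustration.

```python
from collections import defaultdict

# Public-key families broken by Shor's algorithm; NIST PQC names (ML-KEM, ML-DSA, SLH-DSA) do not match.
QUANTUM_VULNERABLE = ("RSA", "ECDSA", "ECDH", "DSA", "DH", "ED25519")

# Constructed sample inventory. "trusts" is the credential this one chains to (its trust path).
INVENTORY = [
    {"id": "root-ca", "kind": "certificate", "alg": "RSA-4096", "owner": "pki", "trusts": None, "supports": []},
    {"id": "issuing-ca", "kind": "certificate", "alg": "ECDSA-P384", "owner": "pki", "trusts": "root-ca", "supports": []},
    {"id": "api-gw-tls", "kind": "certificate", "alg": "ECDSA-P256", "owner": "platform", "trusts": "issuing-ca", "supports": ["APIs"]},
    {"id": "svc-billing", "kind": "service account", "alg": "RSA-2048", "owner": None, "trusts": "issuing-ca", "supports": ["workload identity", "authentication"]},
    {"id": "idp-signing", "kind": "key", "alg": "RSA-2048", "owner": "iam", "trusts": None, "supports": ["federation", "signing"]},
    {"id": "agent-token", "kind": "token", "alg": "RSA-2048", "owner": None, "trusts": "idp-signing", "supports": ["authentication"]},
    {"id": "fw-signing", "kind": "key", "alg": "ML-DSA-65", "owner": "firmware", "trusts": None, "supports": ["signing"]},
]

def is_quantum_vulnerable(alg):
    return alg.upper().startswith(QUANTUM_VULNERABLE)

def dependents(inventory, cred_id):
    """Every credential that chains, directly or transitively, to cred_id."""
    children = defaultdict(list)
    for rec in inventory:
        if rec["trusts"]:
            children[rec["trusts"]].append(rec["id"])
    seen, stack = [], list(children[cred_id])
    while stack:
        cur = stack.pop()
        if cur != cred_id and cur not in seen:  # guards against cyclic records
            seen.append(cur)
            stack.extend(children[cur])
    return sorted(seen)

def migration_queue(inventory):
    """Quantum-vulnerable credentials, widest blast radius first; missing owners are flagged."""
    by_id = {rec["id"]: rec for rec in inventory}
    queue = []
    for rec in (r for r in inventory if is_quantum_vulnerable(r["alg"])):
        deps = dependents(inventory, rec["id"])
        breaks = set(rec["supports"])
        for d in deps:
            breaks.update(by_id[d]["supports"])
        queue.append({"id": rec["id"], "alg": rec["alg"], "owner": rec["owner"] or "UNOWNED",
                      "dependents": deps, "breaks": sorted(breaks)})
    return sorted(queue, key=lambda e: (-len(e["dependents"]), e["id"]))

if __name__ == "__main__":
    for e in migration_queue(INVENTORY):
        print(e["id"], e["alg"], e["owner"], len(e["dependents"]), e["breaks"])
```

The two unowned entries in the output are both machine identities, and neither would surface in an inventory organised by asset label alone.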
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- The specific executive order provisions and deadline wording that drive the 30-day migration lead requirement.
- The article's proposed sequence for standing up cryptographic inventory and prioritising assets.
- Axiad Mesh positioning for continuous discovery across certificates, machine identities, and AI-inherited credentials.
- The vendor's FAQ section on what agencies, contractors, and security teams must do first.
PQC migration inventory and identity scope: what teams need now?
Explore further
Inventory is the real cryptographic control plane: The executive order makes visibility the first governing action because migration cannot be sequenced without knowing what cryptography exists, where it sits, and who owns it. That is not just a technical scoping issue. It is a governance model that treats cryptographic discovery as the prerequisite for any PQC programme, and practitioners should recognise that the control plane starts with inventory discipline.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when cryptographic inventory is incomplete at the start of PQC migration?
A: Accountability should sit with the designated migration lead, but the broader answer is that identity, infrastructure, and application owners all share responsibility for the trust map. PQC migration fails when no one owns dependency truth. Governance frameworks should make that ownership explicit before deadlines tighten.