Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

PQC pressure and crypto inventory: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: The Department of War’s November memorandum makes cryptography inventory, named migration leads, test artifacts, and approval gates mandatory, while also rejecting quantum key distribution as a confidentiality substitute and setting phase-out expectations for weaker key-establishment approaches, according to DigiCert. The real message is that crypto-agility, not optimism, now determines whether identity and certificate programmes can survive post-quantum transition.

NHIMG editorial — based on content published by DigiCert: No Time to Wait: PQC Pressure from the Dept. of War

Questions worth separating out

Q: How should security teams prepare for PQC migration in identity-heavy environments?

A: Start by inventorying every cryptographic dependency, then assign ownership to the teams that operate those systems.

Q: Why does PQC pressure matter for machine identity programmes?

A: Machine identity systems often assume stable algorithms, long renewal cycles, and predictable trust chains.

Q: What do organisations get wrong about crypto-agility?

A: They often treat crypto-agility as a future state or a product feature rather than an operational capability.

Practitioner guidance

  • Build a cryptographic dependency inventory Map every certificate, key, trust anchor, and embedded identity to a system owner, renewal path, and business criticality.
  • Assign named migration leads per cryptographic domain Give responsibility to specific owners for PKI, workload identity, device identity, and application trust so accountability survives across teams and vendors.
  • Validate algorithm agility in the certificate pipeline Test issuance, renewal, revocation, and validation workflows against transition profiles before production cutover.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • How DigiCert says to inventory cryptographic dependencies across certificates, IoT identities, embedded keys, and service-to-service trust.
  • What PQC-ready PKI and lifecycle management look like in practice, including issuance, renewal, revocation, and algorithm rotation.
  • How the PQC Labs environment is used to test interoperability scenarios before production deployment.
  • Which procurement and compliance artefacts the vendor says customers can produce for migration evidence.

👉 Read DigiCert's guidance on PQC migration pressure and crypto inventory →

PQC pressure and crypto inventory: what IAM teams need now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Crypto inventory is now an identity governance control, not a back-office catalogue. The article’s central point is that every cryptographic dependency must have an owner, because unmanaged trust paths become migration blockers the moment algorithms change. That matters for NHI, certificate lifecycle, and service identity governance alike. Organisations that treat cryptography as an abstract security property will miss the operational ownership model needed for transition.

A few things that frame the scale:

  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Who should own PQC migration risk across the enterprise?

A: Ownership should sit with the teams responsible for PKI, workload identity, device identity, and application trust, backed by programme leadership that can prioritise by risk. PQC migration crosses infrastructure, security, and application boundaries, so it fails when treated as a narrow cryptography project.

👉 Read our full editorial: PQC migration pressure forces crypto inventory and algorithm agility



   
ReplyQuote
Share: