Quantum risk and crypto-agility: what IAM teams need to do now

TL;DR: The G7 Cyber Expert Group’s 2026 roadmap says quantum risk is no longer theoretical for financial services, pushing boards and security teams toward inventory, cryptographic agility, and phased migration planning across systems and third parties, according to Keyfactor. The real governance shift is that encryption dependencies now need enterprise ownership, not sporadic technical attention.

NHIMG editorial — based on content published by Keyfactor: When the G7 Signals Quantum Risk, It’s Time to Listen

Questions worth separating out

Q: How should security teams prepare identity systems for quantum risk?

A: Security teams should begin with a full inventory of cryptographic dependencies, then rank systems by data lifetime, business criticality, and migration difficulty.

Q: Why do long-lived data and credentials increase quantum risk?

A: Long-lived data increases quantum risk because information that is safe today may still need to remain confidential after quantum-capable attackers emerge.

Q: What breaks when cryptography is hard-coded into identity platforms?

A: Hard-coded cryptography breaks migration because the organisation cannot replace algorithms, keys, or signing methods without redesigning applications and trust flows.

Practitioner guidance

• Inventory cryptographic dependencies across identity systems Identify where certificates, keys, signed tokens, federation flows, and service-to-service trust are embedded across applications, workloads, and vendors.
• Prioritize long-lived and high-impact data first Rank systems by confidentiality lifetime, business criticality, and replacement complexity so migration effort starts where future decryptability would create the most damage.
• Test whether cryptography can change without service redesign Challenge teams to rotate algorithms or key material in a controlled environment and document which platforms fail when trust primitives change.

What's in the full article

Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:

• The article’s phased roadmap for executive awareness, discovery, migration, and validation across financial institutions.
• The specific governance actions Keyfactor recommends for board reporting, third-party oversight, and long-term cryptographic planning.
• The timeline framing that links quantum readiness to 2025, 2026, and 2028 planning milestones.
• The discussion of how financial ecosystem interdependence affects crypto transition across vendors and platforms.

👉 Read Keyfactor’s analysis of the G7 quantum-risk roadmap for financial services →

Quantum risk and crypto-agility: what IAM teams need to do now?

Explore further

View Full Forum →  |  NHI Foundation Course →