TL;DR: The G7 Cyber Expert Group’s 2026 roadmap says quantum risk is no longer theoretical for financial services, pushing boards and security teams toward inventory, cryptographic agility, and phased migration planning across systems and third parties, according to Keyfactor. The real governance shift is that encryption dependencies now need enterprise ownership, not sporadic technical attention.
NHIMG editorial — based on content published by Keyfactor: When the G7 Signals Quantum Risk, It’s Time to Listen
Questions worth separating out
Q: How should security teams prepare identity systems for quantum risk?
A: Security teams should begin with a full inventory of cryptographic dependencies, then rank systems by data lifetime, business criticality, and migration difficulty.
Q: Why do long-lived data and credentials increase quantum risk?
A: Long-lived data increases quantum risk because information that is safe today may still need to remain confidential after quantum-capable attackers emerge.
Q: What breaks when cryptography is hard-coded into identity platforms?
A: Hard-coded cryptography breaks migration because the organisation cannot replace algorithms, keys, or signing methods without redesigning applications and trust flows.
Practitioner guidance
- Inventory cryptographic dependencies across identity systems Identify where certificates, keys, signed tokens, federation flows, and service-to-service trust are embedded across applications, workloads, and vendors.
- Prioritize long-lived and high-impact data first Rank systems by confidentiality lifetime, business criticality, and replacement complexity so migration effort starts where future decryptability would create the most damage.
- Test whether cryptography can change without service redesign Challenge teams to rotate algorithms or key material in a controlled environment and document which platforms fail when trust primitives change.
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- The article’s phased roadmap for executive awareness, discovery, migration, and validation across financial institutions.
- The specific governance actions Keyfactor recommends for board reporting, third-party oversight, and long-term cryptographic planning.
- The timeline framing that links quantum readiness to 2025, 2026, and 2028 planning milestones.
- The discussion of how financial ecosystem interdependence affects crypto transition across vendors and platforms.
👉 Read Keyfactor’s analysis of the G7 quantum-risk roadmap for financial services →
Quantum risk and crypto-agility: what IAM teams need to do now?
Explore further
Quantum readiness is now an identity governance problem, not just a cryptography problem. Authentication, federation, workload trust, and secrets protection all depend on cryptographic assumptions that can outlive the current algorithm set. The G7 roadmap matters because it pulls that dependency into board-level risk management rather than leaving it inside technical standards discussions. Practitioners should treat cryptography as part of the identity control plane, not a background implementation detail.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable for quantum readiness in financial services?
A: Accountability should sit with enterprise risk and executive governance, not only with security engineering. Quantum readiness cuts across identity, infrastructure, vendors, and data retention, so it needs ownership through existing boards, risk committees, and architecture review forums. If no group is tracking milestones, discovery and migration will stall.
👉 Read our full editorial: Quantum risk is becoming a governance issue for financial identities