TL;DR: A CBOM inventories the cryptographic components built into software, but Keyfactor argues it does not capture real-world configuration, key handling, or operational use, leaving organisations without a full cryptographic posture view. The real control gap is that visibility at build time still fails if inventory does not follow runtime usage and governance.
NHIMG editorial — based on content published by Keyfactor: Introducing the Cryptographic Bill of Materials (CBOM): A Foundation for Modern Cryptographic Management
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 73% of vaults are misconfigured, leading to unauthorised access and exposure of sensitive data.
Questions worth separating out
Q: How should teams govern cryptographic assets across software and production environments?
A: Teams should govern cryptographic assets as a lifecycle problem, not a software inventory problem.
Q: Why does a static cryptographic inventory fail to reduce real risk?
A: A static inventory fails because real cryptographic risk comes from configuration drift and operational use, not just from what a package can support.
Q: What signals show that cryptographic governance is out of control?
A: The clearest signals are outdated rotation records, unknown key owners, certificate expiry close to production use, and inconsistent algorithm settings across environments.
Practitioner guidance
- Separate cryptographic capability from cryptographic control: use CBOM data to identify what software can do, then verify which algorithms, key sizes, and protocols are actually enabled in production.
- Build a cryptographic inventory that includes ownership and lifecycle states: track keys, certificates, secrets, keystores, and dependent systems in one register with named owners, issue dates, rotation rules, and retirement criteria.
- Align cryptographic refresh with identity review and renewal cycles: review certificate expiry, secret rotation, and algorithm deprecation together so cryptographic change is treated as a governed lifecycle event, not a one-off technical task.
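As an added example (not code from Keyfactor or NHIMG), the check below compares a constructed, simplified CBOM-style capability record with a constructed runtime register and flags the out-of-control signals listed above: algorithms in use that the CBOM never declared, unknown owners, overdue rotation, production expiry close at hand, and algorithm settings that differ between environments. The record layouts, component and asset names are assumptions and not the CycloneDX CBOM schema.

```python
from datetime import date

# Added example; constructed, simplified CBOM fragment (assumption: not the
# CycloneDX CBOM schema). It states what a component is *capable* of, by purpose.
CBOM = {
    "payments-api": {"tls": ["TLS1.2", "TLS1.3"],
                     "signing": ["RSA-2048", "RSA-4096", "ECDSA-P256"]},
}

# Constructed runtime register: one row per key/cert with owner and lifecycle state.
# 'expires' is None for keys that have no certificate-style expiry.
REGISTER = [
    {"component": "payments-api", "env": "prod", "asset": "cert:api.example",
     "algorithm": "RSA-2048", "owner": "team-payments", "rotation_days": 90,
     "last_rotated": date(2024, 1, 10), "expires": date(2024, 6, 2)},
    {"component": "payments-api", "env": "staging", "asset": "cert:api.example",
     "algorithm": "ECDSA-P256", "owner": None, "rotation_days": 90,
     "last_rotated": date(2024, 5, 1), "expires": date(2025, 5, 1)},
    {"component": "payments-api", "env": "prod", "asset": "key:webhook-hmac",
     "algorithm": "HMAC-SHA1", "owner": "team-payments", "rotation_days": 90,
     "last_rotated": date(2024, 4, 20), "expires": None},
]
TODAY = date(2024, 5, 15)  # fixed so the result is reproducible

def posture_findings(cbom, register, today, expiry_window_days=30):
    findings = []  # (asset, env, signal) tuples
    algorithms_by_asset = {}
    for row in register:
        # Capability vs control: an algorithm in use that the CBOM never declared
        # means the build-time inventory and the running system have drifted apart.
        declared = {a for algs in cbom.get(row["component"], {}).values() for a in algs}
        if row["algorithm"] not in declared:
            findings.append((row["asset"], row["env"], "algorithm not in CBOM"))
        if row["owner"] is None:
            findings.append((row["asset"], row["env"], "unknown owner"))
        if (today - row["last_rotated"]).days > row["rotation_days"]:
            findings.append((row["asset"], row["env"], "rotation overdue"))
        if (row["env"] == "prod" and row["expires"] is not None
                and (row["expires"] - today).days <= expiry_window_days):
            findings.append((row["asset"], row["env"], "expiry close to production use"))
        algorithms_by_asset.setdefault(row["asset"], {})[row["env"]] = row["algorithm"]
    for asset, per_env in algorithms_by_asset.items():
        if len(set(per_env.values())) > 1:
            findings.append((asset, "all", "inconsistent algorithm across environments"))
    return findings

def demo_findings():
    return posture_findings(CBOM, REGISTER, TODAY)
```

Each finding names the asset and environment so it can be routed to the owner recorded in the register, which is the point of keeping ownership and lifecycle state in the same inventory.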
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- How CBOM maps to specific cryptographic components such as algorithms, libraries, keys, and supported key sizes
- Examples of how cryptographic inventory extends beyond software release data into enterprise configuration and usage
- The article's discussion of post-quantum readiness as a driver for continuous cryptographic posture management
- The source author's practical framing of why CBOM and inventory are complementary rather than competing models
Read Keyfactor's analysis of the cryptographic bill of materials and inventory gap.
Cryptographic bill of materials: what it means for IAM teams?
Explore further
CBOM is not governance, it is metadata. A cryptographic bill of materials describes what cryptographic capabilities a package contains, but it does not prove how those capabilities are configured or enforced in production. That distinction matters because security failures usually arise in the operational layer, where keys, certificates, and secrets are actually issued, stored, rotated, and retired. Practitioners should treat CBOM as a discovery input, not as evidence of control.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to NHI Mgmt Group research on non-human identity exposure.
A question worth separating out:
Q: How do cryptographic inventories support IAM and machine identity governance?
A: They turn cryptographic artifacts into governed identity assets. Keys, certificates, and secrets all need issuance, monitoring, rotation, and retirement, just like other non-human identities. When these assets are tracked in the same governance model, teams can reduce trust gaps and improve auditability.
Read our full editorial: Cryptographic bill of materials exposes the gap in cryptographic management.