They stall because ownership, budget, and coordination are often unclear. PQC affects multiple teams at once, including identity, PKI, infrastructure, and application owners, so progress slows when no one is accountable for end-to-end delivery. Understanding the risk is not enough if the operating model cannot execute the transition.
Why This Matters for Security Teams
Post-quantum cryptography is not stalled by a lack of technical awareness. It stalls when the transition is treated as a cryptography upgrade instead of an enterprise change program. The risk touches certificate authorities, key exchange, service identities, application dependencies, and procurement cycles, so the work spans teams that do not normally share a delivery queue. That is why framework discipline matters as much as algorithm choice, especially when aligning to the NIST Cybersecurity Framework 2.0.
NHI governance shows the same pattern: security teams often know the exposure exists, but execution fails when ownership is diffuse and remediation depends on multiple control owners moving in sync. NHIMG's Ultimate Guide to NHIs — Why NHI Security Matters Now reports that 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, yet the operating model still breaks under shared accountability. In practice, many security teams encounter PQC deadlock only after certificate inventories, vendor dependencies, and application owners have already drifted out of sync.
How It Works in Practice
The transition usually stalls because no single team owns the full path from discovery to retirement. A workable program starts by mapping where cryptography is actually used, including TLS endpoints, code-signing, VPNs, SSO, API integrations, and certificate automation. From there, teams classify what must change first: algorithm agility in libraries, certificate lifecycle tooling, or identity systems that depend on long-lived keys.
For security leaders, the practical question is not only “which algorithms are post-quantum ready?” but “which systems can accept change without breaking authentication, trust chains, or service-to-service communication?” That is where policy, inventory, and migration sequencing matter. The Top 10 NHI Issues and the Ultimate Guide to NHIs — Key Challenges and Risks both reinforce a core lesson: unmanaged identities and secrets do not fail gracefully, and cryptographic transitions are no different.
- Assign one accountable owner for crypto inventory, one for platform remediation, and one for application readiness.
- Use an inventory to identify certificates, keys, and protocols that depend on vulnerable primitives.
- Prioritize systems with long-lived trust, external exposure, or difficult rollback paths.
- Build migration paths that support hybrid or algorithm-agile operation before forcing a cutover.
Most successful programs pair this with governance metrics: what is inventoried, what is remediated, what is vendor-dependent, and what is blocked by budget or release cycles. These controls tend to break down in environments with legacy appliances, embedded systems, and third-party platforms because the cryptography cannot be upgraded independently of the product lifecycle.
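The discovery-classify-prioritize sequence above, together with the governance metrics, can be turned into a small triage tool. The following is an added example written for this page; it is not code from NHIMG or from any product. The asset records are constructed, the scoring weights are an assumption chosen to reflect the stated priorities (long-lived trust, external exposure, hard rollback), and the owner mapping is a hypothetical three-track model matching the bullet list.

```python
"""Triage a cryptographic asset inventory for a PQC migration program.

Constructed example: the asset records are made up, the scoring weights are
illustrative assumptions, and the owner tracks are a hypothetical model.
"""
from dataclasses import dataclass

# Primitives whose security rests on factoring or discrete logarithms, which a
# cryptographically relevant quantum computer running Shor's algorithm breaks.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "Ed25519", "X25519"}
# NIST-standardised post-quantum primitives (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA).
PQ_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class CryptoAsset:
    name: str
    use: str                 # tls, code-signing, vpn, sso, api, cert-automation, ...
    algorithms: list         # primitives the asset depends on
    validity_days: int       # key/cert lifetime; long-lived trust is slow to rotate
    external: bool           # reachable from outside the organisation
    hard_rollback: bool      # e.g. firmware-pinned roots or appliances
    vendor_controlled: bool  # crypto cannot change independently of the product lifecycle
    status: str = "inventoried"  # inventoried | remediated | blocked


def classify(asset):
    """Return 'vulnerable', 'hybrid' (classical + PQ), or 'safe'."""
    algs = set(asset.algorithms)
    vulnerable = algs & QUANTUM_VULNERABLE
    pq = algs & PQ_SAFE
    if vulnerable and pq:
        return "hybrid"      # acceptable interim state before a full cutover
    if vulnerable:
        return "vulnerable"
    return "safe"            # symmetric-only or already post-quantum


def priority_score(asset):
    """Higher means migrate sooner. Weights are illustrative assumptions."""
    cls = classify(asset)
    if cls == "safe":
        return 0
    score = 1 if cls == "hybrid" else 4
    if asset.validity_days >= 365:
        score += 3           # long-lived trust: harvest-now-decrypt-later exposure
    if asset.external:
        score += 2
    if asset.hard_rollback:
        score += 2
    return score


def owner_for(asset):
    """Map each asset to one accountable owner track (hypothetical model)."""
    if asset.use in ("tls", "vpn", "cert-automation"):
        return "platform-remediation"
    if asset.use in ("sso", "code-signing"):
        return "identity-pki"
    return "application-readiness"


def migration_plan(assets):
    """Ordered work queue of (score, name, classification, owner, vendor-dependent)."""
    rows = [(priority_score(a), a.name, classify(a), owner_for(a), a.vendor_controlled)
            for a in assets]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def governance_metrics(assets):
    """Program reporting counts: inventoried, remediated, vendor-dependent, blocked."""
    return {
        "inventoried": len(assets),
        "vulnerable": sum(classify(a) == "vulnerable" for a in assets),
        "remediated": sum(a.status == "remediated" for a in assets),
        "vendor_dependent": sum(a.vendor_controlled and classify(a) != "safe" for a in assets),
        "blocked": sum(a.status == "blocked" for a in assets),
    }


# Constructed sample inventory; none of these describe a real system.
SAMPLE_ASSETS = [
    CryptoAsset("public-api-tls", "tls", ["RSA", "AES-256"], 90, True, False, False),
    CryptoAsset("root-ca-offline", "cert-automation", ["RSA"], 3650, False, True, False, "blocked"),
    CryptoAsset("firmware-signing", "code-signing", ["ECDSA"], 1825, True, True, True, "blocked"),
    CryptoAsset("sso-saml-signing", "sso", ["RSA"], 730, False, False, False),
    CryptoAsset("internal-grpc-mtls", "api", ["ECDH", "ML-KEM", "AES-256"], 30, False, False, False, "remediated"),
    CryptoAsset("backup-encryption", "storage", ["AES-256", "HMAC-SHA256"], 365, False, False, False, "remediated"),
    CryptoAsset("site-to-site-vpn", "vpn", ["DH", "AES-256"], 365, True, False, True),
]

if __name__ == "__main__":
    for row in migration_plan(SAMPLE_ASSETS):
        print(row)
    print(governance_metrics(SAMPLE_ASSETS))
```

Run as a script, the plan lists the firmware-signing key first (quantum-vulnerable, long-lived, externally exposed, hard to roll back, and vendor-controlled), which is exactly the kind of asset that blocks a program until a roadmap commitment or compensating control is in place; the metrics dictionary gives the four counts the paragraph above asks for, so a status report can be generated from the same inventory that drives the work queue.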
Common Variations and Edge Cases
Tighter crypto migration control often increases short-term operational burden, requiring organisations to balance faster risk reduction against change-window constraints and dependency management. That tradeoff becomes sharper in regulated environments, where certificate pinning, audit evidence, and vendor attestations can slow remediation even when leadership agrees with the risk.
Best practice is evolving on how much to centralise the transition. Some organisations run PQC as a central architecture program, while others embed it into existing platform or identity roadmaps. There is no universal standard for this yet, but the strongest programs treat PQC as a portfolio issue, not a one-off engineering task. They also connect it to broader identity hygiene, since weak secret management and opaque service-account ownership can undermine any cryptographic improvement.
For practitioners, the common edge case is vendor lock-in: if a core platform cannot support post-quantum readiness, the project may pause even when internal teams are aligned. In that case, the right move is often to document the dependency, negotiate roadmap commitments, and reduce exposure with compensating controls rather than waiting for a perfect end state.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.IM-1 | PQC stalls when crypto assets are not inventoried and understood. |
| NIST AI RMF | | Program governance and accountability are required to execute cross-team transitions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Long-lived secrets and identity dependencies often block crypto modernization. |
Build a complete cryptographic asset inventory and track migration progress as part of continuous improvement.
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org