
Post-Quantum Cryptography

By NHI Mgmt Group Updated May 28, 2026 Domain: Authentication, Authorisation & Trust

Cryptographic algorithms designed to remain secure against attacks from sufficiently powerful quantum computers. In practice, PQC is a migration problem as much as an algorithm problem because organisations must replace trust anchors, certificates, and secrets without breaking identity-dependent systems.

Expanded Definition

Post-quantum cryptography, or PQC, is the class of public-key and related algorithms intended to resist attacks from quantum computers. In NHI security, the term matters less as a theoretical breakthrough and more as a migration discipline that touches certificates, key exchange, signing, and every system that depends on machine identities.

Vendors differ on whether PQC means only the new quantum-resistant algorithms (NIST has standardised ML-KEM, ML-DSA and SLH-DSA in FIPS 203, 204 and 205) or also the surrounding migration controls, and no single standard fixes the term's scope. Practitioners usually distinguish PQC from crypto-agility: PQC is the destination, while crypto-agility is the capability to switch algorithms without redesigning identity workflows. That distinction is critical for NHI systems because service accounts, workload certificates, and API authentication paths often have long replacement cycles, so an algorithm change must be deployable through the existing issuance and rotation machinery rather than by hand. For standards context, PCI DSS v4.0 reinforces the broader expectation that strong cryptography and sound key management must be maintained even as algorithms evolve.

The most common misapplication is treating PQC as a pure encryption upgrade: teams swap an algorithm in one library but leave certificate lifetimes, trust stores, and automated rotation workflows unchanged, so quantum-vulnerable certificates keep being issued under the same roots with the same long validity periods.

Examples and Use Cases

Implementing PQC rigorously often introduces compatibility and performance constraints, requiring organisations to weigh long-term cryptographic resilience against short-term application and hardware costs.

  • Reissuing workload certificates with hybrid or PQC-capable trust chains, and moving the service-to-service TLS key exchange to a hybrid (classical plus post-quantum) key agreement, so that traffic recorded today cannot be decrypted later (harvest-now, decrypt-later) and the certificates themselves cannot be forged once a quantum-capable adversary exists.
  • Updating code-signing pipelines for agents and automation tools so signed binaries remain trustworthy when signature algorithms are eventually retired.
  • Hardening API clients that depend on long-lived secrets by combining PQC readiness with better secret hygiene, as described in the Ultimate Guide to NHIs.
  • Testing identity federation flows where certificates, tokens, and mutual TLS are chained together, then validating whether fallback paths exist if a legacy algorithm is deprecated.
  • Planning procurement and lifecycle policy so new NHI platforms can adopt cryptographic agility before a forced migration creates outage risk.

Current guidance from the IETF and NIST shows that migration strategy matters as much as algorithm selection, because PQC adoption will be uneven across stacks and trust boundaries. Teams that ignore dependency mapping often discover that one legacy signing service can block an otherwise ready workload estate.
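The dependency mapping this paragraph describes, and the inventory step behind the reissuance and fallback-testing items in the list above, is something a team can script. The following Go program is an added example, not code from the page or from NHI Mgmt Group: it mints a constructed three-certificate estate (a long-lived RSA root, an ECDSA issuing CA and a 90-day Ed25519 workload leaf), classifies each certificate's public-key algorithm as quantum-vulnerable or unrecognised, and flags every certificate that is both quantum-vulnerable and still valid after a migration deadline. The deadline (2035-01-01), the certificate names and the lifetimes are assumptions made for the example; only Go's standard library is used.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MigrationDeadline is a hypothetical cut-off after which no NHI trust anchor
// may still rely on a quantum-vulnerable public-key algorithm.
var MigrationDeadline = time.Date(2035, 1, 1, 0, 0, 0, 0, time.UTC)

// Finding is one row of the certificate inventory.
type Finding struct {
	Subject  string
	SigAlg   string
	NotAfter time.Time
	Verdict  string // "quantum-vulnerable" or "unrecognised (review manually)"
	Blocker  bool   // quantum-vulnerable AND still valid after the deadline
}

// classify maps the certificate's public-key algorithm to a verdict. RSA, DSA,
// ECDSA and Ed25519 all rest on factoring or discrete logarithms, which Shor's
// algorithm breaks. Anything the parser does not recognise (including a future
// PQ OID) is surfaced for manual review rather than assumed safe.
func classify(c *x509.Certificate) (verdict string, vulnerable bool) {
	switch c.PublicKeyAlgorithm {
	case x509.RSA, x509.DSA, x509.ECDSA, x509.Ed25519:
		return "quantum-vulnerable", true
	default:
		return "unrecognised (review manually)", false
	}
}

// Inventory records, for every certificate, whether it will outlive the
// deadline while still depending on a quantum-vulnerable algorithm.
func Inventory(certs []*x509.Certificate, deadline time.Time) []Finding {
	out := make([]Finding, 0, len(certs))
	for _, c := range certs {
		verdict, vulnerable := classify(c)
		out = append(out, Finding{
			Subject:  c.Subject.String(),
			SigAlg:   c.SignatureAlgorithm.String(),
			NotAfter: c.NotAfter,
			Verdict:  verdict,
			Blocker:  vulnerable && c.NotAfter.After(deadline),
		})
	}
	return out
}

// Blockers keeps only the certificates that must be reissued before the
// deadline: the legacy links that would hold back an otherwise ready estate.
func Blockers(findings []Finding) []Finding {
	var b []Finding
	for _, f := range findings {
		if f.Blocker {
			b = append(b, f)
		}
	}
	return b
}

// selfSigned mints a self-signed certificate for the constructed estate.
func selfSigned(key crypto.Signer, cn string, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleEstate constructs a typical NHI chain. Names and lifetimes are made up
// for this example: the root outlives the deadline, the issuing CA does not,
// and the workload leaf is short-lived.
func SampleEstate() ([]*x509.Certificate, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	_, edKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	specs := []struct {
		key      crypto.Signer
		cn       string
		notAfter time.Time
	}{
		{rsaKey, "nhi-root-ca", time.Date(2041, 1, 1, 0, 0, 0, 0, time.UTC)},
		{ecKey, "nhi-issuing-ca", time.Date(2032, 1, 1, 0, 0, 0, 0, time.UTC)},
		{edKey, "payments-worker.svc", time.Now().AddDate(0, 0, 90)},
	}
	var certs []*x509.Certificate
	for _, s := range specs {
		c, err := selfSigned(s.key, s.cn, s.notAfter)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	certs, err := SampleEstate()
	if err != nil {
		panic(err)
	}
	for _, f := range Inventory(certs, MigrationDeadline) {
		fmt.Printf("%-24s %-14s expires %s  %-30s blocker=%v\n",
			f.Subject, f.SigAlg, f.NotAfter.Format("2006-01-02"), f.Verdict, f.Blocker)
	}
}
```

To run this against a real estate, replace SampleEstate with certificates parsed out of trust stores, secret managers and workload identity files. The default branch of classify is deliberate: an allow-list of "safe" algorithms would silently pass a malformed or unexpected certificate, so anything unrecognised is reported for review instead.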

Why It Matters in NHI Security

PQC is directly relevant to NHI security because non-human identities generate, present, and validate secrets at machine speed. Two distinct exposures follow. If an adversary records encrypted traffic today and decrypts it later with quantum capability (harvest-now, decrypt-later), every API key, token, or credential that crossed that connection is exposed; and certificates and signed artifacts whose validity outlives their algorithm's crypto era become forgeable, not merely readable. The Ultimate Guide to NHIs notes that 71% of NHIs are not rotated within recommended time frames, which magnifies both problems because old credentials and old algorithms tend to persist together.

That persistence is why PQC cannot be treated as a laboratory project. It intersects with access governance, device identity, secrets management, and incident response. If an organisation already struggles with certificate sprawl or unmanaged service accounts, quantum readiness will fail at the exact point where identity inventory is weakest. For control expectations around resilient authentication and key lifecycle discipline, PCI DSS v4.0 is a useful external reference even when the environment is not payment-related.

Organisations typically encounter PQC as an urgent issue only after a crypto deprecation, a major certificate failure, or an identity incident forces mass reissuance, at which point the migration becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-02 | PQC migration depends on managing machine secrets, certificates, and rotation safely.
NIST Zero Trust (SP 800-207) | - | Zero Trust depends on strong identity and encrypted trust pathways that PQC will reshape.
NIST CSF 2.0 | PR.DS | PQC aligns with protecting data in transit and maintaining cryptographic resilience.

Map cryptographic transitions to PR.DS and track where legacy algorithms still protect NHI traffic.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 28, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org