Many post-quantum migration plans begin with public websites and customer-facing TLS. That is understandable, but it misses a large part of the real backlog. Machine identities are everywhere: service certificates, workload identities, API clients, signing keys, device credentials, Kubernetes secrets, VPN profiles, CI tokens, and HSM-backed keys.
They are also easy to underestimate because they rarely belong to one team. Platform engineering owns some. Security owns some. Vendors issue some. Product teams create some quietly because a release needs to ship.
Why machine identity matters for PQC
Post-quantum migration is not only about changing algorithms. It is about knowing which systems trust which keys, what breaks if a certificate format changes, how long a credential lives, and whether rotation can happen without a service outage.
Machine identity debt becomes visible when a team asks a basic question and cannot answer it: where do we still rely on RSA or elliptic-curve cryptography for system-to-system trust?
Build the inventory in layers
- External certificates: websites, APIs, partner endpoints, gateways, and customer-visible services.
- Internal certificates: service mesh, mTLS, databases, brokers, administrative planes, and observability tooling.
- Signing identities: code signing, container signing, firmware signing, package repositories, and document workflows.
- Hardware-backed keys: HSM profiles, TPM-backed credentials, smart cards, and device roots of trust.
- Vendor-controlled identities: managed services where the algorithm decision sits outside your direct control.
The metric that helps
Do not start with a single percentage called "quantum-ready". It will hide more than it reveals. Use a smaller metric first: the percentage of machine identities with a known owner, expiry date, algorithm, key length, issuing system, rotation path, and business criticality. If that number is low, migration planning is still guesswork.
Where to begin
Pick the identities that protect long-lived confidential data, privileged administration, software updates, and cross-boundary trust. Those systems have the strongest reason to move early because failure is expensive and migration is rarely instant.
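As an added example (not part of the original article), the following Python script computes the coverage metric from the previous section over a constructed inventory and then applies this section's prioritisation: classical, high-criticality identities that are already fully described are the ones that can move first. The seven required attributes come from the text; the set of algorithms treated as quantum-vulnerable, the layer names and every sample value are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# The seven attributes the metric requires for every identity (from the article).
REQUIRED = ("owner", "expiry", "algorithm", "key_length",
            "issuing_system", "rotation_path", "criticality")
# Assumed set of public-key algorithms whose security rests on factoring or discrete logs.
CLASSICAL = {"RSA", "ECDSA", "ECDH", "ED25519", "X25519"}
@dataclass
class MachineIdentity:
    name: str
    layer: str                          # external, internal, signing, hardware, vendor
    owner: Optional[str] = None
    expiry: Optional[str] = None        # ISO date
    algorithm: Optional[str] = None
    key_length: Optional[int] = None    # bits
    issuing_system: Optional[str] = None
    rotation_path: Optional[str] = None
    criticality: Optional[str] = None   # low, medium, high

    def is_fully_described(self) -> bool:
        return all(getattr(self, f) not in (None, "") for f in REQUIRED)

    def quantum_vulnerable(self) -> bool:
        return (self.algorithm or "").upper() in CLASSICAL

def coverage_percent(identities) -> float:
    """Percentage of identities for which every required attribute is known (0.0 if none)."""
    known = sum(i.is_fully_described() for i in identities)
    return round(100.0 * known / len(identities), 1) if identities else 0.0

def classical_gaps_by_layer(identities) -> dict:
    """Per layer: (count still on RSA/EC, how many of those are not yet fully described)."""
    out = {}
    for i in identities:
        if i.quantum_vulnerable():
            vuln, unknown = out.get(i.layer, (0, 0))
            out[i.layer] = (vuln + 1, unknown + (not i.is_fully_described()))
    return out

def early_movers(identities) -> list:
    """High-criticality classical identities that are visible, owned and movable now."""
    return sorted(i.name for i in identities if i.quantum_vulnerable()
                  and i.criticality == "high" and i.is_fully_described())

# Constructed sample inventory; every name and value is illustrative.
SAMPLE = [
    MachineIdentity("api-gw-tls", "external", "platform", "2026-03-01", "ECDSA", 256, "public-ca", "acme-renew", "high"),
    MachineIdentity("mesh-mtls-root", "internal", "platform", "2027-01-01", "RSA", 4096, "internal-ca", None, "high"),
    MachineIdentity("firmware-signing", "signing", "product-sec", "2030-06-30", "RSA", 3072, "hsm-prod", "dual-sign", "high"),
    MachineIdentity("ci-deploy-token", "internal", None, None, "ED25519", 256, "ci-server", None, None),
    MachineIdentity("vendor-mq-cert", "vendor", "vendor-ops", "2026-09-15", "RSA", 2048, "vendor-pki", "vendor-managed", "medium"),
]
```

On the sample, coverage is 60%, the internal layer carries two classical identities that are both incompletely described, and only the gateway certificate and the firmware signing key qualify as early movers.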
The right 2026 goal is not to replace every machine identity at once. It is to make sure each important identity is visible, owned, and technically movable. Once that is true, post-quantum transition becomes an engineering program instead of a scavenger hunt.
Further reading: CISA Post-Quantum Cryptography Initiative, NIST PQC project, NIST CSWP 39 on crypto agility.