This morning the U.S. government announced it is awarding $2 billion in grants to nine quantum computing companies and taking equity stakes in return.
Let that second part sink in. This isn't a research grant. When a government takes equity, it's making a strategic infrastructure bet. It's saying: we believe this technology is coming, it matters for national security, and we want to be positioned when it arrives.
For most security teams, quantum computing has been a "someday" problem. A future threat that lives on the roadmap but never quite makes it to the top of the priority list. Today's announcement should change that calculation.
Not because quantum computers can break encryption today. They can't. But because the people who understand the technology best, including the U.S. Commerce Department, just told you they're treating it as critical national infrastructure. And that means the timeline is compressing faster than most organizations are planning for.
What is post-quantum cryptography?
Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from quantum computers. Most encryption in use today, including RSA and elliptic curve cryptography (ECC), relies on mathematical problems that quantum computers will eventually be able to solve efficiently. NIST published its first finalized post-quantum standards in August 2024, including FIPS 203 (CRYSTALS-Kyber), FIPS 204 (CRYSTALS-Dilithium), and FIPS 205 (SPHINCS+). Organizations are now expected to begin migrating to these algorithms ahead of the point at which current encryption becomes vulnerable.
PQC migration is not a single event. It is a multi-year program that starts with understanding what cryptographic assets an organization currently has, a process known as crypto asset inventory and discovery.
The wrong question most organizations are asking
When security teams do think about post-quantum cryptography, the conversation almost always goes straight to algorithm replacement. NIST published its post-quantum standards. We need to swap out RSA and ECC. How do we do that?
That's the right question eventually. But it's the second question, not the first.
The first question is harder: where does cryptographic trust actually live in your environment right now?
Certificates. Machine identities. Service accounts. Embedded cryptography in applications and devices. API keys. AI systems inheriting permissions from the accounts that created them. The cryptographic dependencies between systems that nobody fully mapped when they were built and nobody has mapped since.
Most organizations don't have a complete answer to that question. And you cannot replace what you cannot see.
What is crypto asset inventory?
Crypto asset inventory is the process of discovering and cataloging every cryptographic asset in an organization's environment, including certificates, keys, machine identities, service accounts, embedded cryptographic protocols, and the systems that depend on them.
NIST and CISA have both identified crypto asset inventory and discovery as the foundational first step in quantum readiness, ahead of algorithm replacement or migration planning. Without a complete and continuously updated inventory, organizations cannot accurately assess their cryptographic exposure, prioritize remediation, or build a credible PQC migration timeline.
A crypto asset inventory is not a one-time audit. It is a continuous visibility capability, because the cryptographic attack surface changes every time a new service is deployed, a new machine identity is created, or an AI agent inherits access from the account that spun it up.
The threat that is already active
Here is the part of the post-quantum conversation that does not get enough attention: you do not have to wait for a quantum computer to break encryption to have a problem.
Security researchers and intelligence agencies assess that adversaries are collecting encrypted data today with the explicit intention of decrypting it later. This is the harvest now, decrypt later threat, and both CISA and the NSA have publicly referenced it as an active concern. Nation-state actors with long time horizons and significant resources have every incentive to target long-lived sensitive data, including government communications, financial records, healthcare data, and intellectual property.
If your organization handles any data that would still be sensitive in five to ten years, that data may already be at risk. Not from a quantum attack today, but from an attacker who is patient.
What crypto inventory means in practice
A complete crypto asset inventory surfaces:
Every certificate in the environment, including what algorithm it uses, when it expires, what systems depend on it, and whether it uses a quantum-vulnerable algorithm.
Every machine identity, including service accounts, API keys, and workload credentials, with context about what they can access, who created them, and whether they are still actively needed.
Every cryptographic dependency between systems, including undocumented dependencies that were never formally recorded.
Every AI agent operating in the environment and the credentials it has inherited, including whether those credentials carry cryptographic trust that would need to be migrated.
That map is the starting point for any credible PQC migration plan. Without it, migration planning is guesswork.
Why the timeline matters more than most people think
Post-quantum migration is not a fast process. Replacing cryptographic infrastructure across a large enterprise environment takes years. You have to identify everything, assess what is most vulnerable, prioritize based on sensitivity and exposure, test replacements without breaking dependencies, and execute in a sequence that keeps systems running throughout.
Organizations that start that process with a complete inventory will have options. Organizations that start without one will be scrambling.
The government's $2 billion investment today is a signal about where the technology is heading and how fast. IBM alone is receiving $1 billion to build a foundry for quantum computing chips. D-Wave and Rigetti are each receiving approximately $100 million in funding in exchange for equity. These are not research bets. These are infrastructure bets.
The question for security teams is not whether to start building PQC readiness. It is whether you can see enough of your environment to know where to begin.
How Axiad Mesh supports PQC readiness
Axiad is an Identity Visibility and Intelligence Platform (IVIP) designed to surface the full identity and cryptographic trust fabric across an organization's environment, including human identities, machine identities, certificates, and AI agents that are increasingly inheriting access across enterprise systems.
Axiad Mesh is a crypto asset inventory and discovery platform that provides the continuous visibility layer NIST and CISA identify as the essential first step in PQC readiness. Unlike point-in-time audit tools, Axiad Mesh continuously monitors the cryptographic environment, surfacing new exposures as they appear and helping security teams understand what matters most and what needs to be addressed first.
For organizations beginning their PQC readiness journey, Axiad Mesh provides:
Continuous discovery of certificates, machine identities, and cryptographic dependencies across cloud, on-premises, and hybrid environments.
Risk scoring that identifies which cryptographic assets carry the highest exposure, including assets using quantum-vulnerable algorithms.
Prioritized remediation guidance that routes findings to the systems and teams responsible for acting on them.
Visibility into AI agent identities and the cryptographic credentials they inherit, an emerging exposure category most inventory tools were not built to handle.
You can assess your organization's cryptographic exposure today with a free risk score at discover.axiad.io. It takes about two minutes and gives you a concrete starting point for your PQC readiness conversation.
Frequently asked questions
What is the first step in post-quantum cryptography readiness?
NIST and CISA both identify crypto asset inventory and discovery as the foundational first step, before algorithm replacement or migration planning. Organizations need to know what cryptographic assets they have, where they live, and what systems depend on them before they can build a credible migration plan.
What is the harvest now, decrypt later threat?
Harvest now, decrypt later refers to a strategy in which adversaries collect encrypted data today with the intention of decrypting it once quantum computers become capable of breaking current encryption. Both CISA and the NSA have publicly identified this as an active concern for organizations handling long-lived sensitive data, including government records, financial data, healthcare information, and intellectual property.
What is a crypto asset inventory?
A crypto asset inventory is a complete, continuously updated catalog of every cryptographic asset in an organization's environment, including certificates, keys, machine identities, service accounts, embedded cryptographic protocols, and the AI agents that inherit cryptographic credentials. It is the starting point for any PQC migration program.
How does Axiad Mesh help with post-quantum readiness?
Axiad Mesh is an Identity Visibility and Intelligence Platform that provides continuous crypto asset discovery and inventory across cloud, on-premises, and hybrid environments. It surfaces certificates using quantum-vulnerable algorithms, identifies machine identities and AI agents with cryptographic exposure, and provides risk-prioritized guidance to help security teams understand what needs to be addressed first. For a deeper look at how Axiad Mesh differs from ISPM and CIEM tools, see how we answered a CISO who asked us the same question.
What are the NIST post-quantum cryptography standards?
NIST finalized its first post-quantum cryptographic standards in August 2024: FIPS 203 (based on CRYSTALS-Kyber, for key encapsulation), FIPS 204 (based on CRYSTALS-Dilithium, for digital signatures), and FIPS 205 (based on SPHINCS+, for digital signatures). Organizations subject to federal compliance requirements should be actively planning migration to these standards.
How long does post-quantum migration take?
PQC migration across a large enterprise environment typically takes several years. The process involves inventory and discovery, exposure assessment, prioritization, testing, and phased execution. Organizations that begin with a complete crypto asset inventory will have significantly more time and flexibility to execute migration before quantum threats become active.
Axiad is an Identity Visibility and Intelligence Platform (IVIP) focused on helping organizations operationalize identity risk at scale, including readiness for the post-quantum transition. Learn more at axiad.com or start your free cryptographic risk assessment at discover.axiad.io. Or explore how Gartner analysts view the IVIP category and what it means for your identity attack surface.