How a large national insurer approached cryptographic visibility at enterprise scale

The company’s cryptography security leader is candid about where things stood. The organization had over 1.2 million cryptographic elements across the enterprise. That number, he noted at RSA Conference 2026, is probably an undercount - because like most large organizations, the company didn’t have a clean, authoritative picture of what it had, where it lived, or who was responsible for it.


The inventory problem was bigger than most teams expected. It wasn't just certificates issued by known CAs. It was self-signed certs, developer shadow IT, third-party libraries, platform-baked crypto buried in legacy systems older than a decade. Most existing tools could tell you how much crypto you had. They couldn't tell you where it was, who owned it, or what your actual risk posture looked like.

Two requirements emerged as non-negotiable. First, no additional agents - the company already had extensive agent deployment and wasn’t willing to add another layer. Second, the solution had to be actionable: not just a map, but a path to migration and remediation that included the human side of the problem - who owns what, who needs to act, and in what order.

The security leader framed the core insight clearly at RSA: this isn’t a technology problem. It’s a people problem. Cryptographic assets are distributed across an organization. They’re owned by different teams, embedded in different platforms, governed by different policies. If you discover a vulnerable asset but can’t identify the single person responsible for it, you can’t fix it without creating outages.


The post-quantum threat made urgency concrete. When a cryptographic algorithm is broken, the fallback option of "allow the weaker algorithm" disappears. You're left with one choice: shut it down. At scale, that's an existential problem - unless you've already mapped ownership, planned migration sequences, and built the organizational alignment to act.

The company is now two years into its crypto modernization program, running seven parallel workstreams. The visibility work - anchored by Axiad Mesh - sits at the center of it, feeding the migration planning, the algorithm agility work, and the third-party vendor pressure campaign.


The security leader also made a point about organizational politics that resonated with the RSA audience: the carrot that got other teams to engage wasn’t fear of quantum. It was automation. When you can show a platform team that the end state removes cert rotation burden from their plate, they become partners in the engineering work rather than resistors to it.


The FAIR integration adds a financial translation layer that makes the case at the executive level. Instead of "we have crypto assets that need to be fixed," the conversation becomes "here is the projected cost to the business if we don't act, in terms that insurance companies recognize."