Key takeaways
- Google’s 2029 quantum-safe deadline establishes a 3-5 year PQC migration window. Organizations must begin migration efforts now to prevent operational disruption and compliance gaps.
- Adversaries are harvesting encrypted data today for decryption once quantum computers mature.
- Most organizations lack visibility into cryptographic assets and documented PQC readiness roadmaps, despite knowing the 2029 deadline.
- Building flexibility to swap algorithms without infrastructure redesigns is critical for quantum readiness.
- Start with a cryptographic asset inventory to understand your migration scope and dependencies.
Remember when “the perimeter” meant a firewall? Then came zero trust, then identity-first security, and we’ve spent the better part of a decade rebuilding our defenses around the principle that identity is the new perimeter.
Well, here’s the uncomfortable truth: every one of those identities, human, machine, workload, AI agent, is anchored in cryptography that’s running on borrowed time.
Google’s 2029 PQC Target
CNN ran a piece on Q-Day, the moment a quantum computer can break current encryption algorithms that protect almost everything.
Two numbers from the article stood out: Google is now targeting 2029 to be quantum-safe. A recent Google co-authored paper showed that breaking elliptic curve cryptography may need roughly 20x fewer qubits than we thought just months ago. Yet, per data cited in the piece based on a report from McKinsey, over 90% of businesses still don’t have a roadmap for PQC migration.
Let’s digest that. The threat just accelerated. The window just shrank. And the vast majority of organizations haven’t started building a roadmap or migration path.
This isn’t a hypothetical scenario; it’s an impending reality. And like every major shift before it, the cost of being late will be devastating.
PQC Migration Timelines: Why 2029 Isn’t as Far Away as It Seems
Most organizations assume they have until 2035 or later to worry about quantum threats. Google’s 2029 target changes that calculation entirely. Factor in supply chain delays, legacy system dependencies, and organizational readiness gaps, and the real migration window is much tighter.
| Phase | Timeline | What Needs to Happen |
| Discovery & Visibility | Now – 2027 | Inventory all cryptographic assets across the infrastructure |
| Planning & Standards Alignment | 2027 – 2028 | Align with NIST PQC standards, evaluate vendors, and build a roadmap |
| Pilot & Testing | 2028 – 2029 | Test PQC algorithms in non-critical environments, and validate compatibility |
| Full Migration | 2029+ | Deploy PQC across all systems, retire legacy crypto |
Post-Quantum Cryptography Breaks Zero Trust
A few things every security leader should be internalizing right now:
- “Harvest now, decrypt later” is happening today. Adversaries are siphoning encrypted traffic and sitting on it, patiently. Anything with a long confidentiality shelf life, like IP, source code, patient records, M&A data, government comms, biometrics, is already mortgaged against a future we can’t time.
- Identity is based on cryptography. Every certificate, every signed token, every machine identity, every API authentication, every code signature – it all rests on RSA or ECC. When those break, identity breaks. And when identity breaks, zero trust breaks with it.
- You can’t migrate what you can’t see. Most organizations can’t produce an accurate inventory of where their cryptographic assets live across certificates, code-signing pipelines, IoT firmware, HSMs, SaaS, and legacy apps. That visibility gap is 50% of the migration timeline.
- The real Q-Day may happen quietly. State-backed labs don’t issue press releases. As the CNN piece puts it, “covert successes would remain invisible for some time.” In fact, it may already be a reality today.
Here’s the shift in mindset we need to bring about: crypto-agility is the new zero trust. It’s the architectural principle that lets us swap algorithms without re-architecting the world every time a standard moves. NIST finalized its first PQC standards back in 2024. The algorithms exist. The runway doesn’t.
How AppViewX Enables Your PQC Migration
At AppViewX, we’re working with customers on exactly this problem, bringing visibility, automation, and crypto-agility to certificate and machine identity lifecycles so PQC migration becomes a managed program, not a 2029 emergency. Because the organizations that make it through this transition won’t be the ones who moved fastest at the end – they’ll be the ones who started earliest.
The organizations that will navigate this transition successfully aren’t the ones racing to the finish line in 2029. They’re the ones who started building visibility and crypto-agility into their infrastructure today. That means taking stock of where your cryptographic assets actually live, understanding your migration dependencies, and establishing a roadmap that treats PQC not as a 2029 emergency, but as a managed evolution of your security architecture.
Ready to assess your PQC readiness? Explore how AppViewX helps security leaders gain visibility into their certificate and machine identity landscape.
Tags
About the Author
Rohan Ramesh
Director of Product Management, AppViewX
Product leader who has worked with global teams to successfully launch and scale enterprise products in cyber security, networking and cloud. Rohan is experienced in leading cross functional teams and managing multiple product portfolios.
