Post-Quantum Cryptography in Practice: Insights from NIST’s 6th PQC Conference
January 9, 2026 • SafeLogic
The transition to post-quantum cryptography (PQC) has moved decisively from theory to execution. With NIST’s post-quantum cryptography standards now published, organizations are no longer debating if PQC matters, but how to adopt it responsibly, pragmatically, and at scale.
At NIST’s 6th Post-Quantum Cryptography Standardization Conference, SafeLogic CEO Evgeny Gervis participated in a series of Q&A discussions addressing the real-world challenges organizations face as they begin this transition. The questions and answers reflect what security leaders, architects, and executives are actively grappling with today.
Below are key takeaways from those discussions, organized to help organizations understand where PQC adoption stands, how to approach it, and what it takes to make progress.
What’s Been Surprising and Hard About PQC Migration
One of the most notable shifts since the release of PQC standards has been the level of real-world engagement.
Evgeny notes that following the publication of standards, interest in PQC increased rapidly. Technology vendors and cybersecurity providers that previously monitored PQC from a distance are now actively testing and integrating post-quantum implementations. PQC has become a regular topic in customer and partner discussions — something far less common before the standards were finalized.
At the same time, a persistent challenge remains: skepticism. Despite evident progress in quantum computing research and visible vendor roadmaps, some leaders continue to question whether quantum computers will meaningfully impact encryption or whether the urgency of PQC is overstated.
This disconnect is increasingly difficult to justify. Long-lived, high-value data must be protected against future compromise, and leadership teams ultimately bear responsibility for that risk. Treating PQC as hypothetical ignores both technical progress and the realities of long-term data exposure.
What Does Success Look Like in PQC Migration Today?
Success in PQC migration does not begin with perfection. It begins with action.
Evgeny emphasizes that while planning and discovery are important, organizations must move beyond treating PQC as a large, linear waterfall project. Waiting to complete every assessment before acting often results in inertia rather than progress.
Instead, PQC should be approached iteratively, with organizations aiming to become incrementally more quantum-resilient over time. Each step forward reduces exposure and builds momentum.
There are also practical steps organizations can take today. Securing common cryptographic touchpoints, such as TLS connections, can significantly reduce “harvest now, decrypt later” risk and deliver measurable improvements without waiting for full-scale transformation.
How to Prioritize PQC Migration
A common question is where to start.
Evgeny recommends beginning with an organizational threat model rather than a technology-first approach. This includes understanding:
- Where sensitive data resides
- How long that data must remain protected
- Which cryptographic controls are currently relied upon
This exercise is valuable regardless of organizational structure or geography. By mapping data sensitivity and cryptographic dependencies, organizations can prioritize PQC migration based on risk rather than convenience.
This risk-based approach ensures that early efforts focus on systems where quantum compromise would have the greatest impact, while also improving overall visibility into cryptographic posture.
What Tools and Teams Are Needed for PQC Migration
PQC migration is often described as unglamorous but essential.
Evgeny compares it to infrastructure plumbing: rarely noticed until something breaks, but critical to long-term stability. No single vendor can deliver an end-to-end PQC migration, and a successful transition requires collaboration across tools, teams, and partners.
Organizations typically need a combination of:
- Cryptographic discovery and assessment
- Planning and integration support
- Quantum-resistant cryptographic libraries
- Deployment and operational capabilities
- Supporting infrastructure such as HSMs and certificate lifecycle management
Just as importantly, organizations should focus on integrating PQC into existing environments rather than attempting wholesale replacement. Building crypto agility — the ability to adapt cryptography without repeated disruption — makes future transitions significantly easier.
Hybrid Mode in PQC: Flexibility vs. Complexity
Hybrid cryptographic approaches, such as those used in TLS, are a natural transition path for many organizations.
Evgeny explains that hybrid mode introduces both benefits and tradeoffs. While it can provide defense-in-depth and interoperability during transition, it also adds complexity that must be carefully managed.
From a cryptographic module perspective, supporting hybrid, pure PQC, and configurable modes enables organizations to align deployment with policy, compliance requirements, and risk tolerance. Standards and frameworks such as FIPS, CMVP, and CNSA 2.0 play an important role in shaping these decisions.
Ultimately, hybrid adoption is not a one-size-fits-all choice. It must be driven by policy and context rather than default assumptions.
Supporting Legacy Systems Without Inviting Downgrade Attacks
Legacy systems remain a reality for most organizations, and supporting them securely is often a business decision rather than a purely technical one.
Evgeny highlights the importance of policy-driven cryptographic controls, particularly the ability to make decisions on a per-connection basis. For example, TLS configurations can be adjusted depending on whether an organization controls the endpoint or must interoperate with external systems.
In some cases, temporary downgrades may be necessary to maintain operations, but they should be treated as a risk-management decision—not a default state. Mitigation strategies, such as proxying or tunneling, can help reduce exposure when full remediation is not immediately feasible.
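One way to express a per-connection key-exchange policy with Go's `crypto/tls` is sketched below. This is an added example, not SafeLogic's code or anything presented at the conference. The `10.0.0.0/8` "controlled" network, the function names, and the verdict labels are assumptions, and negotiating the hybrid group requires Go 1.24 or later.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"slices"
)

// Hybrid X25519MLKEM768 group, TLS codepoint 0x11EC (tls.X25519MLKEM768 in Go 1.24+).
const hybridGroup = tls.CurveID(0x11EC)
// Constructed policy (assumption): peers inside this network are endpoints we control.
var _, controlledNet, _ = net.ParseCIDR("10.0.0.0/8")
func isControlled(peer string) bool { return controlledNet.Contains(net.ParseIP(peer)) }

// groupsFor returns the key-exchange groups a peer is allowed to negotiate.
func groupsFor(peer string) []tls.CurveID {
	if isControlled(peer) {
		return []tls.CurveID{hybridGroup} // no classical group to fall back to
	}
	return []tls.CurveID{hybridGroup, tls.X25519, tls.CurveP256}
}

// classify labels a ClientHello by the groups it offered, for the connection log.
func classify(peer string, offered []tls.CurveID) string {
	if slices.Contains(offered, hybridGroup) {
		return "hybrid"
	}
	if isControlled(peer) {
		return "no-common-group" // handshake fails: controlled peers get hybrid only
	}
	return "classical-exception" // permitted, but recorded as a risk decision
}

// perConnection plugs the policy into tls.Config.GetConfigForClient.
func perConnection(base *tls.Config) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	return func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
		host, _, err := net.SplitHostPort(chi.Conn.RemoteAddr().String())
		if err != nil {
			return nil, err // fail closed when the peer address cannot be parsed
		}
		fmt.Printf("peer=%s key_exchange_offer=%s\n", host, classify(host, chi.SupportedCurves))
		cfg := base.Clone()
		cfg.MinVersion, cfg.CurvePreferences = tls.VersionTLS13, groupsFor(host)
		return cfg, nil
	}
}

func main() { fmt.Println(classify("203.0.113.7", groupsFor("203.0.113.7")[1:])) }
```

Set `GetConfigForClient: perConnection(base)` on the listener's `tls.Config`; counting `classical-exception` log lines over time shows which external peers still depend on the fallback.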
Cryptography as the Foundation for Safe AI Adoption
The implications of PQC extend beyond traditional data protection — they directly impact the safe adoption of AI.
Evgeny emphasizes that cryptography underpins trust in AI systems, from training data integrity and model provenance to identity verification and deepfake mitigation. Without strong cryptographic controls, it becomes difficult to determine whether data, models, or communications can be trusted.
Failure to complete the PQC transition risks undermining confidence in AI systems. In this sense, PQC is not simply a defensive upgrade, but a foundational enabler of trustworthy AI deployment.
Key Takeaways for Security and Technology Leaders
Across these discussions, several themes emerge:
- PQC adoption is accelerating now that standards are available
- Success depends on starting, not waiting for perfect conditions
- Risk-based prioritization is more effective than blanket approaches
- Crypto-agility reduces long-term disruption
- PQC, AI trust, and long-lived data protection are tightly connected
Organizations that begin making incremental progress today position themselves far better for future transitions.
From Standards to Sustainable Resilience
Post-quantum cryptography is not a one-time project. It is an ongoing journey that requires thoughtful prioritization, collaboration, and adaptability.
By focusing on risk, building crypto agility, and integrating PQC into existing environments, organizations can move from standards awareness to sustainable resilience — protecting critical data not just for today, but for decades to come.
SafeLogic works with technology vendors, enterprises, and government organizations to help operationalize post-quantum cryptography in real-world environments. Through validated cryptographic software, crypto-agile architectures, and standards-aligned implementations, SafeLogic supports organizations as they move from planning to execution in their PQC journey.
To learn more about SafeLogic’s work in post-quantum cryptography, request a consultation with a PQC expert today.
SafeLogic
Founded in 2012, SafeLogic’s validated, holistic, and interoperable cryptographic software products enable enduring privacy and trust in the ever-changing digital world. Used by many of the world’s top technology firms, SafeLogic expedites and streamlines the adoption of FIPS 140-validated classical and post-quantum cryptography, strong entropy, and crypto-agility.