The transition to post-quantum cryptography (PQC) has moved decisively from theory to execution. With NIST’s post-quantum cryptography standards now published, organizations are no longer debating if PQC matters, but how to adopt it responsibly, pragmatically, and at scale.
At NIST’s 6th Post-Quantum Cryptography Standardization Conference, SafeLogic CEO Evgeny Gervis participated in a series of Q&A discussions addressing the real-world challenges organizations face as they begin this transition. The questions and answers reflect what security leaders, architects, and executives are actively grappling with today.
Below are key takeaways from those discussions, organized to help organizations understand where PQC adoption stands, how to approach it, and what it takes to make progress.
One of the most notable shifts since the release of PQC standards has been the level of real-world engagement.
Evgeny notes that following the publication of standards, interest in PQC increased rapidly. Technology vendors and cybersecurity providers that previously monitored PQC from a distance are now actively testing and integrating post-quantum implementations. PQC has become a regular topic in customer and partner discussions — something far less common before the standards were finalized.
At the same time, a persistent challenge remains: skepticism. Despite evident progress in quantum computing research and visible vendor roadmaps, some leaders continue to question whether quantum computers will meaningfully impact encryption or whether the urgency of PQC is overstated.
This disconnect is increasingly difficult to justify. Long-lived, high-value data must be protected against future compromise, and leadership teams ultimately bear responsibility for that risk. Treating PQC as hypothetical ignores both technical progress and the realities of long-term data exposure.
Success in PQC migration does not begin with perfection. It begins with action.
Evgeny emphasizes that while planning and discovery are important, organizations must move beyond treating PQC as a large, linear waterfall project. Waiting to complete every assessment before acting often results in inertia rather than progress.
Instead, PQC should be approached iteratively with organizations aiming to become incrementally more quantum-resilient over time. Each step forward reduces exposure and builds momentum.
There are also practical steps organizations can take today. Securing common cryptographic touchpoints, such as TLS connections, can significantly reduce “harvest now, decrypt later” risk and deliver measurable improvements without waiting for full-scale transformation.
A common question is where to start.
Evgeny recommends beginning with an organizational threat model rather than a technology-first approach. This includes understanding:
This exercise is valuable regardless of organizational structure or geography. By mapping data sensitivity and cryptographic dependencies, organizations can prioritize PQC migration based on risk rather than convenience.
This risk-based approach ensures that early efforts focus on systems where quantum compromise would have the greatest impact, while also improving overall visibility into cryptographic posture.
PQC migration is often described as unglamorous but essential.
Evgeny compares it to infrastructure plumbing: rarely noticed until something breaks, but critical to long-term stability. No single vendor can deliver an end-to-end PQC migration, and a successful transition requires collaboration across tools, teams, and partners.
Just as importantly, organizations should focus on integrating PQC into existing environments rather than attempting wholesale replacement. Building crypto agility — the ability to adapt cryptography without repeated disruption — makes future transitions significantly easier.
Hybrid cryptographic approaches, such as those used in TLS, are a natural transition path for many organizations.
Evgeny explains that hybrid mode introduces both benefits and tradeoffs. While it can provide defense-in-depth and interoperability during transition, it also adds complexity that must be carefully managed.
From a cryptographic module perspective, supporting hybrid, pure PQC, and configurable modes enables organizations to align deployment with policy, compliance requirements, and risk tolerance. Standards and frameworks such as FIPS, CMVP, and CNSA 2.0 play an important role in shaping these decisions.
Ultimately, hybrid adoption is not a one-size-fits-all choice. It must be driven by policy and context rather than default assumptions.
Legacy systems remain a reality for most organizations, and supporting them securely is often a business decision rather than a purely technical one.
Evgeny highlights the importance of policy-driven cryptographic controls, particularly the ability to make decisions on a per-connection basis. For example, TLS configurations can be adjusted depending on whether an organization controls the endpoint or must interoperate with external systems.
In some cases, temporary downgrades may be necessary to maintain operations, but they should be treated as a risk-management decision—not a default state. Mitigation strategies, such as proxying or tunneling, can help reduce exposure when full remediation is not immediately feasible.
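One way to express the per-connection policy described above, as an added example that is not SafeLogic's code or any product's API. The peer names, the exception register, the mode names, and the rule that controlled endpoints are never downgraded are assumptions made for illustration; the group names are TLS 1.3 named groups.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# TLS 1.3 named groups by IANA name; the grouping and ordering are this example's policy.
HYBRID = ["X25519MLKEM768", "SecP256r1MLKEM768"]
PURE_PQC = ["MLKEM1024", "MLKEM768"]
CLASSICAL = ["x25519", "secp256r1"]

# Deployment mode -> ordered list of acceptable quantum-resistant groups (hypothetical modes).
MODES = {"hybrid": HYBRID + PURE_PQC, "pure_pqc": PURE_PQC}

# Constructed exception register: external peer -> date the approved downgrade expires.
EXCEPTIONS = {"legacy-partner.example": date(2026, 6, 30)}


@dataclass(frozen=True)
class Decision:
    group: Optional[str]   # group to negotiate, or None to refuse the connection
    downgrade: bool        # True only for an approved classical-only exception
    reason: str


def first_match(preferred, offered):
    """Return the first group in our preference order that the peer also offers."""
    offered = set(offered)
    return next((g for g in preferred if g in offered), None)


def decide(peer, offered, controlled, mode="hybrid", today=None):
    """Choose the key-exchange group for one connection."""
    today = today or date.today()
    group = first_match(MODES[mode], offered)
    if group:
        return Decision(group, False, "quantum-resistant key exchange")
    if controlled:
        # Assumed rule: we own this endpoint, so fix its configuration instead of downgrading.
        return Decision(None, False, "refuse: upgrade controlled endpoint")
    expiry = EXCEPTIONS.get(peer)
    classical = first_match(CLASSICAL, offered)
    if expiry and today <= expiry and classical:
        # A downgrade is an explicit, time-boxed exception, never the default.
        return Decision(classical, True,
                        f"approved downgrade until {expiry}; route via proxy or tunnel")
    return Decision(None, False, "refuse: no valid exception for classical-only peer")
```

Logging every `Decision` with `downgrade=True` gives a running inventory of the connections still exposed to "harvest now, decrypt later" collection.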
The implications of PQC extend beyond traditional data protection — they directly impact the safe adoption of AI.
Evgeny emphasizes that cryptography underpins trust in AI systems, from training data integrity and model provenance to identity verification and deepfake mitigation. Without strong cryptographic controls, it becomes difficult to determine whether data, models, or communications can be trusted.
Failure to complete the PQC transition risks undermining confidence in AI systems. In this sense, PQC is not simply a defensive upgrade, but a foundational enabler of trustworthy AI deployment.
Across these discussions, several themes emerge:
Organizations that begin making incremental progress today position themselves far better for future transitions.
Post-quantum cryptography is not a one-time project. It is an ongoing journey that requires thoughtful prioritization, collaboration, and adaptability.
By focusing on risk, building crypto agility, and integrating PQC into existing environments, organizations can move from standards awareness to sustainable resilience — protecting critical data not just for today, but for decades to come.
SafeLogic works with technology vendors, enterprises, and government organizations to help operationalize post-quantum cryptography in real-world environments. Through validated cryptographic software, crypto-agile architectures, and standards-aligned implementations, SafeLogic supports organizations as they move from planning to execution in their PQC journey.