Quantum computing often appears in corporate conversations as a distant promise: an immature technology with the potential to transform industries but without a clear timeline to impact daily operations. However, in security, the logic is different. The issue is not only when advanced quantum systems will arrive capable of challenging traditional cryptography but also what will happen to the data being encrypted today that needs to remain confidential for years.
With that in mind, Kyndryl (NYSE: KD), a provider of critical enterprise IT services, announced on December 11, 2025, its new Quantum Safe Assessment. This service is designed to help organizations prepare for the opportunities and threats posed by quantum computing. The approach combines technical analysis and planning: identifying cryptographic risk exposure across the IT environment and building a realistic roadmap to evolve toward “quantum-safe” security using post-quantum cryptography (PQC), with a focus on long-term protection and regulatory requirements.
Concerns are no longer futuristic—they are strategic
Kyndryl frames the launch with a clear message: “preparing” for quantum security is no longer a laboratory issue. Kris Lovejoy, the company’s Global Head of Security and Resilience, describes it as a strategic imperative: if traditional encryption methods become vulnerable to advanced quantum systems, the impact could hit three fronts simultaneously: data security, regulatory compliance, and business continuity.
The key is that cryptography is a cross-cutting layer. It doesn’t protect just a “system,” but identities, transactions, networks, backups, third-party integrations, and internal communications. Therefore, when talking about quantum risk, it’s not about a quick fix but a transition that can affect hundreds of applications and dependencies.
What does the Quantum Safe Assessment do: inventory, prioritize, plan
Kyndryl’s service is a comprehensive evaluation of an organization’s digital environment to advise, prepare, design, and implement “quantum-safe” solutions. Practically, the assessment aims for two main goals:
- Identify where cryptography is used and how.
- Determine which parts of the business are most exposed and establish the migration order.
To achieve this, the analysis focuses on systems and interconnection points that typically contain sensitive data or critical transactions. Kyndryl explicitly cites common examples in large organizations: payment gateways, customer databases, cloud infrastructure, mainframe systems, and third-party interfaces. Prioritization is based on two variables: data sensitivity and time horizon (how long the encrypted data must remain secure).
CBOM: the “map” of cryptography within the company
One element highlighted by Kyndryl as part of the service is Encryption Discovery, a process that identifies the encryption methods protecting services, applications, networks, systems, and data layers. The result is the creation of a Cryptographic Bill of Materials (CBOM): a structured inventory to understand where cryptography is applied and with which components.
In practice, this approach addresses a common problem in large organizations: cryptography is so integrated into libraries, configurations, certificates, protocols, and dependencies that many organizations lack a complete view of “what uses what.” Without this map, any transition to post-quantum standards turns into a blind race, risking critical systems being left out, duplicated efforts, or introducing incompatibilities.
From diagnostic to execution: roadmap and “crypto-agility”
The second phase of the approach is turning the diagnosis into a phased transformation. Kyndryl proposes a Transformation Roadmap that moves toward encryption standards resilient to quantum threats and progresses toward a final goal: crypto-agility.
The term reflects a growing idea: it’s not enough to change algorithms once; organizations must build the technical and organizational capacity to change them again if needed (due to new threats, regulatory shifts, or standards updates). For many companies, the challenge is not just adopting PQC but doing so without breaking integrations, disrupting operations, or losing interoperability with third parties.
Integration with Zero Trust: identity, network, and data under one umbrella
Kyndryl also links quantum readiness to its Zero Trust Adoption Framework, aiming for the plan not to be an isolated “cryptography project,” but part of a broader security framework. In practice, the goal is to strengthen controls around identity, endpoints, network, and data protection, aligning the post-quantum transition with principles of least privilege, segmentation, and continuous verification.
This approach offers additional value: many organizations are modernizing security and architecture simultaneously (hybrid cloud, refactoring, automation). Integrating the post-quantum transition into these initiatives can reduce friction and prevent the project from being postponed as “something for later.”
A striking fact: only 4% see quantum as a short-term priority
Despite the sense of urgency, Kyndryl admits a perception gap. According to its Kyndryl Readiness Report 2025, only 4% of leaders believe quantum computing will have the greatest impact on their business within the next three years. This disconnect explains why many organizations have not yet inventoried their cryptography or drafted a migration plan: the perceived risk is “distant,” even though preparation is precisely what takes the most time.
A transition affecting the entire digital “heritage”
Ultimately, Kyndryl’s announcement highlights a shift in mindset regarding security: cryptography is no longer managed as a black box. It is handled as an asset with inventory, dependencies, and lifecycle management. In a world where the standardization of post-quantum algorithms is underway, the first step isn’t necessarily “migrating tomorrow” but understanding what needs to be migrated, in what order, and with what operational impact.
In a market where resilience is measured by a company’s ability to continue operating under pressure, a challenging but inevitable question arises: how many critical systems depend on algorithms that could become obsolete sooner than expected? Kyndryl aims to turn that answer from a guess into a concrete plan.
Frequently Asked Questions
What is a Quantum Safe Assessment, and how does it benefit a company?
It’s an evaluation that identifies cryptography usage across the IT environment, assesses exposure to quantum threats, and defines a roadmap to migrate towards post-quantum cryptography (PQC) in a structured way.
What is a CBOM, and why is it key for post-quantum cryptography?
A CBOM (Cryptographic Bill of Materials) is an inventory of cryptographic components used by an organization (algorithms, libraries, configurations, dependencies). It helps identify where encryption is applied and what needs updating to migrate to PQC.
Which systems generally have higher priority in a post-quantum transition plan?
Typically, those handling sensitive data or critical transactions: payment gateways, customer databases, cloud infrastructure, third-party integrations, and in many large organizations, mainframe environments.
What does “crypto-agility” mean in quantum security?
It’s the ability to change cryptographic algorithms and settings with minimal friction as standards evolve or threat levels increase, avoiding dependence on a single scheme for years.
via: kyndryl