Your Inventory Dashboard is Not a Migration Strategy

Episode notes

Post-quantum cryptography migration is not primarily about choosing Kyber or ML-KEM. It is about whether your organization can rotate keys, abstract cryptography away from developers, and adapt under pressure. In this episode, Stefan Kölbl shares an operator-level perspective from inside Google’s PQC rollout, including early hybrid deployments that predated final NIST standards. He explains why encryption in transit was prioritized, why signing remains harder than key exchange, and how Store Now, Decrypt Later risk justified early action. The discussion moves beyond theory into operational friction: cache misses triggered by heap allocation behavior, lifecycle blind spots revealed by inventory tools, and the difficulty of prioritizing thousands of signing keys without ownership context. Stefan’s core message is simple but powerful: PQC is not a one-time upgrade. It is an opportunity to fix key management. Organizations that treat migration as an agility exercise rather than an algorithm swap, will be the ones able to adapt when standards evolve again.