Unmanaged cryptography – rather than broken encryption – is one of the biggest cyber security risks facing companies today, according to Glen Leonhard, director of key management at Cryptomathic.
Speaking at the ITWeb Security Summit 2026 in Johannesburg, Leonhard said artificial intelligence (AI) is making it easier for attackers to exploit vulnerabilities, steal credentials and target poorly managed cryptographic assets. While AI is not breaking modern encryption, it is significantly reducing the time companies have to detect and respond to threats.
“AI provides an easy, scalable and accessible way to exploit vulnerabilities that exist in systems today,” Leonhard said. “The greatest cryptographic risk today is not broken encryption, but unmanaged cryptography.”
Leonhard explained that companies have moved from simple, siloed IT projects to complex environments spanning multiple cloud platforms and geographies. Cryptographic assets such as keys and certificates are often scattered, with ownership becoming unclear over time.
“Applications may have been running for years, and the ownership is kind of gone because it has become a maintenance project,” he said. “But the risk associated with those assets still exists.”
This lack of visibility leaves companies exposed to expired certificates and poorly protected keys. AI-powered attacks are compounding the problem by making phishing and malware more targeted.
Leonhard stressed that gaining visibility into cryptographic assets is the critical first step towards improving security. “You cannot modify what you cannot see, govern or control,” he said.
He urged companies to establish an inventory of their cryptographic assets, understand where they are located and identify who owns them. “There are no shortcuts,” he said. “Discovery tools can assist, but organisations still need to put in the work to build ownership and accountability.”
Beyond immediate risks, Leonhard warned that companies must prepare for quantum computing. While quantum computers capable of breaking widely used cryptography are not yet available, attackers are already collecting encrypted data today for future decryption.
“If you have sensitive data already out there, it can be captured and stored for years to come,” he said. “You may already be affected by it.”
He noted that companies in healthcare, automotive and critical infrastructure – where systems often operate for decades – should already be planning their transition to post-quantum cryptography.
'Cryptographic agility' as an operating model
Leonhard advocated for what Cryptomathic calls “cryptographic agility” – the ability to adapt quickly to evolving threats and standards. Building this agility begins with visibility, followed by risk assessment, governance and standardised life cycle management.
“Cryptographic agility is not a product feature,” he said. “It is an enterprise operating model.”
He also called for companies to move away from fragmented cryptographic operations managed by individual application teams towards a centralised control model. Under such a model, applications consume cryptographic services through centrally managed platforms rather than handling keys directly. This simplifies compliance and reduces risk, while making future transitions – including to post-quantum algorithms – significantly easier.
“If we decouple the cryptography from the application itself, we can make changes behind the scenes without disrupting business services,” Leonhard explained.
He encouraged companies to begin assessing their cryptographic maturity today. “The journey will take time,” he said. “The first question organisations need to ask is whether they have the visibility needed to understand and manage their cryptographic assets.”
Share
