Architectural Integration and Strategic Risk Management of Post-Quantum Cryptography in Hybrid Enterprise Networks: A Systematic Review of Crypto-Agility, Implementation, and Policy Compliance.

Abstract

Hybrid enterprise environments combining public cloud, private infrastructure, and edge devices—rely fundamentally on classical public-key cryptography (PKC) for secure key exchange, authentication, and digital signatures. The emergence of cryptographically relevant quantum computers (CRQCs) threatens to dismantle these foundations via algorithms such as Shor's, rendering current data confidentiality and long-term security guarantees obsolete.¹ This systematic review transitions the focus from pure cloud security to the complex architectural challenge of integrating Post-Quantum Cryptography (PQC) across distributed enterprise landscapes. The analysis examines the foundational PQC candidates (NIST selection), assesses architectural dependencies (PKI, KMS, ZTA), reviews implementation hurdles (side-channels, performance overhead in IoT), and details the strategic necessity of crypto-agility. Furthermore, this report critically examines the global regulatory framework, including US CNSA 2.0 and FIPS 140-3, highlighting critical gaps in migration planning, governance, and compliance readiness required to mitigate the systemic risk of the "Harvest Now, Decrypt Later" threat model.