<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Chris Cherry</title><description>Strategic intelligence on governance, security, and organizational systems.</description><link>https://chrischerry.me/</link><language>en-us</language><item><title>The Post-Quantum Gap the PACS Industry Has Not Closed</title><link>https://chrischerry.me/writing/2026-04-24-post-quantum-gap-pacs/</link><guid isPermaLink="true">https://chrischerry.me/writing/2026-04-24-post-quantum-gap-pacs/</guid><description>The cyber-versus-physical asymmetry in post-quantum migration reflects vendor prioritization rather than technical feasibility. The PACS industry has four years to align with a deprecation window the supplier channel is not yet building toward, and the security leader&apos;s job is to know which vendors are on the roadmap and which will be replaced before the procurement window narrows.</description><pubDate>Fri, 24 Apr 2026 00:00:00 GMT</pubDate><content:encoded>Cyber infrastructure is transitioning to post-quantum cryptography, but physical access control is not. The necessary silicon is available, smart card platforms are mature, and standards are finalized. However, the Physical Access Control System (PACS) industry has yet to adopt these advancements.

The deprecation schedule is public. NIST IR 8547, currently an Initial Public Draft, sets the transition trajectory: 112-bit-strength public-key algorithms such as RSA-2048 are deprecated after 2030 and disallowed after 2035, and every quantum-vulnerable public-key algorithm at 128-bit strength or above, ECDSA and ECDH on P-256 included, is disallowed after 2035. For procurement and architecture decisions, 2030 is not the cliff; it is the point at which new classical designs become indefensible. NIST finalized the three primary post-quantum standards in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA, the Stateless Hash-Based Digital Signature Standard). CNSA 2.0 puts National Security Systems on the same trajectory, with earlier deadlines and a separate firmware signing requirement based on stateful hash-based signatures. FIPS 140-2 validations move to the CMVP Historical List on September 21, 2026; after that date, FIPS 140-2 modules should not be procured for new federal systems, though existing-system use remains a separate question.

The deprecation deadlines that drive the migration are public and time-certain regardless of when a cryptographically relevant quantum computer (CRQC) arrives. NIST IR 8547 disallows 112-bit-strength public-key algorithms after 2035, with the deprecation window opening in 2030. PACS controllers installed today have 10 to 15 year service lives, which means controllers procured in 2026 are cryptographically constrained by the public deprecation window whether CRQC arrives in 2030 or 2040. The structural condition that defines the migration is the overlap between PACS procurement and integration cycles and the regulatory deprecation deadlines, not any specific CRQC arrival date.

The compressed CRQC timeline produced by the past 18 months of research strengthens the case for urgency without being load-bearing. Caltech researchers reported in March 2026 that a functional quantum computer may be feasible by 2030 with 10,000 to 20,000 qubits rather than the millions previously estimated. Forrester&apos;s State of Quantum Computing 2026 positions Q-Day around 2030 as a credible horizon. Cloudflare moved its target for full post-quantum security to 2029. Google&apos;s Quantum AI team demonstrated an algorithmic speedup that reduces the number of qubits needed to break RSA-2048. AI systems are being used to discover new quantum algorithms and optimize existing ones, and the Oratomic team&apos;s breakthrough, reported in April 2026, was accelerated by AI. The structural argument holds whether the compressed timeline materializes or not; the compressed timeline shortens the planning horizon if it does.

Four years falls within the hardware refresh cycle for controllers and readers bought today. It&apos;s shorter than the typical commercial real estate lease and shorter than a large enterprise PACS integration cycle. Meanwhile, the cyber side is already moving. AWS deployed hybrid ML-KEM TLS across KMS, S3, CloudFront, Application Load Balancer, and Certificate Manager in 2025. Microsoft integrated ML-KEM and ML-DSA into SymCrypt, the cryptographic engine inside Windows and Azure. Google Cloud rolled out quantum-safe KEMs in Cloud KMS preview in October 2025. Apple PQ3 has used ML-KEM for iMessage key encapsulation since 2024. Thales Luna hardware security modules (HSMs) ship ML-KEM and ML-DSA natively in firmware v7.9. TPM 2.0 version 1.85 added both. The hyperscalers, enterprise cryptography vendors, and platform operators are not waiting for deadlines.

No major North American PACS credential vendor has announced a post-quantum product, and no leading controller manufacturer has published a post-quantum firmware signing roadmap. OSDP 2.2.2, the reader-to-controller protocol, still uses AES-128 with pre-shared keys, and no public roadmap for version 2.3 was identified as of April 2026. The gap between components that exist and PACS products that do not is the subject of this article.

The argument that follows is not a compliance piece, because while the deprecation schedule is the forcing function, the more consequential question is what enterprises and their suppliers have actually built and not built in response to it. It is also not a federal policy piece in any direct sense, though CNSA 2.0 is illustrative because it sets the trajectory the commercial market increasingly follows through procurement obligations and contractor flow-down requirements. The frame throughout is the corporate enterprise deployment archetype, with HID-dominant controller infrastructure, multi-site real estate footprints, and security functions mature enough to ask post-quantum questions, including organizations where physical and information security are converged and organizations where they are not.

In this article, &quot;post-quantum-ready PACS&quot; means that the credential, reader-controller, firmware-signing, and controller-host trust relationships can survive the retirement of quantum-vulnerable public-key cryptography without relying on classical roots, unmanaged exceptions, or vendor-specific dead ends.

The argument applies most directly to corporate enterprise PACS, and the verticals discussed below carry different forcing functions and timelines that the text addresses where the difference matters. Mid-market deployments where PACS sits with IT or facilities have a different ownership structure that affects both the threat model and the migration path. Government deployments under Federal Information Processing Standards procurement and Federal Identity, Credential, and Access Management requirements face forcing functions commercial enterprises do not. Healthcare carries Health Insurance Portability and Accountability Act and HITRUST-driven pressures with a different cadence and different enforcement teeth. Financial services has distinct vault and trading floor patterns that require their own analysis. Hospitality and retail run installed bases measured in decades and operate under economic constraints that make voluntary cryptographic refresh implausible. The cryptographic argument applies across all of these, but the tactical response and the realistic timeline differ enough that readers should calibrate the products and timelines to their own environment rather than treating any single recommendation as universal.

The technical migration the PACS industry has not made is not a single transition but four separate ones, each operating at a different layer of the stack and each carrying its own deprecation exposure. The reader-to-controller wire protocol, governed by the Open Supervised Device Protocol (OSDP) at version 2.2.2, runs AES-128 (Advanced Encryption Standard, 128-bit) with pre-shared keys and offers no crypto agility, no negotiated key establishment, and no public roadmap for a post-quantum revision from the standards body that maintains it. The card-to-reader credential format is the layer where the silicon and smart card platforms have shipped post-quantum-capable products and the PACS-branded credential channel has not built on them, leaving the installed base on AES-128 for the cards that have any cryptographic protection at all and on no cryptographic protection for the substantial residual proximity card population. The firmware signing layer is where controllers depend on RSA-2048 or ECDSA P-256 root signatures, which a CRQC would make forgeable and which fall inside the NIST IR 8547 deprecation window regardless; the procurement-relevant choice is between stateful hash-based signatures, specifically the Leighton-Micali Signature (LMS) or eXtended Merkle Signature Scheme (XMSS) as defined in NIST Special Publication 800-208 and required by CNSA 2.0, and the stateless SLH-DSA alternative, whose signatures run from roughly 7.8 KB at the smallest parameter set to about 49 KB at the largest, against 64 bytes for ECDSA P-256, a size that raises practical implementation questions for constrained controllers. The controller-to-host Transport Layer Security (TLS) layer is the easiest of the four because hyperscaler infrastructure is already migrating and the work is largely TLS-stack version management, but enterprise Public Key Infrastructure for PACS endpoints is informal in most deployments. ML-DSA certificates are issuable today through commercial CA platforms such as AWS Private CA and DigiCert Trust Lifecycle Manager, with comparable capability rolling out across the other major hyperscaler CA services, and RFC 9881 standardized the X.509 conventions in October 2025, but the migration for the median enterprise is gated more by certificate lifecycle maturity than by algorithm availability.

A PACS deployment is post-quantum-ready only when all four migrations are complete, and none of the four is complete in the commercial channel as of April 2026. The asymmetry between cyber infrastructure and physical access control is the structural condition that defines the rest of the argument, and it reflects market signals about customer pressure and procurement priority rather than questions of technical feasibility: both sides depend on the same primitives, both sides face the same deprecation deadline, and the standards work the cyber side built on is the same standards work the physical side could have built on through its own silicon and platform suppliers. The threat model that follows treats this asymmetry as an enterprise risk rather than an industry one, and it focuses on the compromise pathways that scale rather than the ones the PACS industry tends to discuss, because a deprecated signature root matters in proportion to what the controllers that trust it can reach on the network.

## The Compromise Pathways That Matter Are Not the Ones the Industry Discusses

The dominant industry framing of post-quantum risk is harvest-now-decrypt-later, where adversaries intercept ciphertext today and decrypt it once a CRQC arrives. This framing is useful for long-lived confidential data, including diplomatic cables, medical records, intellectual property held in long-term custody, and the kind of crypto-asset key material whose value persists for decades. It is a weaker framing for physical access control, because most PACS traffic does not sit in the categories that adversaries warehouse for future decryption. Door-open events are ephemeral. Badge-swipe pattern-of-life data has some residual intelligence value when it concerns specific named individuals, but the bulk of the traffic is operational telemetry that loses value within hours. The harvest-now framing carries the cryptographic urgency narrative the broader industry has organized around, and it underweights the pathways through which PACS compromise produces consequence.

The consequential post-quantum-contingent threat for PACS is signature forgery. When the classical signatures that bind firmware to controllers, certificates to credentials, and trust roots to manufacturers become forgeable, every cryptographic relationship that depends on those signatures becomes impersonable. An attacker who can forge the firmware signing root for a major controller platform converts a foothold like the 2022 Mercury vulnerability into something materially worse: a vendor-scale beachhead, where every controller in the installed base that trusts that root can be made to accept attacker-signed firmware through an accepted update path. HID Mercury controllers, by HID&apos;s own marketing, have approximately 5 million deployments globally across more than 20 OEM partners. A forged Mercury signing root is industry-wide beachhead placement across every enterprise that runs the platform, and the attacker&apos;s scaling factor is the market share of the vendor whose signing root they break rather than the security posture of any single deployment. The architectural problem for the defender is that the installed base cannot be re-signed retroactively, controllers deployed today with classical signing roots remain cryptographically fragile for their entire service life, and PACS controllers typically run for 10 to 15 years. Controllers installed in 2026 will still be in service when the deprecation window closes and through whatever period the CRQC question follows.

### PACS Compromise Is Network Compromise

The framing most executives have not been given is that PACS is not an air-gapped physical security system, it is networked enterprise software. The head-end software—C·CURE, OnGuard, Pro-Watch, Synergis, Symmetry—runs on the corporate network and maintains active integrations with Active Directory or LDAP for operator authentication, with enterprise identity providers like Okta or Entra for badge provisioning workflows, with HR systems for identity lifecycle, and with video management, building management, visitor management, and elevator control systems through its integration layer. The controllers themselves are Linux devices on enterprise virtual local area networks, communicating with the head-end over TLS. Every layer of this stack is a networked software system, and every layer is reachable from the same enterprise network that hosts the rest of the organization&apos;s information technology.

In June 2022, Trellix Threat Labs disclosed a chain of vulnerabilities in HID Mercury controllers, including CVE-2022-31481, an unauthenticated remote code execution flaw scored at the maximum CVSS value of 10.0. By chaining two vulnerabilities, the researchers achieved root on the device&apos;s Linux operating system remotely, ran arbitrary programs alongside the legitimate access control software, subverted monitoring and logging, and manipulated the controller at will. The Cybersecurity and Infrastructure Security Agency published an advisory. The affected products were sold through more than 20 OEM partners, including the Carrier-owned LenelS2 brand, which propagated the vulnerability across the channel. What that research demonstrated was not primarily a physical security incident, it was a remote unauthenticated foothold with root privileges on a Linux device connected to the enterprise network, and the distance from that foothold to the broader corporate network follows the standard compromise playbooks of credential harvesting, pivot through service accounts, lateral movement to the head-end, and escalation through Active Directory trust relationships.

The PACS controller is a forgotten server class in most enterprises. It is rarely in scope for the cybersecurity oversight that an equivalent enterprise Linux server would receive, rarely monitored by the security operations center, and runs on patch cycles measured in quarters or years rather than days. Nozomi Networks&apos; 2026 research found that only 0.3% of operational technology (OT) wireless networks use enterprise-grade authentication, with adoption concentrated on IP-edge devices like cameras where the supplicant is supported, and roughly 70% of OT systems are now connected to enterprise information technology networks by recent industry estimates. Segmentation between PACS virtual local area networks and the enterprise core is aspirational in most deployments rather than rigorously enforced. The 2022 Trellix research was an anomaly only in that it was disclosed publicly, and the architectural reality it exposed—Linux servers on the corporate network running out-of-scope cryptography with minimal cybersecurity oversight—persists after the specific common vulnerabilities and exposures are patched.

The on-premises controller-as-Linux-device scenario does not describe the majority deployment reality anymore. Most enterprises run hybrid configurations, with some sites on-premises, others hosted in the customer&apos;s own cloud tenant, and others delivered through vendor-managed software-as-a-service, and few are cloud-only. The major PACS and video surveillance system platforms offer at least three deployment modes: on-premises bare metal, customer-hosted cloud where the vendor publishes an Amazon Machine Image or equivalent Azure deployment that the customer runs in their own cloud account under standard licensing, and vendor-managed single-tenant software-as-a-service where the vendor operates the cloud tenant on the customer&apos;s behalf. Each model shifts the cybersecurity configuration responsibility to a different party, and the customer-hosted cloud model is the one that most expands the lateral movement surface in ways executives frequently do not recognize.

When PACS is hosted in the customer&apos;s own cloud tenant, the head-end becomes a compute instance running in a virtual network the customer configured, with identity and access management roles the customer assigned, network connectivity patterns the customer architected, and audit logging that the customer enabled or did not. The PACS application&apos;s identity and access management permissions frequently include access to object storage for video evidence archives, managed database instances for the PACS database, and cross-account trust relationships to the enterprise identity provider. Each of those grants is a potential over-permission, and vendor deployment templates default toward permissive configurations because they optimize for deployment success rather than for least privilege. The network architecture decisions made at deployment determine whether a head-end compromise stays scoped to the PACS workload or pivots into production systems through virtual network peering, transit hub sharing, or cross-account trust relationships designed without input from the cloud security engineering function that would normally govern those decisions. The cloud-hosted PACS also inherits the hyperscaler&apos;s post-quantum transport-layer migration, which can create the appearance of post-quantum readiness even though the PACS application&apos;s own internal cryptography remains classical, because the major hyperscalers have deployed hybrid ML-KEM transport across their core managed services, but the PACS vendor&apos;s firmware signing, credential authentication, and internal certificate handling are unchanged by where the workload runs.
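As an added illustration, not from the original article, the following Go program audits a PACS head-end IAM policy for the over-permission patterns described above: wildcard actions, an unscoped Resource, and sts:AssumeRole against any role. Both policy documents are constructed for this example (the bucket, database and account identifiers are placeholders, not any vendor&apos;s template), and the parser handles the IAM convention of Action, Resource and Statement each being either a single value or an array.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// oneOrMany decodes a JSON value that IAM allows to be either a single T or an
// array of T (Action, Resource and Statement all use this convention).
func oneOrMany[T any](b []byte) ([]T, error) {
	one := new(T)
	if err := json.Unmarshal(b, one); err == nil {
		return []T{*one}, nil
	}
	many := new([]T)
	if err := json.Unmarshal(b, many); err != nil {
		return nil, err
	}
	return *many, nil
}

type stringList []string

func (s *stringList) UnmarshalJSON(b []byte) error {
	v, err := oneOrMany[string](b)
	*s = v
	return err
}

// statement is the subset of an IAM policy statement the audit needs.
type statement struct {
	Effect   string     `json:"Effect"`
	Action   stringList `json:"Action"`
	Resource stringList `json:"Resource"`
}

type statementList []statement

func (s *statementList) UnmarshalJSON(b []byte) error {
	v, err := oneOrMany[statement](b)
	*s = v
	return err
}

type policy struct {
	Statement statementList `json:"Statement"`
}

// AuditPolicy flags the three over-permission patterns that let a compromised
// PACS head-end pivot: wildcard actions, an unscoped Resource, and the ability
// to assume any role (explicitly or via a bare "*" action) on that unscoped Resource.
func AuditPolicy(doc string) ([]string, error) {
	p := new(policy)
	if err := json.Unmarshal([]byte(doc), p); err != nil {
		return nil, err
	}
	var findings []string
	for i, st := range p.Statement {
		if !strings.EqualFold(st.Effect, "Allow") {
			continue
		}
		unscoped := false
		for _, r := range st.Resource {
			if r == "*" {
				unscoped = true
				findings = append(findings, fmt.Sprintf("statement %d: Resource * grants every resource in the account", i))
			}
		}
		for _, a := range st.Action {
			if a == "*" || strings.HasSuffix(a, ":*") {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard action %s", i, a))
			}
			if unscoped {
				if a == "*" || strings.EqualFold(a, "sts:AssumeRole") {
					findings = append(findings, fmt.Sprintf("statement %d: %s on any role permits cross-account pivot", i, a))
				}
			}
		}
	}
	return findings, nil
}

// PermissiveTemplate is a constructed stand-in for a deployment template that
// optimizes for install success. It is not a real vendor artifact.
const PermissiveTemplate = `{"Version": "2012-10-17", "Statement": {
  "Effect": "Allow", "Action": ["s3:*", "rds:*", "sts:AssumeRole"], "Resource": "*"}}`

// ScopedPolicy is the least-privilege rewrite: named actions on the PACS video
// archive bucket and one database user. Names and the account ID are placeholders.
const ScopedPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::pacs-video-archive/*"},
  {"Effect": "Allow", "Action": "rds-db:connect",
   "Resource": "arn:aws:rds-db:us-east-1:111122223333:dbuser:db-PACS01/pacs_app"}]}`

func main() {
	for name, doc := range map[string]string{"permissive": PermissiveTemplate, "scoped": ScopedPolicy} {
		findings, err := AuditPolicy(doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  " + f)
		}
	}
}
```

The same function runs unchanged over policies pulled back from a cloud provider&apos;s IAM API, which is where it earns its keep: reviewing the vendor template before it lands in the account, and re-checking the deployed role afterwards, because templates tend to be edited toward permissiveness during troubleshooting and rarely edited back.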

### The Identity Bridge

The second consequential pathway operates through enterprise identity infrastructure, where PACS systems integrate imperfectly with the broader identity stack and the seams compound the operational consequence of any single compromise. Service accounts are frequently shared between PACS head-end software and other information technology systems, certificates issued from enterprise public key infrastructure sign both classes of system, and operator accounts on the PACS console sometimes have administrative privileges on the underlying Windows server that hosts the head-end. Terminated employees can lose single sign-on access in minutes through the identity provider while retaining badge access for days or weeks through a manual human resources to PACS deprovisioning handoff; that is a security control failure. They can also retain shared service-account credentials that propagate across systems; that is the more consequential failure, because the service-account exposure outlasts the offboarding event indefinitely.

User access reviews for physical access are less consistent than for logical access in most enterprises, and the physical access entitlement corpus is often the least-audited identity store in the organization despite being typically connected to the corporate directory. Access drift across role changes accumulates over years without a corrective mechanism that matches the cadence of logical access governance. None of this is a Q-Day problem. It is a present-tense identity governance problem, and the cryptographic deprecation window makes it more urgent by raising the consequence of any single identity compromise rather than by introducing a new failure mode.
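The deprovisioning lag described above is measurable from two exports most enterprises already have. The Go program below, an added example rather than anything from the article, joins identity-provider disable events to PACS cardholder records and reports badges still active after the identity was disabled, together with badges presented at a door after that point, which is direct evidence that the handoff ran late. The records are constructed sample data, and the field names (User, BadgeID, Active, LastUsed) are assumptions about the export format rather than any product&apos;s schema.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// IdPEvent is a disable/terminate event exported from the identity provider.
type IdPEvent struct {
	User       string
	DisabledAt time.Time
}

// Badge is one credential row exported from the PACS cardholder database.
type Badge struct {
	User     string
	BadgeID  string
	Active   bool
	LastUsed time.Time // zero value if the badge has never been presented
}

// Finding is a badge whose lifecycle lags the identity provider.
type Finding struct {
	User             string
	BadgeID          string
	ExposureHours    float64 // hours the badge has stayed active after the IdP disable
	UsedAfterDisable bool    // a door event occurred after the identity was disabled
}

// ReconcileBadges joins IdP disable events with PACS badge state as of now. It
// returns every badge still active for a disabled identity, and every badge
// (active or since deactivated) presented after the disable time.
func ReconcileBadges(events []IdPEvent, badges []Badge, now time.Time) []Finding {
	disabled := make(map[string]time.Time, len(events))
	for _, e := range events {
		disabled[e.User] = e.DisabledAt
	}
	var out []Finding
	for _, b := range badges {
		dis, ok := disabled[b.User]
		if !ok {
			continue // identity still enabled: nothing to reconcile
		}
		usedAfter := false
		if !b.LastUsed.IsZero() {
			usedAfter = b.LastUsed.After(dis)
		}
		if b.Active || usedAfter {
			f := Finding{User: b.User, BadgeID: b.BadgeID, UsedAfterDisable: usedAfter}
			if b.Active {
				f.ExposureHours = now.Sub(dis).Hours()
			}
			out = append(out, f)
		}
	}
	// Most urgent first: badges actually used after disable, then longest exposure.
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].UsedAfterDisable != out[j].UsedAfterDisable {
			return out[i].UsedAfterDisable
		}
		return out[i].ExposureHours > out[j].ExposureHours
	})
	return out
}

func ts(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// SampleData is a constructed pair of exports, not real HR or PACS data.
func SampleData() ([]IdPEvent, []Badge, time.Time) {
	events := []IdPEvent{
		{"alice", ts("2026-04-20T10:00:00Z")},
		{"bob", ts("2026-04-23T17:00:00Z")},
		{"carol", ts("2026-04-01T09:00:00Z")},
		{"erin", ts("2026-03-30T09:00:00Z")},
	}
	badges := []Badge{
		{"alice", "A-100", true, ts("2026-04-22T08:15:00Z")},  // active and used after disable
		{"bob", "B-200", true, ts("2026-04-21T07:50:00Z")},    // active, not yet used
		{"carol", "C-300", false, ts("2026-04-02T08:05:00Z")}, // deactivated, but a day late
		{"dave", "D-400", true, ts("2026-04-23T08:00:00Z")},   // identity still enabled
		{"erin", "E-500", false, ts("2026-03-29T17:30:00Z")},  // clean offboarding
	}
	return events, badges, ts("2026-04-24T09:00:00Z")
}

func main() {
	events, badges, now := SampleData()
	for _, f := range ReconcileBadges(events, badges, now) {
		fmt.Printf("%-6s %s active-after-disable=%.0fh used-after-disable=%v\n",
			f.User, f.BadgeID, f.ExposureHours, f.UsedAfterDisable)
	}
}
```

Scheduled daily, the ExposureHours distribution is the metric that turns the governance complaint into a number: the gap between the identity provider and the PACS is whatever that distribution says it is, and the used-after-disable rows are the ones to hand to the investigations function.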

### What the Attacker Does Not Need

Three negations narrow the threat model and clarify where the urgency sits. The attacker does not need to break AES, because symmetric primitives are not the PACS weakness; the structural assumption underneath the post-quantum migration is that AES at appropriate key lengths remains secure against quantum cryptanalysis, allowing for the nominal halving of key-search security that Grover&apos;s algorithm implies. The attacker does not need a CRQC for most of the threat surface, because the 2022 Mercury vulnerabilities required no quantum capability at all, the protocol-level Bluetooth vulnerabilities discussed later in this analysis are present-day exploits, and the identity governance failures that compound them are present-day operational deficits. The attacker does not need industry cooperation, because the silicon and smart card platforms discussed in the next section are already shipping in production volumes from major suppliers, and the gap that defines the rest of this analysis is one of PACS-vendor product development rather than one of cryptographic feasibility or component availability.

The threat model that makes the case to a skeptical executive is not that physical access control is suddenly going to fail, it is that PACS is already a compromise path with consequences that scale beyond the building, the cryptographic deprecation window makes those consequences worse, and the supplier channel has not responded to either the present-day exposure or the deprecation timeline.

## The Silicon Has Shipped, the Smart Card Platforms Have Shipped, the PACS Supply Chain Has Not Followed

The reader-to-controller wire protocol is OSDP, currently at version 2.2.2, released by the Security Industry Association in October 2024 and codified internationally as IEC 60839-11-5:2020. Its Secure Channel uses AES-128 for encryption and an AES-based message authentication code, both keyed from a Secure Channel Base Key (SCBK) established at commissioning, and the specification defines a hardcoded default key (SCBK-D) that a reader uses in install mode until the controller issues a unique key through the osdp_KEYSET command. The specification does not require rotation of the unique key after provisioning, and industry practice on rotation cadence varies considerably across deployments. The cadence at the standards body is its own data point: OSDP 2.1.7 shipped in 2015, OSDP 2.2 shipped in December 2020, and the five years between them, followed by four more to 2.2.2, frame the trajectory at the protocol level. Version 2.3 is in working group draft with no announced timeline and no public statement from the standards body on a post-quantum revision identified as of April 2026. Adoption of OSDP itself, even at the current version, is below 30% of new projects according to 2022 industry data, which means the majority of installed readers are still running Wiegand, a 1980s protocol with no cryptographic protection at all. HID released OSDP Transparent Mode patents in March 2026 to enable broader implementation across reader manufacturers, which is a positive architectural development that does not address the post-quantum question directly. The migration the protocol requires is the replacement of pre-shared symmetric keys with negotiated key establishment through post-quantum key encapsulation, the addition of signature verification for reader firmware and configuration data, and the introduction of crypto agility that does not require specification revisions for future algorithm rotations. The computational budget of the system-on-chips in most currently shipping readers is insufficient for ML-KEM or ML-DSA operations, no major reader vendor has announced a post-quantum-ready stock keeping unit as of April 2026, and the installed base of OSDP readers cannot be field-upgraded to post-quantum cryptography in most cases.
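To make the pre-shared-key dependency concrete, the Go program below, added here and not part of the original article or of any vendor code, reproduces the OSDP Secure Channel session key derivation and the cryptogram exchange, then uses them as a commissioning check: from the three values a passive observer sees on the RS-485 bus (RND.A in osdp_CHLNG, RND.B and the PD cryptogram in osdp_CCRYPT) it determines whether a reader is still on the public default key SCBK-D, in which case the observer also holds all three session keys. The derivation constants follow the OSDP v2.2 Secure Channel as implemented in open-source OSDP stacks; confirm them against the SIA specification for your version. The handshake values are constructed, not captured.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// SCBKDefault is the publicly specified install-mode key (the ASCII run 0x30..0x3F)
// that a PD uses until the CP installs a unique SCBK with osdp_KEYSET.
var SCBKDefault = []byte{0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
	0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F}

// SessionKeys are the three per-session keys derived from the SCBK and RND.A.
type SessionKeys struct {
	SEnc, SMAC1, SMAC2 []byte
}

// aesBlock encrypts a single 16-byte block with AES-128 (ECB), the only
// primitive the OSDP key derivation and cryptograms use.
func aesBlock(key, in []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, in)
	return out, nil
}

// DeriveSessionKeys follows the OSDP Secure Channel derivation:
//   key = AES-128(SCBK, 0x01 || tag || RND.A[0:6] || 0x00 * 8)
// with tag 0x82 for S-ENC, 0x01 for S-MAC1 and 0x02 for S-MAC2. Only the first
// six bytes of the CP-generated RND.A enter the derivation; the PD contributes nothing.
func DeriveSessionKeys(scbk, rndA []byte) (*SessionKeys, error) {
	if len(scbk) != 16 || len(rndA) != 8 {
		return nil, errors.New("SCBK must be 16 bytes and RND.A 8 bytes")
	}
	derive := func(tag byte) ([]byte, error) {
		in := make([]byte, aes.BlockSize)
		in[0], in[1] = 0x01, tag
		copy(in[2:8], rndA[:6])
		return aesBlock(scbk, in)
	}
	keys := new(SessionKeys)
	var err error
	if keys.SEnc, err = derive(0x82); err != nil {
		return nil, err
	}
	if keys.SMAC1, err = derive(0x01); err != nil {
		return nil, err
	}
	if keys.SMAC2, err = derive(0x02); err != nil {
		return nil, err
	}
	return keys, nil
}

// PDCryptogram is the value the PD returns in osdp_CCRYPT: AES(S-ENC, RND.A || RND.B).
func PDCryptogram(k *SessionKeys, rndA, rndB []byte) ([]byte, error) {
	return aesBlock(k.SEnc, append(append([]byte{}, rndA...), rndB...))
}

// CPCryptogram is the value the CP sends in osdp_SCRYPT: AES(S-ENC, RND.B || RND.A).
func CPCryptogram(k *SessionKeys, rndA, rndB []byte) ([]byte, error) {
	return aesBlock(k.SEnc, append(append([]byte{}, rndB...), rndA...))
}

// PDOnDefaultKey is the commissioning check. Given the three values visible on
// the bus (RND.A from osdp_CHLNG, RND.B and the PD cryptogram from osdp_CCRYPT),
// it reports whether the PD is still running SCBK-D and, if so, returns the
// session keys that any passive observer of the handshake now shares.
func PDOnDefaultKey(rndA, rndB, observedPDCryptogram []byte) (*SessionKeys, bool) {
	k, err := DeriveSessionKeys(SCBKDefault, rndA)
	if err != nil {
		return nil, false
	}
	expected, err := PDCryptogram(k, rndA, rndB)
	if err != nil || !bytes.Equal(expected, observedPDCryptogram) {
		return nil, false
	}
	return k, true
}

func main() {
	// Constructed handshake values, not a bus capture.
	rndA, _ := hex.DecodeString("0102030405060708")
	rndB, _ := hex.DecodeString("a1a2a3a4a5a6a7a8")

	// Case 1: the PD never received osdp_KEYSET and still runs on SCBK-D.
	pdKeys, _ := DeriveSessionKeys(SCBKDefault, rndA)
	cryptogram, _ := PDCryptogram(pdKeys, rndA, rndB)
	if k, ok := PDOnDefaultKey(rndA, rndB, cryptogram); ok {
		fmt.Printf("PD on SCBK-D; observer recovers S-ENC=%x S-MAC1=%x\n", k.SEnc, k.SMAC1)
	}

	// Case 2: the PD holds a site-unique SCBK; the same observer learns nothing.
	unique := []byte("site-unique-scbk")
	pdKeys, _ = DeriveSessionKeys(unique, rndA)
	cryptogram, _ = PDCryptogram(pdKeys, rndA, rndB)
	if _, ok := PDOnDefaultKey(rndA, rndB, cryptogram); !ok {
		fmt.Println("PD on a unique SCBK; default-key check correctly fails")
	}
}
```

The check is worth running against every reader on a bus after installation, because nothing in the protocol forces the osdp_KEYSET step and a reader left on SCBK-D is encrypted in name only. Note also what the derivation does not contain: no contribution from the reader, no negotiation, and no algorithm identifier. That absence is the crypto agility gap the paragraph above describes, and it is why a post-quantum revision cannot be a key-length change.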

### The Credential Format Is Where the Verification Reframes the Argument

Infineon&apos;s SLC27 security controller began shipping on October 14, 2025. It is a contactless and dual-interface security controller with a Common Criteria-certified cryptography library that supports both ML-KEM and ML-DSA. The controller is built on the TEGRION platform with the Integrity Guard 32 architecture, which provides side-channel and fault-attack resistance at a level appropriate for smart card and secure element applications. It supports in-field updates and crypto agility, which means the algorithms it implements today are not the only algorithms it will be able to implement during its service life. The SLC27 is available in sample volumes and in high-volume production today. The certification work that produced it built on Infineon&apos;s earlier achievement, in January 2025, of the world&apos;s first Common Criteria EAL6 certification for a post-quantum-cryptography-ready security controller, which established the cryptographic and side-channel resistance architecture that the SLC27 productizes.

Thales launched the MultiApp 5.2 Premium PQC on October 7, 2025, becoming the first European smart card to be certified at Common Criteria EAL6+ by France&apos;s national cybersecurity agency, ANSSI. The card integrates ML-DSA at parameter set 65 as its post-quantum signature algorithm, and it is positioned for European national identity cards, electronic health cards, driver&apos;s licenses, and electronic passports. The certification scope is specific to European government identity applications, but the underlying smart card platform is adaptable to other applications. The October 2025 launch represents the first complete quantum-safe smart card solution to obtain augmented EAL6 certification, and it gives Thales a structural lead in the smart card segment that will carry through the procurement cycles that follow.

NXP announced MIFARE DUOX, a contactless smart card integrated circuit with a feature set that includes AES-256, 256-bit elliptic curve cryptography on the National Institute of Standards and Technology P-256 and brainpoolP256r1 curves, and public key infrastructure certificate handling. Safetrust announced an integration partnership with NXP in February 2025 that positioned MIFARE DUOX as a post-quantum-ready credential within the Safetrust ecosystem, with the readiness positioned as a migration bridge through hardened classical cryptography rather than as native ML-KEM or ML-DSA support. The partnership represents the most post-quantum-forward public positioning from any vendor adjacent to the PACS credential channel as of April 2026.

The credentials in enterprise deployment are HID Crescendo and iCLASS Seos, the Avigilon Alta and Brivo mobile credentials, and the MIFARE-family proximity cards still in widespread use. Neither the Infineon SLC27 nor the Thales MultiApp 5.2 will land in those deployments. Thales targets European government identity, where the certification scope and lifecycle expectations do not match enterprise corporate access, and Infineon&apos;s secure element is upstream of a different supply chain than HID and the other credential vendors source from. Both are cited here as existence proofs that post-quantum silicon and certified smart card platforms are productizable at industrial scale, not as the path forward for enterprise PACS, which runs through NXP shipping post-quantum silicon and HID extending post-quantum into its credential application layer.

What the PACS industry has built on this foundation is the gap. No major North American PACS-branded credential vendor has announced a post-quantum-native credential product, and the installed base of credentials continues to ship with cryptographic protections that range from triple Data Encryption Standard on the older MIFARE DESFire generations, to AES-128 on the current generations, to no cryptographic protection at all on the substantial residual proximity card population at 125 kilohertz that remains particularly common in the North American enterprise installed base. The MIFARE DESFire installed base is itself heterogeneous by geography, with NXP holding greater share in Europe than in North America according to Allegion&apos;s own characterization of the market, and the EV3 generation that introduced the most recent capability set was announced only in June 2020, which means the EV3-equipped portion of the installed base is recent rather than dominant. The card-format gap is not silicon, it is not smart card platform certification, and it is not standards work. It is PACS-vendor product development, and the European government identity market has now shipped post-quantum-native smart cards while the PACS credential vendors have not built equivalent products. The fact that government identity smart cards and PACS credentials are different product categories with different procurement cycles is true, and it does not change the structural observation that the underlying technology has shipped from the silicon and platform vendors and the PACS channel has not built on it.

Whether the deployed credential population can be re-keyed in field or whether the substrate forces replacement is the operational question that determines what a migration costs. The two outcomes differ in cost by an order of magnitude.

The answers depend on the chip. For credentials in enterprise deployment today, 125-kHz proximity cards have no cryptographic key to rotate, which forces substrate replacement at any post-quantum migration point. MIFARE DESFire and similar smart card families are technically re-keyable in field through the chip&apos;s secure messaging channel, but only if the issuance infrastructure exists to push new keysets at scale and only if the chip itself supports the new algorithms, which means a post-quantum migration on these families requires new chips with post-quantum-capable secure elements rather than just key rotation. HID iCLASS Seos faces the same constraint, because the underlying secure element does not support post-quantum algorithms today. Mobile credentials including Avigilon Alta, Brivo, and HID Mobile Access re-key by pushing software to the device on demand, which is the strongest operational reason to favor mobile-first credential architectures in enterprises planning around the deprecation window.

Three questions are worth putting to credential vendors at the next procurement review. Can the keyset be rotated in field after issuance, and what is the operational workflow for a deployment-wide rotation? When a new cryptographic algorithm is required, is the migration a software update or a substrate replacement? What architectural features in the secure element preserve crypto agility after the credential has been issued? Vendors who cannot answer these questions concretely are selling credentials whose operational migration cost is unknowable, and that uncertainty is itself the procurement finding.

The LEAF Consortium, founded in 2023 by Wavelynx and a small group of independent reader and credential vendors, publishes an open credential format that multiple vendors can read and issue against. The open multi-vendor structure changes the migration dynamic in a way the HID-dominant channel cannot match, because the moment one consortium member ships post-quantum credentials, the rest face competitive pressure to follow. No LEAF member has announced a post-quantum-native product as of April 2026. For enterprises whose procurement cycles align with the deprecation window, LEAF-compatible readers and credentials specified in the procurement stack create migration optionality that proprietary HID-only stacks do not.

Personal identity verification cards used in federal contexts are a specific exception governed by their own migration path, with Federal Information Processing Standard 201 compliance and CNSA 2.0 trajectory applying directly, and federal credential issuance has distinct requirements that this commercial-focused analysis treats as adjacent rather than central.

### Firmware Signing Is Where the Deprecation Risk Is Sharpest

The firmware signing layer is the layer where the deprecation risk is most acute architecturally and where supplier readiness is the hardest to verify from outside the vendor relationship.

PACS controllers sign firmware classically, using either RSA-2048 or ECDSA on the National Institute of Standards and Technology P-256 curve, both of which fall inside the deprecation window that NIST IR 8547 establishes. HID Mercury&apos;s MP series, which is the platform that dominates the North American installed base under HID Global&apos;s ownership through ASSA ABLOY, features ARM TrustZone, secure boot, AES-256 for data at rest, and TLS at versions 1.2 and 1.3 for the controller-to-host connection. None of these are post-quantum primitives. Public material from HID Mercury as of April 2026 does not reference ML-KEM, ML-DSA, LMS, XMSS, or post-quantum cryptography in product documentation, firmware release notes, partnership announcements with post-quantum silicon vendors, or CNSA 2.0 compliance statements. The absence of these indicators is not definitive proof that no such work is underway, but it is the set of signals that would exist if post-quantum support were present or planned in any visible form, and none of them are observable in the public record.

Open-source root-of-trust projects and at least one microcontroller vendor have demonstrated that post-quantum-capable controller silicon is achievable through reasonable engineering work. Infineon&apos;s PSOC Control C3 Performance Line is marketed as CNSA 2.0-compliant for firmware verification beginning in 2025. The OpenTitan project supports the SPHINCS+ precursor to SLH-DSA, and the Caliptra project supports LMS. These are not drop-in replacements for HID Mercury controllers, and substituting them would require significant integration work, but they establish that the engineering is not blocked by physics or by the availability of cryptographic implementations.

What CNSA 2.0 specifies for firmware and software signing is stateful hash-based signatures, specifically LMS or XMSS as defined in NIST Special Publication 800-208, rather than the stateless SLH-DSA that NIST standardized in FIPS 205. This distinction is procurement-relevant because the two families have different operational requirements. Stateful signatures require state management infrastructure: each signing operation consumes a one-time key, and signing twice with the same one-time key reveals enough of it for an attacker to forge further signatures under it, so the signing infrastructure must durably record which leaf has been consumed before it releases a signature. That record must also survive the cases where a counter silently rewinds, namely restores from backup, failover between signing modules, and cloning of the signing key onto a second device. SLH-DSA avoids the state management requirement, but its signatures are large: on the order of 16 kilobytes for the small parameter set at security category 3 and roughly twice that for the fast set, which raises practical implementation questions for firmware update workflows on controllers with constrained network bandwidth or limited storage for cached signatures. A controller vendor who cannot articulate the choice between LMS, XMSS, and SLH-DSA for their firmware signing roadmap, and who cannot describe the state management architecture they will use if they choose the stateful path, is not actually building to the standard regardless of any general post-quantum positioning they may claim. This is the question to put to every PACS controller vendor at the next product review.
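The state-management requirement is easier to reason about with a concrete signer in hand. The following is an added example, not code from this article or from any PACS vendor: a miniature stateful hash-based scheme in the LMS/XMSS style, built from Lamport one-time keys under a small Merkle tree, with the leaf counter as the state. The tree height, the per-leaf key derivation and the function names are illustrative choices rather than an SP 800-208 parameter set, and a real deployment uses a vetted LMS or XMSS implementation. The `unsafe_sign` helper stands in for a signer that skips the state update, and `exposed_fraction` measures how much of a one-time key two such signatures give away.

```python
# Added example: toy stateful hash-based signatures (Lamport one-time keys under a
# Merkle tree) showing why the leaf counter is the security-critical state.
# Not an SP 800-208 parameter set; tree height and derivation are illustrative.
import hashlib
import os

N = 256  # SHA-256 digest bits; one Lamport secret pair per bit


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) % 2


def lamport_keygen(seed: bytes, leaf: int):
    # sk[i][b] is the secret revealed when bit i of H(message) equals b
    sk = [[H(seed, leaf.to_bytes(4, "big"), i.to_bytes(2, "big"), bytes([b]))
           for b in (0, 1)] for i in range(N)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def leaf_hash(pk) -> bytes:
    return H(*[h for pair in pk for h in pair])


class StatefulSigner:
    """A Merkle tree over 2**height one-time keys plus the leaf counter that is the state."""

    def __init__(self, height=2, seed=None):
        self.seed = seed or os.urandom(32)
        self.levels = [[leaf_hash(lamport_keygen(self.seed, i)[1]) for i in range(2 ** height)]]
        while len(self.levels[-1]) > 1:  # hash pairs upward until one root remains
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]  # the public key a controller would burn into ROM
        self.next_leaf = 0  # persist durably before any signature leaves this process

    def _sign_with_leaf(self, idx: int, msg: bytes):
        sk, pk = lamport_keygen(self.seed, idx)
        d = H(msg)
        reveal = [sk[i][bit(d, i)] for i in range(N)]
        auth, pos = [], idx
        for lvl in self.levels[:-1]:  # sibling path from leaf to root
            auth.append(lvl[pos + 1] if pos % 2 == 0 else lvl[pos - 1])
            pos //= 2
        return {"leaf": idx, "reveal": reveal, "pk": pk, "auth": auth}

    def sign(self, msg: bytes):
        if self.next_leaf >= len(self.levels[0]):
            raise RuntimeError("one-time keys exhausted; provision a new tree")
        idx = self.next_leaf
        self.next_leaf += 1  # advance state before signing so a crash cannot reuse idx
        return self._sign_with_leaf(idx, msg)


def unsafe_sign(signer: StatefulSigner, idx: int, msg: bytes):
    """What a broken signer does: reuse leaf idx without consulting or updating state."""
    return signer._sign_with_leaf(idx, msg)


def verify(root: bytes, msg: bytes, sig) -> bool:
    d = H(msg)
    for i in range(N):  # every revealed secret must hash to the selected public half
        if H(sig["reveal"][i]) != sig["pk"][i][bit(d, i)]:
            return False
    node, pos = leaf_hash(sig["pk"]), sig["leaf"]
    for sibling in sig["auth"]:  # recompute the Merkle path to the root
        node = H(node, sibling) if pos % 2 == 0 else H(sibling, node)
        pos //= 2
    return node == root


def exposed_fraction(sig_a, sig_b) -> float:
    """Share of the 2*N secrets of one leaf that two signatures on that leaf reveal."""
    assert sig_a["leaf"] == sig_b["leaf"]
    seen = set(sig_a["reveal"]) | set(sig_b["reveal"])
    return len(seen) / (2 * N)
```

One signature reveals exactly half of a Lamport key by construction; two signatures on the same leaf over different messages reveal roughly three quarters of it, which is why `sign` advances `next_leaf` before it computes anything, and why that counter has to survive restores from backup and failover between signing modules rather than living only in process memory.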

Hybrid signature schemes that combine classical and post-quantum signatures with both verified at update time are the defensible transitional posture for the period between now and full post-quantum confidence. They preserve backward compatibility while establishing the migration path. Commercial PACS controller vendors have not publicly adopted hybrid signing as of April 2026.

### Controller-to-Host TLS Is the Easiest of the Four

The controller-to-host TLS layer is the easiest of the four migrations from a cryptographic-availability standpoint, and it is the migration most likely to be partially in place at any given enterprise without explicit effort.

Controllers communicate with head-end software over TLS, with modern deployments running version 1.2 or 1.3 with elliptic curve Diffie-Hellman ephemeral key exchange and either RSA or ECDSA certificates. Legacy deployments run earlier TLS versions or unauthenticated control channels, which is a separate and serious problem that any security leader auditing a PACS deployment should look for, because it is more common than the industry openly acknowledges. The migration to post-quantum at this layer is largely a question of TLS stack version management and certificate authority capability rather than fundamental engineering work. Hybrid key exchange combining the X25519 elliptic curve with ML-KEM at parameter set 768, the TLS group named X25519MLKEM768, is the emerging de facto standard across major TLS implementations and is deployed at scale by Cloudflare, Amazon Web Services, Google, and Microsoft; it is a TLS 1.3 construct, so a head-end pinned to TLS 1.2 cannot inherit it. OpenSSL 3.5 ships ML-KEM and that hybrid group natively, earlier OpenSSL 3.x releases reach it only through the Open Quantum Safe provider, and BoringSSL has production support. ML-DSA certificates exist, the National Institute of Standards and Technology predicted in 2024 that the first post-quantum certificates would be commercially available in 2026, and the Certificate Authority and Browser Forum is working on the identifier standardization that broader adoption requires.

The harder problem at this layer is not cryptographic availability, it is enterprise public key infrastructure maturity. Most enterprise certificate authorities do not yet issue ML-DSA certificates at production scale, and the certificate lifecycle management for PACS endpoints is informal in most deployments, with certificates issued at installation, rarely rotated, and not tracked in enterprise public key infrastructure inventory systems. The migration is achievable by 2028 to 2029 for enterprises with mature public key infrastructure governance, and it is not achievable on that timeline for the median deployment because the median deployment does not have mature public key infrastructure governance for PACS endpoints to begin with. Remote Authentication Dial-In User Service-based certificate authentication for PACS endpoints exists in some government deployments but is not standard practice in the commercial channel.

The inheritance confusion that the cloud-hosting analysis flagged is particularly acute at this layer, because the hyperscalers have deployed hybrid ML-KEM TLS across their managed services, and a cloud-hosted PACS deployment inherits the partially-migrated transport posture for free. That inherited posture does not extend to the PACS application&apos;s internal cryptographic primitives. A deployment running on modern cloud infrastructure can therefore appear post-quantum-migrated at the transport layer while remaining fully classical at the application layer, where the firmware signing certificates and credential authentication ceremonies actually live, and it is the application layer that determines whether a controller&apos;s firmware signing root or a credential&apos;s authentication exchange is post-quantum. Even the transport posture is only partial: a hybrid ML-KEM key exchange protects session confidentiality against harvest-now-decrypt-later collection, but the certificate that authenticates the head-end is still ECDSA or RSA until ML-DSA or hybrid certificates are issued, so an audit should record the negotiated key-exchange group and the certificate signature algorithm as two separate findings.
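The probe a security leader can actually run against a head-end is an `openssl s_client` connection, and the text it prints is enough to separate the two layers discussed above. The code below is an added example, not part of this article or of any vendor&apos;s tooling. It parses the `Negotiated TLS1.3 group:`, `Peer signature type:` and `Server public key is` lines that recent OpenSSL releases print (assumed here to match OpenSSL 3.5 output; the two transcripts are constructed, not captured), reports the key-exchange posture and the certificate posture separately, and wraps a live probe that offers the X25519MLKEM768 hybrid group first. The group list passed to `probe` assumes an OpenSSL 3.5 or later client.

```python
# Added example: classify a PACS head-end from openssl s_client output, keeping the
# transport (key exchange) verdict separate from the authentication (certificate)
# verdict. Transcripts below are constructed to resemble OpenSSL 3.5 output.
import re
import subprocess

HYBRID_PQ_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
# NIST IR 8547: 112-bit-strength public keys (RSA-2048, P-256) deprecated after 2030
CLASSICAL_112_BIT = {("RSA", 2048), ("ECDSA", 256)}


def parse_s_client(text: str) -> dict:
    """Pull the fields that matter for the post-quantum question out of s_client output."""
    def grab(pattern, default=None):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else default
    return {
        "protocol": grab(r"^New, (TLSv1\.[0-9]), Cipher"),
        "group": grab(r"^Negotiated TLS1\.3 group: (\S+)"),
        "peer_sig": grab(r"^Peer signature type: (\S+)"),
        "key_bits": int(grab(r"^Server public key is (\d+) bit", "0")),
    }


def classify(fields: dict) -> dict:
    """Transport and authentication verdicts, kept separate on purpose."""
    group = fields["group"] or ""
    key_exchange_pq = group in HYBRID_PQ_GROUPS or "MLKEM" in group.upper()
    auth_classical = ((fields["peer_sig"], fields["key_bits"]) in CLASSICAL_112_BIT
                      or fields["peer_sig"] in ("RSA", "RSA-PSS", "ECDSA"))
    findings = []
    if fields["protocol"] != "TLSv1.3":
        findings.append("negotiate TLS 1.3; hybrid ML-KEM groups are TLS 1.3 only")
    if not key_exchange_pq:
        findings.append("key exchange is classical: harvest-now-decrypt-later applies")
    if auth_classical:
        findings.append("certificate chain is classical: needs ML-DSA or hybrid certs")
    return {"key_exchange_pq": key_exchange_pq, "auth_classical": auth_classical,
            "findings": findings}


def probe(host: str, port: int = 443, timeout: int = 10) -> dict:
    """Live probe (network required, OpenSSL 3.5+ client assumed); same output shape as classify()."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-groups", "X25519MLKEM768:X25519"]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return classify(parse_s_client(out.stdout.decode(errors="replace")))


# Constructed, abridged transcripts standing in for two PACS head-ends.
LEGACY_HEAD_END = """
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
"""

CLOUD_HOSTED_HEAD_END = """
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Peer signature type: ECDSA
Negotiated TLS1.3 group: X25519MLKEM768
"""
```

Running `probe(host, port)` against a head-end returns the same dictionary the constructed transcripts produce; a result with `key_exchange_pq` true and `auth_classical` true is exactly the cloud-inherited posture described above, post-quantum on the wire and classical where the endpoint proves who it is.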

The supplier-side gap is the structural condition that defines what enterprises can and cannot procure within the deprecation window.

A methodology note on the negative claims in this section: the assertion that no major North American PACS-branded credential vendor has announced a post-quantum-native product, that no leading controller manufacturer has published a post-quantum firmware signing roadmap, and that no public OSDP 2.3 timeline exists, reflects a public-record review conducted in April 2026 across HID, Mercury, LenelS2, Honeywell Pro-Watch, Johnson Controls C·CURE, Genetec Synergis, AMAG Symmetry, Avigilon Alta, Brivo, Kisi, Allegion, Wavelynx, Safetrust, and SIA OSDP materials. Search terms covered post-quantum, PQC, ML-KEM, ML-DSA, SLH-DSA, LMS, XMSS, CNSA 2.0, quantum-safe, firmware signing, and crypto agility. Absence of public evidence is not proof of no internal roadmap work, but it is the procurement-relevant signal available to enterprise buyers.

## The Credential Hierarchy the Industry Teaches Is Not the Hierarchy That Holds Up Under Examination

The post-quantum question is not isolated to algorithm selection. It changes how credential architectures should be ranked, because the credential substrate determines where secrets live, whether trust roots can migrate, and whether the vendor roadmaps behind the credential can plausibly survive the deprecation window.

Industry training materials and integrator sales conversations teach a credential hierarchy organized by the strength of the authentication ceremony at the reader, with biometric readers ranked highest, then smart cards with personal identification numbers, then smart cards alone, then mobile credentials, and proximity cards ranked lowest because they offer no cryptographic protection at all. This hierarchy ranks the credential presentation, not the credential infrastructure. It treats the reader as the security boundary, which is appropriate for evaluating the moment of authentication but inappropriate for evaluating the lifecycle question of where secrets live, how they are protected at rest, what happens to the population when a single template store is breached, which suppliers have post-quantum roadmaps that match the deprecation window, and whether the underlying vendor will still be supporting the credential in five to ten years. Under honest analysis the hierarchy reorders, not uniformly and not as dramatically as some mobile-wallet vendor marketing would suggest, but enough that the conventional ranking is a poor guide for credential decisions made in 2026.

### The Reconsidered Hierarchy

The first tier of credential architecture is the mobile wallet credential held in a hardware secure element on a known-good device platform. On iPhone with Apple Secure Element, the credential is stored in a hardware secure element with biometric authentication mediated by the Secure Enclave, which never stores raw biometric images and instead derives a mathematical representation that is bound to a device unique identifier inaccessible to Apple. The near-field communication tap requires physical proximity at approximately 5 centimeters, which structurally constrains the attack surface compared to Bluetooth Low Energy alternatives that operate over much longer ranges. The secure element architecture is uniform across supported iPhones, which is a structural advantage in a bring-your-own-device workforce because the security leader can reason about the substrate without per-device variability. Apple does not have visibility into the access events, the credential never transits Apple&apos;s servers in a form that could be correlated to physical locations, and Express Mode and Power Reserve cover the operational convenience cases that physical cards have historically claimed as their advantage. Apple&apos;s own post-quantum work is informative for the credential architecture, with Apple PQ3 in iMessage using ML-KEM for key encapsulation, but Apple has not publicly extended ML-DSA to the secure element for signatures, which means the current generation Apple Wallet credential&apos;s post-quantum posture is bounded by the secure element silicon Apple has shipped and a hardware refresh would be required for full post-quantum capability.

The vendor dependency point that matters here is that Apple Wallet employee badges do not exist independently of the PACS credential layer. Apple partnered with HID Global and ASSA ABLOY, with Allegion in the broader partner set, to build the employee badge program, and the badge is a wallet-form representation of a credential whose intelligence still flows through the PACS industry. Silverstein Properties&apos; World Trade Center deployment, for example, runs the SwiftConnect Access Cloud as the orchestration layer, HID Origo for credential lifecycle management, HID Seos as the underlying credential technology, and HID Signo readers at the doors. The wallet form factor substitutes for the physical card form factor, but it does not substitute for the credential channel&apos;s role in the architecture. Apple&apos;s strength is the device substrate and the secure element, and the credential intelligence is still coming from HID and its partners. This is not a critique of the wallet architecture, it is the structural reality that the vendor dependency analysis later in the section needs to account for.

The Pixel and Galaxy flagship implementations occupy the same architectural tier as iPhone with structural caveats. Google&apos;s Pixel 6 through 10 use the Titan M2 secure element, which is RISC-V based and certified at Common Criteria EAL4+ AVA_VAN.5. Samsung&apos;s Galaxy S21 and later flagship devices use Knox Vault, certified at Common Criteria EAL4+ under Protection Profile 0084 from the German Federal Office for Information Security and additionally validated under FIPS 140-2. Titan M3 is rumored for the Pixel 11 in late 2026 with post-quantum positioning, though no public confirmation exists. Google Wallet&apos;s corporate badge implementation uses hardware secure element through MIFARE 2GO on capable devices rather than cloud-based host card emulation, which keeps the credential in hardware. The Android Ready SE Alliance, founded in March 2021 with members including Giesecke+Devrient, Kigen, NXP, STMicroelectronics, and Thales, exists because secure element quality varies materially across Android original equipment manufacturers, and a security leader in a bring-your-own-device workforce cannot assume uniform substrate quality across the Android device population the way the leader can on iPhone.

The second tier is the match-on-card biometric Fast Identity Online 2 smart card, with Thales SafeNet IDPrime FIDO Bio as the canonical example and FEITIAN and AuthenTrend as architecturally equivalent alternatives. The biometric sensor lives on the card itself, the template never leaves the card, and the secure element on Thales IDPrime is certified at Common Criteria EAL6+. The architecture is compliant with the three requirements for biometric template protection that the 2022 edition of International Organization for Standardization 24745 sets: irreversibility, unlinkability, and revocability. The operational cost is real because the architecture requires enrollment infrastructure, card issuance workflow, and replacement and revocation processes that proximity card and basic smart card deployments do not need. In life sciences and biomedical research environments where biometric enrollment is already a regulated operational practice, this tier is more accessible than in a typical corporate office because the enrollment overhead is partially absorbed by existing compliance work.

The third tier is the converged personal identity verification and Fast Identity Online 2 public key infrastructure card with personal identification number, with HID Crescendo C2300 as the exemplar product. The card combines Fast Identity Online 2 capability, public key infrastructure operations, and embedded PACS credentials—Seos, iCLASS Standard Edition, MIFARE DESFire—on a single physical credential. It is certified at Federal Information Processing Standard 140-2 Level 2 or Level 3 depending on the specific stock keeping unit, and at Common Criteria EAL5+. It is compatible with the Personal Identity Verification standard for federal contexts. The architecture combines a personal identification number as a knowledge factor with the card as a possession factor, which provides strong cryptographic assurance for the authentication ceremony but weaker user verification than the on-card biometric of the second tier or the device-based biometric of the first tier.

The fourth tier is the commercial biometric reader operating in a match-on-device mode, where the template lives on the reader rather than on the card or on the user&apos;s device. HID Signo 25B can operate in match-on-card mode, but most deployments default to on-device storage because it simplifies enrollment. IDEMIA SIGMA, IDEMIA VisionPass, and IDEMIA MorphoWave default to match-on-device or match-on-server. Suprema BioStation 3, after the BioStar 2 breach in 2019, added a Face Template on Mobile option that stores the template on the user&apos;s device, although the default deployment mode remains on-device or server-backed. Alcatraz.ai stores templates on the device by design, which is architecturally cleaner than the IDEMIA and Suprema defaults, but the architectural improvement is bundled with a proprietary closed-stack deployment that introduces commercial portability problems.

The fifth tier is the commercial biometric reader operating in match-on-server mode, where raw or lightly-encrypted biometric templates are stored centrally in the PACS infrastructure or in the biometric vendor&apos;s backend. This architecture violates all three of the requirements that International Organization for Standardization 24745 sets for biometric template protection, and it creates mass exfiltration risk that is permanent because the underlying biometric cannot be rotated the way a password or a certificate can. This is the BioStar 2 architecture, and it remains the industry default for server-backed biometric deployments in 2026 despite the lessons that should have been learned.

### What BioStar 2 Demonstrated About Template Architecture

The BioStar 2 breach in August 2019 exposed 27.8 million records totaling 23 gigabytes of data, including over one million individuals&apos; fingerprint templates in raw form. The affected organizations included the United Kingdom Metropolitan Police, multiple banks, defense contractors, and approximately 5,700 organizations in total. The exposure occurred through a poorly configured Elasticsearch database that researchers were able to both read from and write to, which meant they could replace fingerprint records, alter access entitlements, and delete logs that would have evidenced the manipulation. Plaintext administrator passwords were among the exposed data. The Suprema system integrated with Nedap AEOS, which serves enterprises across 83 countries, which extended the architectural lessons of the breach to a much broader installed base than Suprema&apos;s own customer count would suggest.

The exposure is permanent rather than recoverable, and the academic literature on biometric template reconstruction explains why. Cappelli and colleagues, writing in the Institute of Electrical and Electronics Engineers Transactions on Pattern Analysis and Machine Intelligence in 2007, demonstrated reconstruction of fingerprint images from International Organization for Standardization 19794-2 templates with greater than 90 percent success against commercial fingerprint recognition systems. Ross, Shah, and Jain published companion template-to-image reconstruction work in the same journal in the same year. Galbally&apos;s later survey work documents that template irreversibility, the assumption underneath the entire architectural premise of &quot;biometric templates are not biometric data,&quot; is academically discredited rather than merely contested. PrintListener and PrintListener++ research published at the Network and Distributed System Security Symposium in 2024 extended the attack surface by inferring fingerprint features from audio recordings of finger swipes. MasterPrint research from New York University demonstrated synthetic fingerprints that match significant fractions of the population at default sensor sensitivity settings.

The National Institute of Standards and Technology&apos;s position is that conventional cryptographic hashing cannot be applied to biometrics because biometric data is probabilistic rather than deterministic: the same finger presented at two different times produces slightly different sensor outputs, and a hash function that maps those slightly different inputs to unrelated outputs is useless for matching. Cancelable biometrics remain an active research area rather than a deployed standard. International Organization for Standardization 24745, in its 2022 edition, is the authoritative standard on biometric information protection, and the three requirements it sets, irreversibility, unlinkability, and revocability, are the architectural floor that any biometric deployment should be evaluated against. BioStar 2 violated all three, and the server-backed template storage pattern that BioStar 2 represented remains the industry default in 2026 rather than a discontinued architecture.
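The reason conventional hashing fails, and what a template-protection scheme has to do instead, is quicker to see in code than in prose. Below is an added example, not from this article and not any vendor&apos;s design: a naive hash check that breaks under a single flipped bit, beside a fuzzy commitment in the style of Juels and Wattenberg that stores only a hash of a random key plus XOR helper data. The templates are constructed bit strings, and the error-correcting code is a toy repetition code that corrects one flipped bit per group of three, not a production choice; real schemes use BCH or similar codes and have to account for helper-data leakage when template entropy is low.

```python
# Added example: why hashing a biometric template fails under sensor noise, and a
# toy fuzzy commitment that gives the stored record ISO 24745-style revocability.
# Templates are constructed; the repetition code is illustrative, not production.
import hashlib
import secrets

REP = 3  # repetition factor: corrects one flipped bit per group of three
TEMPLATE_BITS = 192  # 64 secret bits x REP


def sha256_hex(x: bytes) -> str:
    return hashlib.sha256(x).hexdigest()


def int_to_bits(value: int, n: int) -> list:
    return [(value >> (n - 1 - i)) % 2 for i in range(n)]


def bits_to_int(bits: list) -> int:
    out = 0
    for b in bits:
        out = out * 2 + b
    return out


def add_noise(template: list, flips: int) -> list:
    """Simulate a fresh sensor capture by flipping `flips` distinct bit positions."""
    noisy = list(template)
    for pos in secrets.SystemRandom().sample(range(len(template)), flips):
        noisy[pos] ^= 1
    return noisy


def naive_hash_matches(stored_hash: str, template: list) -> bool:
    """The approach NIST says cannot work: hash the template bits and compare."""
    return sha256_hex(bytes(template)) == stored_hash


def encode(key_bits: list) -> list:
    return [b for b in key_bits for _ in range(REP)]


def decode(codeword: list) -> list:
    """Majority vote within each group of REP bits."""
    return [1 if sum(codeword[i:i + REP]) > REP // 2 else 0
            for i in range(0, len(codeword), REP)]


def enroll(template: list) -> dict:
    """Bind a fresh random key to the template; store only H(key) and helper data."""
    key = secrets.randbits(TEMPLATE_BITS // REP)
    key_bits = int_to_bits(key, TEMPLATE_BITS // REP)
    helper = [c ^ t for c, t in zip(encode(key_bits), template)]
    return {"key_hash": sha256_hex(key.to_bytes(8, "big")), "helper": helper}


def match(record: dict, template: list) -> bool:
    """Recover the key from a noisy capture and check it against the stored hash."""
    noisy_codeword = [h ^ t for h, t in zip(record["helper"], template)]
    key = bits_to_int(decode(noisy_codeword))
    return sha256_hex(key.to_bytes(8, "big")) == record["key_hash"]


def revoke_and_reenroll(template: list) -> dict:
    """Revocability: a new key yields an unlinkable record for the same finger."""
    return enroll(template)
```

The server holds a key hash and helper data rather than the template, a re-enrollment with a fresh key produces a record that cannot be linked to the old one, and revocation is a delete of the old record; that is the revocability the standard asks for, and it is exactly what a stored template, hashed or not, can never provide.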

### The Vendor Dependency Question

Every credential architecture involves vendor dependency, and the honest evaluation question is which dependencies are most defensible rather than which architecture eliminates dependency.

The conventional industry framing is that open standards such as MIFARE DESFire and OSDP provide vendor independence. This framing is partially accurate at the protocol level and substantially less accurate at the product level. A MIFARE DESFire deployment depends on NXP as the chip vendor, on the specific PACS vendor&apos;s credential issuance and key management infrastructure, on the reader vendor&apos;s firmware implementation, and on the integration with the head-end software. The wire protocol is open, the commercial stack that delivers the protocol is not necessarily portable, and the operational dependencies that determine whether the deployment can survive a vendor exit are different from the standards-level dependencies that the procurement team evaluates.

The privacy-forward biometric vendors offer architecturally better template handling than the legacy biometric vendors, with Alcatraz.ai as the clearest example, but they bundle the architectural improvement with proprietary closed-stack deployments that create their own portability problems. Adopting Alcatraz.ai means committing to infrastructure without a clean migration path to a different vendor&apos;s architecture later if the business requirements change. The architectural improvement comes with a commercial-portability cost, and a security leader has to price both costs against the alternative of a more open but architecturally weaker template handling pattern.

Smart cards from Thales, FEITIAN, and AuthenTrend are architecturally excellent at the credential layer and depend on enrollment and issuance infrastructure that creates organizational dependency rather than vendor dependency in the traditional sense. The enterprise becomes dependent on the card vendors&apos; product roadmaps, which in turn depend on the secure element silicon roadmaps from the chip vendors. This dependency chain is longer than the mobile wallet chain, and each link introduces a vendor whose business decisions can affect the deployment&apos;s continuity.

Mobile wallet credentials depend on Apple, Google, and Samsung continuing to invest in the corporate badge form factor as a product. Apple and Google have demonstrated multi-year commitment through their respective wallet programs, and both companies are better-capitalized than any pure-play PACS vendor by orders of magnitude, which matters for the 2030 to 2035 horizon that the post-quantum migration runs on. The dependency analysis that favors the mobile wallet form factor is not &quot;Apple and Google are independent of the PACS industry&quot; because as the partnership structure with HID and ASSA ABLOY shows they are not, it is that the wallet vendors are likely to outlast the integration partners and the mobile wallet form factor is more likely to receive continued post-quantum investment than the physical card form factor receives from PACS-branded credential vendors.

Open-standard credentials carry the advantage that the protocol persists through vendor transitions. A building can change integrators, change card vendors, change reader vendors, and retain protocol-level compatibility. Wallet-based credentials are transient and replaceable in ways that physical cards and fobs are not, with credentials provisionable remotely when a phone is lost or damaged and credentials evaporating when an employee leaves the organization. The transience is an operational strength because it solves problems the physical card form factor never solved well, and it is also a dependency on the wallet provider&apos;s continued program investment because the operational simplicity disappears if the wallet program changes direction.

The honest assessment is that no credential choice eliminates vendor dependency, the dependencies look different across architectures in their failure modes and substitution costs, and the credential selection decision is properly framed as which portfolio of dependencies the enterprise can defend rather than which architecture is independent. A biometric startup going under is a different problem than a physical card stock vendor changing product lines, and rolling from one physical card format to another is expensive and slow while rolling from one mobile wallet provider to another is fast once the underlying credential layer is portable. The right credential strategy for a given enterprise depends on the timeline horizon, the portability requirements, the vendor risk appetite, and the differential consequence of credential compromise across the enterprise&apos;s specific portfolio of facilities and assets.

## Bluetooth Low Energy Has Failed at the Protocol Level Often Enough That the Pattern Is the Argument

The case for treating Bluetooth Low Energy differently from near-field communication in PACS architecture rests on roughly a decade of protocol-level and implementation-level vulnerability disclosures that share a structural pattern, and the case is strong enough that it should outweigh the operational convenience arguments that vendor-app Bluetooth Low Energy products typically lead with.

The pattern begins with BlueBorne, disclosed by Armis in September 2017, which exposed eight common vulnerabilities and exposures spanning Android, iOS, Linux, and Windows and put more than 5 billion devices at risk for zero-interaction remote code execution and man-in-the-middle attacks. A year after disclosure, approximately 2 billion devices remained unpatched, which is roughly 40 percent of the affected population. The Key Negotiation of Bluetooth attack, disclosed by Antonioli and colleagues at the USENIX Security Symposium in 2019 and tracked as CVE-2019-9506, affected Bluetooth Basic Rate and Enhanced Data Rate from version 1.0 through 5.1 by forcing negotiation of 1-byte entropy keys that rendered the encryption brute-forceable. The flaw was in the protocol itself rather than in any specific vendor&apos;s implementation, all four major Bluetooth silicon vendors were affected, and the addressable population was roughly 1 billion devices. BlueFrag, tracked as CVE-2020-0022 and disclosed in February 2020, was a zero-click remote code execution vulnerability affecting Android 8.0 through 9.0 that required only the target&apos;s Bluetooth media access control address, which on some devices could be deduced from the device&apos;s WiFi media access control address.

The Bluetooth Forward and Future Secrecy attack, disclosed by Antonioli at the Association for Computing Machinery Conference on Computer and Communications Security in 2023 and tracked as CVE-2023-24023, affected Bluetooth versions 4.2 through 5.4, which is every modern version of the protocol in active deployment. The research demonstrated six novel attacks where compromise of a single session key broke forward and future secrecy of all sessions between the two affected devices. The attacks were tested successfully against 17 Bluetooth chips across 18 devices from Intel, Broadcom, Apple, Samsung, Google, Qualcomm, and other major silicon vendors. The vulnerability was architectural in the Bluetooth standard rather than in any specific implementation, which means the standards body bears responsibility rather than any individual vendor. CVE-2023-45866, disclosed by researcher Marc Newlin in December 2023, enabled keystroke injection through a simulated Bluetooth keyboard pairing without user confirmation, and it affected Android 4.2 through 14, iOS 16.6, macOS 13.3.3 including Lockdown Mode, and Linux. The cross-platform implementation pattern indicates a class of vulnerability rather than a vendor-specific flaw.

The cadence of these disclosures matters. There has been roughly one major protocol-level Bluetooth vulnerability disclosure per year since 2017, with most affecting the protocol itself rather than implementation choices that vendors could have made differently. No other widely-used wireless protocol that PACS deployments could plausibly use as a credential transport has a comparable record of fundamental architectural security failures over this time horizon. The pattern is the argument, and the argument does not depend on any single vulnerability being unpatched in any specific deployment; it depends on the structural observation that the protocol&apos;s history establishes a high prior probability that the next major architectural vulnerability is closer than any vendor&apos;s roadmap acknowledges.

### The Android Implementation Fragmentation Problem

Academic consensus on Android security fragmentation is consistent across multiple independent research lines, and the consequences for a security leader operating a bring-your-own-device workforce are quantifiable. Wu and colleagues, Zhou and colleagues, and Thomas and colleagues found in separate studies that 64 to 85 percent of Android security vulnerabilities derive from vendor customization of the underlying Android Open Source Project rather than from the Android codebase itself, and that 87 percent of Android devices in the field have at least one unpatched critical vulnerability at any given time. A Bluetooth Low Energy specific study of 3,501 applications drawn from the Androzoo corpus found that all of them were subject to downgrade and man-in-the-middle attacks at ranges of up to 76 meters in line-of-sight conditions.

Translated into the practical question a security leader has to answer, applied to a 5,000-person bring-your-own-device workforce as a rough heuristic, this implies on the order of 4,350 devices statistically carrying at least one known critical vulnerability at any given moment, and the leader cannot patch them because the leader does not own them and cannot enforce patch compliance against personal devices without policy mechanisms that most workforces will not absorb without significant friction. This is structural attack surface that exists independent of any specific PACS vendor&apos;s Bluetooth Low Energy implementation quality, and it cannot be remediated through vendor selection because it is a property of the substrate the credential rides on rather than a property of the credential itself.

Bluetooth Low Energy address randomization, the mechanism the standard provides to prevent device tracking through fixed identifiers, is implemented inconsistently across Android original equipment manufacturers. Some manufacturers leave a resolvable private address unchanged for longer than the 15-minute rotation interval the Bluetooth Special Interest Group recommends, and some ship devices that advertise with a static random address that never rotates at all, which means the substrate cannot reliably provide the privacy property the protocol nominally offers.
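The rotation behaviour described above can be measured directly from a scan log rather than taken from a manufacturer data sheet. The following is an added example, not code from the article or from any PACS vendor: it classifies Bluetooth Low Energy random addresses by the two most significant bits the Core Specification assigns to resolvable private, non-resolvable private and static random addresses, then measures how long each address stayed in use per device and flags anything that outlived the 15-minute limit or never rotates. The scan records and device labels are constructed, and the labels assume the auditor can attribute addresses to known test phones out of band, for instance by resolving them with each phone&apos;s identity resolving key.

```python
"""Audit Bluetooth Low Energy address rotation from a scan log.

Added example, not code from the article or from any PACS vendor. Constructed
here: the scan records, the device labels, and the assumption that the auditor
can attribute addresses to known test phones out of band (for instance by
resolving them with the phone identity resolving key). The 15-minute limit is
the recommended T_GAP(private_addr_int) from the Bluetooth Core Specification.
"""

RPA_ROTATION_LIMIT_S = 15 * 60


def random_addr_kind(addr: str) -> str:
    """Classify a random device address by the two most significant bits of
    its first octet: 0b01 resolvable private, 0b00 non-resolvable private,
    0b11 static random; 0b10 is reserved."""
    msb = int(addr.split(":")[0], 16)
    return {0b00: "non-resolvable", 0b01: "resolvable", 0b11: "static"}.get(msb >> 6, "reserved")


def classify(addr: str, addr_type: str) -> str:
    """addr_type is the public/random flag (TxAdd) the scanner reports; the
    bit pattern above only has meaning for random addresses."""
    return "public" if addr_type == "public" else random_addr_kind(addr)


# Constructed scan log: (seconds since scan start, device label, address, address type)
SCAN_LOG = [
    (0,    "pixel-test",  "4F:1A:9C:03:D2:71", "random"),
    (600,  "pixel-test",  "4F:1A:9C:03:D2:71", "random"),
    (900,  "pixel-test",  "6B:77:02:CE:10:A4", "random"),  # rotated at the 15-minute mark
    (1500, "pixel-test",  "6B:77:02:CE:10:A4", "random"),
    (0,    "oem-phone-a", "5E:20:8D:44:F1:0B", "random"),
    (1800, "oem-phone-a", "5E:20:8D:44:F1:0B", "random"),
    (3600, "oem-phone-a", "5E:20:8D:44:F1:0B", "random"),  # same RPA one hour later
    (0,    "oem-phone-b", "C0:11:22:33:44:55", "random"),  # static random: never rotates
    (7200, "oem-phone-b", "C0:11:22:33:44:55", "random"),
]


def address_dwell(log):
    """Map (device, address) to (kind, seconds between first and last sighting).
    The dwell is a lower bound: the address was in use at least that long."""
    first, last, kind = {}, {}, {}
    for t, dev, addr, atype in log:
        key = (dev, addr)
        first.setdefault(key, t)
        last[key] = max(last.get(key, t), t)
        kind[key] = classify(addr, atype)
    return {k: (kind[k], last[k] - first[k]) for k in first}


def rotation_findings(log, limit_s=RPA_ROTATION_LIMIT_S):
    """Devices advertising a fixed identifier, or a private address that
    outlived the rotation limit. Returns (device, address, kind, dwell_s)."""
    findings = []
    for (dev, addr), (k, dwell) in address_dwell(log).items():
        if k in ("static", "public"):
            findings.append((dev, addr, k, dwell))
        elif k in ("resolvable", "non-resolvable") and dwell > limit_s:
            findings.append((dev, addr, k, dwell))
    return findings


if __name__ == "__main__":
    for dev, addr, k, dwell in rotation_findings(SCAN_LOG):
        print(f"{dev}: {addr} ({k}) observed unchanged for {dwell}s")
```

Run against a real capture, the pixel-test device produces no finding because each address lived for at most ten minutes, while oem-phone-a keeps one resolvable address for an hour and oem-phone-b advertises a static random address that is trackable indefinitely. The dwell is only a lower bound, so a device that passes this check on a short capture has not been shown to rotate; a device that fails it has been shown not to.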

### The Architectural Comparison and the Operational Conclusion

The architectural distinction at the level a security executive needs to evaluate is structural rather than feature-by-feature. Wallet-native near-field communication stores the credential in a hardware secure element with a certified applet, requires physical proximity at approximately 5 centimeters for a reader to interact with the credential, has no listening surface when the device is at rest because the near-field communication radio is not constantly broadcasting, and inherits crypto agility from the device platform vendor&apos;s roadmap rather than from the PACS vendor&apos;s roadmap. Vendor-app Bluetooth Low Energy stores the credential in operating-system-managed application storage, operates over ranges of 10 to 100 meters depending on environmental conditions, requires the Bluetooth radio to be active when the credential is in use and frequently keeps the radio active when the credential is not in use, and inherits crypto agility from the PACS vendor&apos;s roadmap rather than from the device platform vendor&apos;s roadmap. The attack surface for the near-field communication path is the near-field communication stack, which is narrow and well-scrutinized because it is the same stack that handles payment transactions and transit credentials. The attack surface for the Bluetooth Low Energy path is the Bluetooth stack, which is broad, fragmented across operating system versions and original equipment manufacturer customizations, and has the disclosure history documented earlier in this section.

Vendor-app Bluetooth Low Energy PACS systems in current deployment are common rather than exotic. Brivo runs Bluetooth Low Energy through its mobile application. Openpath, now Avigilon Alta under Motorola Solutions following the 297 million dollar acquisition in 2021, built its product positioning around Bluetooth Low Energy &quot;Wave to Unlock&quot; gesture-based authentication. Kisi uses Bluetooth Low Energy through its application with near-field communication available for Apple Wallet integration. HID&apos;s own Mobile Access application supports both Bluetooth Low Energy and near-field communication paths.

The pattern that deserves preservation in the public record is the workaround behavior itself. Bluetooth Low Energy in the PACS market has not been deployed as a vanilla protocol — every major vendor has layered its own cryptographic constructions on top of the underlying transport, and the workaround is the admission. When vendors layer custom crypto over an underlying protocol, the security boundary moves from the well-scrutinized public protocol to the vendor&apos;s private implementation. This is not always worse, because some vendors are very good at the cryptographic work, but it is harder to evaluate from outside the vendor relationship, and the burden of proof shifts onto the vendor to demonstrate that their workarounds actually address the protocol-level problems rather than merely papering over them. IPVM&apos;s July 2021 editorial titled &quot;NFC Is Better Than BLE For Mobile Access&quot; made the equivalent argument in the trade press five years before this analysis, and the case has only strengthened since then as the disclosure cadence has continued.

The operational reality for a security leader in most organizations is that the function selecting the PACS architecture is typically physical security, which may or may not consult information security on cryptographic substrate questions, and the architecture has to work on personal devices the enterprise does not control. Mandating iPhone over Android is not available as a control in most workforces. Patching personal devices is not available. Enforcing operating system version minimums is rarely available without triggering friction the business will not absorb. The defensible posture under these constraints is wallet-native near-field communication on devices selected from an approved list: iPhone on supported iOS versions, and Android flagships with a confirmed hardware secure element such as Pixel 6 and later or Galaxy S21 and later. Physical smart card fallback remains for high-security zones, for employees who cannot or will not use a mobile wallet, and for environments where phone policies prohibit mobile credentials. Those environments include sensitive compartmented information facilities, certain healthcare and manufacturing floors, and frontier facilities with OT and information technology convergence concerns, where the calculus around personal devices in the secure zone is more restrictive than in standard office space. The posture should explicitly acknowledge that Android fragmentation is a residual risk that cannot be fully eliminated within a bring-your-own-device policy and that the residual risk is the price of the bring-your-own-device convenience the organization has chosen to operate under.

This is not an elegant architecture. The alternative of vendor-app Bluetooth Low Energy on unrestricted bring-your-own-device is worse under honest analysis, and the burden of proof for any vendor proposing the Bluetooth Low Energy path should be the protocol&apos;s disclosure history rather than the vendor&apos;s marketing claims about their own implementation.

## The Industry Has Not Moved Because the Forcing Functions Have Not Reached the Vendors Who Would Have to Move

The ownership pattern in mid-to-large enterprises with mature physical security functions follows a predictable structure that produces predictable outcomes. Human resources owns onboarding and offboarding end-to-end. Physical security owns PACS end-to-end including physical identity and access management. Information technology owns the network and the enterprise identity provider. Information security may or may not be consulted on PACS architecture decisions, and the consultation is more often driven by individual relationships between specific security leaders than by formal coordination mechanisms. Facilities owns elements of the physical plant that vary by organization and by building, with door hardware and conduit usually under facilities ownership and active hardware sometimes shared between facilities and physical security.

In mid-market organizations the pattern shifts because PACS often sits with information technology or facilities directly, since physical security has not been stood up as a distinct function with its own budget and reporting line. In government deployments the pattern shifts again because Federal Information Processing Standards procurement and Federal Identity, Credential, and Access Management requirements introduce forcing functions that commercial deployments do not face, which means the ownership question matters less because the procurement standards constrain the vendor selection upstream of the ownership decision. In healthcare, the Health Insurance Portability and Accountability Act and HITRUST compliance frameworks introduce their own forcing functions that operate on a different cadence than the procurement-driven government model.

Where information security is not in the room when credential standards and PACS architecture are selected, the cryptographic assessment of those standards depends on the physical security function&apos;s judgment. Physical security organizations are staffed for operational continuity, response coordination, and physical risk management rather than for cryptographic product evaluation, and the staffing model is appropriate for the function&apos;s primary responsibilities. The selection of PACS components in this configuration happens in integrator sales conversations, and the resulting stack is whatever the integrator is positioned to sell, which is whatever the integrator&apos;s manufacturer relationships allow them to deliver at margin. This is structure rather than failure, and the structure produces the predictable outcomes that this analysis has documented throughout: factory default credentials persisting on management interfaces, pre-shared keys set at commissioning without subsequent rotation policy, firmware update cadences measured in quarters or years rather than days, and identity lifecycle handoffs that are manual and slow. The HID Mercury LP1501 installation manual, for a controller line still in widespread enterprise deployment though superseded by the MP series, lists the factory default as username &quot;admin&quot; and password &quot;password&quot; with no required rotation at provisioning, which is the kind of artifact that signals the maturity of the security expectations the channel was originally built to meet. Whether these patterns persist in any specific enterprise depends on that enterprise&apos;s specific operational maturity and the reach of its information security function into the physical security domain. They are the reported industry default rather than a universal claim about every deployment.

The cloud-hosting deployment model that increasingly characterizes hybrid PACS environments adds a fifth stakeholder that the four-party ownership pattern does not accommodate. The cloud security engineering function, which lives inside information security in some organizations and inside platform engineering in others, owns cloud landing-zone architecture, cross-account identity and access management, virtual network segmentation, and security group posture for the enterprise&apos;s cloud workloads. When PACS is deployed as a customer-hosted cloud workload, these are the configuration decisions that determine whether a head-end compromise stays scoped to the PACS workload or pivots into production systems through trust relationships that the cloud security engineering function was not consulted to design. The cloud security function is almost never consulted on these deployments. The physical security team does not know to ask them. The integrator deploying the vendor&apos;s cloud image does not know to loop them in. The cloud security function discovers the PACS workload during a quarterly account inventory or during a security event that the workload contributed to, and by then the architectural decisions that determined the blast radius have already been made. The four-party coordination problem becomes a five-party problem for any hybrid or cloud-hosted deployment, and the fifth party is typically the one best equipped to prevent the lateral movement scenario the threat model treats as the consequential pathway.

The federal market&apos;s flow-down to commercial PACS is the structural mechanism most likely to move the supplier channel before commercial customer pressure alone would. CNSA 2.0 sets the trajectory for federal contractors handling classified and controlled-unclassified data, and the Department of Defense&apos;s CMMC framework, FedRAMP authorization, and DFARS clauses propagate that trajectory through prime contractor obligations to subcontractors. A defense contractor whose facility runs a particular PACS controller and credential family has to migrate that PACS to post-quantum on the federal timeline or lose contract eligibility. The PACS vendor whose product is deployed in that facility has to ship post-quantum or lose the defense contractor as a customer. Once that vendor ships a post-quantum product line for the federal customer, the same line becomes available across the commercial market, because PACS vendors do not maintain federal-only and commercial-only product families for the same purpose. The flow-down is the reason commercial enterprises with no federal exposure will see post-quantum PACS options earlier than their own market signals would predict.

### The Identity Gap Is the Compounding Factor

The gap between the enterprise identity provider and the PACS credential system is where the ownership pattern compounds into operational consequence. Information technology owns the identity provider, which is typically Okta, Microsoft Entra, Ping Identity, or ForgeRock at large enterprises and which connects to the rest of the enterprise&apos;s logical access infrastructure through standard protocols. Physical security owns the PACS credential issuance system, which speaks its own data formats and connects to the identity provider through custom integration code that is maintained outside of standard identity governance tooling. The integration is typically point-to-point, brittle in ways that surface during identity provider upgrades or PACS vendor version changes, and rarely instrumented for the kind of monitoring that logical access integrations receive by default.

The operational consequence is that a terminated employee can lose single sign-on access in minutes through the identity provider while retaining badge access for days or weeks through a manual human resources to PACS deprovisioning handoff. A role-changed employee retains physical access appropriate to their previous role because the physical access review process is less consistent than the logical access review process, and the access drift accumulates across role changes over years without a corrective mechanism that matches the cadence of logical access governance. User access reviews are a standard control in logical access governance, but they are less uniformly applied to physical access, and the physical access entitlement corpus is often the least-audited identity store in the enterprise despite being typically connected to the corporate directory through the same kinds of trust relationships that the logical access entitlement corpus uses.
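The terminated-but-still-badged case is the one a physical access review should catch first, and it can be found with nothing more than two exports and a join. The following is an added example, not code from the article, from any HR system or from any PACS vendor: it reconciles a constructed HR status export against a constructed PACS credential export, reports active badges belonging to terminated employees (split by whether the 24-hour deprovisioning window the article uses has already elapsed), flags badges used after the termination date, and reports active credentials with no HR record at all. The column layouts and the shared employee identifier are assumptions; real exports differ by system.

```python
"""Reconcile HR termination status against active PACS credentials.

Added example, not code from the article, from any HR system or from any PACS
vendor. Both exports and their column layouts are constructed here; the
assumption is that the two systems share an employee identifier to join on.
The 24-hour deprovisioning window is the threshold the article uses.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

DEPROVISION_SLA = timedelta(hours=24)

# Constructed HR export as of the review date.
HR_EXPORT = """\
employee_id,status,status_effective
E1001,active,2026-01-10T09:00:00Z
E1002,terminated,2026-04-01T17:00:00Z
E1003,terminated,2026-04-20T12:00:00Z
E1004,active,2025-11-03T09:00:00Z
"""

# Constructed PACS export, one row per credential.
PACS_EXPORT = """\
employee_id,card_number,credential_status,last_used
E1001,50011,active,2026-04-21T08:02:11Z
E1002,50012,active,2026-04-19T18:41:07Z
E1003,50013,active,2026-04-20T11:30:00Z
E1003,50099,disabled,2026-03-02T07:15:00Z
E9999,50042,active,2026-04-21T07:58:30Z
"""


def parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


REVIEW_TIME = parse_utc("2026-04-21T09:00:00Z")


def reconcile(hr_csv: str, pacs_csv: str, now: datetime, sla=DEPROVISION_SLA):
    """Return findings as (kind, employee_id, card_number, used_after_termination).

    kind is sla_breach (terminated longer than the SLA ago, badge still active),
    within_sla (terminated, badge active, clock still running) or
    orphan_credential (active badge with no HR record; used_after is None).
    """
    hr = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for cred in csv.DictReader(io.StringIO(pacs_csv)):
        if cred["credential_status"] != "active":
            continue
        emp = hr.get(cred["employee_id"])
        if emp is None:
            findings.append(("orphan_credential", cred["employee_id"], cred["card_number"], None))
        elif emp["status"] == "terminated":
            term = parse_utc(emp["status_effective"])
            kind = "sla_breach" if now - term > sla else "within_sla"
            used_after = parse_utc(cred["last_used"]) > term
            findings.append((kind, cred["employee_id"], cred["card_number"], used_after))
    return findings


def run_review():
    return reconcile(HR_EXPORT, PACS_EXPORT, REVIEW_TIME)


if __name__ == "__main__":
    for kind, emp, card, used_after in run_review():
        print(f"{kind}: employee {emp}, card {card}, used after termination: {used_after}")
```

On the constructed data E1002 is the slow-leak case the paragraph describes: terminated three weeks ago, badge still active, and used after the termination date. E1003 is inside the window and is a reminder that the review has to run at least daily to be a control rather than an audit artifact. The orphan credential E9999 is the kind of entry that a point-to-point integration never sees, because nothing in the identity provider ever referred to it.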

Identity and access governance platforms—SailPoint, Saviynt, One Identity, C1, and others—are designed to govern logical and physical domains together through a single policy and audit framework. Few enterprises actually use them this way. Where the integration exists, it is usually point-to-point between specific systems rather than a unified governance layer, and the enterprise pays for the gap in audit complexity, in breach response time when an identity-related incident requires coordinated revocation across both domains, and in the accumulated access drift that operates as a slow leak rather than an acute failure.

None of this is caused by the post-quantum question. All of it compounds the post-quantum question, because an organization that cannot deprovision a terminated employee&apos;s badge within 24 hours will not execute a firmware signing certificate revocation within 24 hours when a cryptographic primitive is compromised. Operational hygiene is a prerequisite for cryptographic migration rather than an adjacent concern, and the enterprises that can execute the four migrations described earlier in this analysis are the same enterprises that have already solved the operational hygiene problems that the migrations depend on for execution.

### The Commercial Real Estate Dimension Is Distinct

Base building PACS is a problem most tenant-side security leaders have not analyzed in detail. The landlord owns the access control for shared amenities including the main lobby, elevators, parking, common areas, loading docks, and any shared conference or event spaces. The tenant owns the access control for office floors, conference rooms, information technology closets, and any tenant-specific amenities. An employee carries credentials for both systems, often on the same physical card or mobile wallet, which means the employee experience masks the architectural separation.

The cryptographic sophistication of the tenant&apos;s credential is constrained by the weakest link in the combined system, because the credential has to work across both systems and the joint architecture is bounded by the more conservative system&apos;s capabilities. If the base building runs 1990s-era proximity readers, the tenant&apos;s mobile wallet with hardware secure element architecture is irrelevant at the lobby turnstile because the credential has to fall back to the base building&apos;s protocol to authenticate at all. Many high-assurance tenants have not inventoried the base-building PACS they depend on, which means the actual cryptographic posture of the combined credential is unknown to the function nominally responsible for it.

Mobile wallet integration at a base building is also a sourcing and lifecycle problem. The architecture typically spans multiple vendors operating at distinct layers: a credential orchestration layer with SwiftConnect as the most visible name in this space alongside rf IDEAS, Sharry, and Safetrust in adjacent roles, a reader manufacturer such as Wavelynx or HID, the tenant experience application that the landlord operates, the mobile wallet platform layer at Apple, Google, or Samsung, and the underlying access control system. Lateral integrations into smart lockers, parking readers, and the enterprise identity platform on the tenant side extend the dependency surface further. When any vendor in this stack changes product direction, exits the market, or has a serious security incident, the integration typically falls back to legacy physical credentials while the affected component is replaced, and the coordination required across vendors is what determines the recovery timeline.

The joiner-mover-leaver problem specific to commercial real estate is that the tenant&apos;s identity system is not integrated with the landlord&apos;s credential issuance. Onboarding a new employee for base-building access is typically a manual ticket from the tenant to the landlord. Modifying access as the employee&apos;s role changes is a manual ticket. Offboarding a terminated employee is a manual ticket. The tenant cannot automate what the landlord has not exposed, and the manual process has no enforcement mechanism against the tenant&apos;s actual human resources ground truth. Someone will invariably retain base-building access who should not have it, because the manual ticket process produces gaps that the tenant&apos;s automated identity governance would have closed if it could reach the landlord&apos;s credential issuance system.

The forcing function that does not yet exist in commercial real estate is leasing terms. Corporate real estate executives on the tenant side have leverage over base-building security posture that has not been used at scale, and elevated leasing terms that at minimum give the tenant organization optionality to adopt heightened standards, bridge technologies, and integrated joiner-mover-leaver operations—written into the lease rather than negotiated after signing—are the lever most likely to shift large landlord posture. It would not take many sophisticated tenants with large portfolios to change the calculus for base-building operators because Class A commercial real estate is a competitive leasing market, and a consistent tenant requirement for base-building PACS cryptographic hygiene and joiner-mover-leaver automation would be operationally binding on landlords within two or three lease cycles. As of April 2026, this is rarely surfaced as a leasing term in corporate real estate negotiations even at organizations whose security posture would benefit from it.

### Not All Environments Carry the Same Consequence

High-security PACS does not matter equally across all environments, and the analysis should not pretend otherwise because a tone that treats every deployment as equally exposed reads as zero-risk advocacy rather than calibrated expertise.

The environments where the cryptographic posture matters most are those where the systems adjacent to the PACS deployment are themselves high-consequence targets. Artificial intelligence research and frontier model development environments hold model weights, training infrastructure, and research data that carry nation-state adversary interest, and PACS compromise in these environments is a pivot point toward those assets through the lateral movement pathway documented in the threat model. Robotics, autonomy, and drone development facilities combine OT and information technology convergence with safety-system connectivity that carries regulatory scope, and PACS compromise in these environments is adjacent to safety-certified systems where the failure modes extend beyond the building. Biomedical research and life sciences environments combine regulated biometric enrollment with patient data exposure and research intellectual property, and ISO/IEC 24745 (biometric information protection) compliance interacts with the Health Insurance Portability and Accountability Act and the General Data Protection Regulation in ways that compound the consequence of any single template breach. Cryptocurrency custody, trading, and cold storage facilities face vendor longevity as a first-order risk because the question of whether a specific PACS vendor will still exist in 2032 carries different weight for a firm holding billions of dollars in digital assets than it does for a typical corporate office. Defense-adjacent environments including government contractors, classified-capable facilities, and supply chain roles for defense primes inherit federal procurement standards asymmetrically, and the PACS posture has to meet the federal compliance framework whether the enterprise has formally opted into the framework or not.

The environments where the cryptographic posture matters less include generic low-to-medium-assurance corporate office space where the consequential systems are themselves not high-value targets, environments already physically supervised by present personnel where credential compromise is a secondary control rather than a primary one, and short-lease or temporary facilities where the installed-base lifetime argument that drives the urgency does not apply because the tenant will be gone before the deprecation window matters. Hospitality and retail sit in their own category where the cryptographic posture matters in principle but the economics of the industries make voluntary cryptographic refresh implausible, with hotel PACS dominated by magnetic stripe and legacy radio frequency identification lock systems using triple Data Encryption Standard or weaker proprietary cryptography, and retail back-office installed base running on 125 kilohertz proximity with no cryptographic protection at all. Combined installed base in these sectors is measured in tens of millions of readers globally, replacement cycles are driven by break-fix economics rather than by security refresh, and even if the enterprise corporate segment achieves post-quantum migration on the optimistic timeline the hospitality and retail installed base will remain cryptographically legacy for the decade beyond.

When classical signing roots become forgeable, tens of millions of hospitality and retail credentials become forgeable in parallel, sitting at the intersection of payment systems, loyalty programs, employee access workflows, and stored-value services in industries that touch nearly every commercial transaction. Hotel keycards interact with room-charge billing. Retail employee badges control point-of-sale access. Loyalty credentials are linked to stored-value systems. The cryptographic legacy posture of the underlying PACS layer determines how cleanly compromise propagates across those adjacencies, and a permanently-vulnerable installed base of that scale shifts the failure-mode question from individual-site exposure to systemic exposure.

There is a second-order effect on the supplier channel. The PACS vendors who serve hospitality and retail also serve the commercial enterprise segment. A vendor whose largest-volume customer base does not refresh on cryptographic timelines has limited business case to invest in post-quantum products across the product line, and the supplier channel&apos;s post-quantum investment is partially driven by the volume customers who are not asking. Hospitality and retail inaction depresses post-quantum investment that the enterprise segment would benefit from, even though the enterprise segment is willing to pay for it.

The reader who does not operate in the environments where the cryptographic posture matters most is not the primary audience for the urgency in this analysis. The reader who does operate in those environments, and there are more of them than the industry&apos;s self-conception suggests, should calibrate the urgency to their own portfolio rather than to the industry average. A single facility in the matters-most category in a portfolio that is otherwise generic office is enough to justify the architecture work that the analysis recommends, because the consequence of compromise at the consequential facility is not averaged against the unconsequential ones. The portfolio question is properly evaluated facility by facility rather than as an aggregate, and the architecture should be calibrated to the highest-consequence facility in the portfolio rather than to the median.

## What Would Have to Be True for the Industry to Meet the Deadline

The conditions for a different outcome can be stated concretely and checked against the record rather than left as aspirations, and most of them are unlikely to materialize on the timeline that would matter. What follows is an honest assessment of the structural condition of the supplier channel, the platform layer, and the enterprise operational hygiene that the migration depends on, evaluated against the four-year planning horizon set by the deprecation window. The migration is staged against refresh cycles and procurement specifications, not a forklift replacement of the installed base.

PACS credential vendors would need to ship post-quantum-native products by 2028 to give enterprise procurement and integration cycles enough time to reach meaningful installed-base coverage by 2030. Thales has the MultiApp 5.2 Premium PQC in field for European government identity and the underlying smart card platform is adaptable to other applications, and the equivalent PACS-positioned product from HID, Allegion, or a comparable vendor would require announcement in 2026 for delivery in 2028. The Infineon SLC27 silicon and equivalent secure element platforms provide the foundation. The constraint is vendor prioritization rather than technical feasibility, and the likelihood is moderate if customer pressure materializes through procurement specifications and request-for-proposal language and low otherwise. The customer pressure has not yet materialized at the scale that would shift vendor roadmaps.

The OSDP working group would need to publish version 2.3 with post-quantum support by 2027 to give vendors enough time to implement the standard by 2028, and the installed base would need field-upgrade paths that most currently shipping reader hardware does not support, which means even a successful standards revision would not address the installed base for the deployments running readers that cannot accept the firmware updates the new specification would require. The likelihood is very low because no version 2.3 timeline has been announced and the protocol revision cadence has been roughly nine years between substantive updates over the past decade.

Controller vendors would need to ship post-quantum firmware signing roadmaps by 2029 to align with the deprecation window. HID Mercury would need to announce a roadmap with specific algorithm choices, ideally LMS or XMSS to align with CNSA 2.0 specifications, and the comparable competitors would need similar announcements. Microchip&apos;s PSOC Control C3 demonstrates that CNSA 2.0-compliant controller silicon exists and is achievable through reasonable engineering work. The likelihood is low without customer pressure that has not yet emerged from the enterprise security buyers who would have to drive it.

Mobile wallet platforms would need to achieve full post-quantum capability by 2030 across the three relevant secure element architectures: Apple&apos;s Secure Element with ML-DSA extension to support credential signatures, Google&apos;s Titan M3 or successor with native post-quantum support across the Pixel device population, and Samsung&apos;s Knox Vault evolution with similar capability across the Galaxy flagship line. The Titan M3 is rumored for Pixel 11 in late 2026 with post-quantum positioning that has not been publicly confirmed. The likelihood is moderate, because platform vendors have clearer commercial incentives, tighter product refresh cycles, and deeper engineering capacity than PACS-industry vendors, and the post-quantum work in adjacent product categories at Apple and Google demonstrates the institutional capability to execute the migration when the platform business case is sufficient.

Commercial real estate standards would need to mature by 2029 in a way that obligates landlords to specific cryptographic posture for base-building PACS. The Building Owners and Managers Association, the Urban Land Institute, or a comparable industry body would need to publish guidance, and as of April 2026 nothing of this nature is in development. Tenant-side leasing pressure is the more likely forcing function and is achievable on a faster timeline than industry-wide standards work, with the likelihood low organically and moderate if sophisticated tenants begin including cryptographic hygiene and joiner-mover-leaver requirements as standard leasing terms during the 2026 to 2028 lease renewal cycles.

Enterprise operational hygiene would need to improve to support cryptographic migration. Factory password rotation, pre-shared key management with documented rotation cadence, integrated joiner-mover-leaver operations across logical and physical access, user access reviews for physical access at the same cadence as logical access, and public key infrastructure mature enough to support certificate lifecycle management for PACS endpoints would all need to become standard practice rather than the aspirational state most enterprises currently inhabit. These are widely reported as inconsistently implemented across the enterprise PACS installed base. The likelihood is low without a forcing event, and the forcing events that would change this typically arrive as breach disclosures rather than as procurement maturation.

### The Synthesis

| Condition | Required by | Likelihood |
|---|---|---|
| PACS credential vendors ship post-quantum-native products | 2028 | Low to moderate |
| OSDP v2.3 with post-quantum support | 2028 | Very low |
| Controller firmware signing post-quantum roadmaps | 2029 | Low |
| Mobile wallet platforms achieve full post-quantum capability | 2030 | Moderate |
| Commercial real estate standards or leasing-term pressure | 2029 | Low organically |
| Enterprise operational hygiene matures | 2028 | Low |

One condition is moderately likely. Four are unlikely. One is very unlikely. The honest assessment that follows from this distribution is that the conditions for the PACS industry to meet the 2030 deprecation deadline are not in place. The realistic planning horizon is that PACS trails the cyber side by three to five years at minimum, that enterprises in high-consequence verticals will need to drive their own hybrid or parallel migrations rather than waiting for the supplier channel to produce fully aligned product, and that the recommendations in the next section have to assume the industry will not solve the problem on the timeline the deprecation window requires.

## What the Different Audiences Should Actually Do

The recommendations that follow are organized by the audience that has the authority and the operational responsibility to act, because the same recommendation lands differently when it is directed at the security leader who has to execute it, the physical security director who has to coordinate the change, the corporate real estate executive who has to negotiate the leasing terms, the vendor who has to ship the product, and the board member who has to ask the right question at the next cybersecurity review. The audiences are not interchangeable, and the recommendations should not pretend they are.

### For Information Security Leaders

Five questions are worth asking at the next PACS strategy review, and the answers will locate the organization on the migration curve more reliably than any vendor&apos;s roadmap presentation will. The first question is what the written post-quantum roadmap is from each PACS vendor in the stack, covering credential, reader, controller, and head-end software, and covering each of the four migrations. A vendor who cannot produce a written roadmap with specific algorithm names, specific implementation milestones, and a specific timeline through 2030 is not actually building to the deprecation deadline regardless of any general post-quantum positioning their marketing produces, and the planning assumption should be that vendors without written roadmaps by late 2026 will not deliver in 2028.

The second question is where the PACS sits on the network and who audits its cybersecurity posture. The 2022 Trellix vulnerability chain on HID Mercury demonstrated unauthenticated remote code execution at the maximum CVSS score on the controller, which is a Linux device with network connectivity, and the controllers should be in scope for security operations center monitoring, OT-appropriate network behavior monitoring through tools like Nozomi, Claroty, or Dragos, network segmentation review, and vulnerability management cycles aligned with the vendor&apos;s firmware release cadence. If they are not, that is the finding the security leader should report to leadership rather than waiting for the next vulnerability disclosure to surface the gap. For any portion of the PACS hosted in the organization&apos;s own cloud tenant, the question extends to which Amazon Web Services or Azure account the workload lives in, what identity and access management permissions the PACS application holds, whether the workload&apos;s virtual private cloud shares trust relationships with production accounts or with accounts holding customer data, and whether the enterprise&apos;s cloud security engineering function has reviewed the deployment architecture. The answer to the last question is frequently no, and when the answer is no the finding is not a PACS problem, it is a cloud governance gap that the PACS deployment has exposed.

The third question is the measured lag between human resources offboarding and badge deactivation, and how physical access is reviewed over the lifecycle of an employment relationship. A lag measured in days or weeks rather than minutes indicates a manual identity lifecycle, and the same manual process will not accommodate the cryptographic migration&apos;s automated revocation requirements when a firmware signing certificate or a credential authentication certificate has to be revoked across the installed base. Physical access should be covered by user access review cycles equivalent to those for logical access, and the absence of this coverage is itself the finding.

The fourth question is the current state of cryptographic hygiene on PACS endpoints, including factory default credentials on management interfaces, whether a documented pre-shared key rotation policy exists for OSDP secure channels and whether the deployment supports executing it, and firmware update cadence for controllers. These patterns are widely reported as the industry default rather than as universal failures, and whether they apply in any specific environment is verifiable rather than assumed. Their presence is not a migration blocker in itself, but it signals whether the operational foundation exists for the migration the article calls for.

The fifth question is where in the portfolio PACS compromise is most consequential and whether the architecture is calibrated to that consequence. The artificial intelligence research environment, the cryptocurrency custody facility, the biomedical research floor, the defense-contract space — these do not need the same PACS posture as generic office space, and treating them uniformly underinvests in the exposed environments and overinvests in the unexposed ones.

Two additional recommendations do not fit the question format. New deployments should favor wallet-native near-field communication over vendor-app Bluetooth Low Energy, with the explicit recognition that the wallet sits on top of the PACS credential layer rather than replacing it, because the architectural case for near-field communication over Bluetooth Low Energy is overwhelming and the platform vendors have clearer post-quantum roadmaps than the PACS-industry incumbents. New match-on-server biometric systems should not be deployed at all, because they violate the requirements that International Organization for Standardization 24745 sets for biometric template protection and they create permanent-harm exposure that cannot be undone through subsequent remediation.

### For Physical Security Leaders

The physical security function has the operational responsibility for PACS and the relationships with the integrator channel that determine which products get installed, and the function&apos;s highest-impact action in 2026 is to build enough cryptographic fluency to ask vendors the right questions. The distinction between ML-KEM for key exchange and ML-DSA for signatures, the procurement-relevant choice between LMS, XMSS, and SLH-DSA for firmware signing, and the architectural reasons why OSDP 2.2.2 is not a post-quantum answer, are all learnable in a two-day workshop with the information security function. Vendors who cannot answer at this level of specificity are selling roadmap rather than product, and the cryptographic fluency is what allows the physical security leader to distinguish between the two without having to take the vendor&apos;s word for it.

Coordination with information security that does not happen by default should be initiated by the physical security function rather than waited for. The ownership pattern documented in the previous section does not self-correct, and physical security functions that invite information security into credential standard selection, PACS network security architecture, and firmware management decisions close the structural exclusion before a forcing function does it for the organization. This works in both directions, because information security functions that have not engaged with physical security typically have not surfaced the PACS attack surface to the security operations center either, and the coordination produces visibility benefits across both functions.

### For Commercial Real Estate Leaders

Base-building PACS will become a tenant expectation in high-consequence verticals, and the corporate real estate function on the landlord side should anticipate the conversation rather than wait for it. Tenants in financial services, federal contracting, biomedical and life sciences, and frontier artificial intelligence and robotics will begin asking post-quantum questions during 2027 and 2028 lease negotiations, and Class A buildings that cannot answer will lose differentiation in leasing markets where alternatives exist. Open-architecture readers from Wavelynx, rf IDEAS, and comparable vendors are a structural preference over proprietary stacks, because proprietary stacks create provider-dependency failure modes where a single vendor&apos;s product direction change forces the entire deployment back to legacy credentials while the integration is rebuilt.

Reader refresh cycles should be aligned with the deprecation window. Readers installed in 2025 will need replacement or upgrade by 2030 on the NIST IR 8547 deprecation timeline. Capital planning cycles need to incorporate the deprecation pressure in the 2026 budget year rather than in 2028 when the procurement window has compressed. The most effective forcing function on the tenant side is leasing terms that include cryptographic hygiene and joiner-mover-leaver requirements as standard conditions written into the lease rather than negotiated after signing, and a small number of sophisticated tenants with large portfolios is enough to shift the calculus for base-building operators in competitive leasing markets.

### For PACS Vendors

Post-quantum roadmaps should be published in 2026. The customers who will still be customers in 2030 are the ones asking now, and vendors who cannot respond will be replaced by competitors who can. Match-on-server biometric systems should be retired from active marketing as &quot;high security&quot; deployments because the architecture is indefensible under International Organization for Standardization 24745:2022 and the sophisticated customer increasingly knows it. OSDP Transparent Mode should be supported across reader platforms because HID&apos;s March 2026 patent opening enables better architectures across the industry, and the vendors that adopt it will benefit from the broader interoperability. The customer conversation has changed, and the security leaders who were not asking post-quantum questions in 2024 are asking in 2026, will ask loudly in 2028, and will have set the market expectation by 2030 that vendors who cannot answer will not be invited into procurement processes.

### For Board Members and Audit Committees

Three questions are worth asking at the next cybersecurity review. The first is who owns PACS cryptographic strategy in the organization. If the answer is ambiguous, the ownership gap is itself the finding the board should escalate, because the cryptographic deprecation window will not be met by an organization that has not assigned the responsibility for meeting it. The second question is when the organization&apos;s PACS will be post-quantum-ready and what the specific deliverables are for the current fiscal year. If management cannot answer with specifics, the audit finding is that management does not know, and the work that should be on this fiscal year&apos;s plan has not been planned. The third question is where in the organization&apos;s portfolio PACS compromise is most consequential and whether the architecture is differentiated to match. The artificial intelligence research environment is not generic office space, and the cryptocurrency custody facility is not generic office space, and treating consequential environments uniformly with generic environments accumulates risk silently rather than acutely. The board does not need the cryptographic details. The board needs to understand that vague answers, missing answers, and deferred answers are themselves the audit finding.

## The Architecture Is Ready. The Industry Is Not.

The cryptographic primitives underneath physical access control face a deprecation window that is shorter than it looks, and they sit on a supply chain that has not moved. The silicon has been productized, with Infineon&apos;s SLC27 dual-interface security controller in production volume since October 2025. The smart card platform has been certified, with Thales&apos;s MultiApp 5.2 Premium PQC implementing ML-DSA at parameter set 65 and certified at Common Criteria EAL6+2 since October 2025. The standards are finalized, with FIPS 203, FIPS 204, and FIPS 205 published in August 2024 and the broader ecosystem of NIST IR 8547 and CNSA 2.0 setting the trajectory the commercial market is increasingly following. The hyperscalers, the HSM vendors, the mobile platform operators, and the enterprise public key infrastructure vendors are all building on this foundation.

Physical access control is not building on it. No major North American PACS credential vendor has announced a post-quantum-native product, no major controller vendor has published a post-quantum firmware signing roadmap, the OSDP has not published a version 2.3 timeline, and the installed base of readers, controllers, and credentials will still be in service when the deprecation window closes and through whatever period the CRQC question follows. The cyber side is on it. The physical side is not.

The security leader reading this analysis has four years to align with the answer. Not to complete the migration, because that is a longer horizon and the supplier channel will determine when the products that the migration requires actually become available, but to know which vendors are on the roadmap and which will be replaced, which controllers are network-accessible pivot points that should be in scope for cybersecurity oversight, which credential decisions are reversible and which are not, and which environments in the portfolio matter most. Those are the four-year questions. The two-year question is whether the organization is asking them at all.

The deadline is not coming on the nominal timeline. It is coming on the compressed one, and the day that the first major customer of a major PACS vendor asks for a written post-quantum roadmap and does not get one is the day the market begins to correct.</content:encoded><category>Cybersecurity</category><category>Physical Security</category></item><item><title>Preemption Without Doctrine: What Venezuela and Iran Reveal About U.S. Force Employment</title><link>https://chrischerry.me/writing/2026-02-27-preemption-without-doctrine/</link><guid isPermaLink="true">https://chrischerry.me/writing/2026-02-27-preemption-without-doctrine/</guid><description>The multi-theater pattern of U.S. preemptive force employment reveals constraint erosion rather than doctrinal evolution. Venezuela and Iran share an operational pattern, not a strategic framework, and the probability distribution for Iran&apos;s resolution slightly favors a peace narrative over military action because the constraints that still bind are physical and electoral, not legal or institutional.</description><pubDate>Fri, 27 Feb 2026 00:00:00 GMT</pubDate><content:encoded>In January, U.S. special forces extracted Venezuelan President Nicolás Maduro from a compound in Caracas during Operation Absolute Resolve, a 150-aircraft operation executed without Congressional authorization, allied participation, or international legal mandate. In February, the U.S. assembled its largest Middle East force since 2003 around Iran while conducting nuclear talks in Geneva and issuing a 10-day ultimatum from a forum the administration titled the &quot;Board of Peace.&quot;

My [June 2025 analysis](/writing/2025-06-13-israel-iran-escalation-logic/) identified the structural shift from deterrence to preemption, while my [Midnight Hammer assessment](/writing/2025-06-24-us-iran-strikes-preemption/) confirmed it as operational. The conventional reading connects these events as expressions of a deliberate grand strategy where preemption has replaced deterrence across theaters. That reading accounts for the outcomes, but it does not account for the decision architecture producing them.

Venezuela and Iran serve fundamentally different strategic objectives, invoke different legal justifications, and target different categories of adversary. What they share is not a strategic framework, it is an operational pattern produced by constraint erosion, where the structural checks that traditionally governed U.S. force employment are being treated as discretionary inputs rather than binding conditions.

## Four Structural Constraints Are Eroding Simultaneously

The traditional decision architecture for U.S. force employment operated under four structural constraints: international legal frameworks, Congressional authorization, allied consensus, and diplomatic exhaustion before military action. All four are eroding at the same time.

A classified Office of Legal Counsel (OLC) opinion produced after Operation Absolute Resolve argues that the president&apos;s Article II authority as commander-in-chief permits force deployment without Congressional authorization and that international law does not constrain the executive when carrying out law enforcement operations overseas. The opinion explicitly treats the United Nations Charter&apos;s restrictions on the use of force as non-binding on presidential decision-making.

Congressional war powers resolutions have been defeated three times in three months, twice on Venezuela and once on Iran. A fourth, co-sponsored by Representatives Khanna and Massie, is expected to fail next week despite bipartisan sponsorship. Congress has functionally exited the decision architecture, not by authorizing action but by refusing to prohibit it.

Allied consensus has shifted from prerequisite to irrelevant. Saudi Arabia, the UAE, Qatar, Kuwait, Bahrain, Jordan, Turkey, and the United Kingdom have all refused airspace or basing for potential Iran strikes. The response was not to adjust the military timeline but to redeploy through Israel, positioning 12 F-22 Raptors at Ovda Airbase in southern Israel for the first time in anticipation of combat operations. Allied refusal changed the operational geography, but it did not change the decision trajectory.

Diplomatic exhaustion is no longer sequential with military preparation. In both June 2025 and February 2026, military timelines have run underneath diplomatic windows rather than after them. The 10-day ultimatum before the current Geneva round serves the same function as the two-week announcement before Midnight Hammer, strategic notice operating parallel to operational readiness rather than as a genuine precondition for action.

## The Remaining Decision Inputs Favor Action

When structural constraints are treated as discretionary, the decision architecture simplifies. The remaining inputs are observable in the public record.

The administration&apos;s framing of force employment decisions reveals variables weighted toward demonstrated resolve and dominance signaling. The question posed publicly about Iran was not whether diplomatic objectives could be achieved without force but why Tehran had not &quot;capitulated,&quot; language that frames negotiation as submission rather than mutual adjustment. The forum for the ultimatum was titled the &quot;Board of Peace,&quot; positioning military threat as an instrument of order rather than an alternative to it. The State of the Union framed the Iranian nuclear question not in strategic terms but as specific words Iran had failed to say.

Venezuela provides the observable precedent for how this architecture produces outcomes. Operation Absolute Resolve served narco-terrorism prosecution, regime removal, and resource access objectives simultaneously, justified through a law enforcement framing the OLC memo used to circumvent both domestic and international legal constraints. Five months of intelligence preparation produced a three-hour kinetic phase. The ratio reveals a decision system optimized for decisive action with minimal deliberation once execution begins.

The operation was a leadership decapitation. The target was not Venezuelan infrastructure, institutions, or military capability, it was a sitting head of state. This distinction carries directly to the Iran calculus because the operational emphasis since Midnight Hammer has shifted from infrastructure to leadership. Both remain viable target sets, but nuclear facilities can be dispersed and rebuilt, and Iran has been doing exactly that since June. Leadership continuity cannot be reconstituted with equivalent speed, and the personal exposure this creates operates on a different register than facility degradation for every senior figure in Tehran&apos;s command structure.

Reporting on the Venezuela timeline indicates the operation accelerated from preparation to execution after Maduro&apos;s public displays of nonchalance, including dancing to an electronic remix of his own &quot;No War, Yes Peace&quot; speech days after the U.S. had already struck a Venezuelan dock, were interpreted within the administration as mockery. The perceived failure of deference appears to have functioned as a precipitating trigger, converting a prepared operation into an imminent one. This variable operates outside structural or doctrinal analysis entirely. The trigger was not an intelligence assessment of Maduro&apos;s private calculations, it was the administration&apos;s perceptual interpretation of observable public behavior as disrespect, and that interpretation compressed the timeline from readiness to action. The dynamic applies directly to any diplomatic process where the adversary&apos;s public posture can be read as dismissive rather than accommodating.

The pattern across both theaters is consistent: compressed timelines between public statement and execution, unilateral action where multilateral options existed, and legal justification constructed to support decisions already taken rather than to inform whether those decisions should be made. This is not doctrine applied across contexts, it is the emergent behavior of a decision architecture where the constraints that would have produced different outcomes in different contexts have been removed.

## Physical and Electoral Constraints Still Bind

Not all constraints erode. Some are physical, and some are electoral.

Iran is not Venezuela. Ninety million people, a military that has hardened infrastructure since the June strikes, proxy networks spanning Lebanon, Yemen, Iraq, and the maritime domain, and demonstrated willingness to retaliate against U.S. assets, including missile strikes on Al Udeid Air Base after Midnight Hammer and a Shahed-139 drone intercepted approaching the USS Abraham Lincoln in February. Gulf states&apos; airspace denial forces operations through Israel, adding refueling complexity and overflight complications that degrade operational efficiency regardless of decision-maker preference.

The economic warfare dimension adds a layer the June 2025 cycle did not have. Treasury Secretary Bessent publicly described creating a dollar shortage in Iran as &quot;economic statecraft, no shots fired.&quot; The rial has lost over 40% of its value since the June strikes. Protests erupted in late December, were met with a crackdown that killed thousands, and reignited in February with university-led demonstrations. The economic pressure campaign has already achieved destabilization that military strikes alone did not produce in June, creating an argument within the decision architecture that the current trajectory is working without kinetic escalation.

Domestically, the political mathematics create binding constraints that the decision architecture&apos;s treatment of legal and institutional checks does not extend to. Eighty percent of U.S. voters either oppose or are uncertain about military action against Iran, including 60% of Republicans. Presidential approval sits at 37% with independent voter net approval at -41, ahead of midterm elections where the opposition holds a substantial enthusiasm advantage. Pentagon officials have reported munitions limitations and carrier maintenance concerns. These constraints do not respond to executive framing. They define the boundaries within which any outcome must fit.

## The Peace Narrative Carries the Highest Probability

The current trajectory resolves into one of three outcomes.

A targeted kinetic operation remains operationally feasible, but the target set has shifted since June. Midnight Hammer struck enrichment facilities. Iran has dispersed and hardened remaining nuclear capabilities since, which means a second infrastructure round hits less valuable targets at higher logistical cost given allied airspace denial. Leadership targeting has moved to the primary position. The Venezuela precedent established both the capability and the willingness to target a head of state directly, and the decision architecture that produced Absolute Resolve applies with equal structural force to Iran&apos;s senior leadership. The operational constraints are more severe, Iran&apos;s command structure runs deeper than Venezuela&apos;s, and the retaliatory mechanisms are more capable, but the assets in theater support precision targeting profiles. The returns on infrastructure strikes are declining. The returns on leadership targeting, measured in regime destabilization and negotiating leverage, have not diminished in the same way. Probability: 35-40%, concentrated in scenarios where diplomatic talks collapse or where the negotiating posture is perceived as dismissive or noncommittal.

An expansive regime change campaign applying the Venezuela template at full Iranian scale exceeds current force posture. No ground component in theater, no allied basing, munitions and maintenance limitations reported by Pentagon officials, and an adversary whose size, military capability, and proxy retaliation capacity through Hezbollah, the Houthis, and maritime assets create escalation pathways that Venezuela&apos;s three-hour extraction did not face. The structural constraints the decision architecture has eroded are legal and institutional. The constraints that make this option nonviable are physical, electoral, and strategic. The observable pattern of economic destabilization, protest cultivation, and calibrated pressure reveals managed instability as the operational objective, not regime collapse. A full power vacuum in a 90-million-person state with proxy networks across four countries and partially intact nuclear infrastructure would produce uncontrollable spillover with visible U.S. attribution, the precise outcome the current approach appears designed to avoid. Probability: 10-15%.

A pivot to a peace narrative, where the unprecedented military buildup is reframed as the leverage that produced diplomatic movement, carries the strongest structural support. Iran&apos;s Foreign Minister has publicly stated a deal is &quot;within reach.&quot; Technical teams are scheduled for Vienna. The administration&apos;s own framing positions military threat as an instrument of peace, providing the rhetorical architecture for claiming that pressure produced results without firing a shot. The economic statecraft narrative already established by Treasury gives the administration a second track for claiming strategic success. And the domestic political math, where 37% approval, midterm exposure, and overwhelming opposition to war converge, creates gravitational pull toward an outcome characterized as strength producing agreement.

The structural challenge is that Iran&apos;s nuclear program is intrinsically tied to regime survival. Zero enrichment is not a negotiating position Tehran can accept because it equates to existential vulnerability, which means any viable deal requires the administration to accept terms fundamentally short of stated demands and frame the distance as victory. The framing is available because the military buildup becomes evidence that pressure works and the same decision architecture that compresses execution timelines can compress a pivot to declared success, but the gap between stated demands and achievable outcomes is wider than the diplomatic track currently acknowledges.

The diplomatic track also carries a risk the probability model must weight. The Venezuela precedent, where public displays of nonchalance were interpreted as mockery and accelerated the timeline from preparation to execution, applies directly to the Iranian negotiations. If Tehran&apos;s negotiating posture reads as dismissive rather than accommodating, the process designed to produce a deal could produce the order to strike. The two highest-probability outcomes are connected through this shared mechanism, and the variable that determines which materializes is perceptual. Probability: 40-45%.

Organizations modeling risk exposure in the Gulf should weight the peace narrative as base case while maintaining contingency architectures for limited strikes on compressed timelines. The window between the conclusion of diplomacy and the initiation of kinetic action, if it comes, will be measured in days based on the established pattern. Contingency planning that requires confirmation of escalation before activation will not survive the timeline.

The pattern from Venezuela to Iran is not grand strategy, it is what force employment looks like when the structural constraints that used to shape it have eroded and the remaining inputs favor action. Whether that produces a strike or a deal depends on which constraints still bind. The ones that still bind are not legal or institutional, they are physical and electoral.</content:encoded><category>Geopolitics</category></item><item><title>Your Home Network Is Your Weakest Perimeter</title><link>https://chrischerry.me/writing/2025-07-15-home-network-weakest-perimeter/</link><guid isPermaLink="true">https://chrischerry.me/writing/2025-07-15-home-network-weakest-perimeter/</guid><description>Security programs extend to executive residences for physical protection but not for information security, producing a defensive discontinuity that organizational silos, executive resistance, lack of awareness, and flawed remediation models all sustain. For the majority of executives, cyber risk now exceeds physical risk, which means network security should be the foundation of residential protection rather than an afterthought to it.</description><pubDate>Tue, 15 Jul 2025 00:00:00 GMT</pubDate><content:encoded>The Ponemon Institute&apos;s 2025 Digital Executive Protection study found that 51% of organizations experienced a cyberattack targeting a senior executive or executive family member in the preceding two years, up from 43% in 2023. In one-third of those cases, the attack reached the executive through an insecure home-office network. 58% of security leaders say executive threat prevention is not covered in their cyber, IT, or physical security budgets.

Security programs increasingly extend to executive residences for physical protection. Alarm systems, surveillance cameras, residential security teams, and executive protection details are standard budget items for senior leaders at large organizations. Few question whether the executive&apos;s home is in scope for physical security, particularly in light of recent high-profile physical attacks on executives. The same organizations frequently do not extend information security to the same residence, and the gap between what physical security covers and what information security covers is where executives are being compromised. This is a defensive discontinuity, not a coverage gap, and the distinction matters because a coverage gap implies a resource problem while a discontinuity reveals a structural condition that additional spending alone will not close.

The discontinuity persists because multiple forces converge to sustain it. Physical security and information security typically report through different chains, CSO-led and CISO-led programs that rarely share budgets or operational mandates, and the turf boundaries between them are frequently the primary gate preventing coverage extension. Executive resistance to institutional controls in personal environments, a simple lack of awareness that the home constitutes an extension of the corporate attack surface, and flawed remediation models all compound the structural divide. Pandemic-driven hybrid and remote work accelerated the risk by moving executive work into home environments without a corresponding extension of defensive capability.

## The Home Network Runs on Nation-State Infrastructure

The executive home network operates on hardware that nation-state actors have already weaponized at scale. In January 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and the FBI disclosed that Chinese state-sponsored actor Volt Typhoon had been exploiting home office routers to build the KV Botnet, maintaining persistent access to some victim environments for at least five years. The FBI disrupted the botnet through a court-authorized remote operation but acknowledged that reinfection was likely upon router restart because the underlying vulnerabilities remain unpatched. CISA and the FBI responded with a Secure by Design Alert calling out home router manufacturers for shipping devices that lack automatic update capabilities and include exploitable defects in web management interfaces. The hardware arrives vulnerable and stays vulnerable.

The supply chain compounds the infrastructure problem. The FBI confirmed in March 2025 that approximately one million consumer devices shipped with factory-installed Triada malware embedded on read-only partitions that users cannot remove, including off-brand tablets, streaming boxes, and digital picture frames. Tuya, a Hangzhou-based platform powering over 100 million smart devices across more than 5,000 brands, transmits data to Chinese servers and is legally compelled to comply with government data-sharing requests under China&apos;s National Intelligence Law. These are not exotic threats requiring exotic defenses. They are the default products populating executive homes because no one in the purchasing chain is applying supply chain discipline to consumer electronics.

## The Remediation Model Is Wrong Before It Starts

Most executives who recognize the exposure respond by outsourcing the problem, and the dominant remediation models are all structurally flawed.

General contractors routinely subcontract home network and AV infrastructure to specialty vendors during remodels and new construction, selecting those vendors on cost, schedule, and trade relationships rather than security competence. The result is a professionally installed network built to residential convenience standards with no meaningful defensive architecture. The luxury home technology market compounds this by selling the assumption that expensive equals secure. High-end AV and networking firms charge premium prices for capabilities that are rudimentary from a security standpoint, producing deep false confidence and predictable buyer&apos;s remorse when the architecture is tested by a competent adversary. Industry data from CE Pro found that 73% of integration companies offer no cybersecurity solutions to their client base at all. The gap between price and protection is where the false sense of security lives, and it is wide.

The third common model asks the executive&apos;s residential security provider to manage the full threat surface. Physical security practitioners are deeply competent at perimeter hardening and access control in the physical domain, but they are largely not versed in network security, east-west traffic controls, or the cyber-physical convergence that makes a compromised network a physical entry vector.

All three models fail because they apply a provider&apos;s existing competency to a problem that requires a different discipline. And even where capable providers are engaged, implementation determines outcomes more than capability does. The parallel to cryptography is exact: the algorithm is rarely at fault; the implementation is. The Verizon 2024 Data Breach Investigations Report found that 68% of confirmed breaches involved a human element including social engineering, errors, and credential misuse. Human factors remain the persistent residual vector regardless of how much is spent on infrastructure because the architectures were designed to stop technical exploitation, not to account for the behavior of the people operating within them.

## A Compromised Network Is a Physical Entry Vector

For most executives, cyber risk now exceeds physical risk. The Ponemon data shows 51% of organizations reporting executive cyber targeting, a frequency and breadth that physical threat incidents, though surging in severity, do not match at the population level. But the highest-probability vectors in that cyber risk profile, including credential theft, phishing, and social engineering, do not depend on the home network. An executive whose credentials are harvested through a phishing campaign is compromised regardless of what network carried the attack. Identity and credential controls are the broader foundation of executive cyber defense, and the Ponemon finding that one-third of attacks reached executives through home networks appears to conflate the network as location with the network as vector.

The residential environment presents a convergence condition that identity controls do not address. Smart locks, cameras, and garage door controllers all depend on network integrity to function as designed. When physical access control shares an unmanaged network with devices that have documented remote-exploitation vulnerabilities, the distinction between cyber compromise and physical intrusion collapses. Securing the cameras before securing the network they run on protects nothing.

This convergence is what makes the home network distinctively dangerous, not as the highest-probability attack surface in the executive&apos;s risk profile, but as the control plane that determines whether physical security hardware functions at all. Network security is the foundation of residential protection because just about everything the physical security program installed at the residence depends on it. Executives whose threat profiles are dominated by physical risk are the exception, not the base case, and even for those exceptions, the convergence means a compromised network can enable physical intrusion regardless of how the risk is categorized.

The controls that establish network security in a residential environment are not expensive, not high-friction, and in most cases do not require ongoing engagement with outside firms. Network segmentation that isolates IoT devices from personal computers and physical security systems, DNS-level filtering that blocks known malicious domains, basic firewalling at the gateway, and automated firmware updates on all network infrastructure collectively close the majority of the residential convergence risk. Supply chain discipline that avoids devices from manufacturers with documented data-sharing obligations to adversarial governments eliminates an entire category of risk before it enters the network.

The biggest constraint is not budget, it is prioritization. An executive who can allocate 90 minutes to an initial network architecture review and 15 minutes quarterly to update verification has addressed more exposure than most managed service engagements produce. Money cannot solve the full problem because some elements of the executive&apos;s security posture, including credential management and the handling of sensitive information, cannot and should not be delegated to anyone regardless of trust. The executive is the only person who can manage their own secrets. Air gapping, dedicated secure networks, and hardware-isolated communication systems are available for executives whose threat profiles warrant them, but they introduce friction that is disproportionate for the base case.

## Zero Trust Stops Where It Matters Most

The enterprise side of this equation should already be arriving at the same conclusion through a different path. Zero trust architectures treat every network outside the enterprise as hostile by design, requiring managed devices, verified identities, and encrypted connections regardless of where the user sits. Gartner found that 63% of organizations have partially or fully adopted zero trust strategies, though mature implementations remain rare. The executive&apos;s home network is the highest-consequence application of this principle, and organizations that have adopted zero trust for their general workforce but carved out executive home environments as somehow separate have created precisely the defensive discontinuity that threat actors are exploiting.

The exposure extends beyond the executive&apos;s home network to every personal device, every bring-your-own-device endpoint, and every unmanaged computer connecting over an untrusted network to corporate systems and SaaS environments. The erosion runs in both directions: personal devices connect to corporate systems, and corporate devices are used as personal ones. Hybrid and remote employees install personal applications, add browser extensions, visit non-work sites, download media, and use personal AI assistants on enterprise-issued hardware, degrading the managed device assumption that zero trust depends on. Industry data shows that over 80% of employees use unapproved AI tools in their work, and corporate data input to AI tools increased nearly fivefold between 2023 and 2024. The managed device is no longer fully managed in practice, and the home network it sits on was never managed at all.

Policy enforcement and device assurance controls can restore the managed posture, but they introduce cultural friction at organizations that actively promote productivity through extended availability, flexible work hours, and the deliberate blurring of work-life boundaries. The same institutional culture that benefits from executives working from home at 10 PM resists the controls that would make that work secure.

The institutional perimeter is not a natural boundary, it is a policy artifact from an era when the threat surface was contained within corporate infrastructure. The threat surface moved, the perimeter did not.</content:encoded><category>Cybersecurity</category><category>Executive Protection</category><category>Physical Security</category></item><item><title>U.S. Strikes on Iranian Nuclear Infrastructure: How Preemption Became Policy</title><link>https://chrischerry.me/writing/2025-06-24-us-iran-strikes-preemption/</link><guid isPermaLink="true">https://chrischerry.me/writing/2025-06-24-us-iran-strikes-preemption/</guid><description>Operation Midnight Hammer was not a crisis response, it was the operational confirmation of a framework shift where preemption is replacing deterrence as the primary strategic logic of U.S. force employment. The timeline, targeting decisions, and deliberate operational visibility reveal shaping-through-action as the governing logic.</description><pubDate>Tue, 24 Jun 2025 00:00:00 GMT</pubDate><content:encoded>On June 21, the U.S. struck Iranian nuclear infrastructure in Operation Midnight Hammer. B-2 bombers hit enrichment facilities at Natanz and Fordow, sites that Western intelligence had assessed as beyond reach without extended air campaigns or significant collateral risk, and the operation was executed within 48 hours of a public White House statement indicating a decision would come &quot;within two weeks.&quot;

The first-order reading is that the administration acted on accelerating Iranian nuclear progress. That reading accounts for the target selection but not the timeline, the operational visibility, or the signaling architecture that surrounded the strike. The operation was not a crisis response, it was the operational confirmation of a framework shift where preemption is replacing deterrence as the primary strategic logic of U.S. force employment.

The pattern described [on June 13](/writing/2025-06-13-israel-iran-escalation-logic/) is now operational. Ambiguity is no longer functioning as a stabilizer, force is being used to establish conditions rather than respond to them, and the timeline, operational security choices, and targeting decisions reveal shaping-through-action as the governing logic.

## The Timeline Confirms Pre-Planned Preemption, Not Compressed Decision-Making

On Thursday, June 19, the White House publicly announced it would decide within two weeks whether to strike Iranian nuclear facilities. By Saturday evening, B-2 bombers were already airborne and the operation was underway within 48 hours.

The timeline does not suggest a compressed decision cycle driven by intelligence of imminent Iranian action. The two-week window functioned as strategic notice, giving Tehran a final opportunity to alter course through public and backchannel channels while maintaining operational readiness to execute regardless of response. When no Iranian movement materialized, the operation launched on what appears to have been a predetermined schedule.

Most of Washington, including portions of Congress and key allied governments, learned of the strike only after execution. The operational security approach was designed to ensure the strike landed as decisive action rather than becoming subject to pre-execution debate. The announcement created a diplomatic window. The military timeline ran underneath it.

## Operational Visibility Functioned as Final Notice

Hours before impact, B-2 bombers and refueling aircraft were trackable through open-source flight monitoring platforms. B-2 operations are typically conducted with measures to avoid detection. The open visibility suggests it was either accepted or intended as signal.

Whether deliberate or operationally unavoidable, the visibility gave Tehran hours to respond or reposition. It did neither. This differs from traditional operational security doctrine where surprise is maximized to reduce defensive preparation. Here, visibility served a signaling function directed not just at Iran but at regional actors and global audiences. The U.S. was moving from stated intent to action, and the transition was observable in real time. The message was not just military, it was procedural.

## Ambiguity Had Become a Strategic Liability

Iran was advancing enrichment and weaponization research under conditions where Western restraint was being interpreted as accommodation and progress toward breakout capacity was being rewarded with continued ambiguity. Diplomatic engagement had not produced verifiable rollback, economic sanctions had not compelled capitulation, and the Joint Comprehensive Plan of Action had collapsed.

The administration appears to have concluded that continued ambiguity around Iran&apos;s nuclear program had shifted from stabilizing to enabling. Iran was approaching breakout capacity while maintaining plausible deniability about weaponization intent, and the calculation appears to be that waiting for Iran to cross an irreversible threshold would leave the U.S. with worse options at higher cost.

Striking before weaponization capability is achieved resets the program&apos;s timeline and establishes new negotiating conditions from a position where Iran&apos;s infrastructure has been degraded. This is force used as a shaping tool, not a response mechanism. The strike was not triggered by a specific Iranian provocation, it was executed to prevent Iran from reaching a position where military options become constrained.

## Iran&apos;s Ceasefire Offer Is Tactical Pause, Not De-Escalation

Some analysts are interpreting Iran&apos;s ceasefire offer as restraint or willingness to de-escalate. This reads as tactical positioning by a regime that thinks in generational timelines and builds political legitimacy around resistance narratives. The decision to offer ceasefire terms does not indicate capitulation, it indicates recognition that immediate symmetrical response would invite further degradation of remaining infrastructure.

Iran&apos;s asymmetric response will continue through distributed proxy networks operating with plausible deniability. Hezbollah, the Houthis, cyber actors, and maritime harassment capabilities maintain operational autonomy that does not require regime authorization for each action, and these networks can sustain pressure operations under nominal ceasefire conditions because their distributed command structures are designed to function independently of centralized direction.

The objective will not be parity with U.S. conventional capability, it will be cost through complexity. Cyber operations targeting critical infrastructure, maritime friction in energy corridors, and proxy strikes calibrated to remain below direct attribution thresholds will stretch Western defensive systems and demonstrate that degrading infrastructure does not eliminate the capacity to impose friction, it redistributes it.

## U.S. Strategic Bandwidth Is the Variable Moscow and Beijing Are Pricing

Neither Moscow nor Beijing has an interest in direct Middle East escalation. Both benefit from U.S. strategic bandwidth being consumed by simultaneous regional crisis management.

Russia maintains an active testing ground in Ukraine, supported in part by Iranian munitions and drone technology. Regional instability that diverts U.S. attention and resources creates operational space for Russian positioning in Europe and Central Asia. Moscow does not need escalation in the Gulf, it needs the U.S. managing crises on multiple fronts simultaneously.

China is expanding diplomatic presence in the Gulf while positioning itself as a stability broker, normalizing currency arrangements outside the dollar system with regional actors and advancing dual-use technology transfers that strengthen long-term strategic positioning. Beijing does not need kinetic conflict in the Middle East, it benefits from the perception that U.S. military intervention creates instability while Chinese economic engagement offers predictability.

Both are positioning for advantage in what comes after U.S. attention shifts. The immediate crisis may be contained. The strategic repositioning happening during it will outlast it.

## The Preemption Threshold Has Moved

The operation sends signals beyond Iran. North Korea, non-state actors, and adversarial regimes are recalibrating based on several observable patterns.

The U.S. executed preemptive strikes without full allied consensus or extended domestic political alignment, weakening the traditional constraint of multilateral support as a predictive variable for U.S. action. The administration positioned the operation as measured prevention rather than escalation, creating domestic political space for similar operations in other theaters. And the timeline from public statement to execution compressed to days while the administration maintained narrative control over how the action was characterized.

The threshold for U.S. military action appears lower than previous assessments assumed, and the timeline from warning to execution shorter than traditional deterrence models predicted. Other actors will adjust accordingly.

## Risk Models Built on Gradual Escalation Are Failing

Organizations with exposure to Gulf transit routes, Middle East and North Africa-based vendors, or cross-border payment systems tied to regional financial infrastructure should be modeling these scenarios now. The pattern across Israeli-Iranian strikes and U.S. operations confirms that the window between warning indicators and military action is compressing to days, not the weeks or months that traditional escalation models assume.

Supply chain dependencies, financial system exposures, and operational footprints in contested regions all need reassessment against a framework where transition from ambiguity to kinetic action happens on compressed timelines. Organizations that wait for confirmation of escalation before activating contingency planning will find the window has already closed.

The U.S. strike on Iranian nuclear infrastructure marks the operational confirmation of a framework shift. Preemption is no longer reserved for imminent threats, it is being used to prevent adversaries from reaching positions where Western options become constrained. The question for strategic planners is not whether this framework will be applied elsewhere, it is where.</content:encoded><category>Geopolitics</category></item><item><title>Israel–Iran Is Just the Start. Escalation Logic Has Changed, and the Impact Is Global</title><link>https://chrischerry.me/writing/2025-06-13-israel-iran-escalation-logic/</link><guid isPermaLink="true">https://chrischerry.me/writing/2025-06-13-israel-iran-escalation-logic/</guid><description>Israel&apos;s strike campaign against Iran demonstrated operational reach most analysts did not think was achievable. The assumption that deterrence would hold through mutual ambiguity is no longer viable, and that calculation carries forward across theaters.</description><pubDate>Fri, 13 Jun 2025 00:00:00 GMT</pubDate><content:encoded>Israel&apos;s strike campaign against Iran&apos;s military and nuclear infrastructure demonstrated operational reach that most regional analysts did not think was achievable. Multiple coordinated waves penetrated defended airspace. Senior IRGC commanders were killed. Hardened facilities that Western intelligence had considered effectively off-limits were degraded in hours, not days.

Iran&apos;s response (drone and missile salvos that were largely intercepted) revealed capability limits more than strategic restraint. Tehran launched what it could, quickly and visibly, without exposing the full extent of its vulnerability. The strikes themselves matter less than what they demonstrated: the assumption that deterrence would hold through mutual ambiguity is no longer viable. That calculation does not reset when this round of strikes ends. It carries forward.

## The Assumption That Failed

Western policy toward Iran has operated for years on the belief that economic pressure and diplomatic engagement would eventually produce a negotiated rollback of the nuclear program. The logic was straightforward: offer access to the global economy in exchange for verifiable limits on enrichment and weaponization research. But this assumed Tehran viewed its nuclear program primarily as leverage, a bargaining chip to trade for sanctions relief and normalized relations.

That assumption was flawed. Iran built its nuclear capacity as a survival mechanism. The program exists to preserve the regime, not to trade it away for economic integration. Israel has always understood this. The difference now is that the cost-benefit calculation around waiting has inverted. When ambiguity becomes the primary liability, preemption becomes the logical strategy.

What happened over the last two weeks was not a breakdown in deterrence. It was the predictable outcome of two states operating from incompatible threat assessments. Israel sees a nuclear Iran as an existential risk. Iran sees external pressure as confirmation that only a credible deterrent (meaning a latent or actual nuclear capability) ensures regime survival. These positions do not converge through dialogue. They collide.

## Escalation Logic Is Changing Across Theaters

The real significance here is not regional. It is structural. Escalation logic as it functioned for most of the post–Cold War period is eroding. Force was once treated as the option of last resort, something states turned to after exhausting diplomatic, economic, and coercive alternatives. Increasingly, force is being used early to shape the negotiation space, establish facts on the ground, and redefine what is considered acceptable before formal talks even begin.

This pattern did not start in Tehran. Russia&apos;s invasion of Ukraine was predicated on the assumption that speed and fait accompli would preempt Western cohesion. China is rehearsing kinetic encirclement of Taiwan under the cover of routine exercises, normalizing operational patterns that could transition seamlessly into blockade or invasion. Now we are seeing it between Israel and Iran: two regional powers with no shared understanding of where the threshold actually sits.

Deterrence is being recalibrated in real time, and the recalibration is happening faster than most strategic frameworks can process. Strategic ambiguity (once treated as a stabilizing mechanism) is increasingly seen as a vulnerability. Ambiguity invites misinterpretation. Misinterpretation creates windows for preemption. Preemption compresses decision timelines. The cycle accelerates.

## U.S. Strategic Bandwidth Is the Constraint

The United States is managing simultaneous pressure from Iran, Ukraine, and Taiwan while attempting to project stability, defend economic credibility, and maintain alliance cohesion. Each theater operates on different escalation logic. Each demands different tools. None offer clean exits.

Military capacity is not the limiting factor. Cognitive bandwidth is. U.S. decision-makers are being forced to interpret and respond to fundamentally different escalation models (some rational, some performative, all consequential) across overlapping timelines. The risk is not that any single theater overwhelms U.S. capability. The risk is that the need to process multiple simultaneous escalation trajectories degrades the quality of assessment and response across all of them.

This creates exploitable opportunities for adversaries. If U.S. focus is split, competitors can test boundaries in one theater while Washington is absorbed in another. The interdependencies are not obvious until they cascade.

## Iran&apos;s Likely Response Trajectory

Iran will accelerate its nuclear program. The demonstrated logic now is that restraint invites strikes and progress creates deterrence. Hardened facilities will move deeper. Development timelines will compress. Whether this produces a functional weapon or triggers another round of Israeli strikes depends on how ambiguous progress signals are interpreted, and whether Israel believes it still has a viable window to act.

Proxy engagement will escalate, but not toward parity. Hezbollah, the Houthis, and affiliated cyber actors will aim for disruption, not direct confrontation. Their goals will be to stretch Israeli and Western defensive systems, fracture operational predictability, and introduce cost through complexity rather than scale.

China and Russia will amplify their presence in the region, not through troop deployments, but through arms transfers, diplomatic positioning, and information operations. Both benefit when the U.S. is drawn deeper into Middle East crisis management while they position themselves as stabilizing alternatives in other theaters. Energy security, narrative control, and the perception of U.S. overextension are all multi-front opportunities.

## Second-Order Operational Impacts

The first-order impacts are predictable: energy price volatility, insurance rate adjustments for Gulf transit routes, temporary airspace restrictions affecting commercial aviation. These show up in risk models relatively quickly.

The second-order effects will surface in systems that assume consistent access to Middle East and North African logistics corridors. Payment verification latency. Customs processing delays that do not register as &quot;geopolitical risk&quot; in the traditional sense but create customer-facing friction anyway. Supply chain rerouting that adds cost and time without triggering formal breach-of-contract clauses. Vendor communication gaps that look like operational inefficiency rather than regional instability.

Most executives will not connect a late delivery or failed payment to airspace volatility over the Persian Gulf. They will see a vendor performance issue. The reputational risk will not appear in quarterly risk reports. It will accrue in customer churn and eroded trust.

Organizations with exposure to Gulf transit routes, MENA-based vendors, or cross-border payment systems tied to regional banks should be modeling these scenarios now. Not because direct conflict spread is likely, but because the operational assumptions that underpin consistency in these systems are changing faster than risk models typically update.

## Economic Tools Are Shifting to Preemptive Posture

Economic friction will track this escalation, but in ways that are not immediately obvious. Trade policies that once operated on multilateral negotiation timelines are now being pulled into fast-cycle geopolitical response. Tariffs, sanctions, and regulatory barriers are shifting from consequence-based tools to preemptive posture mechanisms.

Sanctions used to function primarily as punishment for actions already taken. Increasingly, they are being deployed to shape the operational environment before conflict begins: denying access to dual-use technology, restricting financial flows that could support military modernization, creating economic friction designed to slow adversary decision cycles. This is not just military doctrine adapting. Economic statecraft has adopted the same playbook.

The challenge is that preemptive economic measures create spillover effects that are difficult to contain. Secondary sanctions affect third-party vendors. Export controls disrupt supply chains with no direct involvement in the targeted activity. Compliance costs rise across entire sectors, not just entities directly engaged in sanctioned behavior.

For organizations operating globally, this means risk models built on historical sanction patterns are increasingly unreliable. The assumption that economic tools follow conflict rather than precede it no longer holds. Sanctions, export controls, and financial restrictions are now part of the escalation itself, not just the response to it.

## What Decision-Makers Should Be Tracking

This is not a call to action. It is a recognition that the strategic environment is shifting in ways that most operational planning has not accounted for yet.

The logic of preemption is replacing the logic of deterrence. Strategic ambiguity is no longer functioning as a stabilizer. It is introducing volatility. The risks once contained to statecraft are now embedded in infrastructure dependencies, payment systems, and logistics networks that were designed assuming geopolitical stability, not geopolitical flux.

If your organization relies on Gulf transit routes, MENA vendors, European supply corridors with Middle East exposure, or cross-border payment systems tied to regional financial infrastructure, the operational assumptions that underpin reliability in these systems are under stress. The conflict may remain regional. The consequences are already global.</content:encoded><category>Geopolitics</category></item></channel></rss>