The emergence of large-scale quantum computing threatens widely deployed public-key cryptographic systems, creating an urgent need for enterprise-level methods to assess post-quantum (PQ) readiness. While PQ standards are under development, organizations lack scalable, quantitative frameworks for measuring cryptographic exposure and prioritizing migration across complex infrastructures. This paper presents a knowledge-graph-based framework that models enterprise cryptographic assets, dependencies, and vulnerabilities to compute a unified PQ readiness score. Infrastructure components, cryptographic primitives, certificates, and services are represented as a heterogeneous graph, enabling explicit modeling of dependency-driven risk propagation. PQ exposure is quantified using graph-theoretic risk functionals and attributed across cryptographic domains via Shapley value decomposition. To support scalability and data quality, the framework integrates large language models with human-in-the-loop validation for asset classification and risk attribution. The resulting approach produces explainable, normalized readiness metrics that support continuous monitoring, comparative analysis, and remediation prioritization.
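As an added illustration of the pipeline the abstract describes (example code written for this page, not the paper's implementation), the block below builds a constructed toy asset graph, propagates PQ exposure along dependency edges, decomposes the total exposure across cryptographic domains with an exact Shapley computation, and normalizes the result into a readiness score. The node names, the weakest-link propagation rule and the mean-of-services risk functional are assumptions standing in for the functionals the paper defines.

```python
from itertools import combinations
from math import factorial

# Constructed toy asset graph (illustrative, not from the paper).
# node -> (cryptographic domain, intrinsic PQ exposure); 1.0 = broken by Shor's
# algorithm, 0.0 = no intrinsic exposure. Non-primitive nodes inherit exposure.
NODES = {
    "rsa2048": ("signature", 1.0), "ecdh_p256": ("key_exchange", 1.0),
    "aes256": ("symmetric", 0.0), "cert_web": (None, 0.0),
    "tls_web": (None, 0.0), "svc_vpn": (None, 0.0), "svc_backup": (None, 0.0),
}
DEPENDS_ON = {  # dependency edges: node -> the assets it relies on
    "cert_web": ["rsa2048"], "tls_web": ["cert_web", "ecdh_p256", "aes256"],
    "svc_vpn": ["ecdh_p256", "aes256"], "svc_backup": ["aes256"],
}
SERVICES = ["tls_web", "svc_vpn", "svc_backup"]  # assets whose exposure is scored
DOMAINS = ("signature", "key_exchange", "symmetric")

def exposure(node, active_domains, memo=None):
    """Weakest-link propagation (assumed rule): a node is as exposed as its
    most exposed dependency. Only primitives whose domain is in active_domains
    count; the rest are treated as already migrated to PQ algorithms."""
    memo = {} if memo is None else memo
    if node not in memo:
        domain, own = NODES[node]
        score = own if domain in active_domains else 0.0
        for dep in DEPENDS_ON.get(node, []):
            score = max(score, exposure(dep, active_domains, memo))
        memo[node] = score
    return memo[node]

def enterprise_exposure(active_domains):
    """Risk functional v(S): mean service exposure, 0.0 = fully PQ ready."""
    return sum(exposure(s, set(active_domains)) for s in SERVICES) / len(SERVICES)

def shapley_attribution(domains=DOMAINS):
    """Exact Shapley decomposition of the total exposure across domains."""
    n, phi = len(domains), {}
    for d in domains:
        others = [x for x in domains if x != d]
        phi[d] = sum(
            factorial(k) * factorial(n - k - 1) / factorial(n)
            * (enterprise_exposure(set(c) | {d}) - enterprise_exposure(set(c)))
            for k in range(n) for c in combinations(others, k))
    return phi

def readiness_score():
    """Normalized PQ readiness in [0, 1]: one minus total enterprise exposure."""
    return 1.0 - enterprise_exposure(DOMAINS)
```

In this toy graph the key-exchange domain receives most of the attributed exposure because every Shor-vulnerable service depends on it, while the signature domain only matters for the service whose certificate chain is RSA-based; the attributions sum to the total exposure, as Shapley efficiency requires.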