Key Takeaways:
- AI and quantum are the same problem. AI agents already run on the cryptographic trust models that quantum computing is expected to break. Treating them as separate initiatives creates a blind spot where the real risk lives.
- The identity model is broken for non-human actors. AI agents are autonomous, long-lived, and increasingly privileged, but their credentials, such as GitHub tokens, API keys, and embedded secrets, sit outside the identity governance frameworks enterprises built for humans. Most organizations can’t even inventory what’s out there.
- Cryptography isn’t just protecting data, it’s defining identity. When quantum weakens the cryptographic layer, the impact isn’t just that data gets exposed. It’s that organizations lose the ability to answer who is this agent, what is it allowed to do, and should it still be trusted.
- The breach may have already happened. “Harvest now, decrypt later” is an active practice today. If data needs to stay secure for years, the exposure window is already open, and most organizations don’t have enough visibility into their cryptographic footprint to know what’s at risk.
- The appropriate response to this threat requires a unified operating model, not just new algorithms. Organizations need to bring cryptographic identity and agent identity under the same governance framework. They need visibility into every certificate, key, token, and secret, with continuous control over how credentials are issued, rotated, revoked, and monitored.
The U.S. Intelligence Community recently put quantum computing on equal footing with artificial intelligence as a national security concern, placing both under a new top-level category in the 2026 Annual Threat Assessment of the U.S. Intelligence Community called Technological Challenges. The designation reflects how seriously the quantum threat is being taken. Most readers will interpret this as a shift in prioritization. It is more than that. It is a redefinition of the threat model.
These two technologies already intersect in ways most organizations have not confronted. Enterprises are deploying AI agents across development pipelines, infrastructure automation, and business workflows and every one of those agents authenticates into production systems, accesses sensitive data, and acts across environments over TLS connections, using OAuth tokens, API keys, and embedded secrets. The cryptographic layer that makes this work securely is the same layer that quantum computing is expected to break.
Yet most organizations still treat AI and quantum as separate problems. AI sits with the productivity and automation teams. Quantum sits with the cryptography and long-term risk teams. That separation no longer holds as AI systems are already running on trust models that may not survive the decade.
Identity has traditionally been defined in terms of users and applications, but that model is no longer sufficient. AI agents are long-lived, autonomous, and increasingly privileged. They operate across systems, chain actions together, and interact with services in ways that resemble human decision making. However, their identity model is fragmented. Many agents rely on credentials that exist outside centralized identity providers, including GitHub tokens, SaaS issued API keys, embedded secrets and integration layer credentials. In many environments, organizations do not have a complete inventory of where these credentials exist or how they are used. This lack of visibility already creates risk, and when combined with the potential weakening of underlying cryptographic trust, the implications become more serious.
Most discussions around quantum computing focus on encryption and data confidentiality, such as what data can be decrypted, when existing algorithms may fail, and which replacements are emerging. That perspective is incomplete. Cryptography is not only protecting data, but also defining identity. Certificates establish trust between systems, keys prove ownership, and tokens represent delegated access. These mechanisms are foundational to how modern systems authenticate and authorize interactions. If these mechanisms can no longer be relied upon, the impact extends beyond confidentiality and affects the ability to establish and maintain trust. Organizations may no longer be able to confidently answer fundamental questions such as who is this agent, what is it allowed to do, and should it still be trusted. At that point, the AI problem and the quantum problem become the same problem.
Another dimension that deserves attention is the ongoing practice of collecting encrypted data for future decryption. Although the Annual Threat Assessment does not emphasize it, the concept of harvesting encrypted data today with the expectation of decrypting it later has been acknowledged in multiple intelligence discussions. This creates a time-shifted breach model. By the time organizations recognize the impact, the data has already been collected. For enterprises, the implication is straightforward. If data needs to remain secure for years, exposure may already exist. At the same time, most organizations lack a clear understanding of their cryptographic footprint. Encryption is deeply embedded across cloud platforms, on-premises systems and third party integrations, and discovery alone can take years in large environments. The timeline required to respond is often longer than the timeline of the threat.
Framing this challenge purely as a cryptography problem misses the broader issue. What is really at stake is identity and control in an environment where non-human actors are making decisions at scale. AI agents are already operating across systems using credentials that are not fully governed, while the trust model behind those credentials is under pressure. Treating AI governance and post quantum cryptography as separate workstreams creates gaps in visibility and control. A more effective approach is to recognize that both challenges converge on the same underlying problem.
Addressing this shift requires more than adopting new cryptographic algorithms. It requires a different operating model. Organizations need a unified control plane that brings together cryptographic identity, agent identity and continuous governance. This starts with visibility into certificates, keys, tokens and secrets across the environment, including those that exist outside traditional identity providers. It then extends to control, including how credentials are issued, rotated and revoked, how access is governed across systems, how behavior is monitored over time and how compliance is enforced. This is where platforms that combine cryptographic discovery, identity governance and automation begin to play a critical role.
This shift is not theoretical. It requires immediate action. Organizations should establish visibility into their cryptographic footprint across cloud, on premises and third party systems, identify where AI agents and automated systems are operating and what credentials they rely on, especially those outside traditional identity providers, and begin building a control model that combines cryptographic trust with continuous governance of non-human identities. These steps take time, and most organizations are further behind than they expect.
The Intelligence Community has elevated quantum to the level of AI, and that should prompt urgency. The more important shift is already underway. AI agents are scaling across enterprises, operating on trust models that were never designed for a post-quantum world. The organizations that act now will not be the ones that simply adopt new algorithms, but those that understand their cryptographic exposure, govern their non-human identities and build systems that can adapt as trust itself evolves. The risk is not approaching. It is already embedded in how systems operate today.
For more information on readying your enterprise for a post-quantum, AI-enabled world, visit our Quantum Trust Hub.
Tags
About the Author
Ganesh Mallaya
Distinguished Architect & technical Evangelist
Enabling businesses to design, engineer and deploy automation and Digital trust management solutions.
