Artificial intelligence is that shiniest of objects, capturing the attention and imaginations not only of investors, governments and business leaders, but also of academicians, social scientists and even some technologists wary of its power to overwhelm regulatory and governance guardrails.
Quantum computing, on a similar exponential track with perceived existential implications, and even seeing breakthroughs by the likes of Google and IBM, isn’t yet generating that level of urgency and alarm. That is going to change if voices like Mauritz Kop are heeded.
“The most immediate risk is not a science fiction Q-Day,” says Kop, the founding director of the Stanford Center for Responsible Quantum Technology (RQT), referring to the anticipated moment when quantum systems are capable of breaking the encryption codes that safeguard modern-day communications and commerce.
“I worry about long-lived assets – financial records, identity data, health and government archives” – which could fall victim to “a lack of crypto-agility and weak vendor oversight,” adds Kop, who also created the Stanford Quantum Incubator and is a senior fellow at Canada’s Centre for International Governance Innovation.
To be sure, security, as critical and challenging as it is, will not be the only item on the quantum governance and oversight agenda.
Q-Day remains a matter of conjecture, not unlike artificial intelligence’s point-of-no-return “singularity”. But the year 2030 looms heavily over the worlds of quantum R&D and post-quantum cryptography (PQC).
“2030 is just around the corner, and it’s gearing up to be the new Y2K, but with far more severe consequences,” cyber risk quantification vendor SAFE warned in a blog post.
Justin Thaler: “Encryption needs to transition today.”
By contrast, Justin Thaler, Andreessen Horowitz (a16z) research partner and associate professor in Georgetown University’s Computer Science Department, wrote this month that “timelines to a cryptographically relevant quantum computer are frequently overstated,” and “publicly known progress” does not support its likelihood “before 2030 or well before 2035.”
“Even 10 years remains ambitious,” according to Thaler, though he does not discount the need to be prepared in advance for “harvest now, decrypt later” (HNDL) attacks, in which adversaries gather and archive encrypted information now for decoding when quantum makes it feasible.
“That’s why encryption needs to transition today – at least for anyone with 10 to 50+ year confidentiality needs,” Thaler advised.
The threat was flagged in the recently released annual report of the U.S. Financial Stability Oversight Council, the committee of key regulators chaired by Treasury Secretary Scott Bessent: “The council encourages public and financial services sector partners to consider the risks to cryptography posed by quantum computers and to take the appropriate steps to facilitate the migration to quantum-resistant cryptography and transition towards greater cryptographic agility.”
The FSOC endorsed scenario-driven tabletop exercises “as an important tool” for building cyber readiness and resilience.
In Depository Trust & Clearing Corp.’s annual Systemic Risk Barometer Survey, cyber ranked second only to “geopolitical risks and trade tensions” in the forecast for 2026. But on a first-time question about quantum computing, “only 29% of respondents confirmed that their firm was currently actively planning for the cybersecurity risks associated with the technology,” DTCC revealed on December 10. “25% said their firm acknowledges quantum computing as a risk but did not have any current plans to address it.”
Although “the timeline for migrating to new cryptographic algorithms could be years,” as SAFE put it, “this massive impending digital transformation is a stark reminder that acting early is critical. Preparing for Q-Day is an enterprise-wide project and will require enterprise-wide effort.”
What’s more, “The relationship between quantum computing and artificial intelligence is a profound and symbiotic one, with each field poised to accelerate the other. Quantum computers can dramatically speed up complex AI and machine learning tasks.
“But this is not merely a faster version of classical computing,” SAFE went on. “It’s a paradigm shift. Quantum computers, using principles like superposition and entanglement, can solve certain optimization problems and analyze vast datasets in ways that are impossible for even the most powerful supercomputers today.”
Mauritz Kop: A “governed experimentation” phase.
Kop, who studied intellectual-property law at Stanford Law School, and whose published work includes Establishing a Legal-Ethical Framework for Quantum Technology (2021) and A Call for Responsible Quantum Technology (2024), has characterized quantum as “AI on steroids.” He said in 2023 that Stanford’s multidisciplinary RQT center took a “pro-innovation stance” in light of indications that the technology held the promise of such goods as personalized drug development, earthquake prediction and potentially unbreakable information security.
“But just as quantum technology could result in a more secure internet,” said Stanford Law’s statement at the time, “so too could it result in a world in which all the information on the internet is able to be compromised by a single bad actor, among many other potentials for misuse and unintended consequences.”
Kop works at the intersection of quantum, AI, national security, geopolitics, ethics and law, and he regards nation-state HNDL as a present danger.
“Today we are primarily in the ‘governed experimentation’ phase, co-designing pilots in quantum-safe cryptography, optimization, and sensing with partners, and using quantum-inspired methods on classical hardware while the devices mature,” he explains. “Over the next five to 10 years, I expect a gradual shift from proofs of concept to embedded capabilities in risk, trading, logistics and cybersecurity workflows, paired with much more formal governance, certification and benchmarking to keep those deployments trustworthy.”
Some experts worry that the cryptographic underpinnings of cryptocurrencies and blockchains, largely unbreached to date, will be targets of HNDL exploits. A study by app security company ImmuniWeb found millions of user records already circulating on the dark web – a “quantum blind spot [that] only magnifies today’s failures. In addition to the 7.8 million user records, 5,700 leaked employee accounts are fueling phishing and fraud, while 45% of [crypto] exchanges lack basic defenses against AI-driven attacks,” the report stated.
Ilia Kolochenko: Many are unprepared.
“Many large organizations around the globe still seriously underestimate the risks of quantum attacks,” says Ilia Kolochenko, CEO and chief architect of ImmuniWeb, which offers a PQC testing tool. He sees HNDL attacks “already being deployed by both organized cybercrime and nation-state hackers . . . Although powerful quantum computers will quite unlikely become readily available to cyber-threat actors upon their creation, many vendors and organizations are totally unprepared for a rapid migration to post-quantum cryptography. Worse, some devices and business-critical systems simply do not support PQC and shall be physically replaced.”
Thaler of a16z, whose recommendations included “prioritize implementation security – not quantum threat mitigation – in the near term,” said of bitcoin that the quantum threat “is real, but the timeline pressure comes from bitcoin’s own constraints, not from imminent quantum computers.
“Other blockchains face their own challenges with quantum-vulnerable funds, but bitcoin is uniquely exposed: Its earliest transactions used pay-to-public-key (P2PK) outputs that place public keys directly on-chain, leaving an especially significant fraction of BTC vulnerable to cryptographically relevant quantum computers. This technical difference – combined with bitcoin’s age, value concentration, low throughput and governance rigidity – makes the problem especially severe.”
Konstantinos Karagiannis: One use case to start.
In Konstantinos Karagiannis’ view, a quantum governance strategy should start by addressing the cybersecurity threat and planning for PQC migration. Near term, says Karagiannis, director of quantum computing services for Protiviti, that involves taking a cryptographic inventory to understand what needs to be migrated, identifying “crown jewels” that might require upgrading, and addressing third-party relationships and their post-quantum readiness.
Not to be ignored are innovation opportunities: “If you’re a hedge fund, wouldn’t you want to be the first to offer a quantum-generated ETF, both for buzz and to provide better returns?”
“Companies should start with one critical use case they are already solving with classical means and prepare a [proof of concept] to explore and extrapolate how quantum could transform this process,” the Protiviti consultant continues. While consultants can assist in the early stages, “there will need to be a plan for acquiring talent as the use cases become staples in-house. This is similar to corporate AI use-case roadmaps in some ways.”
Another governance guideline, from BforeAI chief technology officer Sebastian Cesario, is to accurately assess cryptographic dependencies and the lifespan of an organization’s stored data.
“From there, organizations need mechanisms for cryptographic agility, meaning the ability to pivot quickly as standards evolve, paired with a clear map of where long-lived data could be exposed by ‘harvest now, decrypt later’ campaigns,” Cesario says.
“Build an inventory of sensitive, long-lived data and critical processes; map their cryptographic dependencies; and develop a phased PQC migration plan that is coordinated with your peers, regulators and vendors,” Kop suggests. “In the U.S., that means treating PQC migration as critical-infrastructure modernization and aiming to have core PQC migration substantially completed before 2030, especially for long-lived data and critical financial and national security systems.”
Kop believes quantum should be approached as an extension of cybersecurity, data protection, and model risk management, not as a mysterious outlier.
Mohit Pandey, a machine learning scientist at Boston University, is mindful of the transitional path from classical computing and algorithms to quantum, with hybrid steps along the way. He cites the National Institute of Standards and Technology and its PQC program as a helpful resource.
Technology progresses faster than organizations adapt, and this must be taken into account. Arjun Kudinoor, quantum security advisor at Protegrity, points out that the average chief information security officer (CISO) tenure is less than three years, shorter than the time required for “a full post-quantum migration for a large enterprise spanning identity systems, network infrastructure, suppliers and embedded devices.”
Thus quantum readiness projects may have to be sustained through leadership changes, budgeting cycles and shifting organizational priorities. And misjudging the Q-Day tipping point could be costly.
Quantum Technology Governance: A Standards-First Approach, an article co-written by Kop, stresses the importance of standardization in helping to navigate quantum’s formative stages and to “lay a solid foundation for innovation, foster trust, and provide a basis for future regulatory frameworks as quantum technologies mature.”
“Quantum will challenge the trust foundations of cybersecurity long before most organizations expect it,” Cesario cautions. “Planning must reflect that reality.”
Jeffrey Kutler of GARP contributed reporting for this article.