Many leaders still think quantum security is just a quick software update with a bit of AI magic.
For most organisations, It isn’t.
That fantasy is a recipe for catastrophic risk.
Crypto obsolescence projects can quickly expand in scope and destroy your budgets.
Across boardrooms, government corridors, and SOC water coolers alike, there’s a growing tendency to treat Post-Quantum Cryptography (PQC) as a simple upgrade: tick a box, run an update, sleep soundly.
This belief is dangerously naive.
The myth of a “smooth transition” to quantum-safe systems is often sold by vendors with flashy “LQM +++ AI offering” often fixes nothing without the right people on the project.
When implementing PQC, AI can help guide, but it cannot replace meticulous human oversight, careful cross department policy work, and the harsh reality that much of today’s infrastructure must be torn out and rebuilt against an ever shrinking delivery timeline.
Tooling can do some of the work, but it cant rip an ATM out of the wall or replace your network architecture.
Crypto Paralysis is the reality.
If you’re in a large enterprise, you probably have legacy PKI, un-upgradeable HSMs and TPMs, and air-gapped systems with hard-coded root certificates.
Don’t take crypto agility as already built in to your existing cryptography, more than often it is not. Systems need to be upgraded, legacy vendors need to be resurrected into action.
Crypto “Agility” quickly becomes an unachievable and sometimes un-recoverable fairytale lost in the practicalities of facing a massive crypto obsolescence project full on, in the face.
Medical and sensitive data records add complexity.
Data often cannot be re-encrypted easily without full decryption and migration. All of a sudden a quick cryptography swop out becomes a complicated enterprise data project.
Projects expand rapidly in scope.
Outside of IT, embedded crypto modules in military equipment, satellites, cars, radios, and IoT devices can’t be upgraded without throwing them out and buying new hardware.
Crypto Paralysis is a Thing,
I have seen it with my own eyeballs, it happens when the CISO, CIO, Risk and C-level look like deer in headlights, they stare at each other blankly when the scope of work becomes apparent, often its accompanied by tutting and soft swear words.
Its normally the pre-curser to calling in consultants to “buy the risk” for short-term comfort.
However, the talent to do the work costs so much and is in such short supply that your budgets can easily skyrocket.
7 times out of 10 the consultants don’t fix the problem, not because they are not brilliant, but because teams quickly realise they’ve opened Pandora’s box.
They scramble to limit scope - as they discover cryptography is deeply entwined with systems engineering, supply chain contracts, regulation, and enterprise geopolitics.
Project planning turns into politics and huge upgrades.
For consultants it can become a cash-cow of a never ending and difficult to boundary project.
Ownership is often a opaque mess: often quantum security sits in a magical crypto Narnia between the C-suite, risk, innovation, and cyber - often with no fixed budget.
Quantum computers will break today’s defences — that’s math, not hype.
Algorithms like RSA and ECC are fallible once sufficiently powerful quantum processors arrive.
This is why NIST and ENISA are urging migration to PQC ASAP.
You can be of the its going to happen tomorrow AM mindset, or its ten years mindset, either-way its at least (at the very least) a 60 month project in a large critical infrastructure organisations - many of which arejust starting these projects now.
The naive response? Swap in post-quantum algorithms and carry on.
Reality check: Even the best PQC relies on mathematical problems that could be broken by future quantum or classical attacks.
So you must build and re-engineer systems with crypto agility from the start - but thinking you can retrofit agility into existing crypto is a root cause of severe Crypto Paralysis.
Deploying PQC across every chip, certificate, and protocol in global commerce is a Herculean logistical effort.
Industry estimates show that ~70–80% of PQC costs are services (audit, migration, governance) - not shiny tools.
Root keys, embedded chips, and forgotten servers make agility a myth.
Root keys and hardware modules (HSMs, TPMs, smart-cards) were not designed to be swapped every decade - let alone annually.
Critical systems, like air-gapped military gear and industrial controllers, contain crypto primitives burnt into firmware or hardware.
Replacing them is a physical operation, not a patch.
Changing them means recalling units, re-certifying tamper-proof hardware, and coordinating supply chains.
With the supply chain element being extra burdensome.
For aerospace, energy, or telecoms, downtime alone can cost billions - before buying new hardware.
Such projects routinely run the risk of extracting tens or low hundreds of millions from your companies bottom line.
Governance and consensus hurdles cripple rapid upgrades.
Take blockchains: their security depends on decentralised consensus.
Upgrading to quantum-resistant signatures requires agreement across developers, miners, validators, exchanges, and users.
Minor protocol tweaks have caused standoffs and forks in the past.
Expecting an orderly PQC transition during an active breach is wishful thinking.
AI will not auto-fix this - and can amplify bad assumptions.
AI can draft code, analyse patterns, and summarise papers.
But it doesn’t grasp the messy reality of hardware dependencies, supply chain contracts, or regulatory approval timelines and how they all impact a project.
Often AI and especially AI supply chain considerations are a huge problem themselves.
When you bring in the third party risk from supply chains, thats when further paralysis sets in - securing the supply chain is a herculean task carrying a veritable basket of herculean tasks to dump onto the project team.
An AI might recommend rolling out lattice-based signatures tomorrow - ignoring that your supply chain runs on legacy routers with hard-coded firmware from 2003 and that they underpin critical business services that can’t be taken offline.
Blind trust in AI turns plausible plans into a dangerous mirage.
The fix starts to morph into huge infrastructure upgrade.
What does realistic quantum defence look like?
Inventory and audit - know exactly where your crypto lives, including dusty servers nobody claims. Standards for inventory? None. Yet, but they are on the way.
Prioritised migration - fix root keys, long-term stores, high-value transactions first. Hire people who understand both quantum cybersecurity and business process re-engineering. $$$$$$
Hardware refresh plans - budget for replacing outdated HSMs and embedded chips.
This gets expensive fast.
Governance rehearsals - simulate upgrade rollouts under attack conditions.
Decide now how to force consensus if critical exploits emerge.
Continuous horizon scanning- today’s secure PQC may fail tomorrow.
Build agility into new architecture and contracts.
Above all: accept that perfect crypto agility does not exist.
Even the best-prepared organisations will carry residual risk.
Resilience means shrinking the blast radius and being harder to target - so the attackers move on.
Cautious optimism, constant vigilance.
Quantum computing is not science fiction, it’s engineering fact.
AI is not magic, it’s pattern recognition on steroids.
Both technologiesbring promise and unprecedented risk, and the supply chain complicates the hell out of it.
Bring in expertise to help, but thinking you can just hand this over to a third party is not practicable for all of the reasons listed above. It is often a much bigger project than estimated, and impacts core systems, business processes and existing data.
Security posture must reflect this reality: more human diligence, more boring tasks like crypto inventory and risk modelling.
AI and cryptographic models are tools. They don’t build your house.
In this new era, there are no shortcuts.
Any vendor who says otherwise is selling you a fairy tale. There are some great tooling vendors out there, the team at Quantum Security and Defence are well placed to advise you on which ones work best for your own environment. But tooling alone will not deliver a project.
- NIST PQC Migration Project: NIST PQC
- ENISA Reports on Cryptography Migration: ENISA PQC
