Key insight

AI systems run on the exact public-key cryptography quantum computers break — and AI’s longest-lived assets (training data, weights, embeddings, knowledge bases) are prime harvest-now-decrypt-later targets. Being quantum-safe about AI means four things: protect the long-lived data, protect the agent channels (TLS/PKI/tokens), sign the models (an MLBOM), and stay crypto-agile — which is just model-agility applied to algorithms.

In one sentence

The crypto quantum breaks is the crypto your agents, models, and pipelines depend on — so post-quantum readiness is AI security, not a separate topic.

Why a quantum guide ends in AI

Everything in this series — the two kinds of locks, what Shor breaks, the tower of RSA, ECC, PKI and TLS — describes the security substrate of modern software. AI systems are modern software. They just happen to concentrate an unusual amount of long-lived, high-value secret in one place, and to add a new layer of machine-to-machine trust (agents calling agents, tools, and model endpoints). Both of those make the quantum question sharper, not softer.

So this capstone is deliberately not new cryptography. It is the same field guide, pointed at the place your engineering already lives.

Harvest-now-decrypt-later meets AI

Harvest now, decrypt later (HNDL) is the attack where an adversary records your encrypted data today and waits for a quantum computer to unlock it. The data that matters most for HNDL is data whose value survives for years. AI is full of exactly that:

AI assetWhy it’s a long-lived secret
Training corporaProprietary or regulated data (customer records, source code, medical text) that stays sensitive for decades.
Model weightsThe distilled result of that data plus enormous compute — often the single most valuable artifact you own.
Embeddings & vector storesNumeric encodings of confidential documents; an emerging, actively-researched inversion risk means they can be recoverable enough to leak the underlying content, so treat them as sensitive by default.
RAG knowledge basesThe private corpus an agent retrieves from — frequently your most sensitive internal knowledge.
Conversation & tool logsPrompts and outputs that can contain secrets, PII, and business intent, retained for a long time.

If any of these move over today’s TLS using a classical key exchange, a patient attacker can capture the ciphertext now and read it after Q-day. Mosca’s inequality (X + Y > Z) applies directly: if your model or corpus must stay secret for X years, migration takes Y years, and a quantum computer arrives in Z years, then whenever X + Y exceeds Z you are already late.

The crypto under your agents

An agent system is a web of machine-to-machine trust: an orchestrator calls sub-agents, agents call tools and APIs, and everything talks to model endpoints — increasingly over the Model Context Protocol (MCP). Every one of those hops is secured by the public-key cryptography this series showed quantum breaks:

This is where quantum risk collides with an anti-pattern the wider guide already warns about: implicit agent-to-agent trust. If the cryptography that authenticates one agent to another can be broken, an attacker can impersonate a trusted agent or sit in the middle of a tool call — the confidentiality and authenticity damage described in the threat part, now aimed at your control plane. The same logic extends to poisoned knowledge bases and boundaryless data egress: broken transport crypto weakens the very boundaries those patterns depend on.

Where quantum touches an AI stack An AI stack in four layers — data at rest, data in transit, model artifacts, and agent-to-agent channels — each tagged with the cryptography quantum affects. Agent ↔ agent / tool / MCP TLS key exchange + certificates + signed tokens — broken by Shor Model artifacts Signatures proving weights aren’t tampered — migrate to ML-DSA / SLH-DSA Data in transit Training data, embeddings, prompts — harvest-now-decrypt-later target Data at rest Weights, corpora, vector stores — symmetric (AES), only mildly dented by Grover
Public-key layers (top three) are where quantum bites; the symmetric layer at rest is the easy part.

Signing models & the MLBOM

The assessment part introduced the cryptographic bill of materials (CBOM) — a living inventory of where cryptography lives. AI has a natural extension: the MLBOM (machine-learning bill of materials), which records the datasets, base models, and dependencies that went into a model, and pairs it with model signing so you can prove an artifact was not tampered with between training and deployment.

Those signatures use exactly the algorithms that must migrate: today’s RSA/ECC signing should move to the new ML-DSA and SLH-DSA standards. The same applies to signing AI-generated code before it ships — a control the wider guide leans on when it argues for disciplined, gated agent output. Provenance you can’t cryptographically trust is provenance in name only.

Crypto-agility is model-agility

The migration part’s central lesson was crypto-agility: don’t hard-code an algorithm; design so you can swap it quickly, this time and every time after. AI engineers already practise the same instinct under a different name — model-agility, the ability to change model or provider behind an abstraction without rewriting the application.

Treat cryptography the way you already treat models: put it behind an interface, drive the choice from configuration, and keep the call sites ignorant of which primitive is in use. A team that can swap GPT for Claude without a rewrite can swap ECDH for ML-KEM the same way — if they designed for it. Crypto-agility and model-agility are one discipline.

What to actually do

When you run the readiness assessment on an AI system, add four AI-specific lines to the checklist:

Do thisBecause
Inventory long-lived AI data and its transport cryptoTraining data, weights, embeddings, RAG stores are HNDL targets — prioritise them in the risk register.
Map the crypto on every agent / tool / model channelTLS, certs, and tokens are what quantum breaks — and what agent-to-agent trust rests on.
Adopt model signing + an MLBOM, using PQC signaturesProvenance for weights and generated code must survive the migration to ML-DSA / SLH-DSA.
Make the algorithm swappable (crypto-agility)The same abstraction discipline you use for models — so the next change is routine, not a rebuild.
Where to start, concretely: the first move is a data-flow inventory of the AI system — list every place training data, model weights, embeddings/vector stores, and prompt/tool logs are stored and every channel they travel over, and record the crypto on each (this is just the CBOM pointed at your AI stack). The MLBOM isn’t a separate tool to invent: it reuses the same SBOM/CycloneDX approach, extended with the datasets and base models behind each artifact. And “hybrid” here means the same thing as everywhere in this guide — run a classical key exchange and ML-KEM together so one surviving is enough.

Run in hybrid where you can (classical + ML-KEM together) so you get protection today without betting everything on a young algorithm, and prefer platforms that already ship PQC — see Quantum-Safe on Microsoft Platforms.

HNDL (harvest now, decrypt later)
Recording encrypted data today to decrypt once a quantum computer exists; the core reason AI’s long-lived data is exposed now.
Embeddings
Numeric vector encodings of content; recoverable enough that leaked embeddings can leak the source text.
RAG
Retrieval-augmented generation — an agent fetching from a private knowledge base at query time.
MLBOM
Machine-learning bill of materials: an inventory of the datasets, base models, and dependencies behind a model — the AI analogue of the CBOM.
Model signing
Cryptographically signing model artifacts so tampering is detectable; must migrate to PQC signatures.
Model-agility
Designing so a model or provider can be swapped behind an abstraction — the same discipline as crypto-agility.
TLS / PKI / RSA / ECC / ECDH
The transport-security stack quantum breaks: TLS (Transport Layer Security), PKI (Public-Key Infrastructure), RSA (Rivest–Shamir–Adleman), ECC (Elliptic-Curve Cryptography) and ECDH (Elliptic-Curve Diffie–Hellman) key exchange.
MCP (Model Context Protocol)
The emerging protocol agents use to reach tools and model endpoints — another channel to secure with PQC.
ML-KEM / ML-DSA / SLH-DSA
The post-quantum standards to migrate to: ML-KEM for key exchange, ML-DSA and SLH-DSA for signatures.
CBOM (Cryptographic Bill of Materials)
The crypto inventory the MLBOM extends for AI systems.
PII (Personally Identifiable Information)
Personal data in prompts and logs that keeps its sensitivity for years — an HNDL target.
PQC (Post-Quantum Cryptography)
The quantum-resistant algorithms AI transport and signing must adopt.

What to carry forward

That completes the field guide — and brings it home. ← Back to the full series, or explore the AI Agent Engineering Guide the anti-patterns above come from.

Understand it in your own words

Paste into any AI assistant to check yourself:

I'm connecting post-quantum cryptography to AI systems. Quiz me one
question at a time, correcting me gently:

1. Which AI assets are the biggest harvest-now-decrypt-later targets, and why?
2. Which cryptography secures agent-to-agent, tool, and model channels, and
   what does quantum do to it?
3. What is an MLBOM, and how does it relate to the CBOM and model signing?
4. Why is crypto-agility "the same discipline" as model-agility?
5. What four AI-specific lines belong on a quantum-readiness checklist?

References & further reading

  1. NIST, FIPS 203/204/205 (ML-KEM, ML-DSA, SLH-DSA). csrc.nist.gov/publications/fips
  2. NIST, IR 8547: Transition to Post-Quantum Cryptography Standards. csrc.nist.gov/pubs/ir/8547
  3. CISA, NSA & NIST, Quantum-Readiness: Migration to PQC. cisa.gov/quantum
  4. OWASP, Machine Learning Security & AI/LLM supply-chain guidance (MLBOM concepts). owasp.org — ML Security Top 10
  5. Model Context Protocol, specification (agent/tool transport). modelcontextprotocol.io