Security teams are dealing with a real shift in how attacks are built and executed. AI is driving down the cost and time required to find vulnerabilities, chain exploits, and move from discovery to impact. At the same time, quantum computing, while not yet a practical cryptographic threat, is forcing organisations to think seriously about how long today’s encrypted data needs to remain secure.
These two forces operate on different timelines and at different layers of the security stack. What they share is their impact on one critical function: cryptography. Cryptography can no longer be treated as a static control, and instead must become actively managed, visible, and upgradeable. For most organisations, modernisation is already overdue.
Transforming the speed of attacks
AI is not breaking encryption algorithms. But it is changing how quickly attackers can find and exploit weaknesses. Modern enterprises have thousands of cryptographic endpoints: TLS, VPN gateways, APIs, IoT and OT devices, cloud workloads, SaaS integrations, mobile apps, and more.
Across these systems, cryptography evolves unevenly, legacy protocols persist, and deprecated cipher suites remain enabled for compatibility. Additionally, certificates expire, key lifetimes vary wildly, and misconfigurations accumulate.
Historically attackers needed time to map these vulnerabilities. Today, AI-tooling can automate that discovery. This drastically shrinks the exploitation timeline. Security teams no longer have the luxury of discovering cryptographic risk on an annual audit cycle.
Data is already under attack
Quantum computing presents a different class of risk. It’s a threat to yesterday’s data. A sufficiently powerful, fault-tolerant quantum computer will be able to break today’s public-key cryptography. This will compromise TLS key exchange, VPN tunnels, PKI trust chains, and authentication systems.
However, quantum computers do not threaten modern symmetric cryptography, AES, and SHA-256. So, the quantum threat is not “encryption collapse;” it’s traditional public-key obsolescence. The timeline remains uncertain. But there is a risk today of Store Now, Decrypt Later (SNDL) attacks.
In these attacks, adversaries harvest encrypted traffic today, particularly long-lived sensitive data, so that data can be decrypted retroactively once quantum capabilities mature. This makes cryptographic modernisation a data durability problem, not just a breach-prevention problem. If your data must remain confidential for 5 or 10 years or longer, then your cryptography has to be quantum-safe before those machines exist.
The intersection of AI and quantum risk
AI and quantum computing are not combining into a single technical attack today, but they do intersect operationally. AI accelerates the discovery of cryptographic weaknesses. Quantum computing will eventually make many of those weaknesses permanent failures. Together, they compress modernisation timelines.
AI-powered attackers will find legacy TLS stacks, RSA-only key exchange, long-lived certificates, hardcoded keys, and shadow encryption across cloud and SaaS environments at machine speed. And when quantum systems arrive, any unremediated exposure becomes irreversible. The real risk is not a futuristic super-weapon. It’s organisational inertia.
Cryptography is now an attack surface
In many enterprises, cryptography is still treated as background infrastructure, something that just works. That assumption no longer holds.
Cryptography is now a compliance boundary, and a supply-chain dependency. It is the target of nation-state intelligence agencies; all while being boosted as a long-term data protection mechanism. Cryptography is also one of the least visible components of most security architectures.
Many organisations cannot answer basic questions from which protocols are in use to whether deprecated ciphers are still enabled. Entities do not know how many certificate authorities are issuing certificates internally, nor which applications still depend on RSA or legacy key exchange. For example, where are keys generated, stored, rotated, and revoked, or which systems will break when PQC is introduced? Without that visibility, modernisation is impossible.
Cryptographic modernisation
Cryptographic modernisation is not a single technology upgrade. It is a program. It requires organisations to maintain a real-time map of protocols, cipher suites, certificate chains, key lifetimes, and trust anchors, including across all technological intersections. If you cannot see your cryptography, you cannot secure it.
Moreover, modern systems must be designed to change cryptographic algorithms without rewriting applications. Agility is what makes post-quantum migration feasible. This design approach is needed across crypto abstraction layers, configurable encryption policies, centralised key management, and automated certificate rotation. Static cryptography is no longer defensible.
Cryptographic lifecycle must be managed with intention and audited continuously. AI has changed the tempo of cyber risk. Quantum computing has changed the durability of data protection. Together, they have turned cryptography into something that must be continuously monitored, upgraded, and governed.
This is a new reality. The organisations that remain secure in the coming decade will be the ones that treat cryptography as core infrastructure with the same rigour applied to identity, networking, and cloud security.
Cryptographic modernisation is no longer a future project. It is a present necessity.
