{"version":"1.0","type":"agent_native_article","locale":"en","slug":"cybersecurity-ai-quantum-computing-who-pays-transition-mqxfxfiz","title":"Cybersecurity in the Age of AI and Quantum Computing: Who Pays for the Transition","primary_category":"exponential","author":{"name":"Martín Soler","slug":"martin-soler"},"published_at":"2026-06-28T06:02:33.796Z","total_votes":86,"comment_count":0,"has_map":true,"urls":{"human":"https://sustainabl.net/en/articulo/cybersecurity-ai-quantum-computing-who-pays-transition-mqxfxfiz","agent":"https://sustainabl.net/agent-native/en/articulo/cybersecurity-ai-quantum-computing-who-pays-transition-mqxfxfiz"},"summary":{"one_line":"The convergence of AI and quantum computing is creating a two-layered cybersecurity debt that organizations must pay now or pay much more later, with SMEs and under-resourced teams bearing disproportionate costs.","core_question":"Who absorbs the financial and organizational costs of transitioning to AI-resilient and quantum-resistant cybersecurity, and what structural incentives determine the distribution of that burden?","main_thesis":"The AI and quantum computing convergence does not merely raise the technical bar for cybersecurity — it restructures who pays for the transition. Attackers benefit from falling marginal costs while defenders accumulate compounding technical debt. The market is structured to sell external products, not build internal capacity, which means organizations that delay action are not deferring a cost but multiplying it."},"content_markdown":"## Cybersecurity in the Age of AI and Quantum Computing: Who Pays for the Transition\n\nThere is a pattern that repeats itself every time a technology changes the rules of the game at sufficient speed: the first to absorb the cost are those with the least margin to do so. The convergence between artificial intelligence and quantum computing is following that pattern with uncomfortable precision. Attackers benefit from tools that reduce the time and cost of their operations. Defenders, on the other hand, accumulate technical and organizational debt that they now have to pay twice: once for the risks that AI introduces today, and again for the cryptographic migration that the quantum world will demand tomorrow.\n\nThe analysis by Michelle Drolet published in Forbes Technology Council is not a laboratory warning. It is a map of tensions that are already active in the budgets, boardrooms, and security teams of any company with relevant digital infrastructure. And the angle that is most interesting is not technological: it is distributive. Who absorbs the costs, who captures the value of the transition, and what structural incentives are pushing each actor in the system.\n\n## AI Compresses the Time Available to Those Who Defend, Not to Those Who Attack\n\nThe asymmetry that artificial intelligence introduces into cybersecurity is not new in conceptual terms, but it is in magnitude. Attackers use AI to discover vulnerabilities faster, generate malware variants at scale, personalize social engineering messages, and automate target reconnaissance. The marginal cost of launching a sophisticated attack has fallen steadily. The cost of defending, on the other hand, remains high, talent-intensive, and difficult to automate without introducing new risks.\n\nData from the World Economic Forum and Accenture document that perception: **94% of security leaders** consider AI will be the most significant change factor in cybersecurity over the next year, and **87%** identify AI-associated vulnerabilities as the fastest-growing risk. Those figures do not describe a future concern. They describe the architecture of a problem that is already inside organizations.\n\nOne of the least-discussed vectors in this analysis is what Drolet calls \"shadow AI\": the unauthorized use of artificial intelligence tools by employees who summarize meetings, process sensitive data, or generate code through platforms that the organization does not control, does not audit, and sometimes does not even know about. The problem is not solely one of perimeter security. It is a problem of internal governance where the individual incentive — the employee's immediate productivity — enters into direct collision with the collective interest of the organization. That conflict of incentives is not resolved with policies, but with design: access controls, data traceability, technical restrictions, and human oversight of the highest-impact actions.\n\nThe emergence of agentic AI systems, capable of acting autonomously on behalf of a user across multiple tools and workflows, elevates that problem to a different category. When an AI agent can make decisions, execute transactions, or share information without real-time human intervention, the risk perimeter no longer has clear edges. Errors, credential abuse, and data exfiltration can occur at a speed that no reactive audit process can contain. The cost of that risk is not absorbed by the tool's provider. It is absorbed by the organization that deployed it.\n\n## The Quantum Threat Does Not Wait for Teams to Be Ready\n\nQuantum computing operates on a different horizon than AI, but its logic of pressure on security systems is equally structural. The central mechanism is known as **\"harvest now, decrypt later\"**: adversaries capture encrypted data today and store it until quantum computers are capable of breaking the public-key cryptography that protects it. The attack does not occur today. The damage, however, is already being sown.\n\nThat turns the migration toward quantum-resistant cryptography into a present planning decision, not a future one. The **National Institute of Standards and Technology (NIST)** in the United States has already published the first post-quantum cryptography standards, replacing vulnerable schemes such as RSA and elliptic curve cryptography. But the adoption of those standards is not a software update. It is a deep intervention into the architecture of systems that, in many cases, have been built over decades on the very algorithms that now need to be replaced.\n\nThe scale of the effort is reflected in market projections: investments in post-quantum cryptography will grow from **$1.2 billion in 2026 to $13.3 billion in 2035**, according to Juniper Research. That growth is not the reflection of a positive technological trend. It is the measure of the accumulated deficit that organizations will have to finance — across certificates, keys, software, hardware, vendors, and processes — in order not to be left exposed at a moment when the window of reaction will already have closed.\n\nThe distribution of that cost is where the analysis becomes most interesting. Large organizations, with specialized teams and significant security budgets, can initiate structured migration programs, designate internal owners, inventory cryptographic dependencies, and negotiate with vendors from a position of strength. Medium-sized and small organizations — SMEs — that depend on the same platform and cloud service providers, are left at the mercy of the pace at which those providers implement the transition. If the vendor prioritizes its largest enterprise clients first, the weakest link in the chain takes longer to be protected, and the weakest link is, frequently, the one that connects the entire system to its most exploitable vulnerabilities.\n\n## The Value of Preparedness Is Not Where the Market Is Currently Measuring It\n\nThere is a structural mismatch in how the market is valuing the response to these risks. Security platform vendors — from network infrastructure manufacturers to secure access providers and zero-trust architecture vendors — are integrating AI-based detection capabilities and quantum-resistant encryption as product features. That makes competitive sense: whoever first offers integrated protection captures contracts and builds technical dependency.\n\nBut the value of those capabilities depends on something no platform can directly sell: the organizational capacity of the company adopting them to operate with them in a coherent manner. An AI-based anomalous behavior detection tool does not replace the need to have visibility over assets, controls over access, and response processes that function when the alert is triggered. A post-quantum cryptography standard does not automatically migrate the legacy systems that have gone years without being updated.\n\nDrolet's article describes a preparation process that has seven steps. What it does not describe — though it is implicit in every one of them — is how much of that process requires sustained investment in internal capabilities that the security solutions market cannot substitute. The risk assessment must be done by someone who knows the real architecture of the organization. The inventory of cryptographic dependencies must be built by someone with access to the systems. The governance over AI agents must be designed by someone who understands how teams work. No external vendor has that baseline information.\n\nThe underlying distributive problem is this: the transition toward a security posture that can be sustained in an environment of widespread AI and growing quantum pressure requires that a significant portion of the value be generated internally, in the form of capabilities, processes, and governance. But the cybersecurity market is structured to sell external products and services, not to build internal capacity. That does not mean external vendors are irrelevant. It means that the logic of total delegation — the model in which a company outsources its security and assumes the problem is solved — no longer has room to function when risks move faster than service contracts.\n\n## The Migration That Cannot Be Postponed Without the Cost Multiplying\n\nPreparedness in the face of these risks has a financial characteristic that boardrooms are still not internalizing with sufficient clarity: the cost of acting late is not linear. Every month that passes without beginning the cryptographic inventory, without establishing controls over internal AI, and without designating a responsible party for the quantum migration program, is a month in which legacy systems accumulate more technical debt, vendors advance without coordination with the organization, and attackers capture more data with long-term value.\n\nThe migration toward post-quantum cryptography is the most illustrative case. Systems that cannot be updated quickly are not a minority. In industries such as finance, healthcare, or critical infrastructure, there are components with life cycles spanning decades that were designed on cryptographic assumptions that quantum computing invalidates. Replacing them requires time, money, and coordination with supply chains that also need to update their own systems. The later that process begins, the more compressed the available time becomes and the more expensive it is to complete before the risk materializes.\n\nThe pattern that Drolet identifies — and that incentive analysis confirms — is that organizations that begin that process now are paying a cost distributed over time, manageable within ordinary technology and security budgets. Those that postpone it are accumulating a debt that they will have to pay all at once, under regulatory, contractual, or competitive pressure, at a moment when they will have less negotiating capacity and less time to do it well.\n\nCybersecurity did not change its foundations with AI, nor will it change them with quantum computing. What changes is the cost of ignoring those foundations, and that cost no longer admits gradual amortization. Organizations that treat preparedness against these risks as a present investment are buying time and optionality. Those that treat it as a deferrable expense are accumulating an exposure whose price will be set, eventually, by someone who has no incentive to be generous.","article_map":{"title":"Cybersecurity in the Age of AI and Quantum Computing: Who Pays for the Transition","entities":[{"name":"Artificial Intelligence (AI)","type":"technology","role_in_article":"Primary driver of both offensive capability expansion and defensive complexity increase in cybersecurity"},{"name":"Quantum Computing","type":"technology","role_in_article":"Emerging threat to current public-key cryptography, enabling harvest-now-decrypt-later attacks"},{"name":"NIST","type":"institution","role_in_article":"Published first post-quantum cryptography standards replacing RSA and elliptic curve cryptography"},{"name":"Michelle Drolet","type":"person","role_in_article":"Author of the Forbes Technology Council analysis that serves as the article's primary source"},{"name":"World Economic Forum","type":"institution","role_in_article":"Source of data on AI's impact on cybersecurity leadership perception"},{"name":"Accenture","type":"institution","role_in_article":"Co-source of security leader survey data cited in the article"},{"name":"Juniper Research","type":"institution","role_in_article":"Source of post-quantum cryptography market growth projections"},{"name":"SMEs (Small and Medium Enterprises)","type":"market","role_in_article":"Identified as the most vulnerable and least resourced actors in the cybersecurity transition"},{"name":"Post-Quantum Cryptography","type":"technology","role_in_article":"The cryptographic standard migration that organizations must undertake to resist quantum computing attacks"},{"name":"Zero-Trust Architecture","type":"technology","role_in_article":"Mentioned as a security model being integrated with AI-based detection by platform vendors"}],"tradeoffs":["Acting early on post-quantum migration distributes cost over time but requires budget commitment before the threat is visible; delaying compresses cost and reduces negotiating leverage","Building internal security capacity is more expensive upfront than outsourcing but provides resilience that vendor contracts cannot replicate","Allowing employee AI tool use increases productivity but expands the attack surface and data exposure risk","Deploying agentic AI systems accelerates workflows but transfers risk liability entirely to the deploying organization","Prioritizing enterprise clients in vendor migration programs protects the largest customers first but leaves SMEs — often the weakest supply chain links — exposed longest"],"key_claims":[{"claim":"94% of security leaders consider AI will be the most significant change factor in cybersecurity over the next year.","confidence":"high","support_type":"reported_fact"},{"claim":"87% of security leaders identify AI-associated vulnerabilities as the fastest-growing risk.","confidence":"high","support_type":"reported_fact"},{"claim":"Investments in post-quantum cryptography will grow from $1.2 billion in 2026 to $13.3 billion in 2035.","confidence":"high","support_type":"reported_fact"},{"claim":"NIST has published the first post-quantum cryptography standards replacing RSA and elliptic curve cryptography.","confidence":"high","support_type":"reported_fact"},{"claim":"Shadow AI — unauthorized employee use of AI tools — represents an internal governance failure that perimeter security cannot address.","confidence":"medium","support_type":"inference"},{"claim":"The cost of agentic AI risk is absorbed by the deploying organization, not the tool provider.","confidence":"medium","support_type":"inference"},{"claim":"Organizations that begin post-quantum migration now pay a distributed cost; those that delay will pay a compressed, more expensive one under external pressure.","confidence":"medium","support_type":"editorial_judgment"},{"claim":"The cybersecurity market is structurally misaligned with what organizations actually need — internal capacity building rather than external product purchasing.","confidence":"interpretive","support_type":"editorial_judgment"}],"main_thesis":"The AI and quantum computing convergence does not merely raise the technical bar for cybersecurity — it restructures who pays for the transition. Attackers benefit from falling marginal costs while defenders accumulate compounding technical debt. The market is structured to sell external products, not build internal capacity, which means organizations that delay action are not deferring a cost but multiplying it.","core_question":"Who absorbs the financial and organizational costs of transitioning to AI-resilient and quantum-resistant cybersecurity, and what structural incentives determine the distribution of that burden?","core_tensions":["Individual employee productivity incentives vs. collective organizational security governance","External vendor market logic (sell products) vs. organizational need (build internal capacity)","Large enterprise migration capacity vs. SME dependency on vendor-paced transitions","Present budget pressure vs. non-linear future cost of delayed cryptographic migration","Speed of AI-enabled threats vs. speed of organizational governance and response processes"],"open_questions":["At what point will quantum computing reach the capability threshold to break current RSA and elliptic curve encryption at scale?","How should SMEs negotiate post-quantum migration timelines with platform vendors who prioritize enterprise clients?","What regulatory frameworks will emerge to mandate post-quantum cryptography adoption, and on what timeline?","How can organizations effectively govern agentic AI systems without slowing down the productivity gains that justify their deployment?","Is there a viable market model for building internal cybersecurity capacity rather than purchasing external products?","How do organizations inventory cryptographic dependencies in legacy systems built over decades without disrupting operations?"],"training_value":{"recommended_for":["CISOs and security leaders building board-level investment cases","CFOs and COOs evaluating technology transition cost structures","Strategy teams assessing competitive implications of cybersecurity posture","SME executives evaluating vendor dependency risk in cloud and platform relationships","Business agents trained on technology transition economics and organizational risk"],"when_this_article_is_useful":["When advising on cybersecurity budget allocation and prioritization","When evaluating organizational readiness for AI deployment, especially agentic systems","When building the business case for post-quantum cryptography migration","When assessing supply chain security risk in vendor relationships","When designing governance frameworks for employee AI tool usage","When analyzing technology transition cost distribution across market segments"],"what_a_business_agent_can_learn":["How to frame cybersecurity investment as a present financial decision with non-linear cost consequences, not a future technical problem","How to identify the distributive dimension of technology transitions — who absorbs costs, who captures value","How to distinguish between market-available solutions and internally-required capabilities when assessing organizational readiness","How to recognize harvest-now-decrypt-later as a mechanism that makes future threats into present planning obligations","How to evaluate vendor dependency risk in critical infrastructure migrations","How to structure the argument for board-level cybersecurity investment using financial logic rather than technical language"]},"argument_outline":[{"label":"1. Asymmetric cost structure","point":"AI reduces the marginal cost of attacks while keeping the cost of defense high, talent-intensive, and difficult to automate safely.","why_it_matters":"This asymmetry is not temporary — it is structural, and it means defenders must invest more to maintain the same relative security posture."},{"label":"2. Shadow AI as internal governance failure","point":"Employees using unauthorized AI tools for productivity create data exposure risks that perimeter security cannot address.","why_it_matters":"The conflict between individual productivity incentives and collective organizational security cannot be resolved by policy alone — it requires technical design."},{"label":"3. Agentic AI elevates the risk perimeter","point":"AI agents acting autonomously across tools and workflows can exfiltrate data or abuse credentials faster than any reactive audit can catch.","why_it_matters":"The cost of agentic AI risk is absorbed by the deploying organization, not the tool provider — a critical liability allocation point."},{"label":"4. Harvest-now-decrypt-later makes quantum a present decision","point":"Adversaries are already capturing encrypted data to decrypt once quantum computers are capable of breaking current public-key cryptography.","why_it_matters":"The quantum threat is not future — the damage is being accumulated today, making post-quantum migration a current planning obligation."},{"label":"5. Distributive inequality in migration capacity","point":"Large organizations can run structured cryptographic migration programs; SMEs depend on the pace of their cloud and platform vendors.","why_it_matters":"The weakest link in the supply chain is often the last to be protected, which is also frequently the most exploitable entry point."},{"label":"6. Market structure mismatch","point":"The cybersecurity market sells external products and services but cannot substitute the internal capabilities, processes, and governance that effective security requires.","why_it_matters":"Total delegation to vendors no longer works when risks move faster than service contracts — organizations must build internal capacity."}],"one_line_summary":"The convergence of AI and quantum computing is creating a two-layered cybersecurity debt that organizations must pay now or pay much more later, with SMEs and under-resourced teams bearing disproportionate costs.","related_articles":[{"reason":"Directly relevant: examines how enterprises deploy AI without knowing what they have — mirrors the shadow AI and internal governance failure themes central to this article","article_id":14361},{"reason":"Relevant: the gap between AI project adoption and data readiness parallels the gap between security product purchasing and internal capacity to operate those products effectively","article_id":14241},{"reason":"Relevant: explores trust and reliability dynamics in enterprise AI, which connects to the governance and oversight challenges of agentic AI systems discussed in this article","article_id":14121}],"business_patterns":["Technology transitions consistently impose disproportionate costs on actors with the least margin to absorb them","Asymmetric cost structures in security (cheap to attack, expensive to defend) are a recurring pattern across technology generations","Market structures optimized for product sales systematically underserve the internal capability needs of buyers","Harvest-now-decrypt-later is a pattern where present inaction creates future liability that compounds silently","Non-linear cost escalation for delayed infrastructure migration is a documented pattern in regulated industries"],"business_decisions":["Begin cryptographic dependency inventory now rather than waiting for regulatory or competitive pressure","Establish internal ownership and accountability for quantum migration programs","Implement technical controls — not just policies — to govern employee use of AI tools","Design governance frameworks for agentic AI systems before deployment, not after incidents","Evaluate vendor post-quantum migration roadmaps and negotiate timelines as part of procurement","Allocate security budget to internal capability building, not only external product purchasing","Treat post-quantum migration as a multi-year capital planning item, not a one-time software update"]}}