Agent-native article available: Cybersecurity in the Age of AI and Quantum Computing: Who Pays for the TransitionAgent-native article JSON available: Cybersecurity in the Age of AI and Quantum Computing: Who Pays for the Transition
Cybersecurity in the Age of AI and Quantum Computing: Who Pays for the Transition

Cybersecurity in the Age of AI and Quantum Computing: Who Pays for the Transition

There is a pattern that repeats every time a technology changes the rules of the game fast enough: the first to absorb the cost are those with the least margin to do so. The convergence of artificial intelligence and quantum computing is following that pattern with uncomfortable precision. Attackers benefit from tools that reduce the time and cost of their operations.

Martín SolerMartín SolerJune 28, 20269 min
Share

Cybersecurity in the Age of AI and Quantum Computing: Who Pays for the Transition

There is a pattern that repeats itself every time a technology changes the rules of the game at sufficient speed: the first to absorb the cost are those with the least margin to do so. The convergence between artificial intelligence and quantum computing is following that pattern with uncomfortable precision. Attackers benefit from tools that reduce the time and cost of their operations. Defenders, on the other hand, accumulate technical and organizational debt that they now have to pay twice: once for the risks that AI introduces today, and again for the cryptographic migration that the quantum world will demand tomorrow.

The analysis by Michelle Drolet published in Forbes Technology Council is not a laboratory warning. It is a map of tensions that are already active in the budgets, boardrooms, and security teams of any company with relevant digital infrastructure. And the angle that is most interesting is not technological: it is distributive. Who absorbs the costs, who captures the value of the transition, and what structural incentives are pushing each actor in the system.

AI Compresses the Time Available to Those Who Defend, Not to Those Who Attack

The asymmetry that artificial intelligence introduces into cybersecurity is not new in conceptual terms, but it is in magnitude. Attackers use AI to discover vulnerabilities faster, generate malware variants at scale, personalize social engineering messages, and automate target reconnaissance. The marginal cost of launching a sophisticated attack has fallen steadily. The cost of defending, on the other hand, remains high, talent-intensive, and difficult to automate without introducing new risks.

Data from the World Economic Forum and Accenture document that perception: 94% of security leaders consider AI will be the most significant change factor in cybersecurity over the next year, and 87% identify AI-associated vulnerabilities as the fastest-growing risk. Those figures do not describe a future concern. They describe the architecture of a problem that is already inside organizations.

One of the least-discussed vectors in this analysis is what Drolet calls "shadow AI": the unauthorized use of artificial intelligence tools by employees who summarize meetings, process sensitive data, or generate code through platforms that the organization does not control, does not audit, and sometimes does not even know about. The problem is not solely one of perimeter security. It is a problem of internal governance where the individual incentive — the employee's immediate productivity — enters into direct collision with the collective interest of the organization. That conflict of incentives is not resolved with policies, but with design: access controls, data traceability, technical restrictions, and human oversight of the highest-impact actions.

The emergence of agentic AI systems, capable of acting autonomously on behalf of a user across multiple tools and workflows, elevates that problem to a different category. When an AI agent can make decisions, execute transactions, or share information without real-time human intervention, the risk perimeter no longer has clear edges. Errors, credential abuse, and data exfiltration can occur at a speed that no reactive audit process can contain. The cost of that risk is not absorbed by the tool's provider. It is absorbed by the organization that deployed it.

The Quantum Threat Does Not Wait for Teams to Be Ready

Quantum computing operates on a different horizon than AI, but its logic of pressure on security systems is equally structural. The central mechanism is known as "harvest now, decrypt later": adversaries capture encrypted data today and store it until quantum computers are capable of breaking the public-key cryptography that protects it. The attack does not occur today. The damage, however, is already being sown.

That turns the migration toward quantum-resistant cryptography into a present planning decision, not a future one. The National Institute of Standards and Technology (NIST) in the United States has already published the first post-quantum cryptography standards, replacing vulnerable schemes such as RSA and elliptic curve cryptography. But the adoption of those standards is not a software update. It is a deep intervention into the architecture of systems that, in many cases, have been built over decades on the very algorithms that now need to be replaced.

The scale of the effort is reflected in market projections: investments in post-quantum cryptography will grow from $1.2 billion in 2026 to $13.3 billion in 2035, according to Juniper Research. That growth is not the reflection of a positive technological trend. It is the measure of the accumulated deficit that organizations will have to finance — across certificates, keys, software, hardware, vendors, and processes — in order not to be left exposed at a moment when the window of reaction will already have closed.

The distribution of that cost is where the analysis becomes most interesting. Large organizations, with specialized teams and significant security budgets, can initiate structured migration programs, designate internal owners, inventory cryptographic dependencies, and negotiate with vendors from a position of strength. Medium-sized and small organizations — SMEs — that depend on the same platform and cloud service providers, are left at the mercy of the pace at which those providers implement the transition. If the vendor prioritizes its largest enterprise clients first, the weakest link in the chain takes longer to be protected, and the weakest link is, frequently, the one that connects the entire system to its most exploitable vulnerabilities.

The Value of Preparedness Is Not Where the Market Is Currently Measuring It

There is a structural mismatch in how the market is valuing the response to these risks. Security platform vendors — from network infrastructure manufacturers to secure access providers and zero-trust architecture vendors — are integrating AI-based detection capabilities and quantum-resistant encryption as product features. That makes competitive sense: whoever first offers integrated protection captures contracts and builds technical dependency.

But the value of those capabilities depends on something no platform can directly sell: the organizational capacity of the company adopting them to operate with them in a coherent manner. An AI-based anomalous behavior detection tool does not replace the need to have visibility over assets, controls over access, and response processes that function when the alert is triggered. A post-quantum cryptography standard does not automatically migrate the legacy systems that have gone years without being updated.

Drolet's article describes a preparation process that has seven steps. What it does not describe — though it is implicit in every one of them — is how much of that process requires sustained investment in internal capabilities that the security solutions market cannot substitute. The risk assessment must be done by someone who knows the real architecture of the organization. The inventory of cryptographic dependencies must be built by someone with access to the systems. The governance over AI agents must be designed by someone who understands how teams work. No external vendor has that baseline information.

The underlying distributive problem is this: the transition toward a security posture that can be sustained in an environment of widespread AI and growing quantum pressure requires that a significant portion of the value be generated internally, in the form of capabilities, processes, and governance. But the cybersecurity market is structured to sell external products and services, not to build internal capacity. That does not mean external vendors are irrelevant. It means that the logic of total delegation — the model in which a company outsources its security and assumes the problem is solved — no longer has room to function when risks move faster than service contracts.

The Migration That Cannot Be Postponed Without the Cost Multiplying

Preparedness in the face of these risks has a financial characteristic that boardrooms are still not internalizing with sufficient clarity: the cost of acting late is not linear. Every month that passes without beginning the cryptographic inventory, without establishing controls over internal AI, and without designating a responsible party for the quantum migration program, is a month in which legacy systems accumulate more technical debt, vendors advance without coordination with the organization, and attackers capture more data with long-term value.

The migration toward post-quantum cryptography is the most illustrative case. Systems that cannot be updated quickly are not a minority. In industries such as finance, healthcare, or critical infrastructure, there are components with life cycles spanning decades that were designed on cryptographic assumptions that quantum computing invalidates. Replacing them requires time, money, and coordination with supply chains that also need to update their own systems. The later that process begins, the more compressed the available time becomes and the more expensive it is to complete before the risk materializes.

The pattern that Drolet identifies — and that incentive analysis confirms — is that organizations that begin that process now are paying a cost distributed over time, manageable within ordinary technology and security budgets. Those that postpone it are accumulating a debt that they will have to pay all at once, under regulatory, contractual, or competitive pressure, at a moment when they will have less negotiating capacity and less time to do it well.

Cybersecurity did not change its foundations with AI, nor will it change them with quantum computing. What changes is the cost of ignoring those foundations, and that cost no longer admits gradual amortization. Organizations that treat preparedness against these risks as a present investment are buying time and optionality. Those that treat it as a deferrable expense are accumulating an exposure whose price will be set, eventually, by someone who has no incentive to be generous.

Share

You might also like