What are Post-Quantum Cryptography (PQC) Deadlines, and How Should AI-Heavy Organizations Prepare for Harvest-Now, Decrypt-Later Risks When Training and Logging Data?

Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to be secure against the anticipated decryption capabilities of future quantum computers. As quantum computing advances, current encryption standards such as RSA and ECC are expected to become vulnerable. In response, regulatory bodies and governments have established PQC deadlines, mandating that organizations transition to quantum-resistant algorithms within specific timeframes to protect sensitive information.

For organizations heavily invested in artificial intelligence, this transition is particularly urgent due to a threat known as “harvest-now, decrypt-later” (HNDL). AI development relies on massive, long-lived datasets, including proprietary training data, vector stores, and system logs. If malicious actors intercept and store this encrypted data today, they can decrypt it once quantum technology matures, leading to severe compliance violations and intellectual property theft in the future.

Understanding PQC Deadlines

Government agencies and international standards bodies have moved past theoretical discussions and established concrete timelines for PQC migration.

  • Standardization: In August 2024, the National Institute of Standards and Technology (NIST) released its principal PQC standards, formally specifying quantum-resistant key establishment and digital signature schemes. These standards provide the technical foundation organizations need to begin their transition.
  • Migration Mandates: A June 2026 Executive Order on PQC migration established firm deadlines for U.S. federal civilian agencies, requiring PQC-compliant key establishment by December 31, 2030, and PQC digital signatures by December 31, 2031. These deadlines accelerated the prior government-wide target, which had been set to 2035 under the 2022 National Security Memorandum 10.
  • Industry Adoption: Private sector enterprises, particularly in finance, healthcare, and technology, are adopting these timelines as industry best practices to avoid future regulatory penalties and secure their infrastructure. Organizations handling regulated or sensitive data, including government contractors, are expected to follow suit.

The Harvest-Now, Decrypt-Later (HNDL) Threat

The HNDL strategy involves cybercriminals or state-sponsored actors stealing highly sensitive, encrypted data today. Even though the attackers cannot read the data with current computing power, they store it in vast data centers.

The premise is straightforward: data with a long shelf life, such as medical records, financial histories, national security secrets, or corporate intellectual property, will still be valuable years from now. Once cryptographically relevant quantum computers (CRQCs) become available, attackers will use them to break the legacy encryption and access the stored information. While experts generally estimate CRQCs capable of breaking modern cryptography are unlikely to emerge before 2030, the uncertainty around that timeline is exactly what makes HNDL a present-day concern, not a future one.

Why AI Programs Intensify the Risk

AI-heavy organizations are prime targets for HNDL attacks because of the volume, nature, and lifespan of the data they process.

  • Training Datasets: Foundational models are trained on massive repositories of data, often containing proprietary code, internal communications, or personally identifiable information (PII).
  • Embeddings and Vector Stores: AI systems convert text and data into mathematical representations (embeddings) stored in vector databases. These stores hold the core knowledge base of an enterprise AI and are highly valuable to competitors or threat actors.
  • Long-Lived Logs: AI applications generate extensive interaction logs to monitor model performance, user prompts, and system behavior. These logs often inadvertently capture sensitive user inputs that retain their value for years.
  • Data Aggregation: AI pipelines centralize data from across an organization, creating a single, highly concentrated target for attackers looking to harvest encrypted traffic.

Preparation Strategies for AI Organizations

To mitigate HNDL risks and meet upcoming PQC deadlines, organizations managing AI pipelines must adopt proactive security measures.

  • Cryptographic Discovery: Organizations must audit their current AI infrastructure to identify where legacy encryption is used, mapping out all data flows involving training data, vector databases, and log storage.
  • Crypto-Agility: Systems should be designed to allow cryptographic algorithms to be swapped out easily without disrupting the underlying AI infrastructure. This ensures that as PQC standards evolve, updates can be applied without rebuilding systems from scratch.
  • Hybrid Encryption: During the transition period, organizations can use a hybrid approach, wrapping data in both traditional encryption and new PQC algorithms. This provides a safety net while the new standards are battle-tested in enterprise environments.
  • Data Minimization: AI pipelines should be configured to retain only the data strictly necessary for model training and operation. Reducing the lifespan and volume of stored logs limits the amount of data available for harvesting.
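
The discovery and data-minimization steps above can be combined into a simple prioritisation pass, shown here as an added example that is not part of the original article. It applies Mosca's inequality (data shelf life plus migration time compared against the arrival of a CRQC) to a constructed inventory of AI data flows; the flow names, retention figures, current year and the 2035 CRQC year are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Key-establishment algorithms as a discovery scan might report them.
# "classical" = breakable by a CRQC; "pqc" and "hybrid" = quantum-resistant.
KEX_CLASS = {
    "RSA-2048": "classical", "ECDH-P256": "classical", "X25519": "classical",
    "ML-KEM-768": "pqc", "X25519MLKEM768": "hybrid",
}

@dataclass
class Flow:
    name: str             # data flow found during discovery
    kex: str              # key establishment protecting it in transit
    retention_years: int  # how long the data stays sensitive
    migration_years: int  # time until this flow can move to PQC

def assess(flow, now=2026, crqc_year=2035):
    """Return (status, exposed_years) for one flow.

    Traffic captured up to now + migration_years stays sensitive for
    retention_years; it is exposed if that outlives the assumed crqc_year.
    """
    kind = KEX_CLASS.get(flow.kex)
    if kind is None:
        return ("review", 0)   # unrecognised algorithm: audit by hand
    if kind in ("pqc", "hybrid"):
        return ("ok", 0)
    sensitive_until = now + flow.migration_years + flow.retention_years
    exposed = max(0, sensitive_until - crqc_year)
    return ("hndl-exposed" if exposed else "migrate", exposed)

def prioritise(flows, **kw):
    """Sort flows worst-first: exposed, then unknown, then the rest."""
    order = {"hndl-exposed": 0, "review": 1, "migrate": 2, "ok": 3}
    scored = [(f.name, *assess(f, **kw)) for f in flows]
    return sorted(scored, key=lambda r: (order[r[1]], -r[2]))

# Constructed inventory (illustrative values, not measurements).
FLOWS = [
    Flow("prompt/interaction logs", "X25519", 2, 1),
    Flow("vector-store replication", "ECDH-P256", 10, 2),
    Flow("model-registry API", "X25519MLKEM768", 10, 0),
    Flow("training-data sync", "RSA-2048", 15, 3),
    Flow("legacy ETL tunnel", "DH-1024-custom", 5, 4),
]

if __name__ == "__main__":
    for name, status, years in prioritise(FLOWS):
        print(f"{status:13} {years:2}y  {name}")
```

Shortening a flow's retention lowers its exposed years, which is how data minimization shows up in this model.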

Summary

Post-quantum cryptography deadlines are forcing organizations to upgrade their encryption protocols before quantum computers can break current security standards. For AI-heavy enterprises, the threat is immediate due to the harvest-now, decrypt-later strategy, where attackers stockpile encrypted training data, embeddings, and logs for future decryption. U.S. federal agencies now face hard deadlines of 2030 and 2031 to complete that transition, and private sector organizations are expected to follow closely behind. By embracing crypto-agility, implementing hybrid encryption, and practicing strict data minimization, organizations can protect their AI investments and maintain long-term data confidentiality.
