The quantum-AI collision: What CISOs must do now to stay ahead
Technology is moving at the speed of light, and two forces—quantum computing and AI agents—are poised to shake up cybersecurity. We’re not talking about some far-off future; this is happening now.
The message for CISOs and security leaders is simple: If you’re not preparing now, you’re already behind. As we say in Brazil, “Melhor prevenir do que remediar” or “better to prevent than remediate.”
Quantum computing and AI agents: Two forces reshaping cybersecurity
Quantum computing and AI agents will undoubtedly advance the cybersecurity discipline—and virtually every industry—by helping practitioners solve problems that once seemed impossible. With its insane computing power, quantum will unleash breakthroughs in everything from logistics to drug discovery and beyond. Meanwhile, AI agents will automate tasks like never before. They’re fast, getting smarter by the minute, and can operate 24/7.
But like every major technological breakthrough, quantum computing and AI agents also introduce some very real risks and can become powerfully dangerous tools in the wrong hands. Quantum computing has the potential to break current encryption methods, threatening the security of much of the world’s digital infrastructure. AI agents can be hijacked and act maliciously without oversight. Scary? Yes. But manageable—if we start now.
Quantum computing and the encryption crisis: Is your data already at risk?
Data encryption is a crucial component of cybersecurity. At the highest level, it involves encoding data into an unreadable format without the proper decryption key, protecting sensitive information from unauthorized access and misuse. By transforming readable data (plaintext) into an unreadable format (ciphertext), encryption ensures that even if data is intercepted, it remains confidential and unusable by malicious actors.
But quantum computing threatens to make encryption as we know it obsolete. Quantum machines could crack encryption systems that take traditional computers decades to break in mere minutes. This isn’t sci-fi: various industry experts predict that quantum will start breaking public-key cryptography by 2029.
However, recent research suggests that the timeline for such threats could be much shorter. Last year, a team of Chinese researchers unveiled a method using a quantum annealing system to crack classic RSA encryption. And just recently, Google researchers estimated that it could be 20 times easier for quantum computers to break current encryption.
Threat actors aren’t waiting around for fully functioning quantum machines. Instead, they’re embracing a “harvest now, decrypt later” approach. So, suppose your company’s data governance policies require sensitive information—such as financial records, medical records, and intellectual property (IP)—to remain confidential for more than five years. In that case, you’ve got a challenge on your hands.
AI agents in cybersecurity: Powerful defenders or dangerous threats?
In the race to adopt AI, organizations are also inadvertently creating a surge of unmanaged and unsecured machine identities that overburdened teams don’t have the visibility to manage. AI agents are like super-powered bots—they learn, decide, and increasingly act independently.
This will transform operations across industries, including cybercrime. AI agents can be weaponized to bypass security controls, adapt to defenses, and operate at scale.
Think of them as automated, self-aware attackers who can hide their tracks and act stealthily against your organization. Making matters worse, many AI agents “inherit” their human users’ privileges … but not their ethics, common sense, or fear of breaking the rules. It’s no wonder they are the primary roadblocks to AI agent adoption today.
Cybersecurity action plan: Preparing for quantum and AI agent risks
Plan your post-quantum transition
Here are five practical steps your organization can take today to begin shifting to quantum-resistant crypto:
- Run a cryptographic discovery. You can’t secure it unless you know it exists. Prioritize a discovery exercise to pinpoint precisely where and how you use public key encryption across your enterprise.
- Explore and adopt PQC standards. In July 2024, the National Institute of Standards and Technology (NIST) released the first three encryption standards designed to withstand decryption efforts from a quantum computer. Explore what’s best for your organization and begin transitioning. NIST suggests that all vulnerable systems be deprecated within five years.
- Segment your data and encrypt in layers. This is part of a smart defense-in-depth strategy. If one layer cracks, another layer will be in place to keep things secure. Of course, this also means more keys will need to be managed.
- Plan for crypto-agility. Since threats are ever-evolving, your infrastructure must be architected for change. Future-proof your systems to rapidly adapt cryptographic mechanisms, such as algorithms and key management practices, without disrupting the broader infrastructure.
- Rotate your encryption keys—and shorten certificate lifespans. Frequent key and certificate rotation reduces the window of exposure if a key is compromised and forces organizations to automate certificate management. This not only strengthens your current security posture but also builds the agility needed to adopt post-quantum cryptographic (PQC) algorithms, which demand more frequent and flexible updates.
Don’t let your AI bots and agents go rogue
Take these five steps to secure your AI bots and agents:
- Give AI agents unique identities. Machines that behave like humans require both human and machine security controls. Each agent must be uniquely identified, authenticated, and governed, just like a human user—but with the added rigor required for machine-scale operations.
- Use dynamic credentials. No more hardcoded keys—the security risks are far too great. Instead, utilize dynamic credentials (aka dynamic secrets) that are generated and used for a specific purpose and time and then automatically expire. Centrally manage and rotate all secrets to reduce complexity and simplify operations.
- Implement access control models such as ABAC/PBAC. While not yet widely deployed, experts predict that by 2028, AI agents will make at least 15% of day-to-day work decisions. Deploying such access control models will be critical as more agents make decisions.
- Deploy runtime defenses. This will allow you to identify issues such as anomalous behavior, prompt injections, and privilege escalations faster and more accurately.
- Test your AI agents like attackers would. Run red team exercises regularly. And don’t stop there: Use AI agents to stress-test your AI agents (yes, it’s a thing).
Prepare your security strategy for what’s next
Quantum computing and AI agents represent the very near future. Security leaders who prepare today can confidently embrace these innovations, for better and worse.
Now is the time to educate your teams, pilot use cases, forge strategic partnerships with vendors to help you on your journey, and share lessons with your peers. In this battle, you’re not a foot soldier—you’re the general commanding the digital defense. And the sooner you act, the stronger your position will be.
Claudio Neiva is CyberArk’s Security Strategic Advisor, Director (LATAM).