AIRiskAware


Emerging Technology 10 min read 2026

Quantum Computing and AI Governance: What Enterprise Leaders Need to Know Now

Quantum computing creates two distinct governance challenges for enterprise: near-term cryptographic risk that is already a regulatory priority, and longer-term AI capability implications. The actionable briefing for executives and boards.


Key Takeaways

  • Quantum computing creates two governance challenges on different timelines: the cryptographic risk (relevant now) and the AI acceleration potential (relevant in 5-15 years). Most enterprise governance programmes need to address the first and monitor the second.

  • The 'harvest now, decrypt later' threat is real and current: adversaries are collecting encrypted data today to decrypt when quantum computers capable of breaking current encryption become available. Data with long-term sensitivity should be protected with quantum-resistant cryptography now.

  • NIST finalised its first post-quantum cryptography standards in August 2024. Regulators including APRA, the FCA, and the NSA have issued guidance on quantum-resistant cryptography migration. This is not a future compliance issue — it is a current one.

  • Quantum computing's potential to dramatically accelerate AI training — potentially enabling AI systems that would take decades to train with classical computing — is the longer-term governance implication that boards should begin scenario planning for.

  • The practical enterprise quantum governance programme: cryptographic inventory, migration timeline planning, vendor quantum roadmap assessment, and integration of quantum risk into enterprise risk management.

"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. Consult a qualified specialist for specific guidance."

The two quantum governance problems — and why they have different timelines

Quantum computing creates governance challenges for enterprise organisations on two distinct timelines, and conflating them leads to both over-reaction to distant risks and under-reaction to present ones. The first challenge — cryptographic risk — is present and urgent. The second challenge — quantum-accelerated AI — is real but further out, requiring monitoring and scenario planning rather than immediate action.

Cryptographic risk arises because current public-key cryptography (RSA, ECC, and the algorithms that secure most internet communications, financial transactions, and data storage) can theoretically be broken by a sufficiently capable quantum computer using Shor's algorithm. Quantum computers capable of breaking current encryption at scale do not yet exist, but they are the active goal of major national and commercial quantum computing programmes. The governance implication is immediate because of a threat that does not require future quantum computers to materialise: adversaries can collect encrypted data today and decrypt it later when quantum capabilities arrive. For data that needs to remain confidential for more than five to ten years, this threat is real now.

The regulatory response: post-quantum cryptography migration

NIST published its first finalised post-quantum cryptography standards in August 2024: FIPS 203 (ML-KEM, for key encapsulation), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, for stateless hash-based signatures). These standards provide the cryptographic foundations for quantum-resistant systems and are the basis for enterprise migration planning.

Regulatory guidance on quantum-resistant cryptography migration is already in force. The NSA's CNSA 2.0 guidance requires US national security systems to migrate to quantum-resistant algorithms on specific timelines. The FCA in the UK has included quantum risk in its operational resilience framework discussions. APRA in Australia has flagged quantum risk in its information security guidance. Financial services firms, in particular, should treat quantum-resistant cryptography migration as a current regulatory expectation, not a future one.

The migration challenge is substantial. Most enterprise systems use public-key cryptography in multiple layers — communications, storage, authentication, code signing, and supply chain verification. A complete cryptographic inventory — mapping every use of cryptography in the organisation's systems — is the necessary first step. For most large organisations, this inventory does not exist in a form adequate for migration planning.

Quantum and AI: the longer-term governance question

The potential interaction between quantum computing and AI capability is the second governance challenge — and the one that is genuinely speculative in its timeline and magnitude. Quantum machine learning algorithms theoretically offer exponential speedups for certain classes of problems relevant to AI training. Quantum computing could potentially enable training of AI models at scales that are computationally infeasible with classical hardware. If and when this becomes practically achievable, it would represent a qualitative change in the AI capability landscape — not merely faster training of current-style models, but potentially access to qualitatively different approaches to AI.

The honest governance assessment: this potential is real but distant. Current quantum hardware is far from the scale and error rates needed for practical quantum machine learning advantage. The enterprise governance response at this stage is scenario planning — understanding what a quantum-AI capability acceleration would mean for your competitive environment, your regulatory obligations, and your AI governance framework — rather than immediate operational response. The organisations that will be best positioned when this transition occurs are those that have been monitoring quantum progress, building quantum literacy in their technical leadership, and designing governance frameworks that can adapt to capability changes.

The practical enterprise quantum governance programme

Four actions are appropriate for most enterprise organisations in 2026.

  • Cryptographic inventory: map every use of public-key cryptography in your systems, with particular attention to data with long retention requirements, financial transaction systems, and identity and authentication infrastructure.

  • Migration timeline planning: using the NIST standards as the target state, develop a migration roadmap that addresses highest-risk systems first.

  • Vendor quantum roadmap assessment: understand how your key technology vendors are approaching post-quantum migration and what their timelines are — your migration depends on vendor readiness.

  • Enterprise risk management integration: add quantum risk as a named risk in enterprise risk management, with a named owner, monitoring indicators, and board reporting.
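The inventory and "highest-risk systems first" steps can be made concrete with a small triage script; this is an added example, not part of the original article. The inventory rows, the CSV column names, the priority labels and the 5-year threshold are assumptions chosen for illustration.

```python
import csv
import io

# Constructed sample inventory (hypothetical systems), one row per use of cryptography.
SAMPLE_INVENTORY = """system,use,algorithm,confidentiality_years
customer-archive-backup,key-establishment,RSA-2048,25
payments-api-tls,key-establishment,ECDH-P256,7
web-session-tls,key-establishment,X25519,1
firmware-code-signing,signature,ECDSA-P384,0
partner-vpn,key-establishment,ML-KEM-768,10
legacy-hsm-link,key-establishment,VENDOR-KEX,12
db-at-rest,symmetric,AES-256,25
"""

# Algorithm-name prefixes: RSA, Diffie-Hellman and elliptic-curve schemes fall to Shor's algorithm.
SHOR_VULNERABLE = ("RSA", "ECDH", "ECDSA", "X25519", "ED25519", "DH")
POST_QUANTUM = ("ML-KEM", "ML-DSA", "SLH-DSA")
TARGET = {"key-establishment": "FIPS 203 (ML-KEM)",
          "signature": "FIPS 204 (ML-DSA) or FIPS 205 (SLH-DSA)"}
LONG_LIVED_YEARS = 5  # assumption: lower bound of the article's "five to ten years"

def triage(row):
    """Return (priority, migration target) for one inventory row."""
    alg, use = row["algorithm"].strip().upper(), row["use"].strip()
    years = int(row["confidentiality_years"])
    if alg.startswith(POST_QUANTUM):
        return "P3-already-post-quantum", None
    if use == "symmetric":
        return "P3-not-public-key", None
    if not alg.startswith(SHOR_VULNERABLE):
        # Unrecognised algorithm: surface it first instead of assuming it is safe.
        return "P0-unknown-algorithm", TARGET.get(use)
    if use == "key-establishment" and years >= LONG_LIVED_YEARS:
        # Traffic captured today stays sensitive long enough to be decrypted later.
        return "P1-harvest-now-decrypt-later", TARGET[use]
    return "P2-scheduled-migration", TARGET.get(use)

def roadmap(inventory_csv):
    """Order the inventory so the highest-risk systems are migrated first."""
    plan = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        priority, target = triage(row)
        plan.append((priority, -int(row["confidentiality_years"]), row["system"], target))
    return [(p, system, target) for p, _, system, target in sorted(plan, key=lambda e: e[:3])]

if __name__ == "__main__":
    for priority, system, target in roadmap(SAMPLE_INVENTORY):
        print(f"{priority:30} {system:26} -> {target or 'no action'}")
```

Unrecognised algorithms sort ahead of everything else so that a gap in the inventory is reviewed by a person before any system is marked as low priority.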