TL;DR: The fusion of AI and quantum computing could speed pattern recognition, machine learning, and error correction while also intensifying explainability, bias, and cryptographic risk, according to CyberArk. For IAM and NHI practitioners, the practical question is how to preserve identity assurance when compute power begins to outpace current trust and protection models.
At a glance
What this is: This is a CyberArk analysis of how AI and quantum computing may reinforce each other, with the central finding that their convergence creates both performance gains and sharper security and trust challenges.
Why it matters: For IAM and NHI practitioners, the issue is not abstract future risk, but how faster computation, weaker cryptography, and more complex autonomous systems change identity assurance and control design.
Context
AI and quantum computing are usually discussed as separate capabilities, but the governance problem appears when they are combined. AI depends on large-scale compute and data access, while quantum computing threatens parts of today’s cryptographic trust model and could also accelerate AI workloads. That combination matters for NHI governance because machine identities, keys, and tokens are the access layer these systems depend on.
The article frames this as a future-facing risk rather than a present-day incident response issue. That is typical for strategic analysis, but the underlying identity question is immediate: if autonomous systems become faster and harder to explain, organisations need stronger controls over secrets, cryptographic dependencies, and decision authority before the technology matures further.
Key questions
Q: Why do AI and quantum computing matter to IAM teams?
A: They matter because both technologies can destabilise the trust assumptions behind identity systems. AI increases automation and decision speed, while quantum computing threatens some of the cryptography that protects authentication and signing. IAM teams should focus on key inventory, certificate lifecycle, and migration planning rather than treating either technology as a distant research issue.
Q: How should security teams prepare for quantum risk in identity systems?
A: Security teams should inventory all cryptographic dependencies, prioritise systems that protect high-value or long-lived data, and begin testing quantum-resistant migration options. The goal is to reduce exposure before adversaries can exploit store-now, decrypt-later scenarios. This is especially important where machine identities, certificates, and signing workflows create durable trust.
Q: What is the difference between AI risk and quantum risk in identity governance?
A: AI risk usually affects how systems decide, explain, and automate. Quantum risk primarily affects whether the cryptography behind those systems still holds. In identity governance, AI changes behaviour and oversight, while quantum changes the mathematical trust layer that protects secrets, tokens, certificates, and authentication channels.
Q: When should organisations start planning for post-quantum identity controls?
A: Organisations should start now if their systems depend on long-lived credentials, regulated data, or trust relationships that must remain valid for years. Post-quantum planning is not only about future technology adoption. It is also about protecting archived data, signed artifacts, and machine identity workflows that may outlive current algorithms.
Technical breakdown
How quantum computing changes cryptographic assumptions
Quantum computing challenges the public-key systems that much of enterprise identity depends on, especially RSA and ECDSA. Those schemes protect authentication, signing, and key exchange in current IAM and NHI ecosystems. If quantum systems can eventually solve the math behind those primitives faster than classical computers, then the security of stored credentials, signed artifacts, and long-lived trust chains becomes time-sensitive. The risk is not only direct decryption. It also includes store-now, decrypt-later attacks, where intercepted encrypted material is retained until quantum capability catches up.
Practical implication: Practitioners should inventory where RSA and ECDSA still anchor identity trust and begin planning migration paths to quantum-resistant alternatives.
How AI could accelerate quantum operations
The article suggests AI may improve quantum computing by optimizing analysis, error correction, and decision-making across quantum operations. That matters because quantum systems are fragile, expensive, and difficult to control at scale. AI can help model system behaviour, tune parameters, and reduce operational noise, which could move quantum tools closer to practical deployment. From a security perspective, that does not just improve legitimate research. It may also lower the barrier for adversaries experimenting with quantum-assisted attack workflows.
Practical implication: Security teams should treat AI-assisted quantum advancement as a capability multiplier and reassess long-term threat assumptions accordingly.
Why explainability becomes harder in AI and quantum systems
The article points to a core governance problem: when AI and quantum systems are layered together, transparency and explainability degrade further. AI already struggles with opaque decision paths, and quantum computation adds another layer of non-intuitive behaviour. For NHI and IAM programs, that means control evidence becomes harder to interpret, especially when autonomous systems make access-adjacent decisions or help generate cryptographic material. Bias can also be amplified if the underlying data or model logic is already skewed.
Practical implication: Practitioners should require stronger validation, logging, and human review around any AI system influencing identity, access, or cryptographic workflows.
Threat narrative
Attacker objective: The attacker aims to recover trusted credentials and protected data by breaking cryptographic assumptions that current identity systems still rely on.
- Entry could occur through long-retained encrypted data, since store-now, decrypt-later tactics preserve captured material until quantum capability matures.
- Escalation would come from the ability to break legacy cryptography, exposing keys, signed artifacts, and trusted communications that underpin access decisions.
- Impact would be compromise of identity trust at scale, including the potential to impersonate systems, decrypt protected data, or undermine authentication controls.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Internet Archive breach — unsecured GitLab authentication tokens exposed 31M Internet Archive accounts.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI and quantum convergence creates a cryptographic trust problem before it becomes a compute problem. The article is right to focus on the interaction between speed, precision, and broken assumptions. For NHI governance, the immediate issue is not quantum replacing every classical system, but whether identity controls still depend on algorithms that will not age safely. Practitioners should treat cryptographic inventory as a core identity task, not a background hygiene exercise.
Ephemeral capability does not remove the need for durable control boundaries. Faster AI systems and more capable quantum tooling can make access decisions and analysis move faster than human review cycles. That does not reduce the need for privilege boundaries; it increases the cost of weak ones. The more autonomous the system becomes, the more important it is to separate identity issuance, key custody, and execution authority.
Bias and opacity become governance issues when the system can reshape its own operating environment. The article notes that combined AI and quantum systems may magnify existing bias and reduce explainability. In identity terms, that means policy decisions, anomaly detection, and cryptographic workflows may become harder to audit when they are generated by layered machine logic. Practitioners should insist on reviewable control points before these systems touch sensitive trust paths.
Identity-first security remains the only practical control plane for emerging compute models. CyberArk’s conclusion aligns with what the market keeps rediscovering: new compute power does not eliminate identity risk. It changes where the risk concentrates, usually around keys, certificates, machine accounts, and trusted execution paths. Organisations should respond by hardening the identity layer first, because that is where quantum and AI pressure will land earliest.
From our research:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
- That breach pressure makes the case for deeper identity visibility, which is explored in Ultimate Guide to NHIs, Key Challenges and Risks.
What this signals
Ephemeral computational advantage does not fix identity debt. As AI and quantum systems evolve, the practical risk sits in the trust layer, not the compute layer. If machine identities, certificates, and secrets remain poorly inventoried, emerging cryptography will only move the problem rather than remove it. Teams should prepare for a governance model that treats cryptographic agility as part of identity resilience, not a separate programme.
Quantum readiness will expose which identity programmes already have weak lifecycle discipline. The organisations most likely to struggle are the ones that cannot tell where certificates live, who owns service accounts, or which systems depend on legacy algorithms. That is a lifecycle visibility issue before it is a cryptography issue, and it is exactly where control failures tend to compound.
The likely near-term operating model is hybrid, where classical and quantum-era protections coexist for years. Teams should watch for pressure to adopt stronger cryptographic inventory, better machine identity ownership, and more formal review of trust paths that AI systems influence. The practical signal is clear: the earlier the inventory is complete, the less disruptive the transition will be.
For practitioners
- Inventory cryptographic dependencies: Map every identity, workload, and application flow that still relies on RSA, ECDSA, or other legacy public-key assumptions. Include certificates, signing pipelines, secrets, and machine-to-machine authentication paths.
- Prioritise quantum-resistant migration planning: Build a phased migration plan for identity and trust infrastructure so the highest-value systems move first. Focus on externally exposed services, long-lived certificates, and records that must remain confidential for years.
- Tighten control over machine identity issuance: Separate issuance, storage, and rotation responsibilities for service accounts, API keys, and certificates so no single workflow can silently create or extend trust.
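The first two steps above (inventory, then prioritise) as an added Python example, not code from CyberArk or NHI Mgmt Group. The record fields, the score weights and the `horizon_years` planning input are assumptions, and the sample inventory is constructed.

```python
from dataclasses import dataclass
from datetime import date

# Public-key families broken by Shor's algorithm (the page names RSA and ECDSA).
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519"}

@dataclass
class Identity:
    name: str
    algorithm: str      # public-key algorithm that anchors trust
    use: str            # "key-exchange" or "signing"
    not_after: date     # credential expiry
    secrecy_years: int  # how long protected data must stay confidential
    external: bool      # exposed outside the organisation's network

def assess(item, today, horizon_years):
    """horizon_years is a planning assumption, not a forecast: years until a
    quantum computer able to break these algorithms is assumed to exist."""
    vulnerable = item.algorithm.upper() in QUANTUM_VULNERABLE
    years_valid = max(0.0, (item.not_after - today).days / 365.25)
    # Store now, decrypt later: captured traffic is exposed if its secrecy
    # requirement outlasts the horizon, whatever the certificate's expiry.
    sndl = vulnerable and item.use == "key-exchange" and item.secrecy_years > horizon_years
    # A past signature gives nothing to decrypt; the risk is forgery while the
    # credential is still trusted, so expiry is used as the proxy here.
    forgeable = vulnerable and item.use == "signing" and years_valid > horizon_years
    score = (1 + 3 * sndl + 2 * forgeable + item.external) if vulnerable else 0
    return {"name": item.name, "sndl": sndl, "forgeable": forgeable, "score": score}

def prioritise(inventory, today, horizon_years):
    """Return assessments ordered so the most urgent migrations come first."""
    rows = [assess(i, today, horizon_years) for i in inventory]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample inventory (names, dates and lifetimes are made up).
SAMPLE = [
    Identity("batch-job-cert", "RSA", "signing", date(2025, 7, 1), 0, False),
    Identity("archive-sync", "ML-KEM", "key-exchange", date(2026, 1, 1), 15, True),
    Identity("code-signing-ca", "ECDSA", "signing", date(2040, 1, 1), 0, False),
    Identity("vpn-gateway", "ECDH", "key-exchange", date(2026, 1, 1), 15, True),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE, date(2025, 1, 1), horizon_years=10):
        print(row)
```

The short-lived `vpn-gateway` certificate still ranks first because the traffic it protects must stay secret for longer than the assumed horizon; certificate expiry alone does not bound store-now, decrypt-later exposure.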
Key takeaways
- AI and quantum convergence increases pressure on the identity layer because it can weaken both decision transparency and cryptographic trust.
- The most immediate security issue is not quantum replacing all current systems, but long-lived dependencies on RSA, ECDSA, and similar trust mechanisms.
- Identity teams should start post-quantum planning now by inventorying machine identities, certificates, and secrets that will outlive current algorithms.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS-2 | Quantum risk targets the confidentiality of data and identity material in transit and at rest. |
| NIST AI RMF | | AI systems that influence access or cryptography need governed, auditable decision paths. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Long-lived secrets and certificates create identity trust debt under quantum pressure. |
Review NHI credential lifecycles and reduce the lifespan of secrets and certificates where possible.
Key terms
- Store now, decrypt later: An attacker captures encrypted data today with the expectation that future cryptographic advances will make it readable later. This is especially relevant where identity traffic, secrets, or certificates protect information that must remain confidential for years.
- Quantum-resistant cryptography: Cryptographic methods designed to remain secure against attacks from sufficiently capable quantum computers. In practice, this is about replacing or supplementing legacy algorithms before they become unreliable for signing, authentication, and key exchange.
- Machine identity: A non-human identity used by software, services, workloads, or agents to authenticate and interact with other systems. It includes certificates, tokens, API keys, and service accounts, all of which require lifecycle governance and tight access control.
- Cryptographic agility: The ability to swap or upgrade cryptographic algorithms and trust components without major disruption. For identity programs, agility matters because long-lived systems often depend on keys, certificates, and signing methods that must eventually be replaced.
Deepen your knowledge
AI and quantum risk for identity and cryptography is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for machine identities and trust paths that may outlive current algorithms, it is worth exploring.
This post draws on content published by CyberArk: Exploring the Fusion of AI and Quantum Computing. Read the original.
Published by the NHIMG editorial team on 2024-08-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org