Have you built a digital business on a foundation with an expiry date?
1 February 2025
You’ve spent the last decade making your organisation digital. You’re now using AI to make it intelligent. Both rest on the same technology foundation – encryption. And that foundation has a known expiry date – which is likely to be before 2030.
Let’s be clear up front. This is not a cyber security problem. It’s a question about the durability of your digital and AI strategy.
Most organisations haven't addressed it. The ones that have begun to are usually trying to solve it in the wrong part of the organisation.
Digital transformation concentrated your risk
Digital transformation didn’t just change how your organisation operates. It concentrated your legal, operational and reputational risk into a single layer of maths.
Ten years ago, trust in your organisation was distributed. Wet signatures. In-person verification. Physical controls. Paper evidence. Every digital and AI initiative since has replaced those with cryptographic equivalents: digital signatures, identity tokens, encrypted transactions, automated approvals, machine-to-machine authentication.
Every process you’ve digitised is a process that now depends on cryptography. Every AI decision you automate adds another dependency. The organisations that have moved furthest and fastest have built the largest exposure. Success is the risk.
Your AI strategy compounds this. Agentic AI, automated decisioning, digital identity, machine-to-machine transactions. All of it depends on cryptographically proving what a system did, when, and with whose authority. Without that, you can’t defend an automated decision to a regulator, a court, or a customer.
You’re planning for the wrong decade
The cryptographic standards that secure almost every digital transaction your business makes, that prove who signed what, verify identities, and protect data in transit, will be broken by sufficiently scaled quantum computers. That is not speculation. Governments, standards bodies and cryptographers agree on the mathematics. The only debate is timing, and the timing is moving fast.
Until recently, the consensus was mid-2030s. That has shifted. Google’s internal security team is now targeting 2029. IBM’s roadmap projects a fault-tolerant quantum computer by the same year. NIST and the NSA are planning for 2030 as a critical migration deadline. Recent breakthroughs have cut the quantum resources needed to break today’s cryptography by an order of magnitude. The trend is accelerating.
Three years is not a strategic horizon. It’s a budget cycle. So the window to prepare for this seismic shift is beginning to close.
And the damage doesn’t start on Q-Day. It starts the moment your counterparties, regulators, customers and courts begin to question whether any cryptographically signed record can still be trusted. Contracts, approvals, audit trails, identity, provenance. The evidentiary basis of a modern digital business. All of it rests on the assumption that a signature, once made, cannot be forged. Quantum doesn’t just break confidentiality. It breaks the ability to prove anything.
The first sign that quantum has arrived won’t be an announcement. It will be a consequence. A signed contract repudiated in court because the signature can’t be proven. A payment authorised by someone who wasn’t really them. A regulator asking for an audit trail that no longer stands up. An identity token accepted by your systems that was never issued by you.
Why the CISO can’t fix this
Here is where most coverage of quantum gets the governance wrong. It treats this as a cryptography migration programme that the CISO needs to run. That framing guarantees failure – and it’s unfair to the people being asked to own it.
This is because cryptographic migration touches procurement, vendor contracts, product roadmaps, M&A due diligence, long-term capital allocation, and supplier relationships stretching years into the future. CISOs have influence over some of these – they have authority over none of them. We’ve handed them accountability for a problem they structurally cannot solve, then built a governance model that will blame them when it isn’t solved in time.
The fix isn’t a better CISO. It’s putting the problem in the right part of the organisation. The CEO owns it as a strategic risk. The CFO treats it as a balance sheet question. The CIO and CDO own the technical execution. The CISO advises. The board holds all of them to account.
That’s not how most large organisations are set up today.
If you’re on the executive team of a large organisation, there are three calls to make now. None of them are technical.
Reclassify the risk. Quantum doesn’t belong on the cyber risk register. It belongs on the strategic risk register, in the same bracket as geopolitics, climate risk and AI regulation. If it’s logged as a technology issue, it will be managed as one, and under-resourced.
Stress-test your investment thesis. Every digital and AI business case approved in the last three years was built on cryptographic assumptions that nobody tested. Go back and test them. Treat quantum exposure as a question about the durability of the capital you’ve already deployed, not a future IT project.
Change what you buy today. Stop buying quantum debt. Your technology estate in 2030 is being decided in procurement cycles right now. Every platform, contract and supplier signed today without a post-quantum requirement adds to the bill you’ll pay later, under pressure, on someone else’s timeline. Nothing new gets signed without it. The action is cheap. Not doing it is the expensive choice.
The organisations that get this right will be the ones gripping it now
The organisations that get ahead of this won’t be the ones with the best cryptographers or CISOs. They’ll be the ones whose executive teams recognised early that this was about the durability of their digital and AI strategy, not about security controls.
You don’t need to understand the maths. You need to understand that a decade of investment, and the next decade of ambition, depends on something with a countdown on it. And that nobody in your organisation currently has the authority to fix it.
That’s the conversation and it’s already overdue.