Karim Eldefrawy is Co-founder & CTO of Confidencial. He has 25+ years of experience in cybersecurity and 100+ published scientific works.

The post-quantum timeline just got harder to ignore—from two directions at once. On March 25, 2026, Google set an accelerated 2029 timeline for migrating to post-quantum cryptography (PQC). Google’s justification for such acceleration is that progress in quantum hardware and error correction now warrants this new urgency.
Days later, a team of reputable Caltech researchers published a paper theorizing that Shor’s (factoring) algorithm can be executed with roughly 10,000 physical qubits on a reconfigurable neutral-atom architecture. This new estimate of 10,000 physical qubits is a dramatic reduction from prior estimates requiring millions. Their analysis shows 256-bit elliptic curves could be broken in 10 days with 26,000 qubits, and factoring-based RSA-2048 in a time one to two orders of magnitude longer. We are now in a situation where, over two decades, qubit requirements for cryptographically relevant factoring have dropped by 10,000x.
The importance of these developments must not be overlooked. But I argue that many enterprises are still framing the transition too narrowly. Yes, harvest now, decrypt later (HNDL) is real; adversaries can steal encrypted data today and wait for quantum advances to unlock it. Google says exactly that, calling out “store-now-decrypt-later” as a present threat. And the new qubit estimates make that threat timeline feel considerably shorter. But beneath that conversation sits a more immediate and more dangerous reality: harvest now, read now.
Too much sensitive enterprise data is already exposed in usable plaintext at the layers where most work happens—inside applications, documents, SaaS platforms, databases, code bases, collaboration systems and emerging AI workflows. In those environments, attackers, insiders, compromised accounts and over-privileged software often do not need to wait for any cryptographic breakthrough. They can get value from the data now.
On March 20, 2026, The Guardian reported that an AI agent at Meta answered an internal engineering question with instructions that an employee implemented, exposing sensitive data to engineers internally for about two hours and triggering a major security alert. Even frontier AI labs selling AI-native security products suffered from (accidental) data and code leaks in early 2026.
The Quantum Threat Is Accelerating (But It Is Not The Only One)
The recent neutral-atom paper deserves attention because it changes the calculus. By leveraging high-rate quantum low-density parity-check codes achieving roughly 30% encoding rates, the researchers encode over 1,000 logical qubits per block, a roughly 100x qubit reduction compared to surface-code architectures. Neutral-atom systems have already demonstrated coherent arrays exceeding 6,000 qubits and below-threshold error rates. The engineering gap between where these systems are today and where they need to be for cryptanalysis is narrowing faster than most enterprise risk models assume.
But even as the HNDL window compresses, organizations should not lose sight of the more immediate problem. When people hear “PQC,” they immediately think TLS, certificates, network handshakes and database encryption. All of that matters, but it is not enough. TLS secures the communication pipe; it does not secure the payload once it arrives, gets processed by an application, copied into a workflow, pasted into a chat, indexed by a service or consumed by an AI system. So when organizations say “our data is encrypted,” the question should be: encrypted where, to whom, with what schemes and secure until when?
Why This Connects To Zero Trust
This is the direct continuation of an argument I made in 2025 in “The Missing Piece In Zero Trust: Data-Centric Security,” where I argued that zero trust remains incomplete if protection is not bound to the data objects themselves. Identity, network and device controls matter, but they do not fully protect the asset if it becomes broadly readable once access is granted. In a cloud-first, AI-shaped enterprise, too much trust is still placed in the application boundary. Once a user, service or agent is inside the approved workflow, the data is often exposed in full, and governance becomes procedural—permissions, policies, logs and hope.
AI Is About To Magnify The Gap
In my January 2026 article, “The Cryptographic Imperative: Securing The AI-Powered Decades,” I argued that cryptography must be treated as a foundational control layer for the AI era, not a narrow infrastructure feature. Machine-speed systems require mathematically grounded controls because reactive governance alone will not scale. AI copilots, assistants and agents do not merely transport data—they ingest it, summarize it, transform it, correlate it and act on it across systems. If the data layer remains broadly visible in plaintext, AI amplifies not just productivity but exposure—more access paths, more machine identities, more derived outputs and more places where sensitive information can leak.
The Control Point Has To Move Up The Stack
So, what should enterprises do? First, absolutely continue PQC preparation. Google’s 2029 timeline and the new qubit estimates together should be read as converging signals that the cryptanalytic horizon is approaching faster than previously modeled. NIST has already published post-quantum standards (FIPS 203–205); the implementation runway is shortening.
Second, stop treating PQC as mostly a transport-migration story. PQC is an enterprise strategy across layers, and the content layer may be the most neglected one. If an organization upgrades transport cryptography while its most valuable data still sits in plaintext inside SaaS platforms, applications and AI workflows, it has improved one layer while leaving another, often more consequential one, exposed.
The control point has to move closer to the data itself—toward documents, records, chunks, embeddings and other business-level artifacts where meaning resides.
The Right Executive Question
The right executive question is not only, “How do we migrate to PQC?” It is also, “Where is our sensitive data readable today, and how do we reduce that exposure at the content layer itself?” That is the real issue hiding beneath the PQC conversation.
The quantum threat is accelerating. New research shows cryptanalysis may require far fewer qubits than we assumed, and timelines are compressing. But before adversaries can decrypt your data later, they may already be able to read it now. Unless enterprises confront that fact directly, they may discover the more urgent problem was never just harvest now, decrypt later. It was harvest now, read now.