AI infrastructure is no longer "just compute." Large AI clusters, often deployed in hyperscale data centers and tied to cloud control planes, are increasingly part of the coordination layer for
critical infrastructure.
In that context, migrating to
post-quantum cryptography (PQC) that can resist the decryption abilities of quantum computers is not a niche IT upgrade.
For AI data centers and Low Earth Orbit (LEO) ground segments — the worldwide network of antennae and data centers that track, control and communicate with near-orbit satellites — PQC migration is a Tier-1 resilience requirement tied to the same capital-refresh cycles and 2030-2035 planning horizon as critical infrastructure.
The window to secure the 2030s with PQC is open now, argues
a new white paper by Dr. David Mussington, a fellow at the Institute for Critical Infrastructure Technology (ICIT), a professor at the University of Maryland, and the former Executive Assistant Director for Infrastructure at the Cybersecurity and Infrastructure Agency (CISA).
If PQC is treated as a "bolt-on" after AI infrastructure is built, or as something that must wait on broader AI modernization efforts, the cost and complexity of remediation will be prohibitive, the white paper says. Organizations risk deploying systems that are operationally advanced but cryptographically brittle, hard to retrofit and easy to break
once quantum computers arrive.
Automated Cryptographic Discovery and Inventory (ACDI) of assets that use encryption vulnerable to quantum computing must begin now. This can be delivered by AI-enhanced ACDI toolsets, whose outputs can then be further consumed by
AI for analysis, correlation, and agentic use cases. By embedding quantum-resistant requirements into the current wave of AI and LEO build-outs, we can transform potential vulnerabilities into a defensible, quantum-resilient posture.
From "quantum someday" to harvest now, decrypt later
A common PQC story begins and ends with the arrival of a cryptographically relevant quantum computer (CRQC) that can crack asymmetric encryption algorithms. Dr. Mussington's framing is more operational: We already live in a "
harvest now, decrypt later" environment in which adversaries are archiving encrypted traffic today so that they can decrypt it when CRQCs become available.
What makes the post-quantum migration urgent for AI and LEO programs is concentration risk. AI clusters centralize long-lived confidentiality targets (model weights, proprietary training corpora, and telemetry lakes) and high-leverage integrity targets (cluster-control APIs, orchestration backbones, and firmware/software update and signing channels).
Partial PQC coverage is not enough, the white paper says. Front-ending services that use PQ-TLS or PQ-VPN network-encryption upgrades do not neutralize the threat from legacy signing infrastructures or classical-encryption-only supply-chain components.
If adversaries archive signed images and control-plane captures now, and those signature schemes later become breakable by quantum computing, the adversaries will be able to mint
legitimate-looking malicious updates or credentials for systems that otherwise appear hardened against quantum decryption.
The result may be a long-horizon path: harvest firmware, control-plane captures, and signing artifacts today, then repurpose that material later against systems that depend on those signing hierarchies for trust.
The converged attack surface: AI-LEO-OT coupling
A second theme of Dr. Mussington's paper is the integrated attack surface created by the convergence of AI clusters, LEO ground segments, and
operational technology (OT). AI clusters are increasingly co-located with or logically coupled to LEO ground systems and OT environments through shared facilities, fabrics and bridge points.
PQC gaps at AI nodes — classical inter-region links, non-PQC management channels and non–agile signing — can become indirect access paths into satellite control, GNSS analytics and OT control services even if downstream systems are partially hardened.
The implication is architectural:
Quantum readiness should be evaluated end–to–end across the entire data path, including ground terminals, backhaul, control planes, and IT–OT bridges, not just as a localized upgrade to the crypto layer.
If the AI control plane acts as a high-value bridge, the weakest cryptographic segment in that bridge can set the security ceiling for the integrated system.
How AI can help quantum migration
However, the same AI/cloud platforms that amplify risk can also accelerate PQC migration. Hyperscale AI environments already rely on observability, automated policy enforcement, telemetry pipelines, staged rollouts, and continuous measurement.
Those happen to be the operational prerequisites laid out in the
quantum-migration guidance issued by NIST's National Cybersecurity Center of Excellence (NCCoE); they are also the mechanisms needed to execute PQC change without outages or guesswork.
We need to treat cryptographic posture as a "graph problem," Dr. Mussington says. Instead of managing cryptography as invisible plumbing, organizations should extend existing asset and dependency graphs with cryptographic attributes: algorithms, protocol versions, libraries, hardware-security-module bindings, certificate-authority chains, rotation policies, and signing hierarchies.
These graphs can then generate a cryptographic bill of materials (CBOM) for each product or service — machine-readable, queryable, and mappable to risk frameworks.
With that foundation, teams can stage PQC migration the way mature AI estates stage other high-impact changes: encode requirements into declarative policy (including downgrade-resistance), run canaries and dark launches with PQ-enabled protocols alongside classical ones, measure overhead and failure modes, and "ratchet" coverage over time. The operational loop is discover → stage → measure → tighten.
Why PQC is also governance and sovereignty
PQC decisions for AI data centers and LEO infrastructure sit under multiple functional pressures:
critical infrastructure resilience, intelligence gain/loss, lawful access constraints, competition policy and digital sovereignty.
Adoption will also unfold amid geopolitical fragmentation. Systems spanning U.S., EU, and China-aligned jurisdictions may need parallel PQC stacks and key-governance models to satisfy diverging expectations around residency, regulator access, and lawful access.
Cryptography managers need to decide explicitly where encryption heterogeneity can be tolerable (for example, in per–region HSMs and PKIs) and where a single PQC posture must be enforced (for example, in cross–region AI control planes and shared backbones). Those choices should show up in contracts and integration patterns and not be left to vendor defaults.
Procurement levers: Where "quantum readiness" becomes real
Security is now an acquisition problem. AI data center and LEO ground programs are where capital is concentrated, which means they are where requirements can reshape vendor roadmaps. Three levers stand out:
- Align procurement with federal PQC guidance by embedding CBOM delivery, migration milestones, and cryptographic telemetry requirements directly into RFI/RFP language.
- Manage the hardware "valley of death" (2025 – 2028): because current accelerators and SmartNICs often lack native PQC support and require crypto–agile wrappers or software–hybrid modes so systems can migrate without waiting for next-generation silicon.
- Turn roadmaps into "hard edges" with contractual commitments: updated CBOMs on major releases, cryptographic SLAs (algorithm retirement dates and PQ requirements on defined flows), and structured telemetry that makes lag and downgrade paths visible.
One principle unifies these levers: attach PQC to existing capex cycles and lifecycle events. In converged AI-LEO-OT environments, skipping PQC at refresh points should be an exception requiring explicit justification.
Download the full white paper
The
full white paper expands Dr. Mussington's analysis with a detailed threat model for converged AI-LEO-OT systems; a CBOM and telemetry-driven migration approach; practical guidance for staged rollouts, performance testing, and downgrade monitoring at AI scale; and procurement and oversight levers that translate "quantum readiness" into enforceable requirements.