Posted On February 28, 2026

Post-Quantum Cryptography: What Enterprise Security Teams Need to Know

Philip Walley

I keep hearing about post-quantum cryptography. It comes up in industry reports, vendor announcements, and security news with increasing frequency. My sense is that most security professionals are in the same place I am: aware that something is happening, not entirely sure what it means for them, and uncertain whether this is a 2026 problem or a 2032 problem.

It’s a 2026 problem. Here’s why.

Google Just Said the Quiet Part Out Loud

In early February, Google’s Kent Walker and Hartmut Neven issued a direct call to action, urging governments and industry to accelerate the adoption of post-quantum cryptography. This wasn’t a research paper or a product announcement. It was a warning. They stated plainly that the encryption currently protecting bank transfers, private communications, and classified data could be broken by a large-scale quantum computer in the coming years. More importantly, they pointed out that adversaries aren’t waiting around for quantum computers to mature. They’re already collecting encrypted data today, storing it, and planning to decrypt it later.

Google also confirmed that it has already migrated its own systems to use quantum-resistant encryption by default. When a company that runs one of the largest infrastructures on the planet tells you they’ve already made the switch and you should too, that’s worth paying attention to.

What PQC Actually Is (Without the Physics Lecture)

To understand post-quantum cryptography, it helps to understand what it’s replacing and why.

Most of the encryption protecting data on the internet today relies on a simple concept: mathematical problems that are really, really hard to solve. When you connect to your bank’s website, send an encrypted email, or establish a VPN tunnel, security depends on algorithms such as RSA and Elliptic Curve Cryptography (ECC). These work because they’re based on math problems that would take a traditional computer thousands of years to crack. The math isn’t secret; it’s just so computationally expensive that brute-forcing the answer is impractical.

Quantum computers change that equation. Unlike traditional computers that process information as ones and zeros, quantum computers can evaluate many possibilities simultaneously. A quantum computer running what’s called Shor’s algorithm could solve the specific math problems behind RSA and ECC exponentially faster than any traditional computer. Problems that would take thousands of years become problems that take hours. When that happens, the encryption protecting your VPN connections, your web traffic, your digital certificates, and your signed software updates all become breakable.

Post-quantum cryptography, or PQC, is the replacement. These are new encryption algorithms built on entirely different math problems, ones that are hard for both traditional and quantum computers to solve. Think of it this way: if current encryption is a lock that quantum computers have a master key for, PQC is a fundamentally different type of lock that the master key doesn’t fit.

NIST (the National Institute of Standards and Technology, which sets cryptographic standards for the U.S. government and heavily influences global practices) finalized the first three PQC standards in August 2024 after an eight-year evaluation process. These aren’t experimental. They’re production-ready, with approved algorithms for the two core jobs encryption does. The first job is key exchange, which is how two systems agree on a shared secret to communicate securely. The approved algorithm for that is called ML-KEM (FIPS 203). The second job is digital signatures, which are how systems prove their identity and verify that data hasn’t been tampered with. The approved algorithms for that are ML-DSA (FIPS 204) and SLH-DSA (FIPS 205).

The standards exist. The algorithms are defined. The question is no longer whether to migrate but when and how.

The Harvest Now, Decrypt Later Problem

This is the piece that makes PQC urgent rather than aspirational.

Nation-state actors and sophisticated adversaries are conducting what the security community calls “harvest now, decrypt later” (HNDL) attacks. The concept is straightforward: they intercept and store encrypted data today, even though they can’t read it yet, banking on the expectation that quantum computers capable of breaking the encryption will arrive within the next five to ten years. It’s like someone stealing a locked safe and putting it in storage because they know a locksmith capable of opening it is coming. The Federal Reserve published a paper in 2025 examining HNDL as a present and active risk, not a theoretical one.

Think about the data your organization handles that needs to remain confidential for a decade or more. Healthcare records, financial transactions, intellectual property, legal communications, government contracts. If that data is encrypted with today’s algorithms and an adversary captures it in transit, the encryption has an expiration date. The conservative planning assumption in the industry right now is that a cryptographically relevant quantum computer (one powerful enough to break current encryption) will exist by 2030 to 2035. Given that a full PQC migration takes two to five years for most organizations, the math is pretty simple. If you start planning now, you’re on the outer edge of a responsible timeline. If you wait, you’re betting that your data won’t matter by the time someone can read it.

Why This Connects to Zero Trust (and It’s Not a Stretch)

If you’ve been building a Zero Trust architecture, PQC isn’t a separate workstream. It’s a foundational layer that your Zero Trust strategy already depends on, whether you’ve thought about it explicitly or not.

Zero Trust’s core principle is “never trust, always verify.” In practice, that verification happens through cryptography at almost every step. When a user proves their identity, that proof is secured by cryptographic signatures. When two systems establish a secure connection, they use a cryptographic key exchange to set it up. When network segments are isolated from each other, the tunnels between them are encrypted. All of these mechanisms rely on the same algorithms that quantum computers will eventually break. If the cryptography underneath your Zero Trust architecture becomes vulnerable, the verification you’ve built on top of it becomes unreliable.

Transitioning to PQC creates a natural audit point for your entire security posture. If you’re upgrading your encryption to withstand quantum threats, you also need to verify that the systems responsible for identity and access management are equally resilient. It’s not enough to swap out the lock if you haven’t checked who holds the keys.

I wrote previously about how Zero Trust and SASE relate to each other, with SASE serving as the enforcement plane for identity, inspection, and policy. That relationship becomes even more relevant here. A cloud-native SASE architecture can push cryptographic updates across an entire global deployment as a software update rather than requiring hardware replacement at every location. For organizations running distributed environments with remote workers, branch offices, and cloud workloads, that’s the difference between a manageable migration and a multi-year hardware refresh cycle.

And for those of us thinking about AI security within Zero Trust frameworks, PQC adds another dimension. AI models handling sensitive enterprise data, training pipelines processing proprietary information, and automated agent-to-agent communications all need encryption that will hold up over the data’s lifecycle. If you’re building AI systems today with current encryption, you’re building on a foundation with a known expiration date.

The Compliance Clock Is Already Ticking

The regulatory landscape is moving faster than many security teams realize. The NSA’s CNSA 2.0 mandates that all new National Security Systems acquisitions be compliant with post-quantum algorithms by January 1, 2027. That’s less than a year away. By 2030, legacy networking equipment that can’t be upgraded to PQC must be phased out. Full enforcement across all national security systems is targeted for 2033 to 2035.

If your organization does business with the federal government or operates in a regulated industry, these timelines have a cascading effect. Federal contractors and vendors supplying technology for government systems need PQC-capable products now, not in five years. And the definition of “reasonable security” under frameworks like HIPAA, PCI DSS, and SOX will shift as post-quantum standards become widely available. What counts as adequate encryption today won’t count forever.

ISACA published a practical 12-month playbook for PQC readiness earlier this year, and the consensus across industry groups is clear: 2026 is the execution year. The time for watching this from a distance is over.

What to Do About It Right Now

Research cited by Google found that only about 9 percent of organizations have a post-quantum migration roadmap. That gap between awareness and action is where most enterprise security teams are sitting today. Here’s what I’d focus on if I were starting this process.

First, build a cryptographic inventory. You need to know where encryption lives across your environment: web traffic, VPN connections, email, software signing, device firmware, APIs, third-party integrations, and long-lived data archives. You can’t migrate what you can’t see.

Second, identify your long-secrecy data. Which datasets need to remain confidential for 10 to 20 years or more? Financial records, healthcare data, intellectual property, anything with regulatory retention requirements. Those are your highest-priority targets for early protection against HNDL.

Third, start piloting hybrid deployments. Rather than ripping out current encryption and replacing it wholesale, the industry is moving toward hybrid models that run both classical and PQC algorithms simultaneously during the transition. If one layer has a problem, the other still provides protection. Think of it as wearing a seatbelt and having an airbag. You don’t remove one because you have the other.

Fourth, demand crypto agility from your vendors. Crypto agility is the ability to swap out encryption algorithms across your systems without rewriting applications or replacing hardware. When evaluating or renewing security platforms, SASE solutions, VPN providers, and cloud services, ask specifically about their PQC roadmaps and whether their architecture supports algorithm changes without major disruption. This is what separates a manageable transition from an emergency.
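As an added illustration of the hybrid model from step three (and of ML-KEM, the FIPS 203 key-establishment standard mentioned earlier), here is a minimal X25519 + ML-KEM-768 key exchange run end to end. This is example code written for this post, not Google's or any vendor's implementation; it assumes Go 1.24 or later for the standard-library crypto/mlkem package, and the HMAC-based combiner and the hello/reply message layout are constructed for illustration rather than taken from a standardized wire format.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// combine derives the session key from both shared secrets, HKDF-style (HMAC-SHA256 extract, then
// expand). The transcript is the salt; an adversary who breaks only X25519 or only ML-KEM still lacks an input.
func combine(ecdhSecret, kemSecret, transcript []byte) []byte {
	extract := hmac.New(sha256.New, transcript)
	extract.Write(ecdhSecret)
	extract.Write(kemSecret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("hybrid x25519+mlkem768 session key\x01"))
	return expand.Sum(nil)
}

// hybridHandshake runs both sides of an X25519 + ML-KEM-768 exchange and returns both derived keys.
func hybridHandshake() (initiatorKey, responderKey []byte) {
	// Initiator hello (constructed layout): X25519 public key (32 bytes) + ML-KEM-768 encapsulation key (1184).
	iX := must(ecdh.X25519().GenerateKey(rand.Reader))
	dk := must(mlkem.GenerateKey768())
	hello := append(iX.PublicKey().Bytes(), dk.EncapsulationKey().Bytes()...)
	// Responder reply: its X25519 public key (32) + ML-KEM ciphertext (1088) encapsulated to the hello.
	rX := must(ecdh.X25519().GenerateKey(rand.Reader))
	ecdhSecretR := must(rX.ECDH(must(ecdh.X25519().NewPublicKey(hello[:32]))))
	kemSecretR, ct := must(mlkem.NewEncapsulationKey768(hello[32:])).Encapsulate()
	reply := append(rX.PublicKey().Bytes(), ct...)
	transcript := append(append([]byte{}, hello...), reply...)
	responderKey = combine(ecdhSecretR, kemSecretR, transcript)
	// Initiator finishes both halves from the reply and must land on the same key.
	ecdhSecretI := must(iX.ECDH(must(ecdh.X25519().NewPublicKey(reply[:32]))))
	initiatorKey = combine(ecdhSecretI, must(dk.Decapsulate(reply[32:])), transcript)
	return initiatorKey, responderKey
}

func main() {
	a, b := hybridHandshake()
	fmt.Printf("initiator %x\nresponder %x\n", a, b)
}
```

Because the key depends on both shared secrets, a recorded session can be decrypted later only by someone who breaks both X25519 and ML-KEM, which is exactly the protection the hybrid step buys during the transition.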

This Is a Long Game, But It Starts Now

I don’t want to overstate the urgency in a way that sounds like vendor fear-mongering. A cryptographically relevant quantum computer doesn’t exist today, and reasonable people disagree about exactly when one will. But the combination of finalized standards, hard compliance deadlines, active HNDL threats, and major companies like Google completing their own migrations makes the direction unmistakable. The organizations that treat PQC as a strategic infrastructure priority today will migrate smoothly. The ones that wait will face compressed timelines, higher costs, and the uncomfortable realization that some of their data may have already been harvested.

For security leaders already invested in Zero Trust and SASE, the good news is that you’re better positioned for this than you might think. The architectural principles you’ve been building toward (continuous verification, identity-centric access, and cloud-native enforcement) are exactly what a PQC migration requires. The foundation is there. Now it’s about extending it to account for a threat that’s closer than it used to be.
