AI and Quantum Computing Reshape Risk Management: A 12-Month Action Plan

Attackers aren’t waiting for quantum computers to arrive. They’re already stealing encrypted data today, confident they’ll unlock it tomorrow. They are like thieves carting away safes, knowing the keys will eventually fall into their hands.  

At the same time, generative AI has industrialized social engineering. Deepfakes can impersonate a CFO on a video call. AI-written phishing emails land in inboxes by the thousands. The threat landscape is no longer human-scale; it’s machine-scale. These two phenomena – AI on the frontlines now, quantum looming just over the horizon – demand immediate action.  

Your encryption strategy, governance, workforce, vendors – all must be future-proofed. The window for preparation is closing fast.  

Deepfake Heists Move from Sci-Fi to Boardrooms 

In early 2024, a finance employee in Hong Kong transferred US $25.6 million after joining a video meeting in which every participant – the CFO, colleagues, even external partners – was a deepfake. Fraudsters used generative AI to mimic faces and voices with chilling accuracy, creating the illusion of legitimacy. By the time the deception was uncovered, the money was gone. 

Throughout 2024, similar scams emerged across industries, from manipulated videos of corporate leaders ordering payments to synthetic voices in urgent “CEO calls.” A survey by identity verification provider Regula revealed that nearly half of global businesses have already faced deepfake fraud attempts. The implication is stark: if your people trust only what they see and hear, they are already vulnerable. 

Web & Messaging Platforms Go Quantum-Secure 

In the face of this, consumer technology is racing ahead with quantum-safe defenses. Here are three examples: 

  • Google Chrome began rolling out hybrid post-quantum key exchange in 2024, pairing today’s X25519 with a lattice-based key encapsulation scheme (first Kyber, then the standardized ML-KEM) so that a session is protected if either algorithm holds. The goal is simple: protect web sessions today from being cracked tomorrow. 

  • The global messaging platform Signal integrated post-quantum key agreement (PQXDH, which adds a Kyber key encapsulation to its X3DH handshake) into its core protocol, so that private conversations recorded today remain unreadable even when quantum computers mature.  

  • Tech leaders like Microsoft and IBM have launched dedicated quantum-safe programs, investing heavily in infrastructure and developer toolkits to accelerate adoption. 

If mass-market apps with billions of users are already upgrading, the IT enterprise cannot afford to sit on the sidelines. Waiting puts you at risk of attack. 

The Regulatory Storm: New “Building Codes” for Digital Systems 

Regulators are no longer treating cybersecurity as best practice; they are codifying it as mandatory. The following are three examples of how this is manifesting:  

  • In Europe, the Cyber Resilience Act establishes hard rules for software supply chains, mandating secure development, vulnerability handling, and long-term maintenance. Think of it as building codes for digital infrastructure: if your systems don’t meet the standard, you may not be allowed in the market. 

  • Standards bodies are moving too. The National Institute of Standards and Technology (NIST) finalized its first post-quantum cryptography standards (FIPS 203, 204 and 205) in August 2024, and the European Telecommunications Standards Institute (ETSI) publishes quantum-safe cryptography specifications of its own; both urge firms to begin the migration now. 

  • Meanwhile, governments worldwide are moving to restrict or ban use of unregulated deepfakes, holding organizations accountable not only for protecting data, but also for the integrity of the information they produce and distribute. 

The result: compliance is no longer optional. Security maturity is now tied directly to market access and reputational trust. 

The Takeaway: Delay Is Leverage for Attackers 

Every day without action makes your organization more attractive to adversaries. Attackers are already harvesting your encrypted data today, confident they can unlock it once quantum computing scales. At the same time, generative AI gives them an immediate arsenal of realistic fraud, deepfakes, and automated phishing at industrial scale. The message is clear: if you’re waiting for the perfect moment to act, you’re already behind. The only way forward is proactive readiness.  

Think of the risk as a two-headed monster: one head (AI) is striking now; the other (quantum) is preparing to strike later. AI threatens identity and trust in the short term. Quantum threatens the foundations of security in the long term. Together, they reshape the way enterprises need to manage risk. 

Here are the AI-augmented threats active now: 

  • Autonomous malware generation: AI can autonomously create or modify malware, increasing the frequency and sophistication of attacks, such as adapting behavior based on detection attempts and learning from previous breaches. 

  • AI-powered social engineering: Advanced language models generate highly convincing phishing emails and impersonations, enabling large-scale personalized attacks using data from social media or leaked sources. 

  • Deepfake and synthetic identity attacks: AI-generated deepfakes can impersonate voices or faces in real time, undermining biometric security systems. Entirely fabricated synthetic identities are increasingly used for fraud and misinformation. The business impact is an erosion of trust.  

Here are the quantum threats coming soon: 

  • Post-quantum cryptography (PQC) urgency: RSA and ECC can be broken by a sufficiently large quantum computer, so sensitive data needs a transition to quantum-resistant algorithms before such a machine exists, not after. 

  • Harvest now, decrypt later: adversaries are already collecting encrypted data for future decryption. 

  • Public key cryptography: Quantum algorithms such as Shor’s, developed in 1994 by Peter Shor, could break widely used public key schemes, threatening secure communications, digital signatures and even blockchain systems. 

  • Quantum key distribution (QKD): QKD shares symmetric keys over dedicated optical links and is secured by physics rather than computational hardness, so it would also resist a future quantum computer. It needs specialized hardware and point-to-point links, however, so it cannot rapidly replace current networking technologies; for most enterprises, PQC is the practical route. 

The Readiness Framework: Four Levers Leaders Should Control 

  1. Technology: Find tools that buy time and resilience. Combine AI tools that detect and prevent threats today with encryption methods strong enough to resist tomorrow’s quantum computers. For example, Google uses AI in Gmail to block over 100 million phishing emails daily, and Chrome has shipped hybrid post-quantum key exchange. Budget here buys immediate risk reduction (fewer successful attacks) and future-proofs critical channels, including transport layer security (TLS), virtual private networks (VPNs) and public key infrastructure (PKI). 

  2. Talent: Build teams trained for tomorrow’s risks. Upskill cybersecurity and IT teams in AI operations and quantum-safe technologies. For example, IBM offers free quantum computing and AI training; enterprises could leverage this to accelerate skill building across SecOps and architecture. Skills close the execution gap. Remember that controls are only effective if teams can deploy and maintain them. 

  3. Infrastructure: Design systems that won’t collapse under new rules. Ensure hardware and platforms can support next-gen encryption and AI-driven security systems. For example, Intel and Microsoft Azure are building infrastructure that supports quantum-resilient cryptography and AI-assisted defense. Modernized infrastructure reduces migration friction and audit pain when regulators tighten controls. 

  4. Governance: Make decisions that keep you compliant and trusted. Develop internal policies and align with external standards to ensure responsible AI use and secure the shift to quantum readiness. For example, NIST’s post-quantum standards and Microsoft’s responsible AI guidelines are ready-to-adopt baselines. Sound governance avoids fines, accelerates certifications, and sustains customer trust. 

What Leaders Should Do Now: A 12-Month Action Plan 

The rise of generative AI and quantum computing isn’t a trend to watch; it’s a challenge to act on now. Leaders don’t need another abstract framework; they need a concrete, time-boxed plan. The following roadmap breaks down the next 12 months into three clear phases: stabilize in 90 days, harden in 180 days and scale in 365 days. 

0-90 Days: Stabilize and Build Situational Awareness 

Objective: Get clarity on your current exposure and run fast, low-cost drills to plug the most obvious gaps. 

  • Inventory your cryptography. Map where Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) are still used to secure your systems: VPNs, TLS endpoints, PKI, code-signing processes and Internet of Things (IoT) devices. For each, record the algorithm, key size, what data it protects and how long that data must stay secret; that shelf life decides which systems harvest-now-decrypt-later hurts first. Think of it as a locksmith’s audit: know which doors in your digital house still use locks that tomorrow’s tools will open. 

  • Run a “deepfake drill.” Simulate a video call scam or synthetic voice request with your finance and HR teams. Train employees to pause and verify through an independent channel, such as a call-back on a known number, before acting. 

  • Deploy AI-assisted detection. Upgrade email gateways and web filters with AI-based phishing and anomaly detection. These tools already block phishing at consumer scale (Google reports Gmail blocks more than 100 million phishing emails a day); enterprises should expect the same resilience. 

  • Set a crypto-agility baseline. Ensure your systems can swap encryption methods without full rewrites: algorithm choice should live in configuration or be negotiated per connection, not be hard-coded alongside fixed key or buffer sizes. This is your insurance policy against future algorithm shifts. 

Outcome: You understand your critical vulnerabilities and give your people practical exposure to today’s AI-powered scams.  
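The inventory step above is only useful if it ends in a ranked list. The following script, an added example for this article rather than ISG tooling, applies Mosca’s inequality (data shelf life + migration time > years until a cryptographically relevant quantum computer means the data is already exposed to harvest-now-decrypt-later) to a cryptographic inventory and sorts the assets by urgency. The inventory records, the 10-year horizon, shelf lives and migration estimates are constructed assumptions that a team would replace with its own numbers.

```python
"""Prioritise a cryptographic inventory for post-quantum migration.

Illustrative example added to this article, not ISG's own tooling. The inventory
records below are constructed for the example, and the planning numbers (a 10-year
CRQC horizon, shelf lives, migration estimates) are assumptions a team would replace
with its own. The rule applied is Mosca's inequality: if data shelf life + migration
time > time until a cryptographically relevant quantum computer (CRQC), the asset is
already exposed to harvest-now-decrypt-later.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# How a large quantum computer affects each algorithm family.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
GROVER_WEAKENED = {"AES-128", "SHA-1", "3DES"}   # effective security level roughly halved
QUANTUM_SAFE = {"AES-256", "SHA-256", "SHA-384", "ML-KEM-768", "ML-DSA-65", "SLH-DSA-128s"}

PRIORITY_RANK = {"P1-HNDL": 0, "P2-migrate": 1, "P2-review": 1, "P3-upgrade": 2, "OK": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    use: str                     # "key-exchange", "signature" or "bulk-encryption"
    algorithm: str
    shelf_life_years: float      # how long the protected data must stay confidential
    migration_years: float       # estimated time to replace the algorithm on this asset


def classify(algorithm: str) -> str:
    """Map an algorithm name to its quantum status."""
    if algorithm in SHOR_BROKEN:
        return "broken"
    if algorithm in GROVER_WEAKENED:
        return "weakened"
    if algorithm in QUANTUM_SAFE:
        return "safe"
    return "unknown"


def mosca_exposed(asset: Asset, crqc_horizon_years: float) -> bool:
    """Mosca's inequality: X (shelf life) + Y (migration) > Z (CRQC horizon)."""
    return asset.shelf_life_years + asset.migration_years > crqc_horizon_years


def assess(asset: Asset, crqc_horizon_years: float = 10.0) -> str:
    """Assign a migration priority to one asset."""
    status = classify(asset.algorithm)
    if status == "broken":
        # Only confidentiality is attackable retroactively: a recorded key exchange and
        # its ciphertext can be stored now and broken later. Forging a signature needs a
        # CRQC at forgery time, so signature assets are "migrate", not "HNDL".
        if asset.use == "key-exchange" and mosca_exposed(asset, crqc_horizon_years):
            return "P1-HNDL"
        return "P2-migrate"
    if status == "weakened":
        return "P3-upgrade"      # e.g. AES-128 -> AES-256; 3DES and SHA-1 should go regardless
    if status == "safe":
        return "OK"
    return "P2-review"           # an unrecognised algorithm is an inventory gap, not a pass


def prioritize(assets: Iterable[Asset], crqc_horizon_years: float = 10.0) -> List[Tuple[str, str]]:
    """Return (priority, asset name) pairs, most urgent first, alphabetical within a rank."""
    scored = [(assess(a, crqc_horizon_years), a.name) for a in assets]
    return sorted(scored, key=lambda pair: (PRIORITY_RANK[pair[0]], pair[1]))


# Constructed sample inventory (not real ISG or client data).
INVENTORY = [
    Asset("vpn-gw-01", "key-exchange", "DH", shelf_life_years=15, migration_years=2),
    Asset("public-tls-edge", "key-exchange", "X25519", shelf_life_years=1, migration_years=1),
    Asset("code-signing-ca", "signature", "RSA", shelf_life_years=10, migration_years=3),
    Asset("legacy-iot-fleet", "key-exchange", "RSA", shelf_life_years=8, migration_years=5),
    Asset("db-at-rest", "bulk-encryption", "AES-128", shelf_life_years=7, migration_years=1),
    Asset("backup-archive", "bulk-encryption", "AES-256", shelf_life_years=20, migration_years=0),
    Asset("hr-portal", "key-exchange", "VENDOR-KX", shelf_life_years=5, migration_years=2),
]

if __name__ == "__main__":
    for priority, name in prioritize(INVENTORY):
        print(f"{priority:<11} {name}")
```

The horizon is the one number everyone argues about, so keep it a parameter: shortening it from 10 to 1.5 years pulls the public TLS edge into the P1 bucket as well, which is exactly the sensitivity analysis a board will ask for.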

90-180 Days: Harden with Pilots and Policy 

Objective: Move from awareness to hands-on pilots and embed new security requirements into your governance. 

  • Pilot hybrid encryption. Test a quantum-safe algorithm such as the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM, NIST FIPS 203) in a hybrid with today’s X25519 or ECDH key exchange on a low-risk channel, such as one API gateway or VPN. Measure handshake size, latency and interoperability issues early; ML-KEM key shares add roughly a kilobyte in each direction, which is enough to expose brittle middleboxes and fixed-size buffers.  

  • Start secure AI governance. Mandate bias testing, transparency checks, and audit logs for any AI models used internally. AI should act like a co-pilot, fast and sharp but always monitored. 

  • Embed supply chain requirements. Demand software bills of materials (SBOMs) from key vendors and align them with your secure development lifecycle. Make “show me your SBOM” a standard RFP question.

  • Cross-train teams. Upskill cybersecurity staff in both AI operations and post-quantum cryptography. Free programs from IBM and others can help shorten the learning curve. 

Outcome: Your organization has proof that quantum-safe encryption and AI governance are practical, not theoretical. Vendors and teams know the new baseline. 
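The crypto-agility baseline from the first phase and the hybrid pilot above come down to one design question: how the classical and post-quantum shared secrets become a single session key, and how easily the mix can be changed. The following is an added example for this article, not code from Google, Signal or ISG, and it does not implement TLS. It shows the combiner pattern used by hybrid deployments (the two raw shared secrets are concatenated and fed through a key derivation function, with the algorithm list bound into the derivation so a hybrid key can never collide with a classical-only one) and a helper for predicting key-share growth. Python’s standard library has no X25519 or ML-KEM, so the two shared secrets are constructed placeholders; HKDF is implemented from RFC 5869 with hashlib and hmac, and the key-share sizes come from RFC 7748 and FIPS 203.

```python
"""Crypto-agile hybrid key derivation: ECDH secret + ML-KEM secret -> one session key.

Added example for this article; not code from Google, Signal or ISG, and not a TLS
implementation. Python's standard library has no X25519 or ML-KEM, so the raw shared
secrets below are constructed 32-byte placeholders standing in for what the real
primitives would output in a pilot. HKDF follows RFC 5869 using hashlib/hmac.
Key-share sizes are taken from RFC 7748 (X25519) and FIPS 203 (ML-KEM-768).
"""
import hashlib
import hmac
from typing import List, Tuple

# Bytes each component adds to the key_share exchange (client -> server, server -> client).
KEY_SHARE_BYTES = {
    "X25519": (32, 32),            # one public key each way
    "ML-KEM-768": (1184, 1088),    # encapsulation key out, ciphertext back
}


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Extract. An empty salt means a string of HashLen zeros."""
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), output truncated to length."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(components: List[Tuple[str, bytes]], transcript: bytes,
                           length: int = 32) -> bytes:
    """Derive a session key from an ordered list of (algorithm, shared_secret) pairs.

    The ordered list is the crypto-agility seam: enabling ML-KEM now, or dropping X25519
    later, changes this list in configuration rather than the key schedule. The algorithm
    names are bound into the HKDF info, so a key derived for X25519+ML-KEM-768 can never
    equal one derived for X25519 alone even if the raw bytes coincided.
    """
    if not components:
        raise ValueError("at least one shared secret is required")
    ikm = b"".join(secret for _, secret in components)          # ss_ecdh || ss_kem
    group_label = b"+".join(name.encode() for name, _ in components)
    prk = hkdf_extract(salt=b"", ikm=ikm)
    return hkdf_expand(prk, info=b"hybrid-kex|" + group_label + b"|" + transcript, length=length)


def key_share_overhead(group: List[str]) -> Tuple[int, int]:
    """Bytes a group adds on the wire (client, server), so a pilot can predict handshake growth."""
    client = sum(KEY_SHARE_BYTES[name][0] for name in group)
    server = sum(KEY_SHARE_BYTES[name][1] for name in group)
    return client, server


# Constructed placeholder secrets: in a pilot these come from X25519 and ML-KEM decapsulation.
SS_ECDH = bytes.fromhex("11" * 32)
SS_MLKEM = bytes.fromhex("22" * 32)
TRANSCRIPT = hashlib.sha256(b"constructed handshake transcript").digest()

if __name__ == "__main__":
    classical = combine_shared_secrets([("X25519", SS_ECDH)], TRANSCRIPT)
    hybrid = combine_shared_secrets([("X25519", SS_ECDH), ("ML-KEM-768", SS_MLKEM)], TRANSCRIPT)
    print("classical-only key :", classical.hex())
    print("hybrid key         :", hybrid.hex())
    print("key_share overhead :", key_share_overhead(["X25519", "ML-KEM-768"]), "bytes (client, server)")
```

The property worth checking in a pilot is the one the page’s thesis rests on: an attacker who records the handshake today and later recovers the X25519 secret with Shor’s algorithm still holds only half of the HKDF input, so the session key stays out of reach as long as ML-KEM holds. The overhead helper makes the size cost concrete: X25519 alone costs 32 bytes each way, while X25519 plus ML-KEM-768 costs 1216 bytes from the client and 1120 from the server.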

180-365 Days: Scale and Lock in Resilience 

Objective: Roll out quantum-safe and AI-secure practices at scale, while making them permanent in contracts and governance. 

  • Expand pilots into production. Roll out hybrid encryption across internet-facing services and begin phasing in quantum-safe signatures (ML-DSA or SLH-DSA, NIST FIPS 204 and 205) for code signing and, as your CA and tooling support them, for certificates. 

  • Negotiate vendor accountability. Require quantum-readiness roadmaps, SBOM transparency and a 30-day critical-vulnerability response SLA in all new contracts. If regulators treat this as a building code, your vendors must build to standard. 

  • Automate compliance reporting. Integrate the Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA) and sector-specific requirements into regular reporting dashboards, so you can show regulators (and boards) not just what’s planned, but what’s working. 

  • Institutionalize training. Make AI awareness and quantum-readiness part of annual security training for technical and non-technical staff alike. Today’s “phishing awareness” needs to expand into “AI fraud awareness.” 

Outcome: You move beyond pilots into enterprise-scale resilience. Compliance obligations are met, vendors are aligned, and your workforce is trained. 

The Security Road Ahead 

Generative AI and quantum computing are not isolated trends, but intertwined forces fundamentally changing cybersecurity. This is less of a finish line and more of a moving train. Those who jump on now will arrive safely; those who wait risk being left behind. The data stolen today may be decrypted tomorrow. Early movers will not only protect themselves; they’ll also gain customer trust, regulatory advantage, and reputational resilience. 

ISG helps enterprises embrace early adoption, align with emerging standards, and maintain regulatory vigilance so they can position themselves to compete and stay secure. Success lies in early adoption, cross-border compliance readiness and a sustained commitment to security excellence. Contact us to find out how we can help. 

About the author

Renjith Mathew

Renjith is a seasoned advisory professional with 19 years in IT/ITES, specializing in IT Service Management, Service Delivery, Transitions, Vendor Management, Risk Compliance, and Cybersecurity. His expertise includes leading cybersecurity initiatives, optimizing vendor management for cost-efficiency, implementing ITILv3 for IT service delivery, and managing successful IT transitions across the US, Africa, the Middle East, and Asia Pacific.