RSAC 2026: The real takeaway isn’t AI – it’s post-quantum readiness | perspective | SC Media - SC Media
While walking the RSA Conference (RSAC) floor last week it was impossible to miss the momentum around AI agents.
Every booth, demo, and conversation pointed to how quickly autonomous AI systems are reshaping the security landscape. Can we truly trust, govern, and secure autonomous systems? Will the proliferation and autonomy of AI agents outpace security maturity? There was no shortage of bold claims and noise.
But just beneath that energy, a quieter and more consequential theme emerged: post-quantum cryptography (PQC).
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
At The Cryptographer’s Panel last Tuesday, which featured five independent researchers hailing from some of the most prestigious institutions in the world, the message was clear: the fragility of today’s cryptographic foundations represents a real, present, and increasingly urgent challenge.
The more I listened, the clearer it became. Post-quantum threats are no longer theoretical. They are an immediate operational challenge most organizations are not prepared to address.
We’ve solved the math, but we haven’t solved the enterprise
With standards from the National Institute of Standards and Technology (NIST) and migration timelines already defined, the industry has made meaningful progress on the what. Standards exist, algorithms have been selected, and deadlines are set.
However, the how remains unresolved. How do organizations inventory cryptographic usage across complex, hybrid environments? How do they determine which devices, applications, and systems are already post-quantum safe, which rely on vulnerable algorithms, and which cannot be upgraded at all? How do they execute mitigation strategically, rather than haphazardly, as time runs out?
Before organizations can even begin remediation, they must answer a fundamental question: Where does the cryptography actually get used?
In practice, that question extends far beyond traditional IT systems. Cryptography is embedded across managed and unmanaged devices, IoT and OT environments, cloud workloads, and external third-party integrations where we can’t control the ciphers and algorithms. Today, the ability to inventory that cryptography reliably and continuously does not exist.
As Chaitanya Challa put it during her RSAC session titled “Quantum, AI & 50 Billion Machine Identities: What Could Possibly Go Right?”:
Without scalable, always-on discovery, organizations make trust assumptions about systems they don’t fully understand. When it comes to mapping non-quantum-safe encryption in an environment, we cannot rely on assumptions. Because encryption gets negotiated during the TLS handshake, even a remediated system remains susceptible to a PQC downgrade attack at connection time to use a non-quantum-safe cipher.
Not everything vulnerable needs immediate remediation
Post-quantum risk isn’t defined by the vulnerability alone, but by where it exists, what it protects, and how attackers can reach it. PQC introduces the need for context-driven prioritization based on exposure: understanding what the asset does, where it sits, how it communicates, and what the business or operational impact would be if it were compromised.
Without this context, prioritization becomes inconsistent, remediation stalls, and progress slows. Even with strong visibility, a complete transition to PQC will take time.
Some systems, like medical devices, industrial control systems, or legacy OT environments, may never support new algorithms, and companies cannot simply take these systems offline. Many exist outside direct organizational control. This makes one reality clear: organizations must manage risk both during and after the transition.
Segmentation becomes a critical strategy in this phase. It monitors and limits unnecessary communication paths, reduces lateral movement, and isolates high-risk or hard-to-upgrade assets. In many environments, particularly those involving OT or legacy systems, segmentation becomes part of the long-term operating model rather than a temporary stopgap.
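As an added illustration of the discovery, context and segmentation steps described above (this is example code written for this piece, not the column's or Forescout's), the following Python inventory classifies each negotiated TLS key-exchange group from constructed handshake observations as hybrid post-quantum, classical or RSA, flags a host that regresses from hybrid to classical between observations, and maps non-PQ hosts to "remediate" or "segment" based on an assumed upgradeable flag. The log format, host names and flag are constructed assumptions.

```python
# Example PQC inventory over constructed TLS handshake observations.
# Log format, host names and the "upgradeable" flag are assumptions.
from collections import defaultdict

# Hybrid ML-KEM groups as named by draft-ietf-tls-ecdhe-mlkem / OpenSSL.
PQ_HYBRID = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
# Classical (EC)DH groups: quantum-vulnerable but still forward secret.
CLASSICAL = {"x25519", "secp256r1", "secp384r1", "ffdhe2048", "ffdhe3072"}

# Constructed sample: timestamp host tls_version key_exchange upgradeable
SAMPLE_LOG = """\
2026-03-30T10:00:01Z api.example.internal TLSv1.3 X25519MLKEM768 upgradeable=yes
2026-03-30T10:00:05Z legacy-plc.ot.internal TLSv1.2 secp256r1 upgradeable=no
2026-03-30T10:00:09Z billing.example.internal TLSv1.2 RSA upgradeable=yes
2026-03-31T10:00:02Z api.example.internal TLSv1.3 x25519 upgradeable=yes
"""

def classify(group: str) -> str:
    """Map a negotiated key-exchange group to a PQ readiness class."""
    if group in PQ_HYBRID:
        return "pq-hybrid"
    if group in CLASSICAL:
        return "classical-fs"   # forward secret, but quantum-vulnerable
    if group.upper() == "RSA":
        return "rsa-kex"        # no forward secrecy: worst harvest-now case
    return "unknown"

def parse(log: str) -> list:
    rows = []
    for line in log.splitlines():
        ts, host, ver, group, upg = line.split()
        rows.append({"ts": ts, "host": host, "tls": ver, "group": group,
                     "cls": classify(group), "upgradeable": upg.endswith("yes")})
    return rows

def inventory(log: str) -> dict:
    """Per host: latest class, recommended action, hybrid->classical regression."""
    seen = defaultdict(list)
    for r in sorted(parse(log), key=lambda r: r["ts"]):
        seen[r["host"]].append(r)
    out = {}
    for host, obs in seen.items():
        classes, latest = [o["cls"] for o in obs], obs[-1]
        downgraded = "pq-hybrid" in classes[:-1] and latest["cls"] != "pq-hybrid"
        if latest["cls"] == "pq-hybrid":
            action = "none"
        elif latest["upgradeable"]:
            action = "remediate"    # enable hybrid key exchange in the TLS stack
        else:
            action = "segment"      # cannot upgrade: isolate, limit reachability
        out[host] = {"class": latest["cls"], "action": action, "downgraded": downgraded}
    return out
```

Running `inventory(SAMPLE_LOG)` flags the API host as downgraded (hybrid one day, classical the next), marks the RSA key-exchange host for remediation, and routes the non-upgradeable PLC to segmentation.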
AI compresses the timeline
We have a very short timeline for these post-quantum risks to emerge. Google recently announced it's accelerating its own post-quantum cryptography transition, setting a 2029 deadline for full readiness – years earlier than most government and industry targets. The takeaway here: the timelines many organizations are planning against are already outdated.
The pace of threat evolution has accelerated. AI has lowered the cost and effort required to discover vulnerabilities, reverse engineer protocols, and generate exploits. Activities that once required significant time and expertise can now happen far more quickly. Techniques such as “harvest now, decrypt later” become more viable as AI pinpoints which systems and servers to target, optimizing the path from discovery to exploitation.
Meanwhile, remediation timelines lag. Most environments are still waiting for a safe PQC stack, and even when one is available, patch rollout and upgrade cycles can take months if not years. This widening gap between time-to-exploit and time-to-remediate is where risk accumulates, and PQC remediation faces exactly that reality. AI usage by threat actors makes delays in post-quantum readiness more and more dangerous.
It's important to distinguish between hype and obligation. AI agents dominated RSAC headlines and exhibit halls, but there’s no federal mandate requiring organizations to deploy autonomous AI systems, now or in the foreseeable future. Adoption remains optional.
On the other hand, government directives, standards, and compliance expectations around PQC readiness already exist, and more are coming. It’s not a speculative technology shift: it’s a requirement organizations must meet.
“Crypto agility” has been positioned as the goal, but achieving it requires a level of operational maturity most organizations don’t have. In practice, most environments are not structured to support it.
Cryptography gets deeply embedded in devices and applications and it’s managed inconsistently across teams and often difficult to modify without introducing risk. Achieving true agility requires continuous discovery of cryptographic usage, clear context around those uses, and the ability to apply changes in a controlled and scalable manner.
We cannot achieve this through manual processes or static tracking: it’s a platform problem.
Post-quantum readiness does not resemble a traditional security upgrade: it’s fundamentally a visibility, context, and control challenge at scale, which is what makes it a platform-level problem.
PQC fits squarely into that definition. It’s not just a security initiative. It’s a cross-functional transformation that touches infrastructure, applications, and business operations.
Organizations that approach PQC in this way will be positioned not only for post-quantum cryptography, but also for the broader shifts reshaping the security business.
While we don’t need to worry that quantum capabilities will arrive too quickly, we do need to worry about the type of attacks and subsequent lateral movement that can happen if organizations are not ready when they do.
Paul Kao, chief product officer, Forescout
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.