This week, SEI’s Washington, D.C., office hosted an executive roundtable with The Cyber Guild titled “Post-Quantum Readiness in the Age of AI: Act Now or Explain Later.” The session brought leaders across financial services, technology, and government to address a growing reality: your greatest data control — encryption — may be irrelevant within the next three years.
The discussion began with welcome remarks from Michael Dreben, Senior Consultant at SEI, and brought together a distinguished group of voices, including:
- Facilitator: LaLisha Hurt, SVP of National IT, Federal Reserve System
- Activator: David Beabout, Counselor to the Global CISO, NTT
- Panelists:
- Sean Frazier, Federal CSO, Okta
- Brandon Karpf, Leader of International Public-Private Partnerships, NTT
- Dr. Matthew McFadden, VP of Cyber & Distinguished Technologist, GDIT
- Closing Remarks: Grace Llojaj, Senior Consultant, SEI
Together, the group moved beyond theory to focus on one key question: what should organizations be doing today to move from quantum-curious to quantum-ready?
“AI is delivering value today, but quantum is quietly reshaping the future of trust. We find that the word ‘quantum’ often feels too abstract to connect to real decisions, which is exactly why many organizations do nothing about it, but this is not something to be intimidated by. At its core, this is not about physics; this is about data privacy, security, and the reality that today’s encryption has an expiration date. You don’t need to start from scratch. The foundation of a quantum-ready organization already exists in your data and AI governance frameworks. This is about extending them to understand cryptographic risk, educating your product teams, holding vendors accountable, and making the issue real for your board. The organizations that lead don’t need to be the most technical, they’ll be the ones who start the conversation now, before they’re forced to explain why they didn’t.”
— Tim Gagnon, Managing Director, SEI Washington, D.C.
Why This Matters Now
The conversation highlighted two parallel forces reshaping cyber risk:
- AI is the sprint — delivering immediate ROI and introducing real-time risks.
- Quantum is the marathon — advancing quietly but with the power to break encryption.
These are not mutually exclusive — they reinforce each other. AI can accelerate quantum readiness, but it can also accelerate threats. Most organizations are managing these as separate conversations, but they’re not — the AI investments you’re making today will only be as trustworthy as the cryptographic infrastructure protecting them tomorrow.
A common misconception is that organizations can wait for “Q-Day.” Q-Day is the point at which a sufficiently powerful quantum computer breaks the public-key encryption that protects virtually all digital communication today — financial transactions, health records, government systems. In reality, the clock is already ticking. Some estimate that it could happen as soon as the next 3 years.
Adversaries are actively pursuing a strategy known as “harvest now, decrypt later” by collecting encrypted data today with the expectation that it can be decrypted in the future. Nation-state actors and sophisticated cybercriminals are already banking on this. They’re intercepting and storing encrypted data now, waiting for quantum capabilities to catch up. By the time it does, the exposure will already exist — most organizations just won’t know it yet. That means decisions made now will define exposure later.
What To Do Now: Practical Actions That Matter
Despite the complexity, the roundtable landed on a clear message: you don’t need perfect answers, you just need to start.
1. Put It on the Board Agenda
Awareness is the first step toward readiness. Quantum computing and AI-driven risks should become recurring topics in leadership and board-level discussions because risks that are not actively discussed are rarely managed. Establishing executive visibility today helps organizations prioritize investments, align stakeholders, and ensure emerging threats are incorporated into broader business and risk strategies.
2. Build a Cryptographic Inventory
You can’t secure what you don’t know is there. Organizations should begin by identifying where cryptography exists across the enterprise and establish a clear understanding of their exposure. AI-powered discovery tools can accelerate this effort, but the inventory should be treated as a living asset that evolves with the business.
Key areas to assess include:
- Systems, applications, and infrastructure
- Sensitive data and intellectual property
- Third-party vendors and technology providers
- Cryptographic dependencies that may not be well documented
3. Ask Better Questions — Starting with Vendors
One of the most immediate and impactful actions organizations can take is to engage their vendors. Start by asking a simple but critical question: When are you transitioning to quantum-secure cryptography?
These conversations should become a standard part of procurement processes, vendor reviews, and product roadmap discussions. As customer expectations and market pressures continue to build, organizations may find that industry demand moves faster than formal regulation.
4. Strengthen Identity and Access Fundamentals
Preparing for quantum-era security does not replace foundational cybersecurity practices — it reinforces their importance. While organizations plan for future threats, strengthening identity security remains one of the most effective ways to reduce risk today.
Priority actions include:
- Moving toward phishing-resistant authentication
- Exploring passwordless access models
- Strengthening access controls and governance
- Building a Zero Trust culture across the organization
Protecting identity remains the front line of defense.
5. Build Crypto-Agility
Cryptographic standards will continue to evolve, making adaptability a strategic advantage. With shorter key and certificate lifecycles becoming increasingly common, systems should be designed for flexibility rather than permanence. Building crypto-agility today enables organizations to respond more efficiently to emerging standards, evolving threats, and future technology shifts.
6. Use AI to Accelerate Readiness
AI can help organizations move faster and make more informed decisions as they prepare for quantum-related risks. By improving visibility and reducing manual effort, AI-driven tools can accelerate readiness efforts across the enterprise.
Organizations can leverage these capabilities to:
- Automate discovery of cryptographic dependencies
- Identify shadow AI and other unmanaged risks
- Improve decision-making through greater visibility and insights
- Prioritize remediation efforts more effectively
7. Invest in Governance and People
Ultimately, this is as much a governance challenge as it is a technology challenge. Success depends on an organization’s ability to translate complex technical risks into clear business impacts that leaders can understand and act upon. Investing in education, leadership fluency, and workforce training helps build organizational resilience while ensuring risk management strategies remain aligned with broader enterprise priorities and business objectives.
Four Truths Leaders Should Act On
The discussion ultimately reinforced four simple truths:
- Leadership matters more than technology
- Visibility matters more than perfection
- Market pressure will accelerate readiness
- Waiting is the riskiest strategy of all
None of these requires a perfect plan to act on. The organizations that lead through major security transitions aren’t the ones with the most complete answers at the start — they’re the ones that start.
A Shared Responsibility
The session emphasized the importance of community, bringing leaders together to demystify security, challenge assumptions, and most importantly, take action.
“What’s encouraging is that despite the complexity of quantum risk, the path forward is surprisingly practical; start before you have all the answers. At The Cyber Guild, we believe resilience is built when leaders come together to learn, challenge assumptions, and take action because in this environment, leadership and visibility matter far more than waiting for certainty.”
— Debbie Sallis, Founding Executive Director, The Cyber Guild
How to Start Now
You don’t need a transformation program to begin. Start with three steps:
- Put quantum risk on the leadership agenda
- Begin your cryptographic inventory
- Ask your vendors about their quantum roadmap
Because in a post-quantum world, what you do now defines your exposure later. The organizations that act today won’t be the ones explaining themselves tomorrow.
Ready to Move From Quantum-Curious to Quantum-Ready?
SEI’s Security, Risk, & Compliance consultants work with organizations across financial services, government, healthcare, and technology to turn complex security challenges into clear, executable plans. We start with your business — what you’re protecting, who you’re trusting, and what’s at risk — and build a roadmap that moves you forward before the window closes. If this is a conversation your leadership team needs to have, we’re ready to help guide it.
