- Where Most Organizations Actually Stand
- Reality 1: Readiness Matters More Than Hardware
- Reality 2: No Single Use Case Wins
- Reality 3: Quantum and AI Can Amplify Each Other
- Reality 4: Talent Gets Harder, Not Easier
- Reality 5: Governance Must Be Built In from Day One
- What This Means for Security Teams
- How Encryption Consulting Can Help
- Conclusion
Quantum computing has been treated as a future problem for a long time. Something to revisit once the hardware improves. That thinking is changing in 2026, and the shift is real.
Organizations that use this time to build skills, gain experience, and develop internal knowledge are creating advantages that will be hard to close later.
Regulators have come to the same conclusion. NIST published three post-quantum cryptography (PQC) standards in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). In March 2025, NIST selected HQC, a code-based backup key-encapsulation mechanism, for standardization as a mathematically diverse alternative to ML-KEM, with finalization expected in 2027. FIPS 206 (FN-DSA, based on FALCON) is also expected in late 2026 or early 2027. NSA’s CNSA 2.0 requires all new National Security System acquisitions to support CNSA 2.0 algorithms starting January 1, 2027.
The EU NIS Cooperation Group released a coordinated PQC roadmap in June 2025, asking all Member States to have national PQC plans and cryptographic inventories in place by the end of 2026, with critical infrastructure transitioning its high-risk use cases by the end of 2030 and medium-risk use cases by the end of 2035. On both the opportunity and risk sides of quantum, what organizations decide in the next two to three years will shape where they stand for the decade after.
This blog looks at five realities that separate organizations making real quantum progress from those still treating it as tomorrow’s problem.
Where Most Organizations Actually Stand
Before getting into the five realities, it helps to be honest about the current situation. The gap between knowing about quantum and actually doing something about it is large, and that gap is itself a risk.
Most organizations are running pilots and spending more money, but they have not built the systems, processes, or governance needed to move from testing to production. The five realities below explain what it actually takes to close that gap.
| Reality | What It Means | Common Mistake |
|---|---|---|
| 1. Organizational readiness | You need people, process, and governance, not just hardware | Waiting for hardware to improve before doing anything |
| 2. Portfolio use cases | Quantum advantage varies by industry and workload type | Treating all systems as equal migration priorities |
| 3. Quantum and AI together | The two technologies are converging in both attack and defense | Planning for quantum and AI separately |
| 4. Talent | PQC expertise is scarce and demand is rising fast | Assuming internal teams can absorb the work without specialist support |
| 5. Responsible governance | Cryptographic governance is a current regulatory obligation | Treating quantum risk as a future item on the risk register |
Here is what each one means in practice.
Reality 1: Readiness Matters More Than Hardware
The most common reason organizations give for waiting is that the hardware is not ready. It sounds reasonable. It is also the position most likely to leave them behind.
Why Waiting Backfires
A quantum advantage does not come from hardware alone. It needs capable hardware, mature software, applications built for specific problems, and workflows that connect quantum tools to real business operations. None of those things can be built overnight. They take years. Organizations that wait for hardware to improve before doing anything else are already behind.
What Organizations That Are Ahead Actually Do
- They work with hardware providers, research groups, and industry partners to follow development closely without locking into one platform.
- They build plans that run quantum strategy, technical capability, and operational readiness at the same time, not one after the other.
- They protect early research, including the IP, data, and models, with access controls and encryption, so the advantage they build cannot be leaked or replicated before it reaches production.
Better hardware opens the door. Organizational readiness decides how fast you can walk through it. That same thinking shapes how leading organizations approach which problems to pursue first.
Reality 2: No Single Use Case Wins
Early quantum strategy often involved finding the one area where quantum would obviously win, so the business case would write itself. That approach has not held up.
Where the Real Activity Is
Looking across independent analyses of the quantum market in 2025 and 2026, the most realistic near-term opportunities are spread across multiple industries:
| Industry | Primary Focus | Why Quantum Matters |
|---|---|---|
| Energy and Materials | Simulation | Battery chemistry, catalyst design, molecular modeling |
| Financial Services | Optimization | Portfolio construction, derivatives pricing, risk modeling |
| Healthcare and Pharma | Simulation | Drug discovery, protein binding, mRNA structure |
| Logistics | Optimization | Routing, scheduling, supply chain efficiency |
| Government and Defense | Security and Optimization | Post-quantum cryptography, secure communications |
What a Good Investment Looks Like
The organizations making the most consistent progress are spreading their bets across several areas rather than picking one winner. They also keep investing through the hard integration phase, instead of cutting budgets exactly when proven use cases need funding to reach production.
Nobody knows which quantum application will deliver business value first. Working across several at once is not unfocused. It is the right response to real uncertainty. And how organizations handle this alongside their AI work turns out to matter just as much.
Reality 3: Quantum and AI Can Amplify Each Other
One of the most consequential decisions in quantum strategy is whether to treat quantum and AI as competitors for budget, or as tools that researchers are actively exploring as complements. Organizations that frame them as rivals tend to underinvest in quantum; those that treat them as parallel capabilities tend to build more durable programs.
Why They Are Being Explored Together
Quantum and AI address different types of computational problems. Researchers are investigating whether quantum approaches can help with certain AI workloads, including sampling from complex probability distributions and simulating physical systems that classical computers struggle to model accurately. In the other direction, AI tools are already being used to guide algorithm selection, manage hybrid system resources, and help identify where quantum methods might be most useful.
The Cost of Treating Them As Rivals
Organizations that maintain separate quantum and AI teams with separate budgets tend to reinforce a perception of competition that the underlying technology does not support. For security teams specifically, the most practical version of this today is using AI-assisted tools to speed up cryptographic inventory and post-quantum migration work, where AI-driven discovery compresses timelines that manual approaches cannot match.
Reality 4: Talent Gets Harder, Not Easier
Most technology transitions follow a familiar pattern: talent is scarce at first, then the market catches up. Quantum computing is not following that pattern.
Why the Gap Grows
Early quantum programs can be run by small, specialist teams doing controlled experiments. As programs move toward production, the skills needed expand in several directions at once:
- Quantum algorithm design
- Hybrid classical-quantum engineering
- Integration with legacy and cloud systems
- Application development for specific business domains
- Governance and compliance
Most of these roles require people who combine quantum expertise with deep knowledge of a specific industry. That combination is rare and takes time to develop.
What Making Progress Looks Like
- Map what quantum skills existing business roles will need, and build development paths for domain experts in finance, healthcare, and logistics, rather than only hiring quantum specialists.
- Partner with universities to extend the talent pipeline beyond what internal development can provide.
- Build rotation programs that spread quantum experience across the organization rather than keeping it concentrated in one team.
Talent cannot be built quickly when you need it. The investment has to start well before the pressure arrives.
Reality 5: Governance Must Be Built In from Day One
Quantum computing is different from most enterprise technologies in one important way. Its capabilities in specific areas may develop faster than the governance frameworks designed to manage them. That means governance cannot be added after the fact. It has to be part of the design from the beginning.
The Gap Between Awareness and Action
Most organizations know the risks. Very few have done much about them. Most acknowledge that quantum will create new security vulnerabilities, new questions about who gets access to powerful computing, and new accountability challenges for decisions made with quantum-enhanced systems. Very few have turned that awareness into actual governance structures, procurement requirements, or board-level oversight.
The Cryptographic Obligation
The most immediate and concrete governance requirement for most enterprises is cryptographic security. The same quantum capabilities being built for computing advantage will eventually be able to break the public-key cryptography that underlies most enterprise security: TLS key exchange, VPN tunnels, PKI, code signing, and identity systems.
NIST IR 8547 (Initial Public Draft, November 2024) sets out the planned transition timeline: RSA-2048 and ECC P-256 are designated for deprecation by 2030, meaning they should not be used in new deployments after that point, and all quantum-vulnerable public-key algorithms are expected to be fully disallowed in NIST standards by 2035. Note that IR 8547 remains in draft form, and these timelines, while widely used as planning targets, are not yet finalized regulatory requirements.
For organizations in federal supply chains or operating National Security Systems, planning for this transition is already a compliance requirement under CNSA 2.0 and NSM-10.
Note: Federal buyers should also note the FIPS 140-3 transition: FIPS 140-2 module certificates move to Historical status on September 21, 2026, after which new federal deployments require FIPS 140-3 validated cryptography.
What This Means for Security Teams
Each of the five realities carries a specific implication for security teams and anyone responsible for cryptographic infrastructure.
| Reality | Security Implication | Action Required Now |
|---|---|---|
| Organizational readiness | PQC migration takes years of sustained effort | Start the cryptographic inventory now |
| Portfolio use cases | Different systems migrate on different timelines | Prioritize by how long data needs to stay confidential |
| Quantum and AI together | AI tools can speed up migration discovery significantly | Use AI-assisted discovery in inventory programs |
| Talent | PQC skills are in short supply | Bring in specialist partners before demand peaks |
| Responsible governance | Cryptographic governance is a current planning obligation | Add quantum risk to the enterprise risk register |
The harvest now, decrypt later (HNDL) threat model makes the timeline shorter than most organizations expect. Adversaries may be collecting encrypted data today with the plan to decrypt it once capable quantum computers exist. Every month of delay on the cryptographic inventory is another month of exposure that cannot be recovered later. Use Cryptographic Bill of Materials (CBOM) to build and maintain a continuously updated inventory of algorithms, certificates, and keys across your environment, so that exposure to HNDL attacks is visible before it becomes unmanageable. If your organization is ready to move from awareness to action, this is where Encryption Consulting can help.
How Encryption Consulting Can Help
Whether your concern is the computing opportunity, the cryptographic risk, or both, Encryption Consulting supports organizations through every stage of the transition with practical expertise and a realistic view of where regulation and the threat environment are heading via our PQC Advisory Services.
Our Five-Stage Engagement Model
- Cryptographic Discovery and Inventory: Scanning your entire environment to find certificates, keys, algorithms, and protocols across endpoints, applications, APIs, and infrastructure. This is the foundation of every quantum readiness program and increasingly a prerequisite for regulatory audits.
- PQC Assessment: Evaluating your exposure to quantum threats, identifying RSA- and ECC-dependent systems at highest risk, and delivering a prioritized report with risk severity ratings.
- PQC Strategy and Roadmap: A phased migration plan built around your risk appetite, regulatory requirements, and long-term security goals, including crypto-agility design so systems can adapt as standards evolve.
- Vendor Evaluation and Pilot Testing: Helping you choose the right tools, run implementations in realistic environments, and validate interoperability before full rollout.
- Full Implementation: Deploying hybrid classical and quantum-safe models, extending PQC across your PKI and infrastructure, and setting up monitoring for long-term cryptographic health.
CBOM Secure
CBOM Secure gives security and infrastructure teams a single, continuously updated view of cryptographic usage across the entire organization. Instead of working through spreadsheets or scattered configuration files, CBOM Secure shows which algorithms are in use, which systems need to change for post-quantum readiness, and whether current configurations meet policy requirements, in a format that works for both technical teams and leadership. It automates crypto inventories, validates TLS configurations, checks algorithm compliance, and flags gaps before they become regulatory problems.
If your organization is ready to understand where it stands or to begin the migration, reach out. The earlier you start, the more manageable the work becomes.
Conclusion
Quantum computing is not arriving all at once. It is arriving in stages, changing what is computationally possible across different industries at different speeds. The organizations that will benefit most are building readiness now, while the technology is still developing, and there is still time to do it without pressure.
The five realities in this blog reflect what consistently separates organizations making real quantum progress from those still waiting:
- Organizational capability, not hardware, is the binding constraint on quantum advantage.
- Spreading bets across several use cases is the right response to genuine uncertainty.
- Quantum and AI belong in a shared strategy, not separate budget conversations.
- Talent challenges get harder as programs grow, and building that capability takes years.
- Governance needs to be part of the design from day one, not added under regulatory pressure.
For security and infrastructure leaders, all of this leads to one clear first step: start the cryptographic inventory. Understand what data needs long-term protection. Ask vendors about their post-quantum roadmaps. Build crypto-agility into new systems. Get executive buy-in before regulators force the conversation.
Quantum is coming. The organizations that will be ready are already working on it.
- Where Most Organizations Actually Stand
- Reality 1: Readiness Matters More Than Hardware
- Reality 2: No Single Use Case Wins
- Reality 3: Quantum and AI Can Amplify Each Other
- Reality 4: Talent Gets Harder, Not Easier
- Reality 5: Governance Must Be Built In from Day One
- What This Means for Security Teams
- How Encryption Consulting Can Help
