When posed with a question about quantum cryptography readiness, Ankit Gupta, ISSMP, CISSP, CCSP, realized he and the organization didn’t have an answer. He explains what he did, what worked and what he learned trying to make quantum security real before the threat becomes real.

Ankit Gupta, ISSMP, CISSP, CCSP

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

In 2023, while leading a cloud security modernization initiative for a large enterprise, a question from our CTO stopped me: “Are we ready for quantum?” At that time, we were deeply focused on zero trust, identity and access management (IAM) hardening and data protection – but the mention of quantum cryptography was like someone dropping a post-apocalyptic novel in the middle of a policy meeting.

That question set me off on a journey – part research, part architecture, part executive storytelling – into understanding how artificial intelligence (AI) could bridge the gap between quantum-resistant cryptography and our current cloud ecosystem.

Investigating AI-Driven Cryptography

In my role, I routinely evaluate cryptographic controls: Transport Layer Security (TLS) enforcement, key lifecycles, access to key vaults and API-based secrets management. During an internal assessment in late 2023, I realized something unsettling: most of our encryption protocols still relied on RSA and Elliptic Curve Cryptography (ECC). Great for today, dangerous for tomorrow.

The quantum threat wasn’t theoretical anymore. Between NIST’s post-quantum algorithm drafts and warnings from federal agencies, it became clear that we needed to plan beyond the typical 3–5 year security horizon.

So, I did what security people do best – and got curious. I started mapping out how AI could support post-quantum encryption schemes like lattice-based or hash-based cryptography. Could AI make quantum cryptography usable in production? Could it optimize it? The short answer is yes, but with caveats.

Experiments with AI-Augmented Cryptographic Monitoring

One of my first practical steps was to design a pilot for AI-enhanced key lifecycle management. We built a proof-of-concept where an AI model monitored cryptographic API usage: tracking access to keys, encryption behavior and anomalies in signing operations. The idea wasn’t to replace the cryptographic backend, but to make it smarter: if something behaved abnormally, such as sudden key usage spikes or deprecated algorithms, it would alert or auto-trigger rotation.

While this wasn't full quantum cryptography yet, it was a foundation. That’s because any future system, especially one using post-quantum cryptography (PQC) or quantum key distribution (QKD), will need AI to manage its complexity and dynamic nature.
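A minimal sketch of the kind of monitor described above, added here as an illustration and not the author's proof-of-concept: it swaps the AI model for a simple per-key median/MAD baseline and also flags deprecated algorithms. The event fields, key names, algorithm list and threshold are all assumptions.

```python
from collections import Counter
from statistics import median

DEPRECATED = {"RSA-1024", "3DES-CBC", "RSA-SHA1"}  # assumed policy list
THRESHOLD = 3.5  # common cutoff for the modified z-score

# Constructed baseline: operations per hour seen for each key in past hours.
BASELINE = {
    "payments-signing": [40, 42, 38, 45, 41, 39, 44],
    "batch-etl": [5, 6, 5, 7, 5, 6, 5],
}

def sample_events():
    """Constructed audit events for one hour (field names are hypothetical)."""
    ev = [{"key_id": "payments-signing", "alg": "ECDSA-P256"}] * 43
    ev += [{"key_id": "batch-etl", "alg": "AES-256-GCM"}] * 60
    ev += [{"key_id": "legacy-report", "alg": "3DES-CBC"}]
    return ev

def modified_z(history, value):
    """Modified z-score of value against history, using median and MAD."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    mad = max(mad, 1.0)  # floor so a flat baseline does not divide by zero
    return 0.6745 * (value - med) / mad

def review(events, baseline):
    """Return sorted (key_id, reason, action) findings for one hour of events."""
    findings = set()
    for e in events:
        if e["alg"] in DEPRECATED:
            findings.add((e["key_id"], "deprecated:" + e["alg"], "alert"))
    for key_id, n in Counter(e["key_id"] for e in events).items():
        history = baseline.get(key_id)
        if not history:
            # A key with no usage history cannot be scored, so surface it.
            findings.add((key_id, "no-baseline", "alert"))
        elif modified_z(history, n) > THRESHOLD:
            findings.add((key_id, "usage-spike", "rotate"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(sample_events(), BASELINE):
        print(finding)
```

Using the median and MAD instead of the mean and standard deviation keeps one earlier burst from inflating the baseline and hiding the next one.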

Lessons I’ve Learned (So Far)

Here’s what worked:

  • Behavioral AI for Cryptography Use: We used supervised learning to detect abnormal key usage patterns, especially when dealing with shared service accounts in automation-heavy environments.
  • Integration into DevSecOps Pipelines: We added cryptographic risk checks into our CI/CD process to flag the use of outdated ciphers or static keys.
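A pipeline check of the sort the second item describes could look like the following; this is an added example, not the author's tooling. The rule list, file names and sample contents are assumptions, and it goes slightly beyond the text by also reporting RSA/ECC use as a non-blocking finding for migration planning.

```python
import re

RULES = [  # (category, blocks_build, pattern): assumed, illustrative policy
    ("outdated-cipher", True,
     re.compile(r"\b(?:MD5|SHA-?1|3DES|RC4)\b", re.I)),
    ("outdated-protocol", True,
     re.compile(r"\b(?:SSLv3|TLSv1(?:\.[01])?)(?![\w.])")),
    ("static-key", True,
     re.compile(r"\b\w*(?:key|secret)\w*\s*[:=]\s*[\"'][A-Za-z0-9+/=]{16,}[\"']",
                re.I)),
    ("static-key", True,
     re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("quantum-vulnerable", False,
     re.compile(r"\b(?:RSA|ECDSA|ECDH|secp256r1)\b")),
]

# Constructed repository contents (path -> text); the key value is fake.
SAMPLE = {
    "deploy/broker.yaml":
        "tls:\n  min_version: TLSv1.0\n  ciphers: [AES256-GCM-SHA384, RC4-SHA]\n",
    "svc/signing.py":
        'import hashlib\nAPI_SIGNING_KEY = "0123456789abcdef0123456789abcdef"\n'
        'digest = hashlib.sha1(msg)\nalg = "RSA-2048"\n',
    "svc/ok.py": 'PROTOCOL = "TLSv1.3"\ncipher = "AES-256-GCM"\n',
}

def scan(files):
    """Return (path, line_no, category, blocks_build) for every rule hit."""
    findings = []
    for path, text in sorted(files.items()):
        for no, line in enumerate(text.splitlines(), 1):
            for category, blocks, pattern in RULES:
                if pattern.search(line):
                    findings.append((path, no, category, blocks))
    return findings

def exit_code(findings):
    """Non-zero when any blocking finding exists, so the CI job fails."""
    return 1 if any(blocks for *_, blocks in findings) else 0

if __name__ == "__main__":
    results = scan(SAMPLE)
    for path, no, category, blocks in results:
        print(f"{path}:{no}: {category} ({'block' if blocks else 'warn'})")
    raise SystemExit(exit_code(results))
```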

And here’s what didn’t work:

  • Too Many False Positives Early On: Our first AI models were noisy. It took tuning and integrating business context to reduce false triggers that could lead to unnecessary revocation.
  • Vendor Readiness Was Mixed: Some CSPs offered basic PQC options, but none had AI-native cryptographic controls.

Use Cases I’ve Witnessed First-Hand

AI-assisted quantum preparedness had a direct business impact in one client environment I worked with. Their transaction systems relied on encrypted message brokers and key exchanges across microservices. When we modeled how quantum decryption could impact them, it wasn’t just about security; it became a financial continuity risk. We ran a hybrid test using AI to manage key rotation schedules based on access frequency and transaction risk scores. The result? A 30% reduction in stale key exposure and zero manual escalations from their incident response team for crypto misconfiguration over 60 days.

In another case, a healthcare provider wanted long-term data protection for genomic records. These files may need to remain confidential for decades past the RSA era. We piloted a layered model, combining hash-based PQC with federated AI models that could learn encryption behavior patterns across their multi-cloud deployments without centralizing sensitive data. This setup gave them peace of mind and met early compliance requirements from regulators.

Advice for Addressing Post-Quantum Cryptography

If you're wondering whether you need to prepare for post-quantum cryptography now, here’s a checklist of what I’d recommend, based on doing it:

  1. Start with Inventory: Know what encryption you use today and what it protects. Most organizations don’t have an updated map of crypto assets.
  2. Pilot AI for Cryptography Visibility: Even if you’re not using PQC yet, train AI models to understand normal cryptographic behavior in your environment.
  3. Avoid Technology Lock-In: The PQC ecosystem is evolving. When choosing tools or cloud services, focus on modularity and openness.
  4. Align with Compliance Timelines: Agencies like NIST, CISA, and NSA have already set the tone. If your organization handles federal data, the clock is ticking.
  5. Educate your Teams: Quantum sounds abstract. But if your developers and architects understand the threat model, they’ll make better choices today.

This isn’t a theoretical conversation anymore. Post-quantum cryptography is real, and AI integration is necessary. As security professionals, our job is to bridge that future with practical, scalable and intelligent systems, today.

Ankit Gupta, CISSP, CCSP, ISSMP, has over 15 years of experience spanning the legal and financial sectors. He has served in both technical and strategic roles with responsibility for enterprise cloud defense, secure identity architectures and regulatory compliance. His work contributes to advancing national cyber resilience through AI-aligned governance and data protection at scale.
