We have not yet entered the post-quantum era, but we are approaching it rapidly. Once quantum computers reach practical maturity, they will have the capability to break the cryptographic systems underpinning nearly every digital interaction we rely on today. Online payments, secure email, VPNs, blockchain systems — even the HTTPS padlock in a browser will become vulnerable.
This is the nature of the post-quantum world, and it will not unfold gradually, but arrive like a disruptive jolt. One day, classical cryptography will be considered trustworthy, the next, it may be obsolete.
And while the challenges ahead are substantial, with a focused and strategic response, we can build systems that are not only post-quantum secure, but resilient enough to handle what comes next — machine-speed threats driven by artificial general intelligence (AGI).
More complex, more sophisticated, and new methods of attack and even new math are all what we should expect when AGI and post-quantum world intersect.
A converging risk landscape
Quantum computing represents a direct threat to modern encryption. AGI, meanwhile, could introduce a broader and more dynamic challenge to how we and the machines defending our digital world know what is good or bad. In combination, they create a perfect storm where identity becomes the most critical security control.
AGI will not exploit systems using the same methods as traditional attackers. It will impersonate, adapt, and accelerate. Consider the impact of phishing content generated by an AGI with real-time knowledge of a target’s behavior and language patterns. Or malware that continuously rewrites and optimizes its own code based on live threat response feedback.
And there is the real risk that quantum computing already presents a risk today that will be exploited even more to the future: Harvest now, decrypt later. It is almost certain that nation states and others are collecting internet traffic and stored encrypted data.
This might be from data breaches or captured without notice. Future quantum computers will likely be able to decrypt and use this data to further aid attacks. Combined with AGI that’s omniscient, the threat level and opportunity for new attack methods only expands.
These are not theoretical constructs but instead are emerging realities. AGI is expected to operate at machine speed, meaning it could render traditional perimeter defenses, manual threat detection, and human-led incident response largely ineffective.
Defense strategies must operate at the same pace and be adaptive, autonomous, and anchored in the foundations of digital security through identity.
The new security perimeter
In a threat landscape shaped by quantum decryption and AGI-driven compromise, identity, particularly machine identity, has become the new perimeter. Machine-to-machine communication now drives a vast proportion of enterprise activity. This means machine identity will likely be the frontline.
APIs, containers, cloud workloads, microservices, and increasingly AI agents all depend on machine identity to not just to connect but do perform even the most basic of business functions.
When machine identities like certificates or API keys are mismanaged, compromised, or expired, they introduce opportunities for attackers to impersonate, escalate privileges, and exfiltrate data at scale.
Addressing this requires more than what we’ve thought today about secrets management, certificate management, or key management. In this context, machine identities must be:
- Cryptographically agile — able to adapt swiftly as encryption standards evolve.
- Machine-speed ready — provisioned, validated, and revoked in milliseconds, not minutes.
- Fully automated — capable of lifecycle operations at scale without human intervention.
This represents the next evolution in cybersecurity: A security layer capable of defending against high-velocity, machine-driven threats across cloud-native and AI-powered environments.
Building the post-quantum identity playbook
The good news is that action can be taken now. The pillars of post-quantum readiness are already emerging, beginning with visibility. Organizations must focus on gaining complete, real-time insight into all identities across their environments, especially machine identities.
This includes TLS certificates, SSH keys, API keys, service accounts, embedded secrets in CI/CD pipelines, code signing certificates, access tokens, and cloud provider identities — many of which remain undetected under current security practices.
Once visibility is achieved, intelligence becomes the next priority. Security teams must not only know that an identity exists but understand its context and behavior, asking questions such as: What services do they rely on? How frequently is it accessed – and from which locations or systems? Behavioral baselining and anomaly detection are essential to inform dynamic, risk-based policy enforcement.
Automation is the third and most critical pillar. Manual machine identity management does not scale in modern environments. Often times spreadsheets are still used. This definitely won’t work since Google, Microsoft, and Apple have all agreed that every public certificate must have a lifetime of 47 days, and every business and government globally have no choice in the matter.
The entire machine identity lifecycle, from discovery to rotation and revocation, must be automated to enable real-time response and eliminate the risk of human error.
Preparation must also encompass cryptographic agility, including testing and gradually integrating quantum-resistant algorithms. Agility here means being able to replace cryptographic libraries and primitives without re-architecting applications, something few enterprises are currently equipped to do.
Zero trust model
Finally, a zero-trust model must extend beyond users to machines. Every cloud service, container, API, or AI agent must be authenticated and continuously authorized. Trust should be contextual, enforced at runtime, and governed by least-privilege principles.
If, and when, AGI becomes a reality, not just cybersecurity, but our digital world will be at risk heightening the need for systems to verify that data is real, that machines are who they say they are, and that their actions are legitimate.
At the heart of it, these are identity problems.
The machine identities that secure the digital world can no longer be taken for granted. They must be constantly checked and enforced, and that’s exactly what machine identity security makes possible. In a world shaped by quantum computing and AGI, it will be the backbone of the digital economy and society itself.
Kevin Bocek is senior vice president of Innovation at CyberArk.
