01 โ Executive Summary
The security threat landscape has bifurcated. Classical defenses address a threat that is being rapidly superseded.
The organizations responsible for protecting financial infrastructure, energy grids, healthcare systems, and government operations are defending against two simultaneous and interacting threat developments that require fundamentally different responses. The first is the maturation of AI-enabled offensive capabilities, which has dramatically lowered the skill threshold required to conduct sophisticated cyberattacks, increased the speed at which attack campaigns can be developed and deployed, and enabled adversaries to operate at a scale and persistence that human-operated offensive capabilities cannot match. The second is the development of cryptographically relevant quantum computing, which threatens to render the public key cryptography underpinning current digital security infrastructure obsolete on a timeline that is measured in years, not decades.
These two developments interact in ways that amplify the urgency of each. AI-enabled adversaries operating today are harvesting encrypted data that will become decryptable when quantum hardware reaches sufficient capability. The organizations that do not complete post-quantum cryptographic migration before that threshold is crossed will find that their historical communications, transaction records, and sensitive data are exposed retroactively, with no technical remediation available after the fact. This paper examines both developments in depth, with specific attention to their implications for financial infrastructure and other critical systems.
The organizations that will maintain secure operations through the quantum transition are not the ones with the most sophisticated current-generation security tools. They are the ones that have treated post-quantum cryptographic migration as a present-tense infrastructure program and AI-native threat detection as a design requirement rather than a product procurement.
02 โ Threat Landscape
How AI-enabled offensive capabilities have permanently changed the economics of cyberattack.
The economics of cyberattack have changed structurally with the availability of large language models and AI-enabled offensive tooling. Operations that previously required teams of skilled adversaries with specific expertise in target reconnaissance, vulnerability research, exploit development, and operational security can now be conducted by significantly smaller teams with significantly lower average skill levels, because AI systems can perform the research, drafting, and technical assistance functions that previously required human expertise at each stage of an attack campaign.
The practical consequences are observable across the threat landscape. Phishing and social engineering campaigns have become dramatically more convincing as AI systems enable the generation of contextually accurate, grammatically correct, and psychologically sophisticated lure content at scale, personalized to the target using publicly available information. Vulnerability research and exploit development are being accelerated by AI code analysis tools that can identify security flaws in target software faster than human researchers. And the operational security of adversary infrastructure is being maintained more effectively as AI systems automate the rotation of command and control infrastructure and the evasion of network-based detection.
For financial infrastructure specifically, the combination of AI-enabled social engineering and AI-enabled vulnerability research is producing a threat environment where the attack surface is expanding faster than classical defense mechanisms can cover it. The authentication systems, access controls, and anomaly detection systems that were designed around the assumption of human-paced offensive operations are being bypassed by adversaries operating at machine pace.
3,000%
increase in AI-enabled phishing and social engineering attempts targeting financial institutions documented between 2022 and 2024, per FS-ISAC threat intelligence reports
03 โ Quantum Cryptography
Why post-quantum cryptographic migration is the most urgent infrastructure program that most organizations have not yet begun.
The public key cryptography that secures virtually all digital communications and transactions, RSA, elliptic curve cryptography, and Diffie-Hellman key exchange, derives its security from the computational difficulty of specific mathematical problems: integer factorization for RSA, and the discrete logarithm problem for elliptic curve and Diffie-Hellman systems. These problems are computationally hard for classical computers, which is why current encryption is secure against classical attacks. They are not computationally hard for quantum computers running Shor's algorithm, which can solve both problems in polynomial time on a sufficiently powerful quantum processor.
The question of when a quantum computer capable of running Shor's algorithm at cryptographically relevant scale will be available is genuinely uncertain. Credible estimates from the academic and government research community place this threshold at between five and fifteen years from the current date. The uncertainty in this estimate does not reduce the urgency of migration. It increases it, because the harvest-now-decrypt-later attack strategy means that the risk crystallizes not at the moment quantum computers can break current encryption, but at the moment adversaries begin collecting encrypted data with the intention of decrypting it later.
This moment has already passed. Intelligence community assessments and private sector threat intelligence reports consistently indicate that state-sponsored adversaries have been collecting encrypted data from high-value targets for several years in anticipation of future quantum decryption capability. Financial transaction records, government communications, intellectual property, and sensitive personal data collected under current encryption standards are already in adversary hands, awaiting the hardware that will make them readable.
The NIST post-quantum standards and what they require
The National Institute of Standards and Technology finalized its first set of post-quantum cryptographic standards in August 2024, following an eight-year standardization process. The standards specify four algorithms: CRYSTALS-Kyber for key encapsulation, and CRYSTALS-Dilithium, FALCON, and SPHINCS plus for digital signatures. These algorithms are based on mathematical problems that are believed to be hard for both classical and quantum computers, providing security against both current and anticipated future attacks.
Migration to these standards is not a software update. It is a multi-year infrastructure program that requires cryptographic asset inventory across every system that uses public key cryptography, dependency mapping to identify where cryptographic operations are embedded in applications and infrastructure, algorithm transition planning that sequences the migration to prioritize the highest-risk data and systems, implementation and testing of the new algorithms in all affected systems, and ongoing governance of the cryptographic posture as the standards themselves evolve and as the organization's systems change.
For large financial institutions and critical infrastructure operators, this program may involve hundreds of applications, thousands of cryptographic dependencies, and years of engineering work. Organizations that have not begun this inventory and planning work are not in a position to complete the migration before the threat materializes, regardless of the resources they allocate to it after the fact.
8 years
minimum estimated timeline for a large financial institution to complete post-quantum cryptographic migration from first inventory to full deployment, based on comparable infrastructure transformation programs
04 โ AI Threat Intelligence
How AI-native security architectures are closing the detection and response gap that classical security tools cannot close.
Classical security operations centers are built around a human-in-the-loop model: automated tools generate alerts, human analysts triage those alerts, and human decision-makers authorize response actions. This model was designed for a threat environment where attacks were conducted by human adversaries operating at human pace, where the volume of security events was manageable by human analysts, and where the time from initial compromise to detection was measured in days or weeks, leaving adequate time for human-paced investigation and response.
AI-enabled adversaries do not operate within these assumptions. Machine-paced attacks compress the time from initial access to lateral movement, privilege escalation, and data exfiltration to minutes or hours. The volume of security telemetry generated by modern enterprise infrastructure exceeds what human analysts can process, creating systematic blind spots that adversaries exploit. And the sophistication of AI-enabled evasion techniques is specifically designed to defeat signature-based and rule-based detection that relies on known attack patterns.
Behavioral AI for anomaly detection
AI security systems trained on normal behavioral baselines for users, endpoints, networks, and applications can identify deviations from those baselines that indicate compromise even when the specific attack technique is novel and has no known signature. This behavioral approach is not subject to the evasion techniques that defeat signature-based detection, because it is detecting the consequences of malicious activity on system behavior rather than the specific tools or techniques used to produce those consequences. For financial infrastructure specifically, where the adversary's ultimate objective is financial transaction manipulation or data exfiltration, behavioral AI can detect the anomalous transaction patterns, unusual data access, and abnormal network communications that indicate an active intrusion even when the initial access technique leaves no detectable signature.
Agentic threat response
The response latency of human-operated security operations centers is structurally insufficient for machine-paced attacks. By the time a human analyst has triaged an alert, escalated it to a decision-maker, obtained authorization for a response action, and executed that action, an AI-enabled adversary may have already completed the objectives of the attack. Agentic AI security systems that can autonomously execute containment and isolation actions within a defined permission scope, on timescales of seconds rather than minutes, can interrupt attack campaigns before they reach their objectives. The governance architecture for these systems, defining the permission scope within which autonomous response is authorized and the threshold at which human authorization is required, is the critical design decision that determines whether autonomous response capability is an effective security tool or an operational risk.
05 โ Financial Infrastructure
Why financial institutions face a uniquely acute version of the quantum security problem, and what the architecture of a quantum-secure financial institution looks like.
Financial institutions face a uniquely acute version of the quantum security problem for three reasons that do not apply with the same force to other sectors. First, financial data is among the highest-value targets for long-term data collection, because the information contained in financial transaction records, customer profiles, and proprietary trading strategies retains its value for years and in some cases decades after it is collected. A state-sponsored adversary collecting encrypted financial data today is investing in an intelligence asset whose value will persist long after the encryption protecting it is broken.
Second, financial institutions operate under regulatory frameworks that create specific obligations around data security that extend backward in time. The Bank Secrecy Act's record retention requirements, which mandate retention of certain transaction records for five years, mean that financial institutions are legally required to maintain records that, if collected by an adversary under current encryption and decrypted in the future, would represent a significant privacy and security breach of data that the institution was legally required to retain. The intersection of retention requirements and harvest-now-decrypt-later creates a compliance risk that does not have a precedent in the regulatory framework.
Third, financial infrastructure is a target for disruptive attacks, not just intelligence collection. The SWIFT financial messaging network, CHIPS and Fedwire large-value payment systems, and the securities clearing and settlement infrastructure are targets whose compromise would have systemic consequences extending well beyond the directly affected institutions. The security architecture of these systems must account for the possibility of quantum-enabled attacks against the cryptographic protocols that protect the integrity and authenticity of financial messages and transactions.
The architecture of a quantum-secure financial institution
A quantum-secure financial institution has completed four architectural transitions. First, all external-facing cryptographic protocols used in customer-facing applications, correspondent banking communications, and regulatory reporting have been migrated to NIST-standardized post-quantum algorithms. Second, internal network communications and data-at-rest encryption for high-sensitivity data have been migrated to post-quantum algorithms or protected with hybrid classical plus post-quantum encryption that provides security against both current and future attacks. Third, the cryptographic agility of all systems has been established, meaning the ability to update cryptographic algorithms without replacing the systems that use them, so that future algorithm transitions can be executed efficiently as the threat landscape evolves. Fourth, a continuous cryptographic inventory and governance process is in place that ensures new systems are deployed with post-quantum-compliant cryptography from the outset.
$1.4T
estimated value of financial transaction data exposed to harvest-now-decrypt-later risk in the global financial system, based on annual SWIFT message volume and average transaction data sensitivity
06 โ Critical Infrastructure
How the quantum security threat extends beyond financial systems to energy, water, and transportation infrastructure.
The quantum security threat to critical infrastructure extends well beyond financial systems to the operational technology that controls energy grids, water treatment systems, transportation networks, and telecommunications infrastructure. The industrial control systems and supervisory control and data acquisition systems that manage this infrastructure were not designed with cryptographic agility in mind, and many of the communications protocols they use, including legacy versions of protocols used in energy and water systems, provide limited or no cryptographic protection at all. The quantum transition creates both an urgency and an opportunity: an urgency to address the cryptographic vulnerabilities in critical infrastructure communications before quantum decryption capability enables adversaries to exploit them, and an opportunity to redesign the security architecture of critical infrastructure with modern cryptographic standards as the baseline.
The governance of AI systems in critical infrastructure security contexts carries requirements from multiple regulatory frameworks. In the United States, the Cybersecurity and Infrastructure Security Agency's guidance on AI in critical infrastructure, the Department of Energy's AI for critical infrastructure security initiatives, and sector-specific requirements from NERC CIP for the electricity sector and from the Transportation Security Administration for pipeline and surface transportation systems all establish expectations for the governance of AI systems that affect critical infrastructure security. Organizations deploying AI security systems in critical infrastructure contexts must design their governance architecture to satisfy these overlapping requirements from the outset.
07 โ Governance Architecture
The specific governance structures required for AI security systems in financial and critical infrastructure contexts.
The governance architecture for AI security systems in financial and critical infrastructure contexts is more complex than for AI systems in most other sectors because the consequences of AI security system errors include both false positives, blocking legitimate transactions or operations, and false negatives, failing to detect active attacks, each of which carries significant operational and regulatory consequences. The governance architecture must be designed to manage both error types with explicit thresholds and escalation paths that are aligned with the regulatory requirements and operational risk tolerance of the specific institution.
The permission scope for an autonomous AI security response system must specify with precision the categories of action the system can take without human authorization. In a financial institution context, this typically includes network isolation of compromised endpoints, blocking of anomalous outbound connections, and suspension of compromised user credentials, while requiring human authorization for actions that could disrupt customer-facing services or affect the integrity of financial transactions. The permission scope must be reviewed and approved by both the security function and the business operations function, because the operational consequences of autonomous security actions affect business continuity in ways that the security function alone cannot fully assess.
The audit trail architecture for AI security systems must satisfy multiple simultaneous requirements: the forensic requirements of incident investigation, which require the ability to reconstruct the full sequence of events leading to and following a security incident; the regulatory requirements of the applicable frameworks, which specify the information that must be retained and the retention periods; and the operational requirements of the security operations center, which require real-time visibility into AI system decisions and the ability to override those decisions when necessary.
08 โ Joemah Approach
How Joemah structures cybersecurity engagements for financial and critical infrastructure organizations navigating the quantum transition.
Joemah's cybersecurity practice is organized around the three capability areas where the intersection of quantum computing and AI creates the most significant security implications: post-quantum cryptographic migration, AI-native threat detection and response, and quantum-secure architecture design for critical infrastructure.
Post-quantum cryptographic migration
The cryptographic migration engagement begins with a comprehensive cryptographic asset inventory that maps every system, application, and data store that uses public key cryptography, classifies the data protected by each cryptographic dependency by sensitivity and retention requirement, and produces a risk-ranked migration sequence that prioritizes the highest-risk assets. The migration sequence is designed to satisfy the timeline requirements of applicable regulatory frameworks, including the Office of Management and Budget's memorandum on migration to post-quantum cryptography for federal agencies and the emerging guidance from financial regulators on quantum security preparedness.
AI-native security architecture
The AI security architecture engagement designs the behavioral baseline models, anomaly detection systems, and agentic response capabilities required for the client's specific threat environment, governed from the outset by the permission scope and audit trail requirements that the regulatory and operational context demands. The architecture is designed to integrate with the client's existing security information and event management infrastructure and to provide the human-readable explanations of AI decisions required for both operational use and regulatory examination.
Quantum-secure critical infrastructure design
The critical infrastructure engagement assesses the cryptographic posture of operational technology systems, designs the migration path to post-quantum-compliant communications protocols, and produces the governance framework for ongoing cryptographic posture management. It is designed to satisfy the specific regulatory requirements of the applicable critical infrastructure sector, including NERC CIP for electricity, Transportation Security Administration requirements for pipeline and transportation, and the emerging CISA guidance on AI and quantum security for critical infrastructure broadly.
09 โ Conclusion
The quantum security transition will separate organizations that prepared from organizations that responded. The window for preparation is narrowing.
The convergence of AI-enabled offensive capabilities and quantum cryptographic threats is creating a security environment that is qualitatively more challenging than the one that current security architectures were designed to address. The organizations that maintain secure operations through this transition will not be the ones with the most sophisticated current-generation security tools. They will be the ones that treated post-quantum cryptographic migration as a present-tense infrastructure program when it was still optional, rather than an emergency retrofit when it became mandatory.
The compound risk of inaction is specific and calculable. Every day that data is transmitted or stored under current public key encryption is a day of additional harvest-now-decrypt-later exposure. Every day that security operations rely on human-paced detection and response is a day of structural disadvantage against AI-enabled adversaries operating at machine pace. Every day that cryptographic migration is deferred is a day that reduces the time available to complete the migration before regulatory requirements or operational incidents force it.
Joemah works with financial institutions and critical infrastructure operators that are ready to address both threats with the architectural precision and governance rigor that the stakes require. The engagement begins with the cryptographic asset inventory and AI security architecture assessment that establishes where the organization sits in the threat landscape, and ends when the migration is complete and the AI security architecture is in production and performing against defined security outcome metrics.
01 โ Executive Summary
The security threat landscape has bifurcated. Classical defenses address a threat that is being rapidly superseded.
The organizations responsible for protecting financial infrastructure, energy grids, healthcare systems, and government operations are defending against two simultaneous and interacting threat developments that require fundamentally different responses. The first is the maturation of AI-enabled offensive capabilities, which has dramatically lowered the skill threshold required to conduct sophisticated cyberattacks, increased the speed at which attack campaigns can be developed and deployed, and enabled adversaries to operate at a scale and persistence that human-operated offensive capabilities cannot match. The second is the development of cryptographically relevant quantum computing, which threatens to render the public key cryptography underpinning current digital security infrastructure obsolete on a timeline that is measured in years, not decades.
These two developments interact in ways that amplify the urgency of each. AI-enabled adversaries operating today are harvesting encrypted data that will become decryptable when quantum hardware reaches sufficient capability. The organizations that do not complete post-quantum cryptographic migration before that threshold is crossed will find that their historical communications, transaction records, and sensitive data are exposed retroactively, with no technical remediation available after the fact. This paper examines both developments in depth, with specific attention to their implications for financial infrastructure and other critical systems.
The organizations that will maintain secure operations through the quantum transition are not the ones with the most sophisticated current-generation security tools. They are the ones that have treated post-quantum cryptographic migration as a present-tense infrastructure program and AI-native threat detection as a design requirement rather than a product procurement.
02 โ Threat Landscape
How AI-enabled offensive capabilities have permanently changed the economics of cyberattack.
The economics of cyberattack have changed structurally with the availability of large language models and AI-enabled offensive tooling. Operations that previously required teams of skilled adversaries with specific expertise in target reconnaissance, vulnerability research, exploit development, and operational security can now be conducted by significantly smaller teams with significantly lower average skill levels, because AI systems can perform the research, drafting, and technical assistance functions that previously required human expertise at each stage of an attack campaign.
The practical consequences are observable across the threat landscape. Phishing and social engineering campaigns have become dramatically more convincing as AI systems enable the generation of contextually accurate, grammatically correct, and psychologically sophisticated lure content at scale, personalized to the target using publicly available information. Vulnerability research and exploit development are being accelerated by AI code analysis tools that can identify security flaws in target software faster than human researchers. And the operational security of adversary infrastructure is being maintained more effectively as AI systems automate the rotation of command and control infrastructure and the evasion of network-based detection.
For financial infrastructure specifically, the combination of AI-enabled social engineering and AI-enabled vulnerability research is producing a threat environment where the attack surface is expanding faster than classical defense mechanisms can cover it. The authentication systems, access controls, and anomaly detection systems that were designed around the assumption of human-paced offensive operations are being bypassed by adversaries operating at machine pace.
3,000%
increase in AI-enabled phishing and social engineering attempts targeting financial institutions documented between 2022 and 2024, per FS-ISAC threat intelligence reports
03 โ Quantum Cryptography
Why post-quantum cryptographic migration is the most urgent infrastructure program that most organizations have not yet begun.
The public key cryptography that secures virtually all digital communications and transactions, RSA, elliptic curve cryptography, and Diffie-Hellman key exchange, derives its security from the computational difficulty of specific mathematical problems: integer factorization for RSA, and the discrete logarithm problem for elliptic curve and Diffie-Hellman systems. These problems are computationally hard for classical computers, which is why current encryption is secure against classical attacks. They are not computationally hard for quantum computers running Shor's algorithm, which can solve both problems in polynomial time on a sufficiently powerful quantum processor.
The question of when a quantum computer capable of running Shor's algorithm at cryptographically relevant scale will be available is genuinely uncertain. Credible estimates from the academic and government research community place this threshold at between five and fifteen years from the current date. The uncertainty in this estimate does not reduce the urgency of migration. It increases it, because the harvest-now-decrypt-later attack strategy means that the risk crystallizes not at the moment quantum computers can break current encryption, but at the moment adversaries begin collecting encrypted data with the intention of decrypting it later.
This moment has already passed. Intelligence community assessments and private sector threat intelligence reports consistently indicate that state-sponsored adversaries have been collecting encrypted data from high-value targets for several years in anticipation of future quantum decryption capability. Financial transaction records, government communications, intellectual property, and sensitive personal data collected under current encryption standards are already in adversary hands, awaiting the hardware that will make them readable.
The NIST post-quantum standards and what they require
The National Institute of Standards and Technology finalized its first set of post-quantum cryptographic standards in August 2024, following an eight-year standardization process. The standards specify four algorithms: CRYSTALS-Kyber for key encapsulation, and CRYSTALS-Dilithium, FALCON, and SPHINCS plus for digital signatures. These algorithms are based on mathematical problems that are believed to be hard for both classical and quantum computers, providing security against both current and anticipated future attacks.
Migration to these standards is not a software update. It is a multi-year infrastructure program that requires cryptographic asset inventory across every system that uses public key cryptography, dependency mapping to identify where cryptographic operations are embedded in applications and infrastructure, algorithm transition planning that sequences the migration to prioritize the highest-risk data and systems, implementation and testing of the new algorithms in all affected systems, and ongoing governance of the cryptographic posture as the standards themselves evolve and as the organization's systems change.
For large financial institutions and critical infrastructure operators, this program may involve hundreds of applications, thousands of cryptographic dependencies, and years of engineering work. Organizations that have not begun this inventory and planning work are not in a position to complete the migration before the threat materializes, regardless of the resources they allocate to it after the fact.
8 years
minimum estimated timeline for a large financial institution to complete post-quantum cryptographic migration from first inventory to full deployment, based on comparable infrastructure transformation programs
04 โ AI Threat Intelligence
How AI-native security architectures are closing the detection and response gap that classical security tools cannot close.
Classical security operations centers are built around a human-in-the-loop model: automated tools generate alerts, human analysts triage those alerts, and human decision-makers authorize response actions. This model was designed for a threat environment where attacks were conducted by human adversaries operating at human pace, where the volume of security events was manageable by human analysts, and where the time from initial compromise to detection was measured in days or weeks, leaving adequate time for human-paced investigation and response.
AI-enabled adversaries do not operate within these assumptions. Machine-paced attacks compress the time from initial access to lateral movement, privilege escalation, and data exfiltration to minutes or hours. The volume of security telemetry generated by modern enterprise infrastructure exceeds what human analysts can process, creating systematic blind spots that adversaries exploit. And the sophistication of AI-enabled evasion techniques is specifically designed to defeat signature-based and rule-based detection that relies on known attack patterns.
Behavioral AI for anomaly detection
AI security systems trained on normal behavioral baselines for users, endpoints, networks, and applications can identify deviations from those baselines that indicate compromise even when the specific attack technique is novel and has no known signature. This behavioral approach is not subject to the evasion techniques that defeat signature-based detection, because it is detecting the consequences of malicious activity on system behavior rather than the specific tools or techniques used to produce those consequences. For financial infrastructure specifically, where the adversary's ultimate objective is financial transaction manipulation or data exfiltration, behavioral AI can detect the anomalous transaction patterns, unusual data access, and abnormal network communications that indicate an active intrusion even when the initial access technique leaves no detectable signature.
Agentic threat response
The response latency of human-operated security operations centers is structurally insufficient for machine-paced attacks. By the time a human analyst has triaged an alert, escalated it to a decision-maker, obtained authorization for a response action, and executed that action, an AI-enabled adversary may have already completed the objectives of the attack. Agentic AI security systems that can autonomously execute containment and isolation actions within a defined permission scope, on timescales of seconds rather than minutes, can interrupt attack campaigns before they reach their objectives. The governance architecture for these systems, defining the permission scope within which autonomous response is authorized and the threshold at which human authorization is required, is the critical design decision that determines whether autonomous response capability is an effective security tool or an operational risk.
05 โ Financial Infrastructure
Why financial institutions face a uniquely acute version of the quantum security problem, and what the architecture of a quantum-secure financial institution looks like.
Financial institutions face a uniquely acute version of the quantum security problem for three reasons that do not apply with the same force to other sectors. First, financial data is among the highest-value targets for long-term data collection, because the information contained in financial transaction records, customer profiles, and proprietary trading strategies retains its value for years and in some cases decades after it is collected. A state-sponsored adversary collecting encrypted financial data today is investing in an intelligence asset whose value will persist long after the encryption protecting it is broken.
Second, financial institutions operate under regulatory frameworks that create specific obligations around data security that extend backward in time. The Bank Secrecy Act's record retention requirements, which mandate retention of certain transaction records for five years, mean that financial institutions are legally required to maintain records that, if collected by an adversary under current encryption and decrypted in the future, would represent a significant privacy and security breach of data that the institution was legally required to retain. The intersection of retention requirements and harvest-now-decrypt-later creates a compliance risk that does not have a precedent in the regulatory framework.
Third, financial infrastructure is a target for disruptive attacks, not just intelligence collection. The SWIFT financial messaging network, CHIPS and Fedwire large-value payment systems, and the securities clearing and settlement infrastructure are targets whose compromise would have systemic consequences extending well beyond the directly affected institutions. The security architecture of these systems must account for the possibility of quantum-enabled attacks against the cryptographic protocols that protect the integrity and authenticity of financial messages and transactions.
The architecture of a quantum-secure financial institution
A quantum-secure financial institution has completed four architectural transitions. First, all external-facing cryptographic protocols used in customer-facing applications, correspondent banking communications, and regulatory reporting have been migrated to NIST-standardized post-quantum algorithms. Second, internal network communications and data-at-rest encryption for high-sensitivity data have been migrated to post-quantum algorithms or protected with hybrid classical plus post-quantum encryption that provides security against both current and future attacks. Third, the cryptographic agility of all systems has been established, meaning the ability to update cryptographic algorithms without replacing the systems that use them, so that future algorithm transitions can be executed efficiently as the threat landscape evolves. Fourth, a continuous cryptographic inventory and governance process is in place that ensures new systems are deployed with post-quantum-compliant cryptography from the outset.
$1.4T
estimated value of financial transaction data exposed to harvest-now-decrypt-later risk in the global financial system, based on annual SWIFT message volume and average transaction data sensitivity
06 โ Critical Infrastructure
How the quantum security threat extends beyond financial systems to energy, water, and transportation infrastructure.
The quantum security threat to critical infrastructure extends well beyond financial systems to the operational technology that controls energy grids, water treatment systems, transportation networks, and telecommunications infrastructure. The industrial control systems and supervisory control and data acquisition systems that manage this infrastructure were not designed with cryptographic agility in mind, and many of the communications protocols they use, including legacy versions of protocols used in energy and water systems, provide limited or no cryptographic protection at all. The quantum transition creates both an urgency and an opportunity: an urgency to address the cryptographic vulnerabilities in critical infrastructure communications before quantum decryption capability enables adversaries to exploit them, and an opportunity to redesign the security architecture of critical infrastructure with modern cryptographic standards as the baseline.
The governance of AI systems in critical infrastructure security contexts carries requirements from multiple regulatory frameworks. In the United States, the Cybersecurity and Infrastructure Security Agency's guidance on AI in critical infrastructure, the Department of Energy's AI for critical infrastructure security initiatives, and sector-specific requirements from NERC CIP for the electricity sector and from the Transportation Security Administration for pipeline and surface transportation systems all establish expectations for the governance of AI systems that affect critical infrastructure security. Organizations deploying AI security systems in critical infrastructure contexts must design their governance architecture to satisfy these overlapping requirements from the outset.
07 โ Governance Architecture
The specific governance structures required for AI security systems in financial and critical infrastructure contexts.
The governance architecture for AI security systems in financial and critical infrastructure contexts is more complex than for AI systems in most other sectors because the consequences of AI security system errors include both false positives, blocking legitimate transactions or operations, and false negatives, failing to detect active attacks, each of which carries significant operational and regulatory consequences. The governance architecture must be designed to manage both error types with explicit thresholds and escalation paths that are aligned with the regulatory requirements and operational risk tolerance of the specific institution.
The permission scope for an autonomous AI security response system must specify with precision the categories of action the system can take without human authorization. In a financial institution context, this typically includes network isolation of compromised endpoints, blocking of anomalous outbound connections, and suspension of compromised user credentials, while requiring human authorization for actions that could disrupt customer-facing services or affect the integrity of financial transactions. The permission scope must be reviewed and approved by both the security function and the business operations function, because the operational consequences of autonomous security actions affect business continuity in ways that the security function alone cannot fully assess.
The audit trail architecture for AI security systems must satisfy multiple simultaneous requirements: the forensic requirements of incident investigation, which require the ability to reconstruct the full sequence of events leading to and following a security incident; the regulatory requirements of the applicable frameworks, which specify the information that must be retained and the retention periods; and the operational requirements of the security operations center, which require real-time visibility into AI system decisions and the ability to override those decisions when necessary.
08 โ Joemah Approach
How Joemah structures cybersecurity engagements for financial and critical infrastructure organizations navigating the quantum transition.
Joemah's cybersecurity practice is organized around the three capability areas where the intersection of quantum computing and AI creates the most significant security implications: post-quantum cryptographic migration, AI-native threat detection and response, and quantum-secure architecture design for critical infrastructure.
Post-quantum cryptographic migration
The cryptographic migration engagement begins with a comprehensive cryptographic asset inventory that maps every system, application, and data store that uses public key cryptography, classifies the data protected by each cryptographic dependency by sensitivity and retention requirement, and produces a risk-ranked migration sequence that prioritizes the highest-risk assets. The migration sequence is designed to satisfy the timeline requirements of applicable regulatory frameworks, including the Office of Management and Budget's memorandum on migration to post-quantum cryptography for federal agencies and the emerging guidance from financial regulators on quantum security preparedness.
AI-native security architecture
The AI security architecture engagement designs the behavioral baseline models, anomaly detection systems, and agentic response capabilities required for the client's specific threat environment, governed from the outset by the permission scope and audit trail requirements that the regulatory and operational context demands. The architecture is designed to integrate with the client's existing security information and event management infrastructure and to provide the human-readable explanations of AI decisions required for both operational use and regulatory examination.
Quantum-secure critical infrastructure design
The critical infrastructure engagement assesses the cryptographic posture of operational technology systems, designs the migration path to post-quantum-compliant communications protocols, and produces the governance framework for ongoing cryptographic posture management. It is designed to satisfy the specific regulatory requirements of the applicable critical infrastructure sector, including NERC CIP for electricity, Transportation Security Administration requirements for pipeline and transportation, and the emerging CISA guidance on AI and quantum security for critical infrastructure broadly.
09 โ Conclusion
The quantum security transition will separate organizations that prepared from organizations that responded. The window for preparation is narrowing.
The convergence of AI-enabled offensive capabilities and quantum cryptographic threats is creating a security environment that is qualitatively more challenging than the one that current security architectures were designed to address. The organizations that maintain secure operations through this transition will not be the ones with the most sophisticated current-generation security tools. They will be the ones that treated post-quantum cryptographic migration as a present-tense infrastructure program when it was still optional, rather than an emergency retrofit when it became mandatory.
The compound risk of inaction is specific and calculable. Every day that data is transmitted or stored under current public key encryption is a day of additional harvest-now-decrypt-later exposure. Every day that security operations rely on human-paced detection and response is a day of structural disadvantage against AI-enabled adversaries operating at machine pace. Every day that cryptographic migration is deferred is a day that reduces the time available to complete the migration before regulatory requirements or operational incidents force it.
Joemah works with financial institutions and critical infrastructure operators that are ready to address both threats with the architectural precision and governance rigor that the stakes require. The engagement begins with the cryptographic asset inventory and AI security architecture assessment that establishes where the organization sits in the threat landscape, and ends when the migration is complete and the AI security architecture is in production and performing against defined security outcome metrics.
Apply this to your organization
ยฉ 2025 Joemah. All rights reserved.
joemah.com/whitepaper/cybersecurity

