What Executive Order 14412 means for post-quantum AI and harvest-now-decrypt-later
Executive Order 14412 gives US federal systems until 31 December 2030 to move to post-quantum encryption, because adversaries are harvesting encrypted data now to decrypt it later.
What does Executive Order 14412 actually require?
On 22 June 2026, EO 14412 set a hard timeline for the US federal estate to migrate to post-quantum encryption: 31 December 2030 for encryption in general, and 31 December 2031 for authentication systems. The order names the threat directly. Adversaries are already capturing encrypted traffic and stored data and holding it, betting that a future quantum computer will let them decrypt it. The policy answer is to stop shipping data protected only by algorithms a quantum machine will one day break, and to start using standards built to survive that machine.
For anyone building or buying AI, the order is a signal that reaches well past federal IT. If data you protect today has to stay confidential or verifiable in 2032, the clock has already started.
What is harvest-now-decrypt-later, and why does it change the maths?
Harvest-now-decrypt-later is exactly what it sounds like. An attacker who cannot read your traffic today records it anyway. When a cryptographically relevant quantum computer arrives, they replay the recording against it and read everything at once. Classic public-key algorithms like RSA and elliptic-curve are the exposure, because a quantum computer running Shor's algorithm can factor and solve the discrete-log problems they rest on.
This flips the usual security timeline. Normally you protect data for as long as it is sensitive and you are done. Here you have to add the years an attacker is willing to wait. If a health record, a financial position or a defence decision has to stay private for ten years, and a quantum machine plausibly lands inside that window, then data encrypted with today's classic algorithms is already at risk the moment it leaves your building. That is why EO 14412 pushes migration now rather than at the point quantum arrives.
Why do AI audit records make the problem worse?
AI raises the stakes in two ways. First, AI systems ingest and generate enormous volumes of exactly the long-lived, high-value data that harvest-now-decrypt-later targets: patient histories, transaction flows, case files, intelligence products. Second, and less obvious, AI systems are increasingly asked to prove what they did. Regulated buyers want a tamper-evident record of every consequential action a model took, who approved it, and on what data.
That audit record has to stay verifiable for years. If the signature protecting it depends on a classic algorithm, a future quantum computer does not just read the record, it can forge new ones that look authentic. An audit trail you cannot trust in 2032 is worse than no audit trail, because it invites false confidence. So the post-quantum question is not only about encryption in transit. It is about the integrity of the evidence AI produces.
What is Mickai's answer to this?
Mickai seals every consequential AI action with an ML-DSA-65 signature under FIPS 204, a NIST-standardised post-quantum algorithm. ML-DSA is a lattice-based signature scheme built to resist quantum attack, so the attestations Mickai writes into its audit ledger stay verifiable even against an adversary who harvested them today and waits a decade to strike.
In plain terms: when Mickai records that a model made a decision, on which data, under which policy, that record is signed with the kind of cryptography EO 14412 is telling federal systems to adopt. The signature is designed to still mean something after quantum arrives. For a defence, finance, healthcare or government buyer, that is the difference between an audit log that ages into a liability and one that holds up.
We want to be precise about the limit. This protects the integrity and authenticity of Mickai's own attestations against harvest-now-decrypt-later. It future-proofs the evidence layer. It is not a whole-estate compliance guarantee. It does not migrate your other systems, your databases, your networks or your legacy applications to post-quantum cryptography. Meeting EO 14412 across an organisation is a programme of work that touches everything that stores or transmits sensitive data. Mickai secures its part of that estate to a post-quantum standard. It does not exempt you from doing the rest.
What should regulated buyers do now?
Start by inventorying where you rely on classic public-key cryptography for anything that must stay confidential or verifiable past roughly 2030. Prioritise the long-lived material: archives, backups, audit and evidence stores, anything under a legal retention duty. Those are the harvest-now-decrypt-later targets, because their value survives the wait.
Then, when you assess AI systems, ask a specific question. How are the system's audit records signed, and does that signature survive a quantum attack? A vendor that signs attestations with a classic algorithm is handing you an evidence base with an expiry date. One that uses a NIST post-quantum standard is giving you records built to outlast the threat. Mickai is designed to be the second kind, and to be an honest ally to a buyer running that scorecard rather than a claim that the box is now ticked everywhere.
The wider point of EO 14412 is that migration takes years and the harvest is already happening, so the safe assumption is that anything you protect with classic cryptography today may be read tomorrow. For the data AI touches, and above all for the records AI produces to prove its own work, post-quantum protection is not a 2030 project. It is a decision to make on the systems you deploy this year.
What Mickai does about it
We sign every consequential AI action with a NIST post-quantum signature, ML-DSA-65 under FIPS 204, so the audit ledger stays verifiable for the long haul. That hardens Mickai's own evidence against harvest-now-decrypt-later. It is one solid, provable piece of a post-quantum estate, offered plainly, not a promise that the whole migration is done for you.
“EO 14412, issued 22 June 2026, sets a 31 December 2030 deadline for US federal post-quantum encryption and 31 December 2031 for authentication.”
Frequently asked questions
What deadline does Executive Order 14412 set?
EO 14412, issued on 22 June 2026, requires US federal systems to move to post-quantum encryption by 31 December 2030, with authentication systems following by 31 December 2031. The order cites adversaries harvesting encrypted data now to decrypt it later once quantum computers arrive.
What is harvest-now-decrypt-later?
It is an attack strategy where an adversary records encrypted data they cannot yet read, then decrypts it in future using a quantum computer. It matters because any data that must stay private for years is already exposed if it is protected only by classic algorithms like RSA or elliptic-curve.
Why are AI audit records especially at risk?
Audit records have to stay verifiable for years, and if their signatures rest on classic cryptography, a future quantum computer could not only read them but forge convincing new ones. That would turn a tamper-evident record into one you can no longer trust.
How does Mickai address the post-quantum threat?
Mickai seals every consequential AI action with an ML-DSA-65 signature under FIPS 204, a NIST-standardised post-quantum scheme. This keeps its audit attestations verifiable against an adversary who harvests them today and attacks them years later.
Does using Mickai make an organisation compliant with EO 14412?
No. Mickai future-proofs the integrity of its own audit attestations to a post-quantum standard. It does not migrate the rest of an organisation's systems, databases or networks. Full compliance is a wider programme of work; Mickai secures its part of it honestly.
What should buyers ask AI vendors now?
Ask how the system's audit records are signed and whether that signature survives a quantum attack. A vendor using a NIST post-quantum standard gives you evidence built to outlast the threat; one using classic algorithms hands you records with an expiry date.




