MICKAI
Article · 8 July 2026

Harvest Now, Decrypt Later: Why an AI Audit Log Needs Post-Quantum Signatures

An AI evidence record built to last a decade must be signed with post-quantum ML-DSA today, or a future quantum computer can forge it retroactively.

Harvest Now, Decrypt Later: Why an AI Audit Log Needs Post-Quantum Signatures
Author
Micky Irons
Published
8 July 2026
Follow Micky Irons
LinkedInX
post-quantum cryptographyai audit logml-dsafips 204ai governance

An AI audit log needs post-quantum signatures because the record has to stay provable for longer than classical cryptography is expected to survive. A signature made today with RSA or ECDSA can be forged the day a cryptographically relevant quantum computer exists, and that day plausibly falls inside the ten-year lifespan of a regulated AI decision record. The fix is to sign the ledger now with a post-quantum algorithm such as ML-DSA under FIPS 204, so a record created in 2026 is still tamper-evident in 2036. The evidence must outlive the maths that protects it.

This matters in 2026 because AI systems now produce records that regulators, auditors and courts will read years later. Every prompt, model version, retrieval source, tool call and human override in a high-risk system becomes evidence of how a decision was reached, and if the signature on that evidence can be forged in the future, the evidence is worthless in the future. Mickai is a Sovereign Intelligence Operating System (a SIOS) built around this problem: an offline system on operator-owned hardware where every action is cryptographically sealed to hold long after classical signatures fail.

What is harvest now, decrypt later, and why does it apply to logs?

Harvest now, decrypt later describes an attacker who captures protected data today and waits for a future capability to break it. The phrase is usually applied to encrypted traffic, but it applies just as sharply to signed records, and there the twist is worse: with encryption the harm is disclosure, with signatures it is forgery. An adversary who anticipates tomorrow's signature break does not even need your audit log: they wait until the algorithm falls, then manufacture a false record and sign it with a forged key that verifies against your public key. A long-lived signed ledger is a standing invitation to backdate history.

Harvest Now, Decrypt Later: Why an AI Audit Log Needs Post-Quantum Signatures, illustration 1

Why is a classical signature not enough for a ten-year record?

RSA and ECDSA rest on problems a large quantum computer is expected to solve efficiently using Shor's algorithm. When that happens, anyone with the public key can derive the private key and sign anything. NIST has told organisations to migrate from RSA and ECC to post-quantum algorithms by 2030, with quantum-ready cryptography mandatory for US government systems after 2035. Read those dates against the retention of an AI decision, whose records may be challenged eight or ten years later. If the record is signed classically, its integrity guarantee expires before its evidentiary life does, so the signature is a promise that quietly stops being true.

Harvest Now, Decrypt Later: Why an AI Audit Log Needs Post-Quantum Signatures, illustration 2

How does ML-DSA under FIPS 204 fix it?

FIPS 204, finalised by NIST in August 2024, standardises ML-DSA, a signature scheme built on the Module Learning With Errors lattice problem, against which no efficient quantum algorithm is known. A record signed with ML-DSA today stays unforgeable even after a quantum computer arrives, because the underlying problem does not fall to Shor's algorithm. We bind each entry in the audit chain to the previous one and sign the chain with ML-DSA, so the ledger is append-only and post-quantum sealed: tampering with a past entry breaks the chain, and forging a new one needs a key no quantum computer can recover. The design runs offline behind a zero-egress inbound perimeter with hardware-attested identity bound to the chain, and it sits within 104 filed UK patent applications and approximately 2,340 claims owned by Mickai LTD, all patent pending.

Harvest Now, Decrypt Later: Why an AI Audit Log Needs Post-Quantum Signatures, illustration 3

What can an auditor actually check?

An auditor should be able to verify the record without trusting the vendor and without a network connection. A defensible ledger lets an auditor:

  • Recompute the hash chain from genesis and confirm no entry has been altered or removed.
  • Verify every entry's signature against a published post-quantum public key, offline.
  • Confirm the signing identity is bound to attested hardware, not a portable software key.
  • See the model version, prompt, retrieval sources, tool calls and any human override for each decision.
  • Repeat the check in ten years and get the same answer.
Harvest Now, Decrypt Later: Why an AI Audit Log Needs Post-Quantum Signatures, illustration 4

Which rules make this necessary?

Several regimes now demand durable, tamper-evident records of automated decisions. DORA has been in force across EU financial entities since January 2025 and requires demonstrable operational resilience and evidence. NIS2 raises logging and accountability duties for essential and important entities, GDPR gives data subjects rights over automated decisions that must be evidenced years later, and ISO/IEC 42001 sets an auditable AI management standard. The EU AI Act's high-risk obligations under Annex III, once due on 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, with embedded high-risk systems under Annex I moving to 2 August 2028 and the Article 50 transparency duties largely unchanged. We read that deferral as a build window, not a reprieve, because the records these rules govern must survive their full retention period, the exact horizon over which classical signatures fail.

Why does the location of the log matter too?

Post-quantum signing protects integrity, not custody. Public cloud AI services process regulated data on infrastructure a foreign government can compel under statutes like the US CLOUD Act, which alone rules those services out of the sensitive path for many regulated buyers. A sovereign design keeps the AI, the data and the ledger on operator-owned hardware behind a zero-egress inbound perimeter, so the seal is applied where the operator holds the keys and the evidence never leaves the operator's control. Integrity and custody are separate guarantees, and a serious record needs both.

A signature is a promise about the future, and a record built to last a decade must be signed with cryptography that will still be unbroken when the decade ends.

Frequently asked questions

When will quantum computers be able to break audit log signatures?

No credible source gives a fixed date, and we will not invent one. What is fixed is the guidance: NIST has told organisations to move off RSA and ECC by 2030 and treats quantum-ready cryptography as mandatory for US government systems after 2035. Because a harvest now, decrypt later attacker forges records after the break, any record you must defend past 2035 should be signed with a post-quantum algorithm today.

Is ML-DSA the same as CRYSTALS-Dilithium?

Yes. ML-DSA is the name NIST gave to the standardised CRYSTALS-Dilithium signature scheme when it published FIPS 204 in August 2024. It comes in three parameter sets, ML-DSA-44, ML-DSA-65 and ML-DSA-87, at increasing security levels, and serves as a category replacement for RSA and ECDSA signatures where long-term integrity matters.

Can we just re-sign our old logs later with a post-quantum key?

Re-signing helps only if the original record was already tamper-evident when you re-sign it. If a classical signature breaks before you migrate, an attacker can alter history first and present the forged record for re-signing, and you cannot tell the difference. Signing post-quantum at the moment of creation removes that window, which is why the decision belongs now, not at a future migration.

Does a post-quantum audit log satisfy the EU AI Act?

Post-quantum signing is not itself a checkbox in the AI Act, but the Act's high-risk record-keeping and traceability duties require records that stay reliable across a long retention period. A tamper-evident, offline-verifiable, post-quantum signed ledger is a strong way to meet that durability requirement. With the Annex III obligations now deferred to 2 December 2027, the sensible move is to build this in during the window rather than retrofit under deadline.

Why does the audit log need to run offline?

Offline operation gives you two things a cloud log cannot. First, verifiability without trusting the vendor: an auditor checks the chain and signatures on operator-owned hardware with no network call. Second, custody: the evidence and its signing keys stay inside the operator's jurisdiction, beyond the reach of foreign compulsion statutes.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/harvest-now-decrypt-later-why-ai-audit-logs-need-post-quantum-signatures. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles