MICKAI®
Article · 12 July 2026

Post-quantum migration: a CIO sequence from cryptographic inventory to air-gapped record

A staged post-quantum migration for CIOs, from cryptographic inventory to a sovereign air-gapped ledger, so quantum readiness is planned rather than improvised at Q-Day.

Post-quantum migration: a CIO sequence from cryptographic inventory to air-gapped record
Author
Micky Irons
Published
12 July 2026
Follow Micky Irons
LinkedInX
sovereign aipost-quantum migrationcryptographic inventorycrypto-agilityair-gapped ledger

A CIO migrates post-quantum in stages: inventory cryptography, prioritise long-lived records, adopt FIPS 204 or 205, run hybrid, then air-gap, because Q-Day rewards preparation.

The question matters in 2026 because harvest-now-decrypt-later collection is already under way, NIST published its post-quantum standards in 2024, and regulated sectors face rising resilience duties: DORA has been in force since January 2025 and NIS2 covers essential and important entities. Records signed today with classical cryptography may still need to hold their integrity long after a quantum computer can forge those signatures, so the migration clock started before the hardware arrived.

Where does a CIO start a post-quantum migration?

Start with a cryptographic inventory: map every place cryptography signs, encrypts or protects data, because you cannot migrate what you have not located and named.

A migration that skips discovery fails quietly. We begin by cataloguing every key, certificate, signing service and protocol across the estate: TLS termination, code signing, document signatures, database encryption, backups and hardware roots of trust. The output is a cryptographic bill of materials that names each algorithm, its key length and where it lives. Nothing moves until the map exists, because an unlisted signing key is an unmanaged risk.

Post-quantum migration: a CIO sequence from cryptographic inventory to air-gapped record, illustration 1

Which records must move first?

Prioritise long-lived records first: anything an adversary can harvest now and decrypt later, because data with a decade of secrecy value is already exposed today.

Not every record carries the same clock. Data whose secrecy must hold for a decade, health records, defence material, legal holds, financial archives and state records, is the harvest-now-decrypt-later target, because an adversary can store encrypted traffic today and open it once a cryptographically relevant quantum computer exists. We rank records by secrecy lifetime and migrate the longest first, so the most exposed data leaves the vulnerable scheme soonest.

Post-quantum migration: a CIO sequence from cryptographic inventory to air-gapped record, illustration 2

Which signatures should protect new records?

Sign new records with FIPS 204 (ML-DSA) or FIPS 205 (SLH-DSA); FIPS 203 (ML-KEM) only encapsulates keys and never signs the audit ledger.

New records should be born quantum-resistant. NIST standardised the signature schemes in 2024: FIPS 204, ML-DSA, and FIPS 205, SLH-DSA, sign records and the audit ledger. FIPS 203, ML-KEM, encapsulates keys for confidentiality and never signs. Keeping that distinction clean matters: a signature proves who acted and that a record is unaltered, and only FIPS 204 or 205 belong on the ledger that an auditor will one day verify.

Post-quantum migration: a CIO sequence from cryptographic inventory to air-gapped record, illustration 3

What does the full CIO sequence look like?

The sequence runs in six stages from inventory to air-gapped record, each producing evidence for an auditor, so proof accumulates rather than arriving at Q-Day.

StageGoalWhat you control after itProof it produces
InventoryLocate every use of cryptographyA named map of keys, certificates and signing pointsA signed cryptographic bill of materials
PrioritiseRank records by secrecy lifetimeAn ordered queue led by long-lived dataA risk register of harvest-now targets
Adopt signaturesSign new records post-quantumFIPS 204 or 205 protecting fresh outputQuantum-resistant signatures on new records
Run hybridKeep classical and post-quantum togetherContinuity if either scheme is brokenDual-signed records through the transition
Build crypto-agilitySwap algorithms without re-architectingAlgorithm identifiers you can rotateA registry of versioned algorithm identifiers
Air-gap recordMove sensitive records offlineA sealed ledger with no egress pathA post-quantum signed, offline audit chain
Post-quantum migration: a CIO sequence from cryptographic inventory to air-gapped record, illustration 4

Why run hybrid and build crypto-agility?

Run hybrid so a break in either scheme cannot expose you, and tag records with algorithm identifiers so future rotation is configuration, not reconstruction.

During the transition, neither scheme should stand alone. Hybrid signing binds a classical signature and a post-quantum signature to the same record, so a break in either does not expose it and interoperability with older systems holds. Crypto-agility is the second half: every signed object carries an algorithm identifier, so when a scheme is deprecated, rotation becomes a configuration change and not a rebuild. Systems without identifiers force reconstruction; systems with them adapt.

Post-quantum readiness is not a product you buy at Q-Day; it is a sequence you execute now, so the ledger that outlives the threat was signed before the threat arrived.

Where do the most sensitive records finally rest?

The most sensitive records belong in a sovereign air-gapped ledger: offline, operator-owned, with zero-egress perimeter and hardware-attested identity bound to a post-quantum signed audit chain.

The endpoint of the sequence is a record that no network can reach. Mickai is a Sovereign Intelligence Operating System, a SIOS, built and live, running offline on operator-owned hardware with every action cryptographically sealed. Sensitive records rest in an air-gapped ledger behind a zero-egress inbound perimeter, with hardware-attested identity bound to a post-quantum signed audit chain and cross-model consensus across 50 brains, 25 domain and 25 operational, recording each decision. This matters because the US CLOUD Act can compel a US-based provider to disclose data regardless of where its servers sit, so the most sensitive records cannot live in a public cloud AI service such as ChatGPT, Copilot or Gemini. Those services are the right choice for open, low-sensitivity work at scale; sovereign records simply belong somewhere no external subpoena can reach. Our approach is documented across 104 filed UK patent applications and 2,340 claims, owned by Mickai LTD (Companies House 17166618), filed and patent pending.

Frequently asked questions

When is Q-Day, and should we wait for it?

Q-Day is the point at which a cryptographically relevant quantum computer can break today's public-key cryptography, and no fixed date is guaranteed. Waiting is the risk, because long-lived records harvested now can be decrypted retrospectively once that day arrives. The safe posture is to migrate the longest-lived records first and treat readiness as work completed before the threat, not after it.

Do we have to migrate every system to post-quantum at once?

No. The sequence is deliberately staged: inventory first, then the longest-lived records, then new signatures, then hybrid and crypto-agility. Migrating by secrecy lifetime means the most exposed data moves soonest while lower-risk systems follow, so the estate transitions in a controlled order rather than a single disruptive cutover.

Which standard actually signs the audit ledger?

FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) sign the audit ledger and new records. FIPS 203 (ML-KEM) is a key-encapsulation mechanism for confidentiality and never signs anything. A ledger that must prove who acted and that a record is unaltered relies on the signature schemes, so keeping FIPS 203 out of the signing path is deliberate.

How does hybrid cryptography avoid breaking my existing systems?

Hybrid binds a classical signature and a post-quantum signature to the same record. Older systems that only understand classical schemes continue to verify, while post-quantum-aware systems gain the stronger guarantee. If either scheme is later broken, the record is still protected by the other, so the transition carries no single point of failure.

Can we keep the most sensitive records in a public cloud AI service?

For open, low-sensitivity work, public cloud AI services are capable and convenient. For the most sensitive records, the US CLOUD Act can compel a US-based provider to disclose data regardless of where servers sit, so those records belong on offline, operator-owned hardware. A sovereign air-gapped ledger with a zero-egress perimeter removes that exposure entirely.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/post-quantum-migration-a-cio-sequence-from-inventory-to-air-gap. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles