The Post-Quantum Deadline

Somewhere right now, in a data centre you will never see, a copy is being made. Not of a stolen password or a leaked spreadsheet, but of encrypted traffic that nobody can read yet. The people making the copy are patient. They do not need to break the encryption today. They only need to keep it, indexed and dated, until the machine arrives that turns it into plain text. That machine is a large fault-tolerant quantum computer, and the entire premise of this strategy is that it does not exist in public hands yet. The premise is also that it eventually will.

This is harvest-now-decrypt-later, and it is not a thriller plot or a conference slide. It is the single most underestimated fact in the design of every artificial intelligence system being built this year. We talk endlessly about model safety, alignment, hallucination, bias, and the social weight of automated decisions. We talk far less about the cryptographic floor those systems stand on, and whether that floor is already cracked. Because the inconvenient truth is this. If your AI runs on classical public-key cryptography, then every secret it holds, every signed decision it makes, and every record it produces is on a countdown that has already started.

The deadline is not in the future

There is a comfortable way to read the quantum threat, and most institutions have chosen it. The comfortable reading goes like this. A cryptographically relevant quantum computer is years away, perhaps a decade, perhaps more, and so the migration to quantum-safe algorithms is an engineering project for the future, to be scheduled, budgeted, and de-risked in the calm manner of all large infrastructure work. This reading is wrong in a way that matters, and the error is about time, not technology.

The error is to treat the threat as if it arrives on the day the quantum computer switches on. It does not. The threat arrives on the day your data is captured, and that day is today, or yesterday, or any day in the last several years. Encrypted information is not perishable in the way a stolen credit card is perishable. It does not expire when you rotate a key or patch a server. A medical record, a legal judgment, a model weight, a state secret, a decision an AI made about a human being, these things remain sensitive for years and often for decades. If that data is exfiltrated in encrypted form now and decrypted in 2032, the harm is identical to the harm of decrypting it today. The interval bought nothing.

So the real deadline is not the arrival of the quantum computer. The real deadline is the moment data with a long shelf life starts crossing a network you do not control. For most organisations that moment is already in the rear-view mirror. They have already lost the race they did not know they were running. The only question that remains open is how much of what they generate from this day forward will join the harvest, and whether they will keep feeding it out of habit and inertia.

“The quantum computer is not the threat. The patience of the people waiting for it is the threat.”

Why AI raises the stakes beyond ordinary data

Every system that handles sensitive information faces the harvest. Banks, hospitals, governments, all of them. But artificial intelligence raises the stakes in three specific ways that ordinary databases do not, and it is worth being precise about each, because the difference is not rhetorical.

The first is the model itself. A trained model is a compressed, lossy memory of everything it was trained on. Weights are not inert numbers. They are an asset that can be stolen, copied, and, with effort, partially inverted to recover characteristics of the training data. A harvested encrypted copy of a proprietary model, decrypted years later, hands an adversary not just a file but the accumulated intelligence baked into it. The cost of producing that model can be enormous. The cost of copying the ciphertext is nearly nothing.

The second is the record of decisions. We are rapidly moving into a world where AI systems do not merely advise but act. They approve, deny, allocate, flag, and decide, sometimes at scales no human committee could match. When such a system makes a consequential decision, that decision needs to be attributable, tamper-evident, and verifiable, often for years afterwards, in audits, in court, in the slow reckonings of accountability. If the signatures and audit trails that prove who decided what, and when, are themselves signed with classical cryptography, then a future quantum adversary cannot only read those records. It can forge them. It can produce a perfect counterfeit of a decision that never happened, signed with a key it has reconstructed, and no classical verifier will be able to tell the difference.

The third is concentration. AI centralises. It pulls the most sensitive data of an organisation, a sector, sometimes a nation, into training corpora and inference pipelines and logs. It creates dense, high-value targets where there used to be scattered, low-value ones. The harvest loves concentration. A single compromised AI pipeline can yield more decryptable intelligence in one capture than a thousand ordinary breaches. We are building the richest possible targets and, in many cases, wrapping them in cryptography we already know how to date-stamp for future breaking.

Signatures are the part nobody mentions

Most of the public conversation about post-quantum cryptography fixates on confidentiality, on keeping secrets secret. That is the harvest-now-decrypt-later story, and it is real. But there is a second front that gets far less attention and may matter more for the future of trustworthy AI, and that is authenticity. The question is not only can an adversary read this, but can an adversary forge this.

Digital signatures are the connective tissue of trust in any serious system. They are how a piece of software proves it has not been tampered with, how a transaction proves it was authorised, how a record proves it was written by who it claims and has not been altered since. The classical signature schemes underpinning almost all of this, the ones based on the hardness of factoring or discrete logarithms, fall to the same quantum algorithm that breaks classical encryption. When they fall, confidentiality is not the only casualty. Provenance is. The ability to prove that something is genuine, and that a record of an action is the true record, evaporates.

For an intelligence system that takes consequential actions, this is the deeper wound. An organisation can perhaps survive the embarrassment of old secrets being read. It is far harder to survive a world in which the chain of evidence proving what your systems actually did can be rewritten after the fact by anyone with the right machine. That is why a sovereign approach has to treat signatures as a first-class quantum-safe concern from the very first line of code, not as a confidentiality afterthought. The standard that matters here has a name, and it is worth knowing it.

FIPS 204 and the standard worth committing to

In 2024 the United States National Institute of Standards and Technology finalised the first federal standards for post-quantum cryptography, the product of a multi-year open competition that drew the world's cryptographers into a public, adversarial vetting process. Among them, FIPS 204 standardised a digital signature scheme called ML-DSA, the Module-Lattice-Based Digital Signature Algorithm, derived from the CRYSTALS-Dilithium submission. Its security rests not on factoring or discrete logarithms, which quantum computers are known to demolish, but on the hardness of lattice problems, for which no efficient quantum attack is known.

The parameter set worth committing to is ML-DSA-65, which targets a robust security level suitable for protecting information that must stay protected for the long term. It is not the smallest option and it is not the fastest, and that is precisely the point. When the asset you are signing is a consequential decision that may be examined in a courtroom in 2040, you do not optimise for the shortest signature. You optimise for the longest survivable trust. ML-DSA-65 is, today, a defensible answer to the question every sovereign system should be forced to answer. What happens to your signatures when the classical ones are forgeable?

A standard, though, is only as good as the discipline of its application. It is entirely possible to adopt FIPS 204 in name, sign a handful of things with it, and leave the soft underbelly of the system on classical cryptography, the keys, the transport, the storage, the long tail of records nobody thought to migrate. Half-migration is a particularly dangerous state, because it produces the confidence of being protected without the substance of it. This is why the honest position is not retrofit. It is genesis.

• Confidentiality at rest and in transit, so harvested ciphertext stays unreadable even to a future quantum adversary.
• Authenticity of every consequential action, signed under a standardised post-quantum scheme such as ML-DSA-65.
• Tamper-evidence, so any alteration of a record breaks a verifiable chain rather than passing silently.
• Offline verifiability, so trust does not depend on a live server, a vendor, or a network anyone can cut.
• Long-horizon key management, designed around data that stays sensitive for decades, not days.

Why retrofitting fails and genesis wins

There is a seductive logic to retrofitting. Build the system now with the tools we have, ship it, capture the market, and bolt on quantum-safe cryptography later when the standards settle and the libraries mature. It sounds prudent. It is, in fact, a quiet surrender, and it fails for reasons that are structural rather than merely cautionary.

It fails first because of the harvest. Everything a retrofitted system produces before its migration is already exposed to harvest-now-decrypt-later. You cannot retroactively protect a record that has already been copied off your network in classically encrypted form. The migration protects the future and abandons the past, and in a long-lived intelligence system the past is most of what matters. The records you generated in your first three years do not become less sensitive because you upgraded your cryptography in year four.

It fails second because cryptography is not a coat of paint. In any honestly engineered system, the assumptions of the cryptographic layer reach into the data formats, the key hierarchies, the audit structures, the verification flows, the very shape of how trust is represented. Tearing that out and replacing it later is not a patch. It is reconstructive surgery on a living system, performed under load, with every legacy record an awkward special case. Teams that promise to do it later are, in practice, promising to do the hardest possible version of the work at the least convenient possible time, and most will simply not do it at all. They will ship the retrofit plan and quietly let it rot in the backlog.

It fails third, and most importantly, because of what it signals about who the system is for. A system designed to be quantum-safe from genesis is making a statement about its time horizon and about whose interests it serves. It is saying that the records it produces are meant to outlast the cryptographic era they were born in, that the people who depend on it are owed protection measured in decades, that its trustworthiness is not a function of the next funding round but of the next generation. Retrofitting says the opposite. It says we will protect you when it becomes convenient for us. Sovereignty cannot be built on that sentence.

Sovereign intelligence has to be born quantum-safe

This is the heart of the argument, and it is where the abstract threat becomes a design principle. Sovereign intelligence, intelligence that a person, an institution, or a nation genuinely owns and controls rather than rents, cannot treat post-quantum security as a roadmap item. It has to be a property of the genesis state, present in the first block, the first key, the first signed record. Anything less is sovereignty with an expiry date, and a system that surrenders its secrets to a future adversary was never truly sovereign in the first place. It was merely private for a while.

This is the principle Mickai is built on. Mickai is a Sovereign Intelligence Operating System, and its design treats the cryptographic floor as the foundation rather than the finish. Every consequential action a brain takes is signed through the Open Audit Record, which uses FIPS 204 ML-DSA-65 to sign each action and hash-chains them into a tamper-evident sequence that can be verified offline, without a server, a vendor, or a network anyone can cut. The point of offline verifiability is exactly the point of this whole essay. Trust that depends on someone else staying online, staying honest, and staying in business is not trust you own. The Open Audit Record is the answer to the forgery problem, not the reading problem. It is designed so that the proof of what the system did survives into a future where classical signatures cannot be believed.

Underneath the intelligence layer sits Pantheon, the sovereign Layer 1, post-quantum from genesis and anchored to Bitcoin, currently on testnet. Pantheon exists because a sovereign intelligence needs a settlement and record layer that shares its threat model rather than undermining it. It carries a fixed supply of five billion PAN, and the raise behind it is thirty million pounds, but the figure that matters for this argument is not the supply or the raise. It is the word genesis. Post-quantum from genesis means the chain does not have a pre-quantum history waiting to be harvested and rewritten. It was born on the right side of the deadline. As with anything still on testnet, the honest framing is that this is a system being proven, not a finished product making finished claims, and it should be read that way.

On the model side, the same long-horizon discipline applies. Mickai's brains today are fine-tuned and specialised open foundations, Llama 3.2 and Qwen 2.5, and at the same time Mickai is actively training its own models now, with funding scaling that work toward fully native weights over time. The cryptographic genesis principle does not wait for the native weights to arrive. The signing, the audit chain, the offline verification, these are properties of the operating system the models run inside, true on day one regardless of how native the intelligence has become. That is what genesis means in practice. You do not earn quantum-safety by reaching maturity. You start there.

None of this is a small undertaking, and it is worth being candid that quantum-safe design carries real costs in size, speed, and engineering effort, which is exactly why so many systems defer it. The portfolio of 101 filed UK patent applications, with approximately 2,234 claims, owned by Mickai LTD and naming Micky Wagstaff-Irons as inventor, reflects how much of this architecture is novel rather than assembled from off-the-shelf parts. But the patents are evidence, not the argument. The argument is simpler and older than any filing. If you would not hand your secrets to your adversary today, do not encrypt them in a way that hands them over tomorrow.

The choice in front of everyone building intelligence

There is a tendency, when a threat is invisible and its payoff is deferred, to assume it is therefore optional. The harvest is invisible. The decryption is deferred. And so the natural human response is to file the whole matter under future problems and return to the urgent business of shipping. This is exactly the response the patient adversary is counting on. Every system that defers is a system that keeps feeding the harvest, and the harvest does not forget.

The choice in front of everyone building intelligence is not whether quantum computers will eventually arrive. That debate is a distraction, a way of arguing about the date so as to avoid acting on the principle. The choice is whether the records you produce from today onward will be readable and forgeable by whoever holds that machine when it comes. You can decide that today. You do not need to know the date. You only need to decide which side of the deadline your genesis is on.

Sovereign intelligence is not, at bottom, a technology category. It is a stance about time and ownership. It says that the things we build to think for us, to decide for us, to remember for us, must be built to outlast the cryptographic assumptions of the moment they were born in, because the consequences of their decisions will. A system that cannot keep a secret for a generation has no business making decisions that bind one. That is the standard. Quantum-safe from genesis, signed under a standard the world has openly vetted, verifiable without anyone's permission, owned by the person who depends on it and not by whoever happens to hold the keys this quarter.

The post-quantum deadline already passed for most of what has been built. It has not passed for what you build next. Mickai is one attempt to build everything that comes next on the right side of that line, with the cryptographic floor as bedrock rather than veneer. The harvest is patient, and it is already running. The only sovereign reply is to make sure that everything you commit to the record from this moment forward is born quantum-safe, so that when the machine finally arrives, it finds nothing of yours worth keeping. That is not a date in the future. It is a decision available now, and the only one that holds.