AI Export Controls Expose Hidden Risks to Post-Quantum Cryptography Migrations
In a recent development that underscores the complexities of cybersecurity, the U.S. government implemented a directive on June 12, suspending access to some of the most advanced artificial intelligence models from foreign nationals. This significant move has compelled governments and Chief Information Security Officers (CISOs) globally to reassess their strategies regarding the procurement of cyber defense technologies. As organizations embark on their journey toward adopting post-quantum computing cryptography, the timing of the AI sovereignty issue raises critical questions about dependencies and vulnerabilities.
Experts in quantum readiness have pointed out that this directive has unmasked the structural dependencies embedded in the cryptographic infrastructures that both governments and enterprises are striving to build. Countries are actively pursuing post-quantum cryptography migration initiatives, but the tools facilitating this transition primarily come from a narrow pool of vendors. This raises critical concerns regarding who controls the future of quantum-safe cryptography, as many organizations depend heavily on external sources, such as the U.S. National Institute of Standards and Technology (NIST) standards for post-quantum cryptography.
The implications of these dependencies have led to a growing conversation among policymakers, defense strategists, and technology leaders about "quantum sovereignty." This concept focuses on who builds, hosts, and controls quantum infrastructure and explores the repercussions when control is exercised against a nation. Louise Davey, a quantum risk advisor to the Canadian government and financial institutions, emphasizes the risk linked to reliance on foreign quantum computing capabilities. The crux of her argument centers on an often-overlooked question in boardrooms: What happens if our post-quantum cryptography vendor becomes inaccessible?
While some nations, like Canada and those in Europe, have started to grasp these risks, others lag in their understanding. Davey notes the prevalent narrative surrounding quantum computing as a threat to encryption, yet there is seldom a deep dive into the cascading risks associated with being part of a globally interconnected tech network. Davey elaborates that a significant portion of their post-quantum cryptography capabilities relies on a hyperscale vendor whose operations are based in a jurisdiction that may, without warning, limit access.
This reality leads to a sobering assessment of cryptographic agility. When such agility is dependent on a vendor that can be swayed by foreign governmental interests, the illusion of being prepared collapses. "It’s merely outsourced dependency dressed up as peace of mind," she declares.
Marin Ivezic, CEO of Applied Quantum and author of "Quantum Sovereignty," expands on the nuances of sovereignty. He argues that it exists on a spectrum rather than as a binary concept. Most countries are unlikely to produce their own quantum processors, but various forms of meaningful independence can still be achieved. The focus, he says, should be on understanding dependencies and the ability to withstand the loss of critical components within their infrastructure, offering the option to pivot when necessary.
The gap in awareness regarding these issues is not uniform across the globe. For instance, the U.S. has made significant strides by signing an executive order mandating a transition to post-quantum encryption for sensitive federal systems by 2030. This order also extends the requirement for federal contractors to comply with NIST post-quantum standards. Similarly, the European Union’s Quantum Europe Strategy, adopted in July 2025, highlights "technological sovereignty" as a fundamental goal, with an anticipated European Quantum Act focusing on supply-chain security and investment scrutiny.
Conversely, Canada’s Defense Industrial Strategy emphasizes the importance of developing sovereign capabilities in quantum technology but acknowledges a lack of clearly articulated policies. Meanwhile, countries like India are striving to build indigenous capabilities across various sectors of the quantum stack, inspired by historical efforts in the nuclear and space fields to minimize dependence on foreign technologies.
In a similar vein, Rajkumar Upadhyay, CEO of C-DOT, highlights that true quantum sovereignty extends beyond simply possessing a Quantum Key Distribution (QKD) system or a Post-Quantum Cryptography (PQC) algorithm. It requires ownership of critical intellectual property, manufacturing capabilities, and standards participation necessary to foster these technologies independently over time.
The situation in Singapore illustrates a varied approach, where regulatory measures play a central role. Instead of constructing its own quantum framework, the Monetary Authority of Singapore mandates financial institutions to actively manage their existing dependencies. This includes maintaining an accurate inventory of cryptographic assets capable of being swiftly replaced with quantum-safe alternatives and addressing potential risks linked to IT vendor supply chains.
Meanwhile, China is advancing its own path without participating in the NIST standards process, focusing on developing indigenous PQC algorithms in response to export restrictions from the U.S. As the Royal United Services Institute pointed out, such controls may inadvertently accelerate the development of Chinese domestic capabilities, as highlighted in its 15th Five-Year Plan.
Ultimately, the broader picture of quantum sovereignty poses an availability challenge. For security leaders, it’s not merely about whether encryption methods are resistant to quantum threats, but whether the vendors implementing these crucial measures will remain accessible during critical times.
Joe Spencer, director of Global Quantum Intelligence, offers an insightful breakdown of dependency risks that most organizations have not yet considered in their risk assessments. He categorizes these dependencies into three distinct layers: the materials needed for quantum systems, the components required for their operation, and the specialized talent to manage these technologies. The countries that command these capabilities and their supporting ecosystems are uniquely positioned to reap significant economic, security, and geopolitical advantages.
Organizations that proactively ask dependency-related questions—such as the whereabouts of their cryptographic vendors and their capacity for swift recovery—will be better equipped for unforeseen disruptions. As seen with the Anthropic export restrictions, those who delay such discussions may only recognize their vulnerabilities when it’s too late, underscoring the urgency for organizations to take action now. The architecture and choices being made today will ultimately define their options in an unpredictable future.