ICIT urges unified post-quantum shift for AI and space infrastructure on 2030–2035 timetable

AI data centers and satellite ground stations have become the coordination layer for modern critical infrastructure—and they are running on cryptography that a future quantum-capable adversary could break.

That is the central warning of a new analysis from the Institute for Critical Infrastructure Technology (ICIT), which calls for treating AI modernization and post-quantum cryptography (PQC) migration as a single program on the federal 2030–2035 timetable used by NIST, DHS, and the National Cybersecurity Center of Excellence.

According to the paper, AI clusters, Low Earth Orbit (LEO) ground segments, and operational technology (OT) gateways now host long-lived data sets, model weights, privileged credentials, firmware signing chains, and control paths that reach into power grids, financial platforms, logistics networks, and space assets.

While these environments share capital refresh cycles, control planes, and telemetry pipelines, the cryptography tying them together remains largely classical—making them prime “harvest-now, decrypt-later” targets for adversaries collecting encrypted traffic today in anticipation of future decryption.

The analysis argues that postponing PQC and treating it as a bolt-on to deployed systems will invite expensive retrofits and embed predictable vulnerabilities by design. Instead, it maps where PQC must land across the operational stack, from protocols and crypto libraries to hardware modules and public key infrastructure.

Specific touchpoints include TLS and IKE, hardware security modules (HSMs), accelerators and service meshes, applications, firmware, and update chains.

Partial or hybrid migrations are flagged as especially risky if they retain classical roots of trust, rely on accelerators or SmartNICs that will never support PQC, or depend on long-lived signing keys baked into firmware and satellite control systems that are difficult to replace mid-lifecycle.

The paper cautions that such compromises could undermine the very protections PQC is intended to deliver. For homeland security leaders, the recommendations are procedural as much as technical.

The paper says AI infrastructure should serve as the engine of PQC migration, using observability, Automated Cryptographic Discovery and Inventory (ACDI), and CBOM discipline to map existing cryptography, stage rollouts, and detect downgrades at scale.

It identifies governance and procurement as decisive levers—aligning with NIST and General Services Administration PQC guidance and writing explicit PQC requirements into requests for proposals. The author contends that embedding PQC into acquisition strategies now, rather than retrofitting later, is the most practical path to quantum-resilient AI, space, and critical infrastructure systems.

With the 2030–2035 clock already set for quantum-relevant systems, the paper frames the next refresh cycles for AI clusters, LEO ground segments, and OT gateways as the window to make that convergence real.