The Architecture No One Can Defend Anymore
The G7 is now saying quantum security goes beyond cryptography. Some of us started there.
For years, it was easy to dismiss encrypted computation, proof-based access, and privacy-preserving workflows as interesting. Too complex. Too early. Too academic. Too expensive. Too specialised. The usual excuses. That argument is becoming less valid everyday (1).
Not because vendors suddenly became honest, let’s not get carried away. It’s getting weaker because the institutions responsible for global financial stability are pointing it out, and looking at options.
The post-quantum conversation is no longer just about replacing vulnerable algorithms. It’s becoming a discussion about architecture (something we have been talking about for over a year on our Substack), third-party concentration, trust boundaries, operational dependencies, and, critically, what happens to sensitive data when it actually has to be used.
For decades, security has been built around a quiet, problematic assumption: Sensitive data needs to become visible to be useful.
The industry wrapped endless layers around this problem: VPNs. SIEMs. SOCs. IAM. EDR. Zero Trust. Flashy dashboards pretending to be strategy. Some of those tools matter. But they left the core mechanism intact: Decrypt. Process. Re-encrypt.
The deadline is closer than it looks
In January 2026, the G7 Cyber Expert Group published its coordinated roadmap for transitioning the financial sector to quantum-safe technologies.
The document is careful, measured, and very institutional. The roadmap is explicit that this transition is not a quick patch. It is meant to support a timely, secure, and coordinated shift to quantum-resistant cryptography across the financial sector, and it warns that cryptographic transition is complex, time-consuming, and has to be done carefully. That alone should kill the “we still have time” argument.
Organisations have a shrinking window and a procurement process that moves very slowly. The roadmap also makes clear that this isn’t just about swapping algorithms and calling it modernisation. It points financial entities toward mapping critical systems, functions, sensitive data, communication protocols, cryptographic assets, and third-party dependencies. That isn’t a software update. It’s an architectural inventory.
And a lot of organisations are not going to like what they find.
While 2035 is treated as the broad target for migration, the G7 roadmap points to a closer priority window for the most critical systems, around 2030 to 2032. It also acknowledges that data may already be at risk under harvest-now, decrypt-later scenarios, even before a cryptographically relevant quantum computer exists.
So 2030 is not some distant milestone.
By the time an organisation says, “We should probably start looking at this,” it may already be late. And that’s only the first problem.
The real threat is not only a future quantum computer breaking public-key encryption. It’s also the data being harvested today, stored today, copied today, and quietly held for tomorrow’s decryption. The risk isn’t theoretical.
Cryptography alone won’t save you
Moving to PQC is necessary. Let’s be clear about that. PQC matters for key establishment, digital signatures, authentication, integrity, and long-term confidentiality. But PQC doesn’t solve the problem of data in use.
When sensitive data becomes operational, analysed, matched, routed, scored, searched, summarised, or fed into an AI model, the architecture requires it to be exposed. The cybersecurity industry has spent decades improving the locks and accepting that the room had to be opened every time work needed to be done.
The May 2026 G7 central bank report, co-chaired by the Banque de France and the Bank of Canada, makes this harder to ignore (2). It clearly states that post-quantum cryptography is not a simple substitution exercise. Migration will require inventorying cryptographic dependencies, testing compatibility with existing systems, and coordinating updates with counterparties and service providers. They are overtly stating that the problem is the architecture.
The same report goes further in its section on Data Security beyond cryptography. It says quantum security considerations extend beyond encryption and key exchange, into new interfaces, architectures, and operational models. That sentence should make boards, CISOs, regulators, insurers, and infrastructure operators sit up a little straighter.
Because once you say the problem extends beyond encryption and key exchange, you’re not talking about a narrow cryptographic migration. You’re talking about:
architecture
workflows
exposure.
And the report names the exact issue the industry has avoided for years: the protection of data during computation, especially when sensitive data is processed outside the direct control of the data owner, such as in cloud-based or remote platforms. That is the plaintext problem. That is the data-in-use problem. That is the part “we encrypt our data” does not answer. That is also the part we have been covering in our Substack for over a year.
The report also identifies fully homomorphic encryption (FHE) as one of the approaches that allows computation on encrypted data, while acknowledging the complexity and performance overhead involved. That qualification matters.
It is not a button someone presses because a vendor put “AI” and “quantum” on the same slide. Encrypted computation is difficult. Proof-based access is difficult. Integration is difficult. But difficulty is not the same as irrelevant. A lot of important architecture starts as difficult before it becomes inevitable. The G7 is not using startup language. It’s describing the same architectural layer PrivID has been focused on for years: not just securing the path to the workflow, but changing what happens inside it.
The old model can’t survive AI
This architectural shift is hitting a massive accelerant: Artificial Intelligence. AI doesn’t create the exposure problem. It amplifies it.
AI demands more data, more access, more integration, more inference, more third-party processing, and more automated decision-making. If your underlying architecture still relies on plaintext exposure, AI makes your exposure scale faster.
That’s why “we encrypt our data” is not an acceptable answer anymore.
Where?
When?
Who processes it?
What system touches it?
What gets logged?
What gets copied?
What gets inferred?
What gets retained?
What happens during computation?
Legacy architectures struggle to answer those questions. They were designed around the assumption that exposure was a normal part of making data useful. That assumption has always been the liability. AI just makes it bigger liability.
Change the architecture
Large institutions rarely sprint unless something is burning, and even at that, there may be a committee involved. But the direction is undeniable. The conversation is moving from encryption alone to the systems around encryption.
It is moving from transport and storage to processing.
It is moving from blind trust to mathematical proof.
It is moving from managing exposure to reducing the need for exposure at all.
This is not about replacing systems overnight. This is about admitting that the old system had a flaw. A critical one.
By 2030, “we didn’t know” will not be a good enough answer.
By 2035, “we were waiting for guidance” will be even worse.
The roadmap is already telling organisations to identify critical systems, sensitive data, protocols, cryptographic assets, and third-party dependencies.
The central bank report is already saying quantum security extends beyond cryptography into architectures, trust boundaries, operational dependencies, and data during computation. It also states that protecting data and communications in a quantum-enabled environment means understanding system architecture and operational dependencies, not just selecting cryptographic primitives.
The institutions are now describing, in their own careful language, the architectural problem PrivID was built to solve.
PrivID was built around a different assumption. Encrypted computation. Proof-based access. Verification without unnecessary exposure. Not just protecting the path to the workflow, but changing what happens inside it. We’ve been building for this moment for years.
Now the market is finally catching up.