Utimaco: Protecting AI Systems Requires Transition to Post-Quantum Cryptography

Utimaco believes the main bottleneck for enterprise AI is not the models themselves, but risks around data, models, and keys. The company recommends…

AI-processed from AI News; edited by Hamidun News
Source: AI News. Collage: Hamidun News.

Utimaco believes that for corporate AI, the main challenge is no longer model quality, but rather protecting the data on which these models are trained and operate. The company warns: if you build AI infrastructure only for today's threats, in a few years you'll have to redesign it for post-quantum security.

The Main Barrier to Adoption

The eBook AI Quantum Resilience notes that companies most often slow down AI implementation not for lack of use cases, but because of the risk that their own data will be leaked, substituted, or compromised. This is especially sensitive for organizations that want to train models on internal documents, financial information, intellectual property, and other information with long-term value. The more valuable the data, the costlier the mistake: a compromised training pipeline affects both model quality and legal risk.

The problem is that threats emerge at every stage of the AI lifecycle. It's not just about the inference phase, where prompt injection and result leakage are typically discussed. Dangers arise during data loading, training, key storage, model deployment, and ongoing operation. If any of these layers lacks protection, an attacker gains an entry point into the entire system.

Three Risk Zones

Utimaco identifies three basic areas where AI systems are vulnerable right now, even without a full-scale era of quantum computers. These aren't theoretical scenarios, but practical risks for companies that collect data over years and then use it in models, assistants, and internal AI services.

  • Training data poisoning — an attacker can inject or alter data so that the model starts producing distorted results, making it difficult to detect the cause.
  • Model theft or copying — if a model is extracted or reproduced, the company loses intellectual property and competitive advantage.
  • Disclosure of sensitive data — data used during training or inference can be intercepted if the environment and keys are weakly protected.

A separate risk involves the principle of harvest now, decrypt later: encrypted data can be stolen today and decrypted later when more powerful quantum tools become available. Therefore, protection must cover not only current operations, but also archives, datasets, and any assets that must remain confidential for years.

How to Build Protection

According to the authors, existing public key cryptography may start losing reliability within the coming decade. Because of this, migration to post-quantum algorithms cannot be delayed until the risk becomes widespread: reworking protocols and key management systems, and dealing with compatibility and performance, takes years.

The authors directly point out that such migration will affect interoperability between systems and infrastructure performance. As a transitional strategy, Utimaco proposes crypto-agility — the ability to change cryptographic algorithms without a complete architectural overhaul, using a hybrid approach combining classical and post-quantum cryptography, including methods proposed by NIST.
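The two ideas in this paragraph, sketched as an added example that is not taken from the Utimaco eBook or any Utimaco product: a suite registry as the single place where algorithms are chosen (crypto-agility), and a key derived from both a classical and a post-quantum shared secret (hybrid). The suite ids, field names and sample secrets are assumptions; the secrets are constructed stand-ins for the outputs of a real X25519 exchange and ML-KEM-768 encapsulation.

```python
import hashlib
import hmac

# Suite registry: the one place an algorithm choice lives (crypto-agility).
# Suite ids and fields are assumptions made for this example.
SUITES = {
    "classical-v1": {"parts": ("x25519",), "hash": "sha256", "allowed": False},
    "hybrid-v2": {"parts": ("x25519", "ml-kem-768"), "hash": "sha384", "allowed": True},
}


def hkdf(hash_name, salt, ikm, info, length):
    """HKDF (RFC 5869): extract a PRK from ikm, then expand it to `length` bytes."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output is too long for HKDF")
    prk = hmac.new(salt or b"\x00" * hash_len, ikm, hash_name).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_data_key(suite_id, shared_secrets, context, length=32):
    """Derive a data-encryption key from every shared secret the suite requires."""
    suite = SUITES.get(suite_id)
    if suite is None or not suite["allowed"]:
        raise ValueError(f"suite {suite_id!r} is unknown or retired")
    missing = [p for p in suite["parts"] if not shared_secrets.get(p)]
    if missing:
        raise ValueError(f"missing shared secret(s): {missing}")
    # Length-prefix each secret so the concatenation cannot be re-split differently.
    ikm = b"".join(
        len(shared_secrets[p]).to_bytes(2, "big") + shared_secrets[p]
        for p in suite["parts"]
    )
    # Binding the suite id into `info` means a different suite yields a different key.
    info = suite_id.encode() + b"|" + context
    return hkdf(suite["hash"], b"", ikm, info, length)


if __name__ == "__main__":
    # Constructed stand-ins for the outputs of a real X25519 exchange and ML-KEM-768.
    secrets_in = {"x25519": bytes(range(32)), "ml-kem-768": bytes(range(32, 64))}
    print(derive_data_key("hybrid-v2", secrets_in, b"training-dataset-archive").hex())
```

Retiring or adding an algorithm is an edit to `SUITES`; callers of `derive_data_key` do not change, and a request for a retired suite fails closed instead of silently falling back.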

But cryptography alone is not enough. The report separately emphasizes the role of hardware-secured environments and enclaves, which isolate keys and sensitive operations from ordinary infrastructure. In such a scheme, keys for data encryption and model signing can be generated and stored within a trusted boundary, model integrity can be verified before deployment, and data processed during inference can be protected. Additionally, hardware modules enable external attestation of the environment and maintain tamper-proof access logs, which is useful for compliance with requirements like the EU AI Act.

What This Means

For companies building AI on their own data, security stops being an "additional layer" and becomes part of the product architecture. Those who build in crypto migration, key protection, and hardware trusted boundaries now will have an advantage over those who try to fix everything after the first serious breach or after post-quantum threats arrive.

Hamidun News
AI news without noise. Daily editorial selection from 400+ sources. A product by Zhemal Khamidun, Head of AI at Alpina Digital.
