Quantum Security & PQC News

The U.S. Intelligence Community Just Put Quantum on Equal Footing with AI. And Expanded the Threat Definition

27 Mar 2026 – Every March, the Office of the Director of National Intelligence publishes a document that most Americans will never read but that quietly shapes trillions of dollars in defense spending, intelligence priorities, and technology policy. The Annual Threat Assessment (ATA) is the Intelligence Community’s official, unclassified evaluation of the threats facing the United States – a consensus view from eighteen intelligence agencies, distilled into roughly thirty pages of carefully calibrated language.

This year’s edition, released on March 18 and presented to the Senate Select Committee on Intelligence by the Director of National Intelligence, does something notable for anyone tracking quantum security: it treats quantum computing not as a footnote to cyber threats or a future curiosity, but as one of two defining technological challenges to U.S. national security – right alongside AI.

For those of us who have spent years arguing that quantum risk deserves boardroom and cabinet-level attention, this isn’t just bureaucratic reshuffling. It’s the U.S. intelligence establishment putting its institutional weight behind a position that the quantum security community has long advocated.

What the Annual Threat Assessment Is (And Why It Matters)

For readers unfamiliar with it: the ATA is not a think-tank report or a vendor whitepaper. It is the product of a structured, multi-agency intelligence process – the National Intelligence Council coordinating input from the CIA, NSA, DIA, FBI, and every other component of the U.S. Intelligence Community. Its language is reviewed, debated, and negotiated for months among analysts with access to classified intelligence that will never appear in these pages. Every word and punctuation mark in it carries weight.

When the ATA says something, it reflects the considered judgment of the world’s largest intelligence apparatus. When it elevates a topic, budgets follow. When it introduces new framing, policy follows. The ATA is, in effect, the IC’s public signal about where America’s national security attention needs to be directed.

That context matters for understanding what the 2026 edition says about quantum computing – and, just as importantly, how it says it.

Quantum Gets Its Own Section – Alongside AI, Not Beneath Cyber

The structural choice is the first thing that jumps out. The 2026 ATA introduces a new top-level category called “Technological Challenges” that sits between the Homeland threats section and the traditional Diverse Threat Vectors section covering military, space, cyber, and WMD. Under this heading, only two technologies appear: AI and quantum computing. Each gets its own dedicated subsection.

This is a deliberate architectural decision. In previous assessments, quantum computing was typically discussed within the cyber threat section or mentioned in passing alongside other emerging technologies. Giving it co-equal billing with AI – the technology that has dominated every national security conversation for the past three years – sends a clear signal about where the IC believes the strategic competition is heading.

The opening line of the Technological Challenges section sets the tone: the IC states that leadership in emerging technologies is increasingly defining global power and influence, and that for technology powers like the U.S. and China, AI and quantum information science are at the center of this leadership competition.

Beyond CRQC: The IC’s Dual-Purpose Framing

Perhaps the most analytically interesting aspect of the 2026 ATA’s quantum section is how it frames the threat. The IC doesn’t limit its concern to the cryptographic implications – the scenario most familiar to the PQC community. Instead, it opens with a broader strategic framing that readers of PostQuantum.com will find significant.

The assessment states that early developers in quantum computers will give their countries an extraordinary technological advantage over others in terms of the ability to both quickly process national security information and break current encryption methodology.

That “both…and” construction is doing important work. DNI Gabbard echoed the same dual framing in her presentation to Congress, emphasizing both the ability to process national security information and the encryption-breaking capability.

This dual framing matters because it reframes quantum computing from a purely defensive problem (protect your encryption before it’s broken) into a strategic competition problem (whoever gets there first gains decisive advantage in both intelligence processing and cryptanalysis). The first dimension – rapidly processing national security information – speaks to quantum’s potential for optimization, simulation, and machine learning acceleration in intelligence contexts. The IC is signaling that the value of quantum computing to national security extends well beyond code-breaking.

For CISOs and security leaders, this dual framing reinforces a point we’ve made repeatedly at PostQuantum.com: the CRQC threat is real and urgent, but it exists within a broader strategic landscape where quantum capabilities confer advantages across multiple domains simultaneously.

This broader strategic dimension – quantum as a lever of national power, not merely a cryptographic hazard – is precisely the subject of my forthcoming book, Quantum Sovereignty. The book examines how nations and organizations that control quantum capabilities will reshape the balance of economic, intelligence, and military power – and what that means for those that don’t. The IC’s dual framing in this year’s ATA reads, in many ways, like a compressed version of the book’s central thesis: quantum advantage is indivisible from sovereign advantage.

CRQC in the IC’s Own Words

On the cryptographic threat specifically, the ATA is unambiguous. It explicitly uses the term “cryptographically relevant quantum computer (CRQC)” – the same terminology used by NSA, NIST, and the broader PQC community – and states clearly that no country has yet built one. The assessment then outlines the consequences in specific terms: CRQC could break the current encryption methods used to protect sensitive finance, health care, and government information, leading to a compromise in the confidentiality and integrity of that information.

The specificity here is notable. The IC doesn’t hide behind vague language about “potential future risks.” It names the sectors. It names the consequences – both confidentiality and integrity, meaning not just the ability to read encrypted communications but also to forge digital signatures and tamper with authenticated data. This mirrors the analysis in our coverage of CISA’s quantum readiness guidance and the BIS quantum roadmap for banking, which similarly emphasize that the threat extends beyond eavesdropping to the integrity of entire digital trust frameworks. And it aligns with the TNFL topic I’ve been trying to elevate for a while.

The ATA also acknowledges what it calls “the far-reaching consequences of such a compromise” as the driver behind technology leaders’ interest in quantum-resistant encryption methods. This is the IC validating, in its most official public document, the strategic urgency of PQC migration.

The Deliberate Ambiguity on Timelines

Where the ATA is notably less precise is on timelines. It states that the timeframe for transitioning to quantum computing is unclear due to a multitude of challenges, listing the need for more effective private-public coordination, scaling qubits and overall quantum computer architecture, and R&D in foundational areas including advanced software and algorithms, materials, hardware, and standards and benchmarks.

This deliberate ambiguity is itself analytically interesting. The IC has access to classified intelligence on quantum programs worldwide – including China’s, which is particularly opaque to the public. If eighteen intelligence agencies, with satellite imagery, signals intelligence, and human intelligence at their disposal, decline to offer even a rough timeline window, that tells you something about the genuine uncertainty involved.

But the absence of a timeline should not be confused with the absence of urgency. The ATA’s structural elevation of quantum, its explicit naming of CRQC consequences, and its focus on first-mover advantage all convey a message that contradicts any temptation to delay: the race is on, the outcome is uncertain, and being second means being vulnerable.

I’ve covered this extensively: even without a precise Q-Day estimate, the combination of long migration timelines and uncertain threat timelines means the rational response is to begin migration now.

The Five-Way Race

The ATA identifies five entities investing billions to secure a first-mover advantage in quantum: the United States, China, the European Union, Japan, and the United Kingdom. This is the IC publicly acknowledging that quantum computing is not a bilateral competition between the U.S. and China – it is a multi-front race with several serious contenders.

For organizations planning their PQC migration, this has practical implications. The cryptographic standards landscape is already fragmenting along geopolitical lines, with China publishing its own quantum-resistant standards independent of the NIST process. As the race accelerates, enterprises operating across borders will need to navigate an increasingly complex patchwork of standards, mandates, and migration timelines.

What the ATA Doesn’t Say

Equally revealing is what the 2026 ATA does not say about quantum computing. There is no mention of Harvest Now, Decrypt Later (HNDL) – the scenario where adversaries intercept and store encrypted data today to decrypt it once a CRQC becomes available. Given the IC’s explicit acknowledgment that nation-state cyber actors are pre-positioning for future attacks (detailed at length in the Cyber section), the omission of HNDL from the quantum discussion is surprising. The HNDL threat is arguably the most immediate quantum-related risk, as it means the damage is being done now, even before a CRQC exists.

A personal observation: in my talks and training sessions on quantum threats, audience members routinely ask me for proof that HNDL is actually happening. It’s a fair question – and one I can only answer by pointing to unambiguous public statements from intelligence agencies in the U.S., UK, Germany, Australia, and elsewhere, all of which have stated on the record that nation-state adversaries are harvesting encrypted data for future decryption. My speculation on why the US intelligence community avoided naming it now: HNDL may be omitted precisely because the IC knows too much about it. Acknowledging specific harvest-and-store campaigns in an unclassified document risks revealing what the IC knows about adversary collection programs, targets, and methods. The ATA’s Cyber section describes Chinese and Russian actors pre-positioning in U.S. critical infrastructure networks in considerable detail – but connecting that pre-positioning explicitly to a quantum decryption endgame may cross a classification line. If that reading is correct, the silence on HNDL is not evidence of indifference. It may be the opposite. But I am just speculating.

The assessment also does not mention post-quantum cryptography standards by name, nor does it reference NIST’s standardization of ML-KEM, ML-DSA, or SLH-DSA. The ATA is a strategic document rather than a technical one, so this isn’t unexpected – but it means the connection between “quantum threatens encryption” and “here’s what to do about it” remains implicit rather than explicit at the IC level.

Finally, there is no discussion of how quantum computing intersects with the AI capabilities the IC discusses in the adjacent section – a notable gap given the growing convergence between the two fields and the potential for AI to accelerate both quantum hardware development and cryptanalytic attacks.

What This Means for Security Leaders

The 2026 ATA provides security leaders with something they’ve needed: an authoritative, government-source document that frames quantum risk as a current strategic priority rather than a distant hypothetical. When the organization that prevents surprise for the President of the United States treats quantum computing as a peer threat to AI and explicitly warns about encryption-breaking capabilities, the “we’ll deal with it later” position becomes untenable.

Concretely, CISOs and CIOs can use this assessment to support three immediate actions. First, if you haven’t begun a cryptographic inventory, the IC’s explicit warning about encryption compromise makes this a board-level priority, not a technical exercise. Second, the IC’s dual framing – processing advantage plus encryption breaking – means quantum risk assessments need to consider more than just data confidentiality; integrity and authentication are equally at stake. Third, the five-way investment race confirms that multiple standards regimes will emerge, making cryptographic agility not just a best practice but a strategic requirement for any organization operating globally.

The Signal Beneath the Signal

The 2026 Annual Threat Assessment is many things – a policy document, a budget justification tool, a public communication from America’s intelligence apparatus. But for the quantum security community, its most important function may be as a signal amplifier.

When the IC elevates quantum computing to the same structural level as AI in its threat hierarchy, it doesn’t change the underlying physics or the engineering timelines. What it changes is the political and organizational environment in which migration decisions get made. Budget requests become easier to justify. Board conversations shift from “should we worry about this?” to “what’s our plan?” Vendor evaluation moves from theoretical to operational.

The U.S. Intelligence Community has now told Congress and the American public, in its most authoritative annual assessment, that quantum computing represents an extraordinary technological advantage for whoever gets there first, and that the encryption protecting sensitive finance, health care, and government data is at risk.

The question for every organization reading those words is no longer whether to act. It’s whether they’ve started.

Quantum Upside & Quantum Risk - Handled

My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.


Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.