Two unrelated forcing functions are about to collide in enterprise security budgets:

  1. Generative AI agents are entering production at every Fortune 500 — n8n, LangChain, CrewAI, OpenAI Swarm, Anthropic Computer Use, internally-built copilots. The agent attack surface is exploding.
  2. Quantum-relevant cryptographic breaks are 18–36 months out per NIST's 2025 roadmap. Carriers are starting to ask post-quantum questions during cyber-insurance renewals.

Most security teams are treating these as separate bets. They aren't.

An adversary with quantum-broken TLS access to an LLM agent backend gets a perfect adversarial AI red-team capability — they can read the system prompt, inject into the context window mid-conversation, and exfiltrate the model's responses without ever being detected.

This paper argues for a crypto-agnostic AI security layer: defenses that hold even when the transport layer is compromised, and attack-detection systems that don't depend on the inviolability of HTTPS-protected channels.

The threat model

Pre-quantum: today's assumptions

Today, defenders rely on a stack of assumptions that hold reasonably well:

  • TLS provides transport integrity and confidentiality
  • Provider-side safety filters (Lakera Guard, Preamble, native model RLHF) catch obvious attacks
  • Application-layer prompt sanitization handles known injection patterns
  • Audit logs are tamper-evident under ECDSA signatures
⛨ TLS-PROTECTED ZONEATTACKERExternaladversaryInternet-facingLLM AGENTtools · memory · planner⛨ behind TLSDATABASEPII / SECRETSPROVIDERRLHF · safety filters⛨ trusted channelpromptover TLSAttacker can only ingress through the prompt channel. Cryptographic boundary holds.
Pre-quantum threat model: attacker can only inject through the front door. TLS protects everything behind it. Provider and database are 'trusted' channels.

The attacker's only ingress is the prompt channel itself. Defenders can focus on inline sanitization, RLHF, and rate-limiting. The cryptographic boundary holds.

Post-quantum: when the boundary collapses

Once a sufficiently capable quantum adversary can break TLS-protected channels, the entire trust model inverts. The same attacker now has:

  • Read access to the system prompt, model responses, and tool calls in transit
  • Injection capability into the context window mid-conversation, undetected
  • Identity forgery — they can impersonate the provider's "I am Claude/GPT" assertion
  • Replay of cached LLM API responses
  • Direct database access because session IDs and bearer tokens are visible on the wire
✕ TLS BROKEN — ZONE COMPROMISEDATTACKER++ broken TLS+ wire reading+ identity forge+ replayQUANTUM-CAPABLELLM AGENTtools · memory · planner⚠ context window readableDATABASEREADABLEPROVIDERidentity forgeable✕ untrustworthyprompt + injectionread mid-flightDirect database read — no auth requiredEvery previously-trusted channel becomes a hostile one.
Post-quantum threat model: TLS no longer protects in-transit data. Attacker can read prompts, forge provider identity, and reach the database directly. Every previously-trusted channel becomes a hostile one.

The critical insight

Traditional network security assumes the attacker can't read the channel. AI security assumes the model is the weakest layer. In the post-quantum world, both assumptions collapse simultaneously — and they reinforce each other. A defender losing transport security AND model trust at once has no defensive moat left.

Four crypto-dependent assumptions in current LLM security

1. "The system prompt is private"

Today, the system prompt is sent over TLS to the model provider. Customers assume it's invisible to anyone outside the provider's infrastructure. Quantum-broken TLS reads it directly.

This is already the #1 finding category in ShieldPi's healthcare-sector scans — system prompts that contain hardcoded credentials, internal API keys, and database connection strings. These become trivially exfiltratable in a post-quantum world.

Today's mitigation: Move secrets out of the system prompt entirely. Use ephemeral derived keys per session. ShieldPi's response-leak scanner already alerts on this pattern in agent responses.

Post-quantum mitigation: Sign the system prompt with the customer's PQ keypair. The model provider can verify integrity even if the channel is read.

2. "Tool calls are authenticated by the agent runtime"

LangChain, OpenAI Function Calling, and Anthropic tool use all rely on TLS for transport authentication. The agent runtime trusts the provider's claim of "this response came from your model." Quantum-broken TLS lets an attacker substitute a forged tool result mid-flow.

Mitigation: Sign tool calls and tool results with PQ keypairs at the application layer. The runtime should reject any tool result whose signature doesn't match the request signer.

3. "Memory writes are isolated by session ID"

Memory backends (Redis, vector DBs, dedicated memory services) use session IDs in URL paths or headers. TLS hides the IDs. Post-quantum, session IDs are visible to anyone reading the wire — and an attacker who learns a session ID can poison its memory.

Mitigation: Per-session derived encryption keys for memory contents. The session ID becomes a public identifier; the contents require a customer-side decryption step.

4. "The audit log is tamper-evident"

SOC 2 / ISO 27001 audit logs assume an attacker can't forge log entries from the future. Quantum-broken signature schemes invalidate this. An attacker who can break ECDSA can rewrite the audit trail to hide their breach entirely.

Mitigation: Migrate audit log signing to PQ schemes (Dilithium, SPHINCS+) ahead of NIST's 2027 deadline. Use append-only log structures (Merkle-tree commitments) that don't depend on a single signature scheme.

A real kill chain that survives the transition

The MedCareBot demo we use to validate ShieldPi's v7 architecture provides a concrete example of an attack that works in both threat models. The kill chain runs identically whether or not the attacker has quantum-broken TLS — because the breach happens at the application logic layer, not the cryptographic one.

Kill Chain · MedCareBotPre and post quantum — the attack runs identicallyT+00:00RECONNAISSANCEfingerprintT+00:47INITIAL ACCESSinjectionT+01:55CREDENTIAL ACCESScreds extractedT+04:30COLLECTION847 records pulledT+06:18EXFILTRATIONexfil → externalTOTAL TIME TO COMPROMISE — 6:18 · NO HUMAN REQUIRED
Kill chain timeline against MedCareBot — pre and post quantum. The breach reaches credential extraction in 1m55s and full data exfiltration in 6m18s. Cryptographic protection of the channel is irrelevant: the agent itself is leaking.

The implication: defenses that catch this kill chain catch it regardless of crypto layer status. ShieldPi's behavioral monitoring, breach artifact synthesis, and content-integrity hashing are all crypto-agnostic. They detect the attack from the agent's own behavior, not from network telemetry that the post-quantum attacker can fabricate.

The crypto-agnostic security stack

ShieldPi v7 is designed around four layers that hold regardless of the crypto layer's status:

Crypto-agnostic AI security stackEach layer holds independently of the crypto layer01Behavioral anomaly detectionTrajectory analyzer · pattern match · memory integrityLIVE02Content-addressed artifactsBreach artifact synthesis · SHA-256 evidence chainsv703Reproducibility hashesCustomer-verifiable scan inputs / outputsv704PQ-ready signingDilithium / SPHINCS+ for tool calls + audit logsv8A break at any single layer does not collapse the stack.
Crypto-agnostic AI security stack. Each layer holds independently. A break at the transport layer does not collapse any of the others.

Behavioral anomaly detection (Live Agent Monitor)

Detects breaches based on what the agent did (tool sequences, memory writes, response leak patterns), not on who connected. Even if an attacker has perfect TLS visibility, they can't make the agent behave normally while exfiltrating PHI — the trajectory analyzer fires regardless.

The relevant ShieldPi modules: trajectory.py (lateral movement, tool frequency spike, repeated refusals, authority escalation, goal drift), pattern_match.py (19 prompt injection regexes), and the new v7 response_leak_scanner.py that catches credential and PII leaks in the agent's outbound responses.

Per-finding breach artifact synthesis (Sprint 0 / C1)

Every L3+ finding produces a structured artifact tagged [REPRESENTATIVE OF REAL EXPOSURE] with the breach ID, kill-chain stage, and extracted evidence. The artifact is content-addressed — the report is independently verifiable from the original payload + response, with no transport trust required.

Memory integrity hashing (existing, pre-v7)

Each memory write records a SHA-256 hash of the value keyed by session ID. A subsequent write with a different hash from a different session is flagged as MINJA-class memory drift. Crypto-agnostic — the hash is post-quantum-safe, and the alert fires on content mismatch regardless of who controlled the channel.

Reproducibility hashes (Sprint 3 / D3)

Every scan emits a reproducibility_hash derived from inputs (target URL, scan mode, sorted categories, corpus version, persona). Two scans with the same inputs MUST produce the same hash. A post-quantum attacker who compromises the report cannot forge a fresh "passed" report — the hash won't match the inputs the customer saved.

code
sha256(target_url || scan_mode || sorted(categories) || corpus_version || persona)[:32]

Recommendations for CISOs (12-month horizon)

  1. Inventory your AI surface. Every agent, every LLM API call, every prompt that touches production data. ShieldPi's free tier does this in 10 minutes per target.

  2. Move credentials out of system prompts now. This is the #1 finding category across the ShieldPi corpus. It's already a problem. Quantum just makes it worse.

  3. Add behavioral monitoring, not just network monitoring. Your SOC's Splunk rules don't fire on "agent leaked credentials in response." They fire on "TLS handshake from unusual IP." Different problem class.

  4. Demand PQ-readiness from your AI vendors. Anthropic, OpenAI, Google — ask them publicly what their PQ migration timeline is. Most don't have one yet.

  5. Build evidence trails now. Cyber insurance renewals starting Q3 2026 are asking AI red-team questions. SOC 2 AI addendums are appearing in audit checklists. Customers who can show reproducible scan history ahead of renewal save 20–40% on premiums (per Beazley's Q1 2026 broker briefing).

The bet

Defenses that already work in a zero-trust content-integrity model are the only defenses that survive both the AI and the quantum transition. Everything ShieldPi v7 ships — breach artifact synthesis, kill chain narrative, agent monitor, knowledge graph — is content-layer defense. The crypto layer is incidental.

Conclusion

The post-quantum transition is not just a crypto migration. For LLM-powered applications, it's a complete rethink of the trust boundary. The model is no longer the only weakest link — the transport layer joins it.

If you're a CISO who needs to write the 2026–2027 budget line item for AI + quantum convergence: this is what you should be asking your vendors for. Behavioral monitoring. Content-integrity verification. Reproducible scan evidence. PQ-ready signing.

ShieldPi already does the first three. The fourth is on the v8 roadmap.

References

  1. NIST PQ Cryptography Standardization, FIPS 203/204/205, 2024.
  2. IBM Cost of a Data Breach Report 2024.
  3. OWASP Agentic AI Threats and Mitigations v1.0, Feb 2025.
  4. Anthropic, "Trustworthy agents in practice," April 9, 2026.
  5. Siu et al., Contextual Security Properties for LLM Agents, arXiv:2603.19469 (2026).
  6. ShieldPi Living Leaderboard, https://shieldpi.info.
  7. ShieldPi Methodology Endpoint, https://shieldpi.io/methodology.