Skip to main content

AI-Driven Workflows: Transforming hybrid IT environments with AI and Post-Quantum Cryptography (PQC)

GovernmentFederalAI
June 17, 2025

As hybrid IT environments grow more complex, the intersection of artificial intelligence (AI) and post-quantum cryptography (PQC) is reshaping workflows, security paradigms, and the way organizations prepare for the future. At the AFCEA TechNet Cyber 2025 CompTIA Learning session, industry leaders from CompTIA, Vectra AI, GDIT, and  NIST came together to discuss how vendors, government integrators, and government leaders are collaborating to address these challenges.

This session featured insights from:

  • Dr. James Stanger, Chief Technology Evangelist at CompTIA
  • Bill Newhouse, Cybersecurity Engineer at NIST
  • Dr. Matthew McFadden, Vice President of Cyber and Distinguished Technologist at GDIT
  • Zachary Vaughn, Director of Federal Security Engineering at Vectra AI

Here’s a breakdown of the session’s most impactful insights and strategies for navigating ever-evolving attack surfaces.

The reality of tech debt: AI and encryption challenges

The session opened with a discussion on the persistent challenge of tech debt, the accumulation of outdated or unsupported technology, and how it impacts both AI and encryption. Today, we use key exchange algorithms such as Diffie-Hellman and encryption algorithms such as RSA all the time. These two algorithms currently secure everything from online purchases to video calls. But they will become vulnerable to quantum computing as it becomes more viable. Bill Newhouse from NIST outlined how these algorithms will eventually be replaced by PQC algorithms. The problem is, the transition to PQC algorithms will be anything but simple.

Mr. Newhouse explained that every computer will require new certificates, and with the average workstation containing 120 certificates, the process will take years. As Dr. Stanger likened the transition to the famous line from The Lord of the Rings: “One doesn’t simply walk into Mordor.” This underscores the complexity of the rollout and the need for careful planning.

To navigate this “age of long rollouts,” organizations must focus on both technical and soft skills. Project management, encryption knowledge, and even curiosity are critical for managing this transition effectively. Tools such as a Software Bill of Materials (SBOM) can help organizations inventory their software and certificates, providing a clear roadmap for what needs to be updated.

AI as an abstraction layer: Simplifying complexity

Zach Vaughn highlighted how AI is increasingly being used as an abstraction layer to simplify human interaction with complex systems. Just as Google hides its intricate search algorithms behind a simple search bar, AI can help organizations drill down into vast datasets and uncover actionable insights. However, Vaughn cautioned that this potential comes with risks.

First, it is possible to misuse any abstraction layer. One of the most common issues of using any abstraction layer is that it can inadvertently hide, or abstract, the very information you are looking for. You need to be properly trained to interact well with AI when it comes to using cybersecurity as a defensive tool. Second, AI is a tool used by both defenders and attackers. Adversaries are leveraging AI to automate reconnaissance, create sophisticated phishing campaigns, and exploit vulnerabilities faster than ever before. Vaughn shared an example of how attackers used an IP camera with no endpoint protection to exfiltrate sensitive data, bypassing traditional security measures.

To counter these threats, organizations must adopt defensive AI capabilities that can detect and respond to attacks in real time. Vaughn emphasized the importance of security-first AI models that reduce noise and provide actionable signals for analysts, enabling them to focus on the most critical threats.

Post-quantum cryptography: Discover, assess, manage

Bill Newhouse outlined a practical framework for transitioning to PQC: Discover, Assess, and Manage. This approach begins with conducting a cryptographic inventory to identify where encryption is used across the organization. Tools such as an SBOM can simplify this process, helping organizations pinpoint what needs to be updated.

Once the inventory is complete, organizations must assess their readiness for PQC migration, evaluating the impact on existing systems and workflows. Automation will play a critical role in this process. By 2029, certificates will expire every 47 days (down from the current 398 days), making automation essential for discovery and replacement.

Collaboration is also key. Newhouse noted that 46 organizations in multiple industries (e.g., finance, manufacturing, tech) contributed to the development of PQC migration standards, highlighting the importance of working together to achieve “quantum readiness.”

Upskilling for the future: AI and PQC skills

Dr. Matthew McFadden emphasized the growing importance of upskilling to manage the complexities of AI and PQC. These technologies touch multiple areas, from device certificates to application deployment, requiring IT professionals to develop a broad skill set.

McFadden also stressed the need for automation in cybersecurity. As certificate lifecycles shorten and AI becomes more integrated into workflows, automation will be critical for managing discovery, replacement, and overall system efficiency. Training programs and certifications can help IT teams build the skills needed to navigate these changes effectively.

The core principles of information security and AI: Integrity takes center stage

When it comes to AI, ensuring the accuracy and trustworthiness of data and systems is becoming increasingly critical. The session explored how techniques such as data tagging and labeling can enhance data classification and minimize the risk of data leakage.

Adversarial testing, including AI pen testing, input validation, and red teaming, was also highlighted as essential for safeguarding AI systems against attacks such as prompt injection and jailbreaking. These strategies help ensure that AI systems function as intended and remain resilient in the face of evolving threats.

The race condition: Balancing innovation and security

The session concluded with a discussion on the race condition between innovation and cybersecurity. As technology evolves at an unprecedented pace, the tension between adopting new tools and securing them is reaching critical levels.

All of the presenters emphasized the importance of proactive planning and governance to strike a balance between innovation and security. By leveraging AI as a defensive tool and preparing for long-term rollouts such as PQC, organizations can stay ahead in this rapidly changing landscape.

Ready to take the next step?

If you missed the live session or want to revisit the valuable insights shared by our expert panel, you can now access the on-demand recording of the AFCEA TechNet Cyber session. By registering to view the session, you’ll not only gain actionable insights for integrating AI and PQC into hybrid IT workflows but also be eligible to earn Continuing Education (CE) credits.

Register Now to View the On-Demand Session and Earn CE Credits