AG-773
Quantum-Resilient Cryptographic Governance
EU AI Act
NIST AI RMF
ISO 42001
Quantum-Resilient Cryptographic Governance mandates the adoption of post-quantum cryptographic (PQC) algorithms for all governance-critical cryptographic operations performed by or on behalf of autonomous agents. The dimension addresses the "harvest now, decrypt later" threat model, in which adversaries capture encrypted governance audit trails, credential exchanges, and agent communications today with the expectation of decrypting them once cryptographically relevant quantum computers become available.
NIST's post-quantum cryptographic standards, finalised in SP 800-208 and the ML-KEM/ML-DSA/SLH-DSA suite, provide the algorithmic foundation. AG-773 requires that all new cryptographic material issued for agent governance purposes from 2026-Q3 onward must use hybrid classical/post-quantum constructions. This means pairing existing algorithms (e.g., ECDSA P-384, RSA-4096) with their PQC counterparts (e.g., ML-DSA-65, SLH-DSA-SHA2-256f) in a composite scheme where both signatures must validate for the overall verification to succeed.
The dimension recognises that migration to PQC is not instantaneous. Legacy agents, third-party integrations, and hardware security modules may require extended transition periods. AG-773 therefore establishes a phased migration timeline: awareness and inventory (completed by 2026-Q2), hybrid deployment for new systems (2026-Q3), hybrid deployment for existing critical systems (2027-Q2), and full PQC readiness (2028-Q4). Each phase has specific deliverables and compliance checkpoints.
Financial institutions face particular urgency. Governance audit trails for Financial-Value Agents may need to remain cryptographically verifiable for 10-25 years to satisfy regulatory retention requirements under MiFID II, Basel III, and DORA. If these trails are protected only with classical cryptography, they may become unverifiable within the retention period. AG-773 therefore prioritises financial agent governance trails for early PQC migration.
The dimension also addresses the performance implications of PQC adoption. ML-DSA-65 signatures are approximately 2.4 KB compared to 64 bytes for ECDSA P-256, and verification is roughly 3-5x slower. For high-throughput agent environments processing thousands of governance events per second, these overheads must be planned for and mitigated through efficient implementation, hardware acceleration, and architectural optimisation. AG-773 requires organisations to benchmark PQC performance impact before production deployment and to establish latency SLAs that account for the cryptographic overhead.
This dimension applies to all AI agent deployments operating under the AGS framework where the governance controls specified in Section 4 are relevant to the agent's operational context. Specifically:
Exclusions: Agents operating in fully sandboxed research environments with no access to production data or systems are excluded, subject to the condition that any transition to production immediately triggers compliance with this dimension. Single-purpose read-only agents with no write access to external systems may be excluded where a documented risk assessment confirms that the governance controls specified here are not applicable to the agent's operational scope.
Financial Services. Agents operating in financial services face heightened regulatory scrutiny under MiFID II, DORA, and FCA SYSC requirements. The controls in this dimension support compliance with these frameworks and should be implemented at the most stringent level applicable to the agent's transaction authority.
Healthcare. Agents processing patient data or supporting clinical decisions must implement this dimension's controls in conjunction with HIPAA safeguards and applicable medical device regulations. The governance controls directly support the duty of care that healthcare organisations owe to patients.
Public Sector. Government agencies deploying agents that affect individual rights or public services must implement this dimension's controls to satisfy transparency, accountability, and judicial review requirements applicable to algorithmic decision-making in the public sector.
Quantum-Resilient Cryptographic Governance addresses a governance gap that, if left unmanaged, creates systemic risk across the agent ecosystem. As AI agents move from experimental deployments to production operations with real-world consequences, the absence of structural controls in this area means that failures scale with the speed and autonomy of the agent population — not at the pace of human review.
Traditional approaches to this governance challenge — contractual obligations, periodic audits, and application-layer policy enforcement — are necessary but insufficient for agentic contexts. Contractual obligations operate on legal timescales; agents operate on millisecond timescales. Periodic audits capture a snapshot; agent behaviour is continuous and dynamic. Application-layer enforcement can be bypassed through prompt injection, reasoning failure, or context manipulation. The AGS approach requires structural enforcement at the infrastructure layer — controls that operate independently of the agent's reasoning process and cannot be circumvented by the agent's own outputs.
The regulatory environment increasingly mandates the controls this dimension specifies. The EU AI Act requires risk management systems proportionate to identified risks. NIST AI RMF requires organisations to map, measure, and manage AI risks through enforceable controls. ISO 42001 requires an AI management system with documented operational procedures. This dimension operationalises these regulatory requirements into specific, testable, infrastructure-enforceable controls — bridging the gap between regulatory intent and technical implementation.
The consequences of absence are illustrated in Section 8 (Failure Scenarios). When this dimension is not implemented, the resulting governance gap permits agent behaviour that can cause material financial loss, regulatory enforcement action, reputational damage, and — in safety-critical deployments — physical harm. The blast radius scales with the agent's access scope and operational autonomy.
Basic Implementation — The organisation has documented policies addressing quantum-resilient cryptographic and has implemented initial controls. Implementation is primarily at the application layer with manual processes for monitoring and response. Logging covers key events but may lack full metadata. Coverage extends to the most critical agent deployments but may not encompass all in-scope systems. Staff are aware of requirements but formal training may be incomplete.
Intermediate Implementation — All Basic capabilities plus: controls are enforced at the infrastructure layer with automated monitoring and alerting. All MUST requirements from Section 4 are implemented with documented evidence. Coverage extends to all in-scope agent deployments. Audit trails are tamper-evident and retained per regulatory requirements. Formal change control governs all configuration changes. Regular review cycles are established and documented. Staff receive formal training and competency is assessed.
Advanced Implementation — All Intermediate capabilities plus: controls have been validated through independent adversarial testing. Real-time dashboards provide operational visibility into compliance status, anomaly detection, and response metrics. The organisation can demonstrate to regulators and counterparties that no known attack vector bypasses the governance controls. Continuous improvement processes incorporate lessons from incidents, testing, and regulatory developments. Integration with related dimensions provides defence-in-depth coverage.
Tamper-evident audit trail. Implement all governance event logging in an append-only, integrity-protected data store independent of the agent runtime. Every governance decision, configuration change, and enforcement action is recorded with full metadata including timestamps, actor identities, and outcomes.
Scheduled governance review cycle. Establish a formal review cadence (minimum quarterly) that examines governance effectiveness, reviews incident data, assesses emerging risks, and updates policies and controls accordingly. Review outcomes are documented and tracked.
Separation of governance and agent runtime domains. Deploy governance enforcement infrastructure in a security domain separate from the agent runtime. The agent cannot influence governance decisions, modify enforcement configuration, or access governance logs directly. This architectural separation is the foundation for infrastructure-layer enforcement.
Governance by instruction rather than infrastructure. Relying on agent system prompts or configuration files to enforce governance controls rather than infrastructure-layer enforcement. Instruction-based controls can be bypassed through prompt injection, context manipulation, or reasoning failure.
Monitoring without enforcement. Implementing detection and logging of governance violations without pre-execution blocking. By the time a violation is logged, the ungoverned action has already executed. Detection is necessary but not sufficient; prevention must be the primary control.
Manual processes for machine-speed operations. Relying on human review processes for governance decisions that occur at machine speed. Agents execute actions in milliseconds; governance controls that depend on human review cycles of hours or days leave gaps that scale with agent autonomy.
Objective: Verify that hybrid signatures require both classical and PQC components to validate. Procedure: Create a hybrid ECDSA-P384 + ML-DSA-65 signature. Attempt verification with: (a) both valid, (b) classical valid / PQC invalid, (c) classical invalid / PQC valid. Expected Result: Only case (a) succeeds. Cases (b) and (c) fail. Pass Criteria: 100% correct rejection of partially valid signatures.
Objective: Confirm that the cryptographic inventory accounts for all agent credentials. Procedure: Cross-reference the cryptographic inventory against the IAM system's complete credential list for 500 agents. Expected Result: Zero discrepancies between inventory and IAM credential list. Pass Criteria: 100% inventory completeness.
Objective: Verify that PQC proxy gateways correctly translate between classical and hybrid protocols. Procedure: Legacy agent sends a classical-only signed request through the PQC proxy. Verify that the proxy re-signs with hybrid algorithm and forwards. Expected Result: Downstream system receives and validates a hybrid signature. Legacy agent's original classical signature is preserved in the audit trail. Pass Criteria: Hybrid signature validates. Latency overhead < 5 ms.
Objective: Measure hybrid signature verification latency against the 10 ms SLA. Procedure: Run 10,000 hybrid signature verifications and measure p50, p95, and p99 latencies. Expected Result: p99 latency < 10 ms. Pass Criteria: All percentile targets met.
Objective: Confirm that the annual quantum risk assessment has been completed and is current. Procedure: Verify the existence, completion date, and findings of the most recent quantum risk assessment. Expected Result: Assessment completed within the last 12 months with documented findings and migration timeline adjustments. Pass Criteria: Assessment exists, is current, and includes actionable migration recommendations.
| Evidence ID | Description | Collection Frequency | Retention Period |
|---|---|---|---|
| AG773-E01 | Cryptographic inventory with PQC migration status | Weekly | 10 years |
| AG773-E02 | Hybrid signature generation and verification logs | Continuous | 10 years |
| AG773-E03 | PQC proxy gateway throughput and latency metrics | Daily | 3 years |
| AG773-E04 | Annual quantum risk assessment reports | Annually | 10 years |
| AG773-E05 | Migration phase completion evidence and sign-off | Per phase | 10 years |
| AG773-E06 | Vendor PQC readiness assessments for third-party agents | Semi-annually | 5 years |
| AG773-E07 | Benchmark test results for PQC algorithm performance | Quarterly | 5 years |
| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No quantum-resilient cryptographic governance exists. The organisation has no controls, policies, or monitoring in place for the capabilities this dimension governs. Agent behaviour in this area is ungoverned. |
| 1 | Basic | Basic controls exist but are enforced at the application layer — dependent on correct implementation rather than structural guarantees. Coverage may be partial. Configuration is not governed through formal change control. Logging exists but may lack full metadata. |
| 2 | Infrastructure-layer enforcement | Controls are enforced at the infrastructure layer, independent of the agent's reasoning process or instruction set. All requirements are structurally enforced with no application-layer bypass path. Full audit trail with tamper-evident logging. Configuration is governed through formal change control. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities are in place and have been validated through independent adversarial testing. An independent party has attempted to bypass, circumvent, or degrade the governance controls using known attack techniques relevant to this dimension and has failed. Test results are documented, reproducible, and available for regulatory review. |
A Financial-Value Agent executing algorithmic trading strategies on EUREX generates approximately 12,000 audit trail entries per trading day. Each entry is cryptographically signed to ensure integrity for the DORA-mandated 5-year retention period and the MiFID II 7-year retention requirement. Under AG-773, starting 2026-Q3, each entry is signed with a composite signature: ECDSA P-384 (classical) concatenated with ML-DSA-65 (post-quantum). The composite signature adds approximately 3,309 bytes per entry (1,652 bytes for ML-DSA-65 signature, overhead for composite encoding). For 12,000 daily entries, this represents an additional 38.8 MB of storage per day, or approximately 14.2 GB annually. The organisation's storage cost increase is estimated at USD 142 per year (at USD 0.01/GB/month), a negligible cost against the risk of a governance trail becoming unverifiable. Signature verification latency increases from 0.3 ms (classical only) to 1.8 ms (hybrid), remaining well within the 10 ms SLA for audit trail verification.
An enterprise operating 3,400 agents across 8 business units initiates its AG-773 Phase 2 (hybrid deployment) migration. The credential infrastructure currently uses RSA-2048 for agent certificate signing and ECDH P-256 for key exchange. The migration team identifies that 2,890 agents can be migrated to hybrid (RSA-4096 + ML-KEM-768 for key exchange, ECDSA P-384 + ML-DSA-65 for signing) via automated certificate rotation. The remaining 510 agents run on legacy hardware that does not support ML-KEM or ML-DSA. For these agents, the team deploys PQC proxy gateways that terminate classical connections from legacy agents and re-encrypt/re-sign using hybrid algorithms for all external communications. Migration completes in 47 days. Cryptographic inventory dashboard shows 100% hybrid coverage (85% native, 15% proxied). Total migration cost: USD 287,000 (primarily proxy gateway infrastructure).
| Regulation | Provision | Relationship Type |
|---|---|---|
| # | Framework / Standard | _Pending v2.1 editorial review_ |
| ---- | ----------------------------------- | _Pending v2.1 editorial review_ |
| 1 | NIST SP 800-208 | _Pending v2.1 editorial review_ |
| 2 | NIST FIPS 203 (ML-KEM) | _Pending v2.1 editorial review_ |
| 3 | NIST FIPS 204 (ML-DSA) | _Pending v2.1 editorial review_ |
| 4 | NIST FIPS 205 (SLH-DSA) | _Pending v2.1 editorial review_ |
| 5 | NCSC Quantum Security Guidance | _Pending v2.1 editorial review_ |
| 6 | EU Cybersecurity Act | _Pending v2.1 editorial review_ |
| 7 | DORA | _Pending v2.1 editorial review_ |
| 8 | EU AI Act | _Pending v2.1 editorial review_ |
| 9 | BSI TR-02102-1 | _Pending v2.1 editorial review_ |
| 10 | ANSSI Post-Quantum Guidelines | _Pending v2.1 editorial review_ |
| 11 | ISO/IEC 18033-2 | _Pending v2.1 editorial review_ |
| 12 | NIST CSF 2.0 | _Pending v2.1 editorial review_ |
| 13 | PCI DSS v4.0 | _Pending v2.1 editorial review_ |
| 14 | Basel Committee | _Pending v2.1 editorial review_ |
| 15 | ETSI QSC | _Pending v2.1 editorial review_ |
| 16 | Cloud Security Alliance | _Pending v2.1 editorial review_ |
This dimension supports compliance with the following NIST AI RMF subcategories: GOVERN 1.1, GOVERN 1.6, GOVERN 6.1, MANAGE 2.2. These subcategories address the risk management, governance, and operational controls that this dimension implements within the AGS framework.
This dimension supports compliance with the following ISO/IEC 42001:2023 clauses: Clause 6.1, Clause 6.1.3, Clause 8.2. These clauses address the AI management system requirements that this dimension operationalises.
| Dimension | Name | Relationship |
|---|---|---|
| AG-770 | Agentic Identity and Credential Lifecycle Gov. | PQC requirements for credential material |
| AG-780 | Decentralised and Blockchain-Native Agent Gov. | PQC for blockchain signatures and wallet security |
| AG-771 | Cross-Jurisdictional Governance Compliance | Jurisdiction-specific cryptographic requirements |
| AG-779 | Regulatory Reporting Integrity Governance | Cryptographic integrity of regulatory submissions |
| AG-772 | Synthetic Media and Deepfake Detection Governance | Provenance manifest cryptographic resilience |
| AG-774 | Autonomous Financial Market Impact Governance | Audit trail integrity for financial market governance |