Quantum Is Coming for Your Supply Chain

You know a session lands when people start photographing every slide.

Danny Thompson, Chief Solutions Officer at apexanalytix, packed the room at Gartner Supply Chain Symposium/Xpo in Barcelona and delivered one of the clearest, most unsettling talks of the week.

Unsettling in the best way, the kind where you leave with a list of notes and a slightly elevated heart rate. 

For those of you who couldn’t make it, here’s the recap.

A Quick Lesson In Physics

Danny opened with Schrödinger’s Cat, which sounds like a philosophy detour until it isn’t. 

The way classical computing has always worked: a bit of information is either on or off, one or zero, Binary, one-dimensional. That’s the foundation every chip, every server, every encrypted file has been built on for decades. 

A quantum bit, also known as a qubit, works differently. It doesn’t resolve into a yes or a no until you measure it. Until that moment, it exists across a multi-dimensional space, holding multiple states simultaneously, processing an enormous amount of information at a speed that makes classical computing look like a rotary phone. The cat is alive. The cat is dead. Until you open the box. 

That’s the architecture. And it has two sides. 

The Bright Side: Quantum computing can detect risk faster than any model running today. It can run remediation scenarios at scale, identifying the optimal mitigation path across thousands of variables in the time it currently takes to pull a report. Earlier signals, better models, faster decisions. 

The Dark Side: The same computing power that helps you see risk coming helps bad actors dismantle the encryption protecting your supplier contracts, financial transactions, and operational data. And according to a Gartner report Danny cited, that dark side is closer than most organizations want to believe. 

Within three to four years, the encryption models protecting the vast majority of companies will be rendered unsafe by quantum-powered attacks. Within seven years, all pre-quantum cryptography is broken…

Completely.

They’re Already Collecting Your Data

Bad actors aren’t waiting for the quantum computers to arrive before they start. They’re harvesting encrypted data right now, storing it, and planning to decrypt it once the compute power catches up.

That practice has a name, known as “harvest now, decrypt later.” It means anything transmitted today that isn’t quantum-resistant is already compromised in principle, sitting in someone’s storage, waiting. 

The survey numbers Danny shared made the room quiet.

1. 81% of IT leaders say they aren’t ready to even start migrating to quantum-level encryption.
2. 91% of companies have no roadmap. Only 19% have set short-term maturity goals. 

That’s not a preparedness gap. That’s a structural exposure most organizations aren’t even tracking. 

Three Actions Organizations Should Take Now

Danny was specific about what to do, which is rare and genuinely useful at a conference full of well-framed problems with no actionable exit. He gave the audience three clear directives, not as a future roadmap but as present-tense requirements. 

1. Adopt a quantum model for risk evaluation. 

Most supplier risk management solutions work the same way: they listen for risk signals, and when one comes in, they alert a risk manager to go evaluate it. The volume problem with that model is well documented. Risk teams are drowning in signals, most of which don’t require action, and the noise makes it nearly impossible to prioritize what does. 

The quantum model flips the logic. Rather than alerting on every signal, it evaluates each signal automatically in context before deciding whether a human needs to be involved.

Context meaning: 

• Which supplier is involved
• What they provide
• The business impact of a disruption
• Geographic exposure
• Sub-tier supplier dependencies

To make the point, Danny borrowed an analogy from Suzie Petrusic’s session, Strategic Resilience in a Volatile World: What CSCOs Must Do.

A hailstorm is coming. Do you panic?

It depends entirely on whether the car in your driveway is a 2004 offroad SUV or a brand new Bentley, and whether you have a garage to pull it into. Same storm, completely different response. The risk fact is identical. The context changes everything. 

The apexanalytix platform operationalizes that logic. Every supplier, part, geography, and raw material is mapped on a risk-versus-impact matrix. The suppliers sitting in the top-right quadrant, high risk, high impact, are the ones that surface for prioritization.

Click into any of them and the system maps the full picture: the product being manufactured, the sales orders booked against it, the bill of materials, the tier-one suppliers, their risks, the sub-tier suppliers behind them, all the way down to where data is available.

Where it runs out, AI can generate the next level of mapping to fuel a supplier conversation. Contextualized risk assessment at every node, so the decision to act or not act is grounded in the full picture, not just the signal.

2. Build a migration plan to post-quantum cryptography. 

NIST and several other organizations have published post-quantum cryptography standards that are expected to withstand quantum-powered attacks. The standards exist. The path exists.

What most organizations are missing is the starting point: a cryptography inventory. This begs us to ask:

Which systems are exposed? Which third parties are exposed? What’s the migration sequence, and who owns tracking it? 

Danny outlined a three-step approach:

1. Understand your exposure across IT systems, operational technology, and critical third parties
2. Build a migration roadmap to post-quantum encryption
3. Track that migration so nothing falls through.

The supplier piece matters as much as the internal piece. If your supplier’s systems are vulnerable, your data that lives in their environment is vulnerable too. Part of this work is education. Helping your suppliers understand what’s coming and what they need to do about it. 

3. Prepare to take advantage of quantum when it arrives. 

This is the forward-looking piece, and Danny was direct about the organizational commitment it requires.

Treat quantum the same way serious companies are treating generative AI right now. That means:

• Dedicated focus on quantum readiness
• Dedicated talent and internal expertise
• Dedicated investment in data foundations and API integrations that enable rapid adoption when quantum compute becomes commercially viable

The organizations that lead won’t be the ones who react when quantum computing matures. They’ll be the ones who already embedded risk intelligence into their operating flows, built the semantic layer, and made their data AI-ready (eventually quantum-ready), before they needed it. 

How apexanalytix Is Preparing Clients Today

Danny didn’t just describe the problem. He walked through what’s already in production. 

All apexanalytix platforms are post-quantum encrypted, in motion, and at rest. If your data is in an apexanalytix solution today, it is already protected at the level the rest of the market is still building a roadmap to reach. Most clients deploy in a private cloud hosted in a secure apexanalytix facility, which adds another layer of protection against quantum-level attacks. 

Inside the risk management solution, quantum readiness assessments for suppliers are prebuilt. The platform segments suppliers to prioritize engagement, captures their readiness plans, uses large language models to interpret and score those plans, and tracks supplier progress until completion. The LLMs doing that work run on NVIDIA hardware inside apexanalytix’s private, on-prem environment. Client data doesn’t touch a public cloud unless the client explicitly chooses it. That’s not a marketing commitment. It’s an architectural one. 

And then there’s QubitOn, which launched within the last month and was a centerpiece of Danny’s session. QubitOn makes the entire apexanalytix supplier data infrastructure available through APIs, including:

• Address validation
• Tax and ID verification
• Bank account verification
• Business registration validation
• Data enrichment
• Cyber risk signals
• Sustainability data
• Compliance information

The platform connects to more than 1,200 external data sources and is anchored to a golden record database of 280 million suppliers worldwide.

Danny also walked through a practical example: upload a supplier document containing addresses, contacts, operating locations, and SOC 2 reports, then generate a due diligence report. The system returns sanctions screening, tax ID verification, business registration validation, bank account verification, routing and account status checks, and in some countries, confirmation that the bank account owner matches the supplier.

That’s not a roadmap feature. It’s operational today.

The entire stack, including QubitOn and the risk management platforms, is MCP-enabled and integrates directly with Claude and other major language models, making the intelligence accessible wherever the work is happening.

The Window to Prepare Is Closing

Every piece of Danny’s session pointed to the same conclusion.

The organizations that survive the quantum shift are not waiting for it to arrive. They’re building the data foundation now. They’re migrating encryption now. They’re embedding risk intelligence into operating processes now, so that when the compute power becomes commercially available, they can take advantage of it rather than scrambling to defend against it. 

The companies that wait for the box to be opened before deciding what to do about the cat will not like what they find. 

The slides are worth your time. So is a conversation with the team.

Check out the link to the full presention here.