Identity Refined at the Quantum Gate: Framing the AI + Post-Quantum Challenge for IAM
DOI: https://doi.org/10.56147/aaiet.1.6.78

Keywords:
- Identity and Access Management (IAM),
- Post-Quantum Cryptography (PQC),
- Artificial Intelligence (AI),
- Risk-Based Authentication (RBA),
- Account recovery,
- Passkeys,
- FIDO2,
- WebAuthn,
- Verifiable Credentials (VC 2.0),
- Machine/Non-Human Identities (NHIs),
- Crypto-agility,
- Key rotation,
- ML-KEM (Kyber),
- ML-DSA (Dilithium),
- SLH-DSA (SPHINCS+),
- Explainable AI (XAI),
- Migration strategy,
- Q-day readiness
Abstract
Identity & Access Management (IAM) is being reshaped by two concurrent forces: (i) the use of Artificial Intelligence (AI) to turn rich telemetry into policy decisions and (ii) the migration to Post-Quantum Cryptography (PQC) across credentials, certificates and protocol touchpoints. We argue that the most consequential risks live in the seams: account recovery/reset, Non-Human Identities (NHIs) and crypto-agile upgrades, where attackers concentrate and operations are fragile. This paper contributes four things. First, it frames a precise problem statement that links AI decisioning pipelines (signals → models → policies → evidence) with PQC adoption realities (artifact sizes, timing, interop and governance). Second, it organizes the landscape into a literature/practice map for AI-in-IAM and PQC-in-IAM that practitioners can immediately use for scoping. Third, it reports results from three small, reproducible experiments designed for teaching and early planning: a policy-level risk simulation spanning sign-in and recovery (risk-based control stops ~81% of simulated fraud vs. ~63% for a static baseline while reducing legitimate friction from ~38% to ~25% at ~+50 ms p95 decision latency); an overhead model for PQC artifacts showing modest size-driven latency on typical enterprise links (incremental over RTT on the order of ~1–6 ms); and a micro-pilot comparing passkeys to password+OTP (median sign-in time ~7.2 s vs. ~12.1 s; completion ~97% vs. ~92%; support tickets 6 vs. 10 per 100 users). Finally, it outlines a research agenda for recovery governance, machine identity attestation and rotation, crypto-agile policy engines and explainability/appeals. All datasets are synthetic to enable easy replication without sensitive data.
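The size-driven overhead model summarized above can be reproduced in a few lines. The example below is an added illustration written for this page, not the paper's own model or code: it uses the published FIPS 203/204/205 artifact sizes for the parameter sets named in the keywords, assumes a TLS-style server flight (key-exchange share, handshake signature, and one public key plus one signature per certificate in a two-certificate chain), and adds one caveat the abstract does not cover, namely whether the larger flight spills past the TCP initial congestion window and so costs a whole extra round trip.

```python
# Artifact sizes in bytes. Classical: uncompressed P-256 point and a worst-case
# DER-encoded ECDSA signature. PQC: FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA).
ARTIFACT_BYTES = {
    "p256-pubkey": 65, "ecdsa-p256-sig": 72,
    "ml-kem-768-ciphertext": 1088, "ml-kem-768-pubkey": 1184,
    "ml-dsa-65-pubkey": 1952, "ml-dsa-65-sig": 3309,
    "slh-dsa-128s-pubkey": 32, "slh-dsa-128s-sig": 7856,
}
MSS = 1460              # TCP payload per segment, assuming an Ethernet MTU
INITCWND_SEGMENTS = 10  # RFC 6928 initial congestion window

def server_flight_bytes(kex: str, sig: str, pub: str, chain_len: int = 2) -> int:
    """Cryptographic bytes in the server's first flight: the key-exchange share,
    the handshake signature, and (public key + signature) for each certificate.
    Other certificate fields are ignored because they do not change with PQC."""
    a = ARTIFACT_BYTES
    return a[kex] + a[sig] + chain_len * (a[pub] + a[sig])

def serialization_ms(nbytes: int, bandwidth_mbps: float) -> float:
    """Time to clock nbytes onto a link of the given bandwidth (bits / bits-per-ms)."""
    return nbytes * 8 / (bandwidth_mbps * 1_000)

def extra_round_trips(nbytes: int) -> int:
    """Extra RTTs imposed by slow start: the first flight may carry initcwnd
    segments and each following flight twice the previous (simplified, no loss)."""
    sent, cwnd, flights = 0, INITCWND_SEGMENTS * MSS, 0
    while sent < nbytes:
        sent += cwnd
        cwnd *= 2
        flights += 1
    return max(flights - 1, 0)

def pqc_overhead(bandwidth_mbps: float, rtt_ms: float) -> dict:
    """Incremental cost of ML-KEM-768 + ML-DSA-65 over ECDH P-256 + ECDSA P-256."""
    classical = server_flight_bytes("p256-pubkey", "ecdsa-p256-sig", "p256-pubkey")
    pqc = server_flight_bytes("ml-kem-768-ciphertext", "ml-dsa-65-sig", "ml-dsa-65-pubkey")
    size_ms = serialization_ms(pqc - classical, bandwidth_mbps)
    rtt_penalty_ms = (extra_round_trips(pqc) - extra_round_trips(classical)) * rtt_ms
    return {"classical_bytes": classical, "pqc_bytes": pqc,
            "size_driven_ms": round(size_ms, 2), "extra_rtt_ms": rtt_penalty_ms}

if __name__ == "__main__":
    for mbps in (20, 100, 1000):   # typical enterprise link speeds, assumed
        print(f"{mbps} Mbps:", pqc_overhead(mbps, rtt_ms=30))
```

On the assumed 20 to 100 Mbps links the pure serialization delta lands in the 1 to 6 ms band the abstract reports, but the ML-DSA-65 flight alone already exceeds the 14,600-byte initial window, so the cwnd check is worth running against real certificate chains before concluding that only serialization matters.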