These are not fringe claims. They come from Google Quantum AI, Caltech, Stanford, the Ethereum Foundation. They were published on arXiv, coordinated with the US government, and covered in Nature under the headline “’It’s a real shock.’” Bas Westerbaan, a mathematician at Cloudflare – the company that routes a significant share of global internet traffic – was quoted saying, “It’s a real shock for us too.”

This would be alarming enough if the threat were purely forward-looking. It is not. Nation-states – principally the United States and China, but not exclusively – have been intercepting and archiving encrypted communications for years, on the reasonable assumption that quantum computers will eventually be able to read them. The strategy is called “harvest now, decrypt later,” and it means the data is already taken. What has not yet happened is the reading. And when it does happen, the readers will not be short of analytical capacity – the same period that compressed the quantum timeline also produced AI systems capable of processing, cross-referencing, and extracting intelligence from datasets at a scale that would have required entire agencies a generation ago. The archive will not be read by humans sitting at desks. It will be read by machines, very quickly.

Post-quantum cryptography can protect what is transmitted from today onwards. It cannot protect what has already been collected.

This is the kind of question that sits across multiple domains – quantum physics, cryptography, geopolitics, financial regulation, intelligence tradecraft – and cannot be answered from inside any one of them. At CanaryIQ, we track this as a cross-cutting risk with cascade impacts across financial services, defence, critical infrastructure, and healthcare. This briefing synthesises what has changed in the past twelve months, why the threat is retrospective rather than prospective, and what the implications are for anyone whose data needs to remain confidential beyond 2030.

1. The Repricing

In 1994, the mathematician Peter Shor published a paper demonstrating that a quantum computer could, in principle, break the encryption systems that protect virtually all modern digital communications. For three decades, this remained a theoretical concern. The quantum hardware required to run Shor’s algorithm at scale was so far beyond existing capability that most practitioners treated it as a problem for a future generation.

That distance has been collapsing. Here is the sequence.

In May 2025, Craig Gidney at Google Quantum AI published a paper showing that a 2048-bit RSA key – the encryption standard protecting most of the internet’s secure communications – could be factored with fewer than one million physical qubits, running for less than a week. His own previous estimate, published in 2019, was twenty million qubits running for eight hours. The qubit count fell by a factor of twenty, and the key innovations were all in how the computation is organised – better arithmetic, denser storage of idle qubits, cheaper error correction – rather than in the physical hardware. The machines did not change. The mathematics found a shorter path through them.

In February 2026, a Sydney-based startup called Iceberg Quantum pushed further, claiming the number could fall below 100,000 qubits using a more efficient error-correction architecture. Scott Aaronson’s assessment, on his blog, was characteristically measured: “I have no idea by how much this shortens the timeline for breaking RSA-2048 on a quantum computer. A few months? Dunno.” But he added the formulation that cuts through the noise: when you need to scale up qubit count by a thousand times while maintaining quality, “it becomes important to ask, well, how many years? Three? Four? Five?”

Then came the March papers.

The Google/Stanford/Ethereum Foundation paper targeted the elliptic curve cryptography that protects Bitcoin, Ethereum, and most digital signature systems. Their optimised implementation of Shor’s algorithm could break 256-bit ECC with fewer than 1,200 logical qubits and 90 million Toffoli gates – roughly a twenty-fold reduction in resources over the prior best estimate. Translated to hardware: fewer than 500,000 physical qubits, running for approximately nine minutes.

The Caltech/Oratomic paper, published the following day, proposed a new error-correction architecture for neutral-atom quantum computers. Their claim: the same class of computation could be performed with as few as 10,000 physical qubits. The approach exploits the ability of neutral atoms, held in place by laser tweezers, to be physically shuttled across the array and entangled over long distances. This cuts the ratio of physical qubits needed per error-corrected logical qubit from roughly 1,000-to-1 down to approximately 5-to-1. John Preskill – the Caltech physicist who coined the term “quantum supremacy” – is on the founding team. “I’ve been working on fault-tolerant quantum computing longer than some of my coauthors have been alive,” he said. “Now at last we’re getting close.”

I want to be precise about what these numbers mean. Every one of these results was an algorithmic or architectural improvement, not a hardware breakthrough. Nobody built a new machine. Researchers found more efficient ways to use the machines we already have blueprints for. And because algorithmic improvements compound with hardware improvements, the distance between where we are and a cryptographically relevant quantum computer – what the field calls a CRQC – is shrinking from both ends simultaneously.

The largest demonstrated neutral-atom qubit array is 6,100 atoms, assembled in Manuel Endres’s Caltech lab in September 2025 and published in Nature. The Oratomic paper says 10,000 would suffice for Shor’s algorithm. In raw qubit count, the gap between what exists and what is needed has gone from four orders of magnitude to less than one. The gap in engineering capability – achieving the error rates, gate fidelities, and sustained coherence that fault-tolerant computation requires – is larger, and nobody should confuse a trapped-atom count with a working cryptographic attack. But the direction is clear, and the distance is compressing on both axes.

Nobody knows when a CRQC will be built. The honest range is somewhere between five years and twenty, with the weight shifting towards the shorter end with every paper. But the question of when is the wrong question. The right question is what has already been taken.

2. The Harvest

There is a strategy in intelligence collection with a name that is also its explanation: “harvest now, decrypt later.” Adversaries intercept and store encrypted communications today, on the assumption that quantum computers will be able to decrypt them in the future. The encrypted data sits in archives – government data centres, private cloud environments, tape storage – for years, decades if necessary. It does not need to be read now. It just needs to exist.

This is not a theoretical concern. It is an active, acknowledged, ongoing intelligence operation conducted by multiple nation-states simultaneously.

The mechanics are mundane. Tap undersea fibre-optic cables. Record VPN traffic at network boundaries. Exfiltrate encrypted database backups. Copy email archives and cloud storage snapshots. None of this requires breaking the encryption. The attacker needs bandwidth and disk space, not a quantum computer. Storage costs have fallen roughly 95 per cent since 2010. A petabyte of archived ciphertext costs less than a mid-range car. For a nation-state with a strategic intelligence mandate, the economics are trivial: store everything, wait, decrypt later.

A clarification worth making: the quantum threat targets public-key cryptography – the RSA and ECC systems used for key exchange and digital signatures. Symmetric encryption like AES-256 is not meaningfully weakened by quantum computers. But almost all encrypted communication relies on public-key cryptography to establish the session in the first place. Break the key exchange and the symmetric layer is irrelevant – you have the key.

I want to draw out why this changes the shape of the threat, because most commentary on quantum computing focuses on the wrong date. The question everyone asks is “when will a quantum computer break encryption?” The question they should be asking is: “how long does my data need to remain confidential, and has it already been copied?”

The critical variable is the gap between data sensitivity lifespan and time-to-decryption. Diplomatic cables retain their value for decades. Weapons system designs remain sensitive for the lifetime of the platform. Intelligence source identities are sensitive permanently. Health records, biometric data, trade secrets, negotiating positions – all of these have confidentiality requirements measured in years or decades, not days. If a communication was intercepted in 2024, and a CRQC comes online in 2032, the eight-year gap is irrelevant. The data is just as compromising.

Post-quantum cryptography – the set of encryption algorithms designed to resist quantum attack – cannot retroactively protect data that has already been captured. PQC protects the future. It does nothing for the past. Every day that an organisation continues transmitting sensitive material under classical encryption is another day of plaintext-in-waiting added to an adversary’s archive.

NIST published its first post-quantum cryptographic standards in August 2024. The algorithms exist. They work. The migration path is understood. The typical estimate for PQC migration in a large enterprise is seven or more years. The sooner migration begins, the smaller the window of retroactive exposure – and for most organisations, that window is already wider than they realise.

3. The Geopolitics of the Archive

We track several risk scenarios related to quantum cryptographic disruption, including the cascade effects on financial infrastructure, government communications, and critical systems. The geopolitical dimension is where the risk compounds most dangerously.

The United States and China accuse each other of large-scale data harvesting, and both accusations are almost certainly accurate.

The former FBI director described China’s hacking programme as “bigger than every other major nation combined.” China’s Ministry of State Security responded by accusing the NSA of “systematic” attacks to steal Chinese data. Neither denial is credible. The intelligence logic is identical on both sides: if your adversary’s encrypted traffic will eventually become readable, and the cost of collecting and storing it is low, the rational strategy is to collect everything and sort it out later. Both the United States and China are rational.

Russia, Iran, and several other states are running the same playbook at smaller scale. The Five Eyes alliance has the most extensive signals intelligence infrastructure for collection. China has the most aggressive state-backed cyber espionage capability for targeted exfiltration. The result is a global intelligence competition in which the prize is not today’s secrets, but tomorrow’s ability to read today’s secrets.

China’s Dual-Track Strategy

Beijing’s position reveals the strategic logic most clearly, because it is doing both things at once: building quantum computers to attack others’ encryption, and building its own post-quantum defences to protect its own.

In February 2025, China launched the Next-Generation Commercial Cryptographic Algorithms Programme – its own PQC initiative, independent of NIST’s standards. This is not duplication. It is strategic distrust. Beijing is unwilling to rely on American-designed cryptographic standards to protect Chinese state communications, and may be concerned that NIST’s standards contain weaknesses that Western intelligence agencies could exploit. The submission deadline for new algorithms is June 2026. China expects to have its own national PQC standards within three years.

The quantum computing ecosystem backing this is deeper than most Western commentary acknowledges. Origin Quantum’s 72-qubit Wukong processor handled over half a million computing jobs in its first year of commercial operation. China Telecom’s Tianyan platform provides cloud access to superconducting systems totalling 880 qubits across four machines. QuantumCTek, now controlled by a state-owned enterprise, supplies the hardware for China’s national quantum key distribution backbone: a fibre-optic network connecting Beijing to Shanghai that has been operational for years.

US export controls on quantum technology were designed to slow China down. In our assessment, the effect has been the opposite: a crash programme in domestic manufacturing across dilution refrigerators, cryogenic electronics, and photonic components, with funding pouring into every major qubit modality simultaneously. We see the same pattern in our semiconductor export controls analysis – restrictions that hand domestic manufacturers a political mandate and a captive market.

The dual-track logic is clean. Defend your own future communications with quantum-resistant cryptography. Hoard everyone else’s current communications for future decryption. That is not paranoia, it is game theory.

The Asymmetry That Matters

Here is the strategic point that most analysis misses: China does not need to build the first CRQC to benefit from the harvest. It only needs to build one eventually. The archive is patient. Every year of delay in Western PQC adoption is another year of retroactively decryptable material added to the pile.

The inverse is also true. Every year of Western intelligence collection against Chinese targets creates an archive that a future American or allied CRQC could unlock. The race is not merely to build the machine. It is to have accumulated the largest, most strategically valuable archive by the time someone does.

4. The Classification Problem

There is a historical precedent that makes this story more uncomfortable, not less.

Public-key cryptography (the mathematical system that underpins virtually all modern encryption), was invented by Whitfield Diffie and Martin Hellman in 1976, and implemented as RSA by Rivest, Shamir, and Adleman in 1977. This was the accepted history until 1997, when GCHQ declassified documents revealing that British mathematician Clifford Cocks had described an equivalent system in an internal memo in 1973. Three years before the academic world “invented” public-key cryptography, a British intelligence agency already had it and kept it secret.

The gap between what a nation-state knows and what it discloses is determined by strategic advantage, not scientific norms.

Google’s ECDLP paper, published in March 2026, contains a line that deserves more attention than it has received: “It is conceivable that the existence of early CRQCs may first be detected on the blockchain rather than announced.” This is Google Quantum AI stating that a state actor might achieve cryptographic quantum capability and choose not to tell anyone. The first sign would not be a press conference. It would be Bitcoin moving out of wallets whose private keys should be unknowable. There are roughly 6.9 million Bitcoin in addresses with exposed public keys. At current prices, that is a very large incentive.

Scott Aaronson, reading the March 2026 results, reached for the comparison that matters:

When I got an early heads-up about these results—especially the Google team’s choice to “publish” via a zero-knowledge proof—I thought of Frisch and Peierls, calculating how much U-235 was needed for a chain reaction in 1940, but not publishing it, even though the latest results on nuclear fission had been openly published just the year prior. Will we, in quantum computing, also soon cross that threshold?

He was asking whether quantum computing was approaching that threshold – the point at which a result is too dangerous to publish in full.

The cryptography community pushed back. Their position, grounded in decades of vulnerability disclosure practice: you publish. If publishing causes people still running quantum-vulnerable systems to panic, then perhaps that is exactly what needs to happen right now.

Both sides are probably correct.

Google chose a middle path. It published its ECC results via a zero-knowledge proof – a cryptographic technique that lets independent researchers verify the result without revealing the attack circuit. This is the first time a major mathematical result has been announced this way. The team coordinated with the US government before publication and is proposing this framework – responsible disclosure via zero-knowledge verification – as the norm for future quantum vulnerability research. The cryptography community is, in real time, developing its own classification culture.

That alone should tell you how close the field believes we are.

5. What This Means For You

The leaders have already moved. Chrome, Signal, and iMessage already use post-quantum key exchange. Google has set a 2029 deadline for completing its full internal post-quantum cryptography migration. Cloudflare – which handles over 20 per cent of human web traffic – announced in April 2026 that it is matching that 2029 target, explicitly citing the March papers as the reason for accelerating. NSA’s CNSA 2.0 mandates quantum-resistant cryptography for all new national security systems by January 2027. NIST’s published timeline calls for quantum-vulnerable algorithms to be deprecated after 2030 and disallowed after 2035.

The consumer platforms and infrastructure providers are migrating. The question is whether enterprises, governments, and financial institutions – the organisations holding the data that intelligence agencies actually want – are keeping pace. Most are not. If you are behind these timelines, you are behind the organisations whose threat modelling you should be matching.

The calculation is blunt. Take the number of years your most sensitive data must remain secret. Add the number of years it will take to complete PQC migration. If that sum exceeds the number of years until a CRQC becomes available, you are already exposed – and every month of inaction widens the window.

If you hold long-lived secrets – government agencies, defence contractors, financial institutions, healthcare organisations, critical infrastructure operators – begin cryptographic inventory immediately. Identify which systems rely on RSA, ECC, or other quantum-vulnerable algorithms. Prioritise migration based on data sensitivity lifespan. Start with key exchange protocols, where PQC can be deployed in hybrid configurations alongside classical encryption, and work outward.

If you are a policymaker, the structural observation is this: the quantum threat has inverted the traditional timeline of cybersecurity risk. Normally, the attack comes first and the defence follows. Here, the collection has come first. The attack will follow whenever the hardware matures. Regulatory frameworks that treat quantum risk as a future concern are mispricing the present.

If you are an investor, the signal is the pace of algorithmic compression. The qubit estimates for breaking RSA-2048 have dropped by roughly twenty times per publication cycle. The estimates for ECC have dropped faster. The companies and sectors most exposed are those holding large quantities of classically encrypted long-lived data – financial services, healthcare, government contracting, critical infrastructure – and those that have not begun PQC migration planning. In our view, the market has not priced this.

Conclusion

Quantum computing has spent three decades as a future problem. In the past twelve months, a series of papers from Google, Caltech, Stanford, and others have repriced the distance between now and the point at which modern encryption breaks. The estimates moved by orders of magnitude, and they moved in one direction.

But the repricing is not the threat. The threat is the archive – the collection of encrypted data that has been building for years, waiting for the moment it becomes readable. Post-quantum cryptography can protect what is transmitted from today onwards. It cannot protect what has already been taken. And every day of continued transmission under classical encryption adds to the pile.

The averaged expert estimate of a cryptographically relevant quantum computer emerging within the next ten years was between 28 and 49 per cent in 2025 – the highest in the seven years that figure has been tracked – and will likely be higher still this year as a result of the recent publications. The infrastructure companies have set their deadlines. The standards bodies have published their timelines. Governments have been filling their archives for a decade.

What cannot be undone is already done. What can still be controlled is what happens from here. The standards exist. The migration paths are published. The engineering is understood. The only thing missing – and it is the only thing that matters now – is the decision to start.

CanaryIQ maintains analytical positions on quantum computing, post-quantum cryptography, semiconductor supply chains, and AI infrastructure, along with risk scenarios covering technology export controls, signals intelligence escalation, and cryptographic disruption cascades. This briefing draws on that work.

For as long as organisations and governments have existed, effort has been the invisible governor on what gets built, what gets reformed, and what gets attempted. Ideas die not because they are bad, but because the cost of testing them is too high. Backlogs grow not because nobody cares, but because nobody has the bandwidth. This constraint has been so universal, so deeply embedded in how we plan and prioritise, that we have stopped noticing it. It is simply the water we swim in.

That constraint is now collapsing. The emergence of autonomous AI agents – systems that can be given a goal and trusted to deliver it continuously, at high quality, with minimal human intervention – has fundamentally altered the economics of knowledge work. This is not a projection about what might happen in five years. It is a description of what is already happening, today, at the leading edge of software engineering. And what begins in software will not remain in software.

This briefing sets out what has changed, why it matters, and what decision-makers in both the private and public sectors need to understand now – before the window for coherent response narrows further.

1. What Has Changed

In late 2025, a series of capability upgrades to the leading AI coding agents crossed a threshold that practitioners immediately recognised as qualitatively different from what came before. The most prominent of these tools is Claude Code, Anthropic’s autonomous coding agent, though similar capabilities are emerging across the industry.

AI coding assistants have existed for several years. The good ones were genuinely useful: tools that might make a competent engineer two or five times more productive. But the early-2026 generation is not a better assistant. It is, for most practical purposes, a replacement for the engineer. The system can be given a well-defined goal – build this feature, fix this system, refactor this architecture – and trusted to deliver it autonomously, at production quality, correcting its own errors along the way.

The numbers bear this out. Claude Code crossed one billion dollars in revenue by November 2025. Word-of-mouth exposure surged thirteen percentage points between late December and January 2026, according to data from Caliber. In mid-January, a Google principal engineer publicly stated that Claude had reproduced a year of architectural work in a single hour. Microsoft – which sells its own competing product, GitHub Copilot – has reportedly adopted Claude Code internally across major engineering teams. The creator of Claude Code, Boris Cherny, tweeted that he and his team now complete near 100% of work using Claude1.

I can speak to this from direct experience. Over the past six weeks, I have built six internal tools that have materially improved how I work. Each of these would previously have been a multi-week project requiring sustained coding effort. Each now took between two and six hours, with Claude Code doing the vast majority of the implementation work. In aggregate, I am completing what would previously have constituted roughly a year of professional development work every two to three weeks.

I want to be precise about what I mean by this, because the claim sounds extraordinary. I do not mean that I am doing rough, prototype-quality work at high speed. I mean that the finished output – the code, the architecture, the test coverage, the documentation – is at or above the standard I would previously have produced myself, and it is being delivered at a rate that no human team could match.

2. Why This Extends Beyond Software

The natural objection is that this is a story about software engineering, and software engineering is a special case. Code is structured, testable, and unambiguous. Surely the messier domains of law, finance, medicine, and policy are different.

They are different – for now. But the gap is closing faster than most observers appreciate, and understanding why requires seeing what code actually is. Code is not a technical curiosity. It is a well-defined way of expressing process: sequences of reasoning, transformation, verification, and execution, arranged to achieve some outcome. All knowledge work, when you examine it closely enough, reduces to process of some form. The difference between software engineering and, say, contract review or financial analysis or policy drafting is not a difference in kind. It is a difference in how explicitly the process has been formalised.

The evidence that AI agents are already moving into adjacent domains is substantial. In law, firms are deploying AI for contract analysis, due diligence, and compliance review. A survey of nearly 2,300 knowledge workers published in late 2025 found that 81 per cent had used AI-powered tools to start or edit their work at least once. In accounting and audit, agentic AI systems are now performing invoice processing, reconciliation, anomaly detection, and compliance workflows with decreasing human oversight. In finance, 68 per cent of hedge funds now use AI for market analysis and trading strategies, and AI-managed robo-advisory assets exceed 1.2 trillion dollars globally.

These are not speculative applications. They are in production today. The pattern is consistent: AI enters a domain, initially handling routine and well-structured tasks, and then – as the models improve and as practitioners learn how to direct them – moves progressively up the complexity curve. In accountancy, Deloitte and others are already describing a future in which the mid-tier of knowledge work is hollowed out, leaving an “hourglass” workforce concentrated at junior (AI-supervisory) and senior (strategic) levels. The same structural pressure will apply across every knowledge profession.

3. Three Structural Shifts

3.1 The Repricing of Labour

Claude Code costs approximately two hundred dollars per month at the individual tier. A competent senior software engineer in a major market commands a salary well north of $250,000 per annum. For roughly one per cent of that cost, an organisation can now access something that produces not ten times the output, but orders of magnitude more.

This is not a productivity gain in any conventional sense. It is a repricing of labour. The historical parallel is not the introduction of better tools to an existing workforce – it is the introduction of the power loom, which did not make weavers more productive but rendered the economics of hand-weaving untenable.

The comparison is not exact, of course. The power loom took decades to diffuse through the textile industry, constrained by the capital required to build factories and install machinery. AI agents face no such constraint, which brings us to the second shift.

3.2 Near-Zero Adoption Costs

Every previous industrial revolution placed its capital burden squarely on the balance sheets of individual firms. Factories had to be built. Machines had to be purchased. Infrastructure had to be installed and maintained. The result was that adoption was slow, uneven, and gated by access to capital.

This time, the capital costs are borne upstream. A small number of companies – Anthropic, OpenAI, Google, Meta, and xAI among them – have invested tens of billions of dollars in model training, infrastructure, and compute. Their customers need invest almost nothing. Capability is rented instantly, scaled elastically, and priced at a level that is functionally trivial for any organisation of meaningful size.

This collapses the time between intent and execution. When a factory had to be built, there was a multi-year lag between a firm deciding to adopt a new technology and actually deploying it. When capability can be rented by the hour, the lag is measured in days or weeks. The traditional buffers that gave firms, workers, and governments time to adapt – the lead time of capital investment – are largely absent. Gartner’s own hype cycle analysis now places AI agents at the Peak of Inflated Expectations, but with the critical caveat that unlike most technologies at that point, the underlying capability is already production-grade.

3.3 Expertise as a Depleting Asset

Deep, specific expertise still matters. There are moments when an AI agent needs to be pointed toward exactly the right documentation, the right regulatory nuance, the right domain-specific edge case. A skilled practitioner directing an AI agent will outperform an unskilled one.

But expertise is no longer a durable moat. It is a depreciating asset. Each time an expert’s knowledge is used to direct an AI system, that interaction becomes training data, documentation, or a codified workflow. The knowledge transfers from the individual to the system. What was once a career’s worth of accumulated insight becomes, progressively, a set of instructions that anyone can invoke.

Consider what has already happened in software engineering. Two years ago, deep expertise in a specific programming framework or infrastructure stack was a genuinely scarce and valuable commodity. Today, Claude Code can navigate those frameworks with a fluency that matches or exceeds most human practitioners, because the collective expertise of the field has been absorbed into the model. The experts who remain most valuable are those who can identify which problems to solve – not those who know how to solve them. The distinction between strategic judgement and technical execution has never been starker.

4. The Core Implication: Effort Is No Longer a Constraint

The three shifts above are important, but none of them is the most important thing. The most important thing is this: effort itself has ceased to be a binding constraint on what can be attempted.

This is the highest-impact change in the entire transition, and it is the one that decision-makers most consistently fail to internalise. For decades, the limiting factor on what got built, reformed, or investigated was not imagination or even resources in the abstract. It was the sheer human effort required to move from idea to execution. The cost-benefit calculation killed ideas before they were ever tested. The internal tool that would save three hundred hours a year was never built because it would take eight hundred hours to create. The policy analysis that might have revealed a better approach was never conducted because no team had the capacity. The legacy system that everyone knew was failing was tolerated because replacing it was a two-year project.

That calculus has changed, decisively. When the effort required to build, test, and deploy a solution drops by one or two orders of magnitude, the entire landscape of what is “worth doing” is redrawn.

For businesses, the implications are immediate. Every firm of any age has a backlog of “too hard” work: internal tools never built, legacy systems never replaced, process inefficiencies tolerated for years because the effort to fix them exceeded the pain of living with them. That backlog is now liquidatable. The firms that move first will not merely gain efficiency. They will gain the compounding advantage of having fixed problems that their competitors are still living with.

For governments, the implications are more profound and more uncomfortable. State capacity has always been constrained by administrative effort: the drafting, coordination, review, consultation, and enforcement that any policy action requires. This is not a failure of intent. It is a structural feature of governance, one that shapes what policies are feasible and what reforms are attempted. When the effort required for these activities collapses, governments face a stark choice. Those that harness the change will find that policy interventions previously dismissed as “too complex” or “too resource-intensive” become achievable. They could, for example, conduct regulatory impact assessments in days rather than months, maintain living legislative codifications that update automatically as new case law emerges, or run continuous compliance monitoring across entire sectors. Those that do not adapt will find themselves outpaced not just by other states, but by private actors whose execution velocity has accelerated by orders of magnitude.

5. The Timeline

The lag between the leading edge – where I am writing from now – and mainstream adoption is twelve to twenty-four months. This estimate is grounded in three observations.

First, the adoption curve for AI is compressing dramatically relative to historical precedent. Deloitte’s 2026 Tech Trends report notes that a leading generative AI tool reached one hundred million users in two months, compared to fifty years for the telephone and seven years for the internet. More pointedly, AI agent adoption does not require hardware procurement, physical infrastructure, or long implementation cycles. It requires a subscription and a willingness to experiment. The adoption friction is near zero.

Second, the “holiday effect” of December 2025 demonstrated how fast adoption can move when practitioners have time to experiment. Claude Code’s viral adoption over the winter break showed that the barrier to adoption is not capability or cost. It is attention and habit. As awareness spreads through professional networks, adoption follows rapidly.

Third, competitive pressure will force the hand of laggards. Once early adopters demonstrate order-of-magnitude productivity gains, organisations that fail to follow will face an existential cost disadvantage. This is not a technology that firms can afford to “wait and see” on, because by the time the results are visible, the gap may already be insurmountable. Microsoft’s data shows global generative AI adoption reached 16.3 per cent of the world’s population in the second half of 2025, up from 15.1 per cent in the first half – and that figure understates enterprise adoption, which is moving considerably faster.

Twelve to twenty-four months is not a comfortable window. It is barely enough time to understand the problem, let alone respond to it in any coordinated way.

6. What This Means For You

If you run a business, the question is not whether to adopt AI agents but how fast you can integrate them into your operations without destabilising what already works. Begin with the backlog. Every organisation has one: the list of things that everyone agrees should be done but nobody has the resources to do. That list is now your highest-return investment. A single competent generalist, working with current AI tools, can liquidate years of accumulated technical and operational debt in months.

If you manage or advise on policy, the imperative is to understand that the administrative effort constraint – the single biggest structural limitation on state capacity – is dissolving. This creates opportunity and risk in equal measure. The opportunity is a step-change in what government can accomplish. The risk is that private-sector actors, unconstrained by the deliberative processes of democratic governance, will move so much faster that the regulatory environment becomes permanently reactive.

If you are a knowledge worker, the honest assessment is this: your value as a pure executor of well-defined tasks is declining rapidly. The value that remains – and it is real and substantial – lies in judgement, in the ability to identify which problems matter, in the capacity to navigate ambiguity and politics and human relationships, and in the wisdom to know when the machine’s output is wrong. These are not skills that most organisations currently hire for, train for, or reward. That will need to change.

Conclusion

Effort, until now, has been the invisible governor on everything we build, everything we govern, and everything we choose not to attempt. It has shaped our institutions, our strategies, our career structures, and our sense of what is possible.

The governor has been removed.

What follows from that fact –in business, in government, and in the structure of professional life – will be determined by how quickly and how honestly we reckon with it. The temptation will be to wait for certainty, for the technology to mature, for best practices to emerge, for someone else to go first. That instinct is understandable. It is also, in this case, a serious strategic error.

It is always worth remembering that silicon – as in rocks, albeit very complicated rocks – is what we are teaching to do all of this.