Vendors Are Selling Quantum-Safe Industrial AI. Nobody Has Proven It Actually Is.

The industrial edge AI market has found its pitch.

Vendors are now selling "quantum-safe" infrastructure to factories, grids, and defense contractors — a category that did not exist two years ago. The timing is not accidental. The National Institute of Standards and Technology finalized its first post-quantum cryptography standards in late 2024 (CyberArk). The Department of Defense has mandated cryptographic inventory and migration planning across all operational technology and IoT systems (BusinessWire). And industrial hardware runs for 15 to 30 years, meaning systems deployed today will still be in service past the 2035 deadline when NIST expects quantum-vulnerable algorithms to be prohibited (BusinessWire).

That is a real problem. It is not clear the solution being sold solves it.

Patero and Orilla announced a partnership on May 13 to sell exactly this. Patero, a startup based at the Quantum Startup Foundry at the University of Maryland, calls itself a pioneer in post-quantum encryption. Orilla sells edge-native industrial AI software. Together, they are offering what their press release calls "quantum-safe AI infrastructure" for the industrial edge (BusinessWire).

The press release is the entirety of the public evidence.

When asked for technical documentation or audit reports confirming implementation of specific NIST post-quantum algorithms, neither company provided documentation beyond the press release.

Nobody outside the two companies has published a technical whitepaper, audit report, or certification document confirming that their platform actually implements any of the NIST-standardized post-quantum algorithms — FIPS 203 (ML-KEM, formerly CRYSTALS-Kyber), FIPS 204 (ML-DSA, formerly CRYSTALS-Dilithium), or FIPS 205 (SLH-DSA, formerly SPHINCS+) (SDxCentral). No entry exists for either company in NIST's Cryptographic Module Validation Program database. No independent cryptographer has reviewed their implementation. The phrase "quantum-safe" appears throughout the announcement; the word "audit" does not appear at all.

This is not unique to Patero and Orilla. It is the state of the market.

"We've been asking the same question about every vendor in this space," said one cryptography researcher at a major technology company who asked not to be named because their employer has pending procurement decisions. "Anyone can claim quantum-safe. The question is whether they can show you the code, the testing, and the certification. Most cannot." The researcher and independent analysts who track industrial infrastructure purchasing patterns agree on the underlying dynamic: genuine security urgency and vendor sales urgency are not the same thing. The gap between them is where procurement decisions get made before the evidence exists to evaluate them.

The Shanghai University result from October 2024 — where researchers cracked a 22-bit RSA key using a quantum computer — is frequently cited by vendors as evidence of an accelerating threat. The actual implications are more constrained. A 22-bit key is orders of magnitude smaller than the 2048-bit RSA keys protecting most industrial communications. The result demonstrates direction of travel, not proximity to practical compromise. Expert consensus, as reflected in NIST's timeline, places cryptographically relevant quantum computers at least a decade away for most practical purposes (CyberArk).

The DoD mandate is real. The NIST timeline is real. The 15-to-30-year industrial lifecycle is real. The gap is between the threat and the verifiable evidence that specific implementations are quantum-safe. That gap is where the sales narrative lives.

This has a structure that will be familiar to anyone who watched the Y2K market form. A genuinely important long-term problem — the millennium bug, the quantum decryption threat — becomes the justification for immediate infrastructure purchases. The urgency is real. The timing alignment between that urgency and organizations' existing capital expenditure cycles is not always coincidental. The specificity of what the money buys is not always clear until after the contract is signed.

Industrial buyers face a structural problem that quantum-safe vendors are positioned to exploit. The systems they are buying now will outlive the RSA and ECC era by design. The only way to make that bet defensibly is to require evidence of cryptographic implementation — not just a claim. Buyers should ask for a technical whitepaper naming which FIPS algorithms are implemented, a NIST Cryptographic Module Validation Program listing for the specific cryptographic module, or an independent cryptographer audit. As of now, neither Patero nor Orilla has produced any of these. The burden of proof for "quantum-safe" in the industrial edge AI market is a press release — and the buyer has no reliable way to know what they are purchasing until after the contract is signed.

The angle is not that the threat is fake. The angle is that the market is forming around the threat before the verification infrastructure exists to separate real cryptography from marketing language. Until that changes, the vendor has no incentive to be specific about it.