The agent economy is being built on a cryptographic floor that everyone in the standards community already expects to crack. That is not a contrarian view. It is the published position of the national institute that has spent the last several years finalising the first generation of post-quantum signature standards, including the module-lattice-based digital signature algorithm family now codified as a federal standard. The transition is on a known schedule. The question for anyone deploying agents that sign on behalf of humans is whether their architecture is also on that schedule, or whether it has quietly committed to being the counterparty risk in someone else's threat model.

To see why this matters specifically for agents — and not just for the well-rehearsed problems of TLS and code signing — consider what an agent actually is in the operating sense. An agent is a delegation envelope. It carries a chain of authority: a principal authorised it; an intermediate signed off a scope; the agent itself signs each downstream action; the counterparty records the action and replies with a signed receipt. Every link in that chain is a signature over a structured statement of intent. Every signature is computed under cryptographic assumptions that were chosen before the agent was a deployment category.

Two properties of agent signatures are uncomfortable when you hold them next to the quantum transition.

The first is duration. A human-issued payment signature is verified in seconds and then forgotten. An agent-issued mandate is often verified years after it was signed: a standing authorisation to act on someone's behalf, a delegation that flows through several systems before the final action lands, an audit trail that a regulator may pull a decade later. The signature has to remain unforgeable not at issuance time, but at every future verification time. If the algorithm under the signature is known to be vulnerable at a date inside the verification window, the signature was never really binding. It was binding-until-someone-cares-enough-to-forge-it. That is a different security property, and it is the one agent designers are actually shipping today.

The second is volume. Classical cryptography survives a great deal of inattention partly because most users sign rarely. Agents sign constantly. Once an autonomous system is making routine decisions on a human's behalf — small payments, scheduling, identity assertions, machine-to-machine handshakes — the number of signatures produced per user per day is several orders of magnitude above the human baseline. A vulnerability discovered in the underlying primitive is therefore a vulnerability discovered across an enormous, already-deployed signature surface. The cost of migration grows superlinearly in the volume of signatures that have to be re-issued, re-anchored, and re-trusted. Beginning the migration after the break is announced is, in practical terms, the same as not beginning it.

For these reasons, the module-lattice signature family ratified in the recent federal standard is not best understood as a research curiosity. It is best understood as a deployment requirement for any agent that signs cross-institutional, durable, or high-stakes actions. The standard exists. The reference primitives exist. The performance envelope is well-characterised. The remaining work is architectural, not algorithmic.

The architectural work is, in our view, more interesting than the algorithm choice. Three pieces need to be in place before an agent identity scheme is genuinely post-quantum, not just post-quantum-at-the-leaves.

First, the identity envelope. The certificate, credential, or attestation that names the agent and binds it to its principal must itself be signed under a post-quantum-safe scheme. If the leaf signature is quantum-resistant but the credential chain anchoring it is classical, the adversary moves up one layer and the property is lost.

Second, the delegation chain. Agents rarely act alone. A principal grants scope to an intermediate; the intermediate grants narrowed scope to the agent; the agent signs an action; another agent counter-signs. Every link in that chain must use a signature whose verification will still hold at the moment a counterparty audits the action. Mixed-strength chains are weaker than their weakest link, and the weakest link is usually the oldest.

Third, the audit trail. Logs that prove what an agent did, when, and under whose authority are themselves signed artefacts. Their evidentiary value collapses when the underlying signature scheme collapses. Post-quantum audit logs are not a nice-to-have feature for the compliance team; they are the only logs that will still be admissible in a decade.

None of this requires waiting for an academic breakthrough. The breakthrough already shipped. What it requires is treating the migration as a normal engineering project: planning the cutover, designing for algorithm agility, signing new agent credentials under a quantum-resistant scheme from day one, and re-anchoring existing chains on a known timetable. Teams that do this quietly, before the migration becomes news, will hand their counterparties a clean trust story when the question comes up. Teams that wait will find the question turns into a procurement requirement, then a regulatory requirement, then a liability.

The shorthand we use internally is simple. Classical signatures are not yet broken. They are already a counterparty risk. The first useful question to ask of any agent system you are about to trust is whether its identity, delegation, and audit layers are on the post-quantum side of the transition, or on the wrong side of a published timetable.

智能体一旦开始为人类签署具有跨机构效力且不可逆的行为，经典密码学便不再是研究课题，而成为对手方风险。后量子签名并非学术好奇心，而是部署要求：身份信封、委托链与审计轨迹必须在量子转型的正确一侧。

理解这一点，需要先理解智能体在运行层面究竟是什么：一个委托信封。它承载着一条权限链——委托人授权了它；中间人签署了某项范围；智能体本身为每一个下游行为签名；对手方记录该行为并以签名回执作答。这条链上的每一个环节，都是一次对意图声明的签名；每一次签名，都在智能体作为部署类别出现之前，依据某个密码学假设计算而来。

智能体签名有两个特性，令其与量子转型的碰撞尤为棘手。其一是时效性：智能体签发的授权往往在签署数年之后仍被验证，签名须在每一次未来验证时刻保持不可伪造性，而非仅在签发时刻。其二是数量级：智能体每日代表用户签发的签名数量，远超人类基线。底层原语一旦被攻破，暴露面呈超线性增长，而迁移成本亦随之超线性上升。在漏洞公开之后再启动迁移，实际上等同于未曾启动。

在身份信封、委托链与审计轨迹三个层面完成后量子迁移，才算真正实现后量子智能体身份——而非仅在叶节点替换签名原语。这不需要等待学术突破。突破已经出炉。它需要的是将迁移视为一项正常工程项目，从第一天起就以量子安全方案签发新凭证，按已知时间表重新锚定现有链条。

智能體一旦開始為人類簽署具有跨機構效力且不可逆的行為，傳統密碼學便不再是研究課題，而成為對手方風險。後量子簽名並非學術好奇心，而是部署要求：身份信封、委託鏈與審計軌跡必須在量子轉型的正確一側。

理解這一點，需要先理解智能體在運行層面究竟是什麼：一個委託信封。它承載著一條權限鏈——委託人授權了它；中間人簽署了某項範圍；智能體本身為每一個下游行為簽名；對手方記錄該行為並以簽名回執作答。這條鏈上的每一個環節，都是一次對意圖聲明的簽名；每一次簽名，都在智能體作為部署類別出現之前，依據某個密碼學假設計算而來。

智能體簽名有兩個特性，令其與量子轉型的碰撞尤為棘手。其一是時效性：智能體簽發的授權往往在簽署數年之後仍被驗證，簽名須在每一次未來驗證時刻保持不可偽造性，而非僅在簽發時刻。其二是數量級：智能體每日代表用戶簽發的簽名數量，遠超人類基線。底層原語一旦被攻破，暴露面呈超線性增長，而遷移成本亦隨之超線性上升。在漏洞公開之後再啟動遷移，實際上等同於未曾啟動。

在身份信封、委託鏈與審計軌跡三個層面完成後量子遷移，才算真正實現後量子智能體身份——而非僅在葉節點替換簽名原語。這不需要等待學術突破。突破已經出爐。它需要的是將遷移視為一項正常工程項目，從第一天起就以量子安全方案簽發新憑證，按已知時間表重新錨定現有鏈條。