Waterloo, 5 February 2026—The Centre for International Governance Innovation (CIGI) has published a new policy brief, Global Quantum Governance: From Principles to Practice, authored by Mauritz Kop and Tracey Forrest. The brief is written for policy makers, regulators, standards bodies, and industry actors facing a practical transition: quantum technologies are moving from laboratory milestones toward deployment pathways where governance choices—especially around cybersecurity and cross-border infrastructure—become difficult to reverse.

Download the Policy Brief here: https://www.cigionline.org/documents/3746/PB_No.222_Kop_and_Forrest.pdf

Why this brief on quantum governance, and why now

The brief’s central timing claim is that near-term milestones—particularly post-quantum cryptography (PQC) migration and quantum networking—create a governance tipping point. After that point, certain security and societal harms may be costly (or impossible) to remediate. In the brief’s framing, PQC migration is not merely an engineering update; it is a “temporal rights and resilience” imperative because present-day decisions about crypto-agility, key life-cycle management, and data minimization determine whether sensitive data remains protected against future adversaries.

This urgency is paired with a structural diagnosis: national initiatives—including the EU’s proposed Quantum Act—are important, but insufficient on their own given quantum’s dual-use characteristics, global supply chains, and asymmetric capabilities across states and firms. The authors argue for a governance architecture that is “standards-first” and internationally coordinated, capable of sustaining what they call “security-sufficient openness,” and overseen by an International Quantum Agency.

From fragmented national approaches to a standards-first global framework

A key move in the brief is to treat standards not as a secondary technical afterthought, but as a primary governance tool. It emphasizes early, globally harmonized technical standards—terminology, benchmarking, and safety—as a way to enable innovation while reducing regulatory fragmentation. From a security perspective, the brief identifies the first governance “stress test” as whether allied democracies can execute timely, interoperable PQC migration and quantum-secure networks to mitigate “harvest now, decrypt later” campaigns and reduce systemic risk to critical infrastructure.

The brief also situates quantum governance in a broader “convergence” context with artificial intelligence, noting AI’s practical role in quantum design, calibration, control, and error mitigation—and, conversely, the possibility that quantum capabilities will shift computational frontiers relevant to AI. This convergence intensifies the Collingridge dilemma: governing too early risks mis-specification; governing too late risks entrenchment.

To address that dilemma, the brief proposes “algorithmic regulation” as an adaptive governance model: embedding policy constraints into code, metrics, and dashboards for continuous monitoring and audit—distinct from regulating AI itself, and instead focused on governing quantum systems “via code,” potentially down to quantum control stacks. The authors also flag the associated governance hazard: systems built to govern complex infrastructures can themselves become too complex for meaningful human oversight.

An institutional proposal: an International Quantum Agency and allied coordination

The brief draws an explicit parallel to the atomic age to motivate institutional imagination: it discusses proposals for an “International Quantum Agency” (IQA) inspired by the IAEA, alongside the “Qubits for Peace” and “Bletchley Park for the Quantum Age” ideas, including an allied PQC migration blueprint as a concrete output. It also connects these ideas to existing security partnerships (including NATO and AUKUS) and to multi-stakeholder platforms such as the Open Quantum Institute, while emphasizing that governance architecture must avoid deepening a “quantum divide” by enabling access to PQC, secure networks, and peaceful applications beyond first-mover states.

Geopolitically, the brief warns that competing technical standards and misaligned export-control regimes can harden into “protocol politics,” embedding geopolitical fault lines into the future quantum internet and widening disparities in PQC-ready infrastructure and talent.

“Stress tests” that translate quantum-ELSPI principles into implementable oversight questions

Rather than treating governance as an abstract principles (the ethical, legal, socio-economic, and policy implication of quantum technologies) debate, the brief uses “high-stakes use cases” as legal and regulatory stress tests. It frames the “quantum imperative” as the need to map quantum-enabled capabilities onto familiar governance categories—due care, disclosure, liability, certification, and attribution—because some quantum capabilities can shift what is computationally feasible, measurable, and securely communicable, thereby resetting baseline expectations for safety and security.

Illustrative thought experiments show how existing regimes may strain under quantum-enabled pipelines:

• Health-care liability: a quantum sensor integrated into neuro-imaging generates a clinically actionable signal that is fused with longitudinal health data and machine learning to produce probabilistic prognosis—raising questions about standards of care, disclosure duties, post-market monitoring, and responsibility allocation across clinicians, vendors, and integrators in the quantum era.

• Financial regulation: quantum-enhanced clocks yield extreme timing advantages for high-frequency trading, challenging market integrity and auditability under rules built for classical time-stamping granularity.

• Digital forensics and lawful access: as PQC and quantum-secure communications scale, passive interception becomes less viable even for lawful investigations, shifting evidentiary practice toward endpoint security and key-management governance—raising proportionality and due process questions.

• Cross-border infrastructure: distributed quantum networks spanning fiber, repeaters, and satellites challenge jurisdiction, lawful intercept doctrines, service-provider duties, and attribution, motivating confidence-building measures and operational norms.

These scenarios are not predictions; they are governance probes meant to identify where legal and regulatory paradigms may need new measurement tools, auditability expectations, and standards-based assurances.

The “Nexus” challenge: IP, national security, and strategic competition

A second major contribution is the integrated treatment of quantum, intellectual property (IP), national security, and geoeconomic competition. The brief argues that export controls and other security measures feed back into corporate IP strategy, sometimes incentivizing trade secrets over patents and reshaping market strategies for dual-use technology. It highlights the need for “security-sufficient openness” and proposes maintaining proportionality and ecosystem viability through an LSI test—least-trade-restrictive, security-sufficient, innovation-preserving—as a disciplining framework for capability-targeted controls.

The brief frames several policy questions as central: managing the patent–secrecy dilemma; preventing a “quantum thicket” of overlapping foundational patents; and harmonizing export controls so they remain narrowly tailored to the most dangerous military applications without chilling legitimate scientific exchange.

The brief’s recommendations in practical terms

The brief concludes with a multi-pronged path “from principles to practice,” emphasizing four implementable priorities:

1. Strengthen foundations through standards and PQC execution: align cryptographic profiles across sectors; update procurement so crypto-agility, key life-cycle management, and “harvest now, decrypt later” mitigation become baseline requirements; and adopt “cryptographic resilience” via agile standards, testing, and incident playbooks.

2. Harmonize among allies: coordinate export controls, investment screening, and supply-chain security via mechanisms such as a proposed G7 Quantum Technology Point of Contact Group and narrowly scoped license-exception approaches in Five Eyes/AUKUS-style arrangements, while avoiding poorly designed measures that impose high compliance costs and chill benign collaboration.

3. Incentivize global collaboration and capacity building: federate national quantum clouds, SDG-oriented demonstrators, and regional test networks under common governance rules; and consider, longer-term, a “CERN for Quantum” that provides shared access anchored in transparency and equitable access, including for Global South partners.

4. Institutionalize foresight and bounded algorithmic regulation: resource international foresight capacities—within an IQA-type body or linked observatories—to update risk scenarios and stress-test legal frameworks, while experimenting with limited, well-governed AI-assisted monitoring and red-teaming to inform accountable human decision makers.

Takeaway for AIRecht’s readership

For legal and policy practitioners, the brief’s message is that quantum governance is entering a phase where operational artifacts—standards, benchmarks, procurement baselines, and interoperability profiles—will increasingly determine real-world rights, liabilities, and security outcomes. PQC migration and quantum networking are treated as the near-term proving ground for whether democracies can coordinate “security-sufficient openness” at scale.

For innovators and investors, the brief underscores that governance is not a brake on quantum progress but a design constraint that—if addressed early—can preserve global interoperability, reduce fragmentation, and support responsible diffusion of quantum capability without deepening geopolitical divides.

The Authors:

Mauritz Kop is the founder of Stanford RQT and a senior fellow at the Centre for International Governance Innovation (CIGI). His research spans AI regulation, machine learning training data governance, intellectual property, and quantum technologies, with a focus on responsible innovation, standards, geopolitics, and national and economic security. A technology lawyer by training, he supports deep-tech start-ups through RQT Ventures and serves as a quantum-AI adviser to Daiki. He is a guest professor at the U.S. Air Force Academy, serves as quantum ecosystem expert on the von Neumann Commission, holds a patent in AI, and founded AIRecht.

Kop has advised governments and international and multi-stakeholder bodies on responsible quantum and AI governance, including work with organizations such as UNESCO, the OECD, the World Economic Forum, and the G7. His work contributes to policy discussions on emerging technology regulation in Europe and the United States, including issues relevant to the EU AI Act and post-quantum security. He is a frequent international conference speaker and has delivered keynote remarks at major academic, policy, and industry venues; his scholarship has appeared in leading peer-reviewed outlets, including Nature and Science, as well as in publications at Stanford, Harvard, Berkeley, Columbia, Oxford, and Yale.

Tracey Forrest is research director of transformative technologies at CIGI. Her experience spans renewable energy to quantum technologies and has included working with multi-sectoral partners to accelerate the transition from a laboratory curiosity to an impactful device. At CIGI, she leads a network of researchers focused on opportunities and challenges relating to the evolving interface of transformative technologies and international governance.

Tracey is a professional engineer, adjunct professor at the University of Waterloo and former board member of technology and environmentally focused organizations. Over the course of a career in both academia and industry, Tracey has become an authority on thoughtfully bridging emerging technology to high-value applications. She formerly served as a member of the Federation of Canadian Municipalities Green Municipal Fund Council, director of the Transformative Quantum Technologies program at the University of Waterloo, and advisory board chair of the National Research Council of Canada’s Nanotechnology Research Centre.

Tracey completed a B.A.Sc. in environmental (chemical) engineering at the University of Waterloo, and a master’s in energy and environmental economics at the Scuola Mattei, Italy. She completed professional training in topics such as quantum, data science and sustainable business strategy at Harvard University and MIT.