As AI Scales, can Data Security Keep Pace?

A recent AI macro deck from Andreessen & Horowitz has been circulating widely among security and technology leaders. It is a strong piece of work, particularly in how it frames the economics of AI, the scale of hyperscaler investment, and where long-term value is likely to accrue.

What stood out most was not just what the deck stated directly, but what it quietly assumed.

As AI adoption accelerates, there is an implicit belief that the underlying infrastructure will scale alongside it. Especially when it comes to data movement and encryption, many assume this layer will simply keep up. In regulated and high assurance environments, the assumptions underpinning AI and data security at scale are already being tested

AI Changes How Data Moves, Not Just How It Is Processed

One of the clearest signals in the deck is the sheer scale of what is coming. Trillions in AI driven revenue, unprecedented infrastructure spend, and AI embedded across everyday workflows rather than isolated use cases.

What follows from this is often under discussed. AI dramatically increases data in motion.

Not just traffic between users and systems, but continuous machine to machine flows, an increasingly AI driven data in motion pattern. Data moving between data centres, across sovereign and regulatory boundaries, from edge to core to cloud, and between autonomous services acting on each other’s behalf. In many environments, these flows are persistent, high-volume, and increasingly latency sensitive.

This shift matters because most security models were designed for a very different world, one where data movement was more bounded, more predictable, and easier to contain

Where the Friction Starts to Show

In highly regulated sectors such as banking, financial services, government, and critical infrastructure, teams are already feeling the pressure created by AI driven data in motion. These are environments where performance, availability, and security are tightly coupled, and where failures tend to be systemic rather than isolated.

Latency becomes a hard constraint. Encryption overhead is quietly traded off for performance often in ways that are difficult to see from a policy or audit perspective. Compensating controls are layered on top of fragile assumptions. Gaps open up between compliance intent and operational reality.

This does not mean teams are failing at security. It means the system boundaries have moved, and security controls are now operating in places and at scales they were never originally designed for.

As AI scales, the transport layer becomes a critical part of the risk surface. It is also a layer where existing security stacks are being stretched beyond what they were originally designed to handle. For many organisations, this is unfamiliar territory, a layer that was previously assumed to be stable, invisible, or someone else’s problem.

Infrastructure Is Where Durability Lives

One of the strongest themes in the deck is that AI winners will not all be visible applications. A disproportionate amount of long-term value will sit in infrastructure. The layers that are hard to replace, deeply embedded, and quietly assumed.

This is especially true in environments where performance is non-negotiable, compliance is continuous, and failures are systemic rather than local.

In those contexts, encryption cannot be a performance bottleneck, an operational burden, or a future cryptographic risk. It must operate at line rate, behave deterministically, and remain manageable without becoming another system teams need to fight.

Why This Matters Now for Regulated Industries

For sectors like banking, financial services, and insurance, this is not a future concern. It is already present in payments and clearing infrastructure, trading and market data environments, interconnects between regulated entities, and early sovereign and private AI deployments. These environments already operate at scale, under tight latency and availability constraints, and with little tolerance for unpredictable behaviour.

As AI increases both the volume and value of data in motion, the cost of getting this layer wrong compounds quickly, across performance, resilience, and compliance.

If encryption becomes the bottleneck, AI return on investment collapses.

A Closing Thought

The deck making the rounds does an excellent job of explaining why AI investment is accelerating and where economic value is likely to concentrate.

The next question for security and technology leaders is simpler, and harder.

Are the assumptions we are making about data in motion still valid at AI scale?

It is not a question with a single answer. But it is one worth asking early, before performance, security, and compliance start pulling in different directions.

Take a demo of Sitehop SAFE Series today!

To find out more, email info@sitehop.com

Or call us: +44 (0)114 478 2366

Sitehop.

Engineered for speed. Built for the future.

About Melissa Chambers – CEO & Co-Founder, Sitehop

Melissa is the CEO & Co-Founder of Sitehop, and leads the development and scaling of high-speed, post-quantum encryption hardware and securing data-in-motion without compromising performance. With a background in hardware engineering, Melissa specialises in designing, manufacturing, and scaling deep tech products from concept to market.
Passionate about solving complex problems through engineering and advocating for women in STEM, Melissa has seen firsthand the impact of diverse technological perspectives. A proud member of Cyber Runway Ignite and the Women’s Engineering Society, Melissa was honored to be recognised as Startup Magazine’s 2023 Inspirational Woman in Industry and 2024’s Most Inspiring Woman in Cyber, as well as leading Sitehop’s win in the recent ClimbUK Awards with Cyber Security Innovation of the Year 2025.

For years, encryption has been treated as a box to tick. If traffic is encrypted, data is protected, and the audit passes. Or so the assumption goes. But that assumption no longer holds in financial services.
Cryptographic standards are evolving faster than procurement cycles, faster than infrastructure refreshes, and faster than most regulatory frameworks explicitly acknowledge. The result is a growing, largely invisible risk: encryption that is still running, still compliant on paper, but no longer fit for purpose.

This is where cryptographic agility becomes critical. Not as a future upgrade tied to quantum computing, but as an immediate operational requirement for financial institutions that need to maintain security, performance, and regulatory confidence at scale.

Understanding Cryptographic Agility in Financial Services

Regulators may not always use the term cryptographic agility, but their expectations are clear. Frameworks such as DORA and NIS2 place increasing emphasis on operational resilience, adaptability, and demonstrable control across ICT systems. Including encryption.

In practice, this means institutions are expected not only to encrypt data, but to prove they can adapt cryptographic controls over time, without introducing unacceptable operational or systemic risk. Cryptographic agility is best understood in this regulatory context, not as an abstract cryptographic concept.

What Cryptographic Agility (Crypto-Agility) Really Means for Financial Institutions

Cryptographic agility, often shortened to crypto-agility, is the ability to change cryptographic algorithms, parameters, and implementations without replacing, re-architecting, or disrupting underlying infrastructure.

This matters acutely in financial services. Data often has long retention periods. Networks are complex, interconnected, and highly regulated. Infrastructure lifecycles run for years, not months. In this environment, the difference between having encryption and being cryptographically agile is material.

An institution can be fully encrypted and still unable to respond safely or quickly when algorithms are deprecated, parameters need to change, or new standards are introduced. Crypto-agility supports regulatory requirements around long-lived data, evolving standards, and multi-year compliance horizons.

Increasingly, audits are assessing the ability to change cryptography, not just the presence of encryption. This is especially relevant for regulated data flows between institutions, third parties, market infrastructure, and regulators themselves.

Why Encryption Alone Is No Longer Sufficient in Banking and Finance

Many financial services environments run encryption that is technically present but operationally obsolete. Algorithms continue to function, traffic remains encrypted, and controls appear compliant — until standards move on.

This creates the risk of silent cryptographic failure. Nothing visibly breaks. No alarms trigger. But the cryptography no longer provides the level of assurance regulators, customers, or counterparties expect.

Audits and compliance checks often fail to detect this early because they focus on whether encryption exists, not whether it can evolve. As standards change, institutions can find themselves exposed despite appearing secure.

Under regulations such as DORA, which emphasise continuous ICT risk management, this gap matters. Environments can be encrypted but not crypto-agile, leaving institutions vulnerable as expectations evolve.

Key Drivers for Cryptographic Agility in Financial Services

Several forces are accelerating the need for cryptographic agility:

• Faster deprecation of cryptographic algorithms
• Post-quantum cryptography timelines that do not align with financial services procurement and refresh cycles
• Growing interconnection between on-premises, cloud, and third-party networks

At the same time, regulatory pressure is increasing. DORA, NIS2, and guidance from bodies such as ESMA all emphasise future-ready controls for data in motion, third-party risk, and secure machine-to-machine communications. The expectation is no longer static compliance, but demonstrable adaptability.

Common Barriers to Cryptographic Agility in Financial Environments

Despite this, many institutions struggle to implement crypto-agility in practice.

Legacy network infrastructure often has hard-coded cryptography. Software-based encryption is constrained by CPU, latency, and maintenance windows. Making cryptographic changes in live trading or payments environments introduces unacceptable operational risk.

Organisationally, security policy is often separated from network operations. Regulatory change can outpace internal procurement, certification, and infrastructure refresh cycles. The result is encryption architectures that increase risk precisely when cryptographic change is required to maintain compliance.

Implementing Cryptographic Agility Without Disrupting Financial Operations

In financial services, regulatory compliance cannot come at the expense of latency, uptime, or operational stability. Crypto-agility, therefore, has to be treated as an architectural requirement, not an operational afterthought.

The challenge is enabling cryptographic change without disruptive maintenance windows or widespread reconfiguration.

Designing Agility in to Financial Network Architectures

Crypto-agility is most effective when designed into the network layer itself. Modular cryptographic design allows algorithms and parameters to be updated independently of applications and endpoints.

By decoupling cryptography from software stacks, institutions can enforce consistent controls across environments while aligning with established financial services operating models.

Why Software-Led Crypto-Agility Struggles at Financial Scale

Software-based encryption struggles to deliver crypto-agility at scale. CPU-bound encryption introduces performance limits in high-throughput environments. Latency and jitter affect trading, payments, and inter-data-centre traffic.

Cryptographic changes in software stacks have a large operational blast radius, increasing the risk of outages or unintended side effects — risks most financial institutions are unwilling to accept.

How Hardware-Enforced Encryption Enables Crypto-Agile Networks

Hardware-enforced cryptography changes this equation. By delivering deterministic performance, it removes the trade-off between security and speed.

Hardware also simplifies cryptographic transitions. Algorithms can be updated centrally, with minimal operational impact, while improving resilience, segregation of duties, and auditability — all critical requirements in regulated financial environments.

Preparing for Post-Quantum Cryptography in Financial Services

Post-quantum cryptography is not a single upgrade event. It is a transition that will unfold over years, involving hybrid classical and PQC approaches.

Crypto-agile architectures allow institutions to introduce PQC incrementally, without forklift upgrades, as standards evolve and regulatory guidance matures.

Governance, Key Management, and Lifecycle Control

Crypto-agility also depends on governance. Managing keys, certificates, and algorithms across large financial estates requires centralised control and clear lifecycle management.

Regulatory frameworks increasingly expect this visibility. DORA and NIS2 elevate evidence generation for audits, incident reviews, and third-party assurance. Crypto-agile architectures simplify regulator access, reporting, and long-term compliance management.

Building a Practical Roadmap for Cryptographic Agility in Financial Services

Effective roadmaps align cryptographic change with regulatory timelines, not just technology refresh cycles.

Assessing Current Cryptographic Risk in Financial Networks

This starts with identifying where encryption is static or tightly coupled to infrastructure, and mapping algorithm exposure across network paths and data flows.

Phased Adoption of Cryptographic Agility

Institutions can reduce risk by introducing agility at critical network boundaries first, separating cryptographic change from application change.

Moving From Policy to Enforced Cryptographic Control

Crypto-agility cannot live solely in policy documents. It must be embedded into the network fabric itself, ensuring security keeps pace with financial services innovation. There’s some more good reading here from FS-ISAC: FS-ISAC’s Guide to Building Cryptographic Agility in the Financial Sector.

Cryptographic Agility as a Core Control for Crypto-Agile Financial Services

Cryptographic agility is an immediate operational requirement in Financial Services, Banking and Insurance, not a future upgrade tied to quantum timelines. Under DORA and NIS2, the risk is no longer unencrypted data, but encryption that cannot evolve fast enough.

The most exposed institutions are not those without encryption, but those running infrastructure that is encrypted yet obsolete. Crypto-agility must move from policy and roadmaps into enforced, infrastructure-level control, particularly at the network layer.

Aligning security, performance, compliance, and long-term resilience is no longer optional. Future-proof your encryption security today, book a demo of Sitehop and see how crypto-agile networks are built for financial services. Or visit this page for more information.

To find out more, email info@sitehop.com

Or call us: +44 (0)114 478 2366

Sitehop.

Engineered for speed. Built for the future.