A new paper in PNAS is getting attention because it argues that quantum computing may face a fundamental ceiling. The author proposes an alternative theory called “Rational Quantum Mechanics,” and from that model estimates that current technologies may top out around 200–400 qubits, with a hard upper bound of 1,000 perfect qubits. Just as important, the paper also says that standard quantum mechanics does not itself impose this limit. In other words, this is not settled science. It is a bold hypothesis, not the final word.

But here is the bigger point for business leaders: even if one quantum computer hits a wall, the quantum risk to enterprises does not disappear. Why? Because the cybersecurity problem was never only about one giant machine in one lab. It is about the steady advance of quantum hardware, better error correction, improved algorithms, modular architectures, and eventually networked quantum systems. IBM, for example, still publicly targets fault-tolerant milestones including 200 logical qubits and 100 million gates in 2029, and the U.S. Department of Energy has long described distributed quantum computing over quantum networks as a path to computing capacity that is hard or impossible to reach with a single standalone system.

That means this paper should not be read as “quantum threat over.” It should be read as: the architecture of quantum may matter as much as the scale of any single chip. If nature or engineering makes one processor hard to scale, the industry may respond by linking smaller quantum nodes together. That is exactly why quantum networking matters. memQ, for example, is building an extensible quantum network architecture and has outlined an Extensible Distributed Quantum Compiler (xDQC) roadmap designed to distribute workloads across multiple quantum processors in a system or network based on modality and availability. That is highly relevant in a world where one monolithic system might not be the winning design.

Now, let’s be intellectually honest. Quantum networking is not a magic escape hatch. If this paper’s proposed ceiling turns out to be a truly fundamental limit on the total coherent quantum state that can be maintained across a computation, then networking many systems together may not fully bypass that limit. But if the real bottleneck is more practical—connectivity, noise, control, cooling, yield, or the difficulty of scaling one machine cleanly—then networking smaller quantum systems could become one of the most important paths forward. That is my take: networking helps a lot against engineering limits; it may not defeat a law-of-physics limit if Palmer is ultimately right. That distinction matters.

And regardless of which side wins this debate, enterprises still have a problem right now: today’s public-key cryptography is aging into a risk zone. NIST finalized its first principal post-quantum cryptography standards in August 2024. That was a signal to the market that this is no longer an academic discussion. Organizations do not need to know the exact date of “Q-Day” to know they should be inventorying cryptography, identifying weak certificates and dependencies, and planning migration now.

This is where the market needs a practical stack, not just theory.

QuSecure is important in this conversation because the real enterprise challenge is not merely picking a future algorithm. It is achieving crypto-agility across messy, real-world environments. QuSecure’s platform messaging is centered on helping organizations discover vulnerabilities, modernize encryption, and move toward post-quantum cryptography without ripping apart everything they already run. That is the kind of operational bridge enterprises need while the science keeps evolving.

iVALT matters because the next wave of security risk is not just broken encryption. It is also broken trust. Identity fraud, deepfakes, AI agents acting on behalf of users, and machine-to-machine authentication all get more dangerous in a world of stronger AI and expanding automation. iVALT positions its platform around identity validation for humans, AI agents, and IoT devices, which is exactly the kind of control layer enterprises will need when “who or what is on the other end” becomes a bigger security question than a password can answer.

AI PQ Audit fits here as the management layer CISOs and boards need. The platform presents itself as a way to identify, prioritize, and explain AI-driven and post-quantum risks in business terms, with features such as predictive assessments, attack-path analysis, certificate scanning, KEV correlation, dashboards, and compliance-oriented reporting. That is critical because most organizations do not fail on strategy decks; they fail on visibility, prioritization, and execution.

And memQ represents something many executives still underestimate: the possibility that the future of quantum advantage is not one giant computer, but an ecosystem of connected quantum resources. In the classical world, we already learned this lesson. We did not scale by building one infinitely large server. We built clusters, networks, distributed systems, and orchestration layers. It would be strange to assume quantum will evolve in only one box, in only one modality, under only one architecture. DOE’s blueprint explicitly discusses distributed quantum computing through a quantum network, and memQ’s technology narrative is built around scaling connectivity across systems and distances.

So what should leaders conclude from this paper?

Not that quantum is dead.

Not that RSA and ECC are suddenly safe forever.

Not that we should pause migration.

The right conclusion is this: the path to powerful quantum computing may be more complicated than many assumed, but the strategic response for enterprises barely changes. You still need to find your cryptographic exposure. You still need crypto-agility. You still need identity assurance in an AI-heavy world. You still need board-level visibility into quantum and AI risk. And you should pay close attention to quantum networking, because if large monolithic systems struggle, distributed architectures may become the next major path to scale.

What enterprises should do now

Do not bet your security roadmap on one paper. This PNAS article is important, but it is a hypothesis, not industry closure.

Start or accelerate PQC migration planning. NIST has already finalized the first core standards.

Focus on crypto-agility, not just algorithm replacement. That is where operational resilience lives.

Treat identity as a first-class control layer. Deepfakes, AI agents, and machine identities are raising the stakes.

Use AI-driven risk visibility. Enterprises need business-level clarity on post-quantum and AI exposure, not just technical noise.

Track quantum networking closely. If one-system scaling proves hard, networked quantum architectures may become much more important.

The real lesson is simple:

Even if one quantum computer has limits, the quantum era does not. It just changes shape.

QuantumComputing #PostQuantumCryptography #PQC #QuantumNetworking #Cybersecurity #CryptoAgility #IdentitySecurity #AIsecurity #QuantumSecurity #CISO #RiskManagement #ZeroTrust #Deepfakes #AIagents #QDay #QuSecure #iVALT #AIPQAudit #memQ

Copyable links

PNAS paper: https://www.pnas.org/doi/10.1073/pnas.2523350123

PubMed abstract: https://pubmed.ncbi.nlm.nih.gov/41838912/

Oxford summary of the paper: https://www.physics.ox.ac.uk/news/rational-quantum-mechanics-new-theory-quantum-physics

NIST PQC project: https://csrc.nist.gov/projects/post-quantum-cryptography

NIST 2024 finalized PQC standards: https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards

DOE Quantum Internet Blueprint: https://www.energy.gov/articles/quantum-internet-future-here

IBM Quantum roadmap: https://www.ibm.com/roadmaps/quantum/

QuSecure: https://www.qusecure.com/

iVALT: https://www.ivalt.com/

AI PQ Audit: https://aipqaudit.com/

memQ: https://memq.tech/

memQ technology: https://memq.tech/technology/