Verified Author Share
I’ve been hearing, with a frequency that’s starting to concern me, technology leaders saying they’ll “worry about quantum computing when it arrives.” The problem is that, for Quality Assurance, by the time it “arrives”, the system will already be in production — and it will already be too late. Because, unlike other technologies, the risks quantum computing introduces don’t wait for adoption. They are already underway.
This article is not about the future of quantum computing. It’s about the present state of quality in a world where the paradigm has already begun to shift. We address three dimensions that QA needs to tackle now, not later.
There is a distinction that Brooks already taught us — one I like to reinforce in maturity assessments: there are essential complexities, inherent to the domain, and accidental complexities, created by engineers themselves. Quantum computing introduces a new and unprecedented essential complexity: quantum systems do not operate with binary determinism. They operate with probabilities.
This silently breaks an assumption at the foundation of virtually every acceptance criterion we use today. What does “the test passed” mean when the correct output is not a fixed value, but a probability distribution? What does functional coverage mean when the same input can produce different outputs on each execution — and both can be correct? This demands a structural shift in the very concept of testing:
In practice, this implies:
These are not future problems. Companies like IBM, Google, and Quantinuum already offer access to quantum processors via the cloud. Pilots using hybrid quantum-classical systems are already happening in logistics, finance, and pharmacology. Quality engineers who are not building governance criteria for these environments today will arrive in them without a framework, without a process, and without a vocabulary.
Quantum governance is not a luxury for large enterprises — it is the bare minimum for quality to hold any meaning in systems that incorporate quantum components.
In the Quality Assurance assessments I conduct, one of the most recurring — and most damaging — patterns is teams confusing an executed process with a consolidated one. Running a test pipeline works while the environment is stable and assumptions hold; but when the paradigm shifts, what was never truly consolidated collapses.
The NISQ era (Noisy Intermediate-Scale Quantum) already represents exactly this kind of assumption shift: current quantum computers are noisy, have high error rates, and lack full error correction. This means quantum algorithms integrated into real pipelines can produce incorrect results silently — without exceptions, without obvious failures, without error logs. In other words: the bug passes, validation approves, and the damage happens further downstream.
The IBM Systems Sciences Institute’s “Rule of 100” — one of the most cited references in the cost of quality — demonstrates that the cost of finding a defect increases by an order of magnitude at each phase of development. For hybrid quantum systems, this calculation becomes even more complex, because we’re talking about defects that may be probabilistic in nature, and therefore intermittent.
Risk mapping specific to quantum systems — decoherence, error rates per qubit, sensitivity to environmental noise, absence of determinism — must happen before integration, not after. Those who map risk in advance have a choice about how to mitigate it; those who discover it in production have only the damage.
This is the point where urgency stops being strategic and becomes operational — and where QA has a role that cannot be delegated to any other discipline.
Shor’s algorithm, published in 1994, mathematically demonstrated that a sufficiently powerful quantum computer can factor large integers in polynomial time. This breaks RSA, ECDSA, and Diffie-Hellman — the three pillars of asymmetric cryptography that protects virtually all digital communication today. This is not speculation. It is applied mathematics waiting on hardware.
NIST responded by publishing the first post-quantum cryptography standards: CRYSTALS-Kyber for public-key encryption and CRYSTALS-Dilithium for digital signatures. The migration window is open — what is not guaranteed is that it will remain open forever.
QA’s role in this transition is straightforward: validate the implementation of these new standards with the same rigor — and the same lead time — we apply to any critical infrastructure migration. This means mapping every point in the system where cryptography is used, ensuring test coverage for updated libraries, and guaranteeing that the migration does not introduce functional regressions or new vulnerabilities. It’s work in auditing, traceability, and risk management — exactly what QA does when it is properly positioned within the process.
A QA framework that ignores post-quantum cryptography today is not ensuring quality — it is merely postponing a problem that will arrive, and will arrive with compound interest. Moreover, the problem already exists today, even without quantum computing existing at scale. The real risk is the model known as “harvest now, decrypt later”: sensitive data is being captured today, stored by malicious actors, and will be decrypted the moment quantum hardware makes it possible.
The first step is not to hire quantum computing specialists. It is to recognize, as a Quality Assurance team, that the quantum transition introduces three real and measurable gaps: the absence of governance for probabilistic systems, the absence of risk mapping specific to NISQ environments, and the absence of a validation strategy for the cryptographic migration. Naming these gaps with precision is, in itself, an act of quality. The rest — framework, process, coverage — comes after, but only comes if you start now.
Quality Assurance has always been about anticipating failures before they become incidents.
Quantum computing changes only one thing: the failure is no longer deterministic, but the impact remains just as real.
Verified AuthorSenior Principal QA Engineer and Head of the Quality Vertical at Zallpy, with over 30 years of experience in software quality, process engineering, leadership, and digital transformation, working across large corporations and international projects. Graduated from Poli-USP, with specializations in Software Development Quality and Digital Government/Digital Transformation, he holds an advanced ISTQB certification (CTAL-TM). His background includes governance architecture projects, award-winning initiatives, and research in maturity modeling. With professional experience in countries such as the Netherlands, Germany, Turkey, the United States, and India, he combines strategic vision, strong conceptual foundations, and hands-on expertise to promote a comprehensive view of Quality Assurance through continuous improvement, operational excellence, and real impact on software processes and products.
Senior Principal QA Engineer and Head of the Quality Vertical at Zallpy, with over 30 years of experience in software quality, process engineering, leadership, and digital transformation, working across large corporations and international projects. Graduated from Poli-USP, with specializations in Software Development Quality and Digital Government/Digital Transformation, he holds an advanced ISTQB certification (CTAL-TM). His background includes governance architecture projects, award-winning initiatives, and research in maturity modeling. With professional experience in countries such as the Netherlands, Germany, Turkey, the United States, and India, he combines strategic vision, strong conceptual foundations, and hands-on expertise to promote a comprehensive view of Quality Assurance through continuous improvement, operational excellence, and real impact on software processes and products.
Verified Author
Verified Author