Google moved two deadlines this week. Your roadmap is now wrong.

Three things landed in the same week that, taken together, invalidate most 2026 plans I've seen.

Google pulled its internal post-quantum cryptography deadline from 2035 to 2029 — six years of compression, backed by PQC keys already shipping in Android 17 beta. Google Research published TurboQuant: 6x KV-cache compression, up to 8x attention speedup on existing H100s, zero accuracy loss. Memory stocks dropped 3–5% the same session. And ARC-AGI-3, the hardest interactive reasoning benchmark anyone has built, scored every frontier model under 1% on tasks humans solve at 100% — Gemini Pro 0.37%, GPT-5.4 0.26%, Opus 4.6 0.25%, Grok-4.20 a clean zero.

Three separate teams, one message: the assumptions underneath your hardware spend, your security roadmap, and your agent strategy are all simultaneously wrong. Not subtly. Materially.

The capex projections you signed off on are too high

TurboQuant works on hardware you already own. No retraining. No accuracy tax. The paper has been on arXiv since April 2025 — it took the formal ICLR presentation a year later for the market to price it in, which tells you something useful about how slowly preprint-to-production absorption happens, and how much room there is to move ahead of consensus.

If inference memory drops 6x across the industry within twelve months — and it will, because every lab has the paper and the incentive — your 2026–2028 GPU and HBM line items are overstated by something like 40–60% for inference workloads. Every long-dated compute contract you signed under scarcity assumptions becomes a liability the moment your competitors are running 8x throughput on the same boxes. If you're negotiating GPU procurement this quarter, you need flexibility clauses you'd have considered insulting six months ago.

The second-order effect is more interesting than the first. Combined with Apple's Gemini distillation rights, frontier-class inference is moving to the device. For anyone in healthcare, financial services, defense, or anything where "send the data to someone else's cloud" was the load-bearing objection, that objection is dissolving on a measurable timeline.

Your crypto migration is now this fiscal year

Google is the company building the Willow quantum processor. When their internal threat model jumps six years, that's a data point, not marketing. The White House is reportedly considering pulling the federal deadline to 2030. FedRAMP, CMMC, and sector regulators will follow. Hyperscalers will follow. Enterprise RFPs will follow within eighteen months.

The practical problem isn't the math — NIST finalized ML-KEM, ML-DSA, and SLH-DSA. The problem is the inventory. Most teams cannot answer "where do we use RSA and ECC" without a multi-quarter project. ML-DSA signatures are roughly 40x larger than ECDSA, which means certificate chains, bandwidth, and any system that assumed signature size as a constant all need re-examination.

The load-bearing question is whether your architecture is crypto-agile — whether you can swap algorithms via configuration without redeploying forty-seven services. If the answer is no, fix that first. The algorithm migration is downstream of the architectural one. And harvest-now-decrypt-later is not a 2029 problem. It's a today problem for any data with a confidentiality shelf-life past 2030.

Your agent roadmap is built on a capability that doesn't exist

ARC-AGI-3 is the cold shower. Not because labs won't push the score up — they will, the same way they pushed AGI-2 from 3% to ~50% in a year. The point is the spread between models: 0.37 percentage points between first and fourth place. That's noise. Every frontier architecture is failing the same way at the same level, which means the gap is structural, not competitive.

If your roadmap has features that quietly assume the model can discover rules in a novel environment, form goals from interaction, or plan strategies without instructions — those features are building on a foundation that isn't there yet. Pair this with the 48% hallucination rate measured in o4-mini code generation, and the grey-box pentest of a fully Claude-Opus-built web app that came back with textbook LFI, IDOR leaking password hashes, and three known Vite CVEs. AI-generated code optimizes for functional correctness, not defensive programming. Every team I know is shipping faster and accumulating security debt faster, in roughly equal measure.

The move isn't to abandon agents. It's to design honestly. Tool-orchestrated pattern matching with human gates at the reasoning boundaries. Multi-model orchestration over single-vendor lock-in — Novo Nordisk is running Anthropic and OpenAI through Celonis as the routing layer, and that's the architecture that survives commoditization. Their CDO's standard is the one to steal: if I can do it better in Excel, stay in Excel. They killed Found Data — their own Claude-powered research tool — when it couldn't beat that bar, then redirected to process-automation agents worth $10–100M per week of trial acceleration. That's the discipline that converts pilots to production. The S&P 500 is sitting at 12% production conversion against 1,000+ announced AI partnerships. That ratio is a product problem, not a sales problem.

What to do this week

One thing, concrete. Run curl -I against your Spring-backed endpoints and confirm HSTS, CSP, and X-Frame-Options are actually being sent — Spring Security 5.7–7.0 silently stopped writing them, and nothing in your logs will tell you. Then commission the cryptographic inventory. Not the migration — the inventory. You cannot plan a 2029 deadline without a map, and the teams that have one by July will be negotiating from a different position than the ones still scoping the project in Q4.