Almost every enterprise leader now agrees that quantum resistant cryptography is necessary. Far fewer can say where their organization actually stands on the path to it. Agreement is easy. Movement is the hard part.

Becoming quantum-resistant isn't a purchase. It's a migration, and like every migration it has stages. Knowing which one you're in is the difference between a plan and a good intention.

"If you can't produce an inventory of your cryptography, you haven't started, no matter how many meetings the topic has had."

Stage One: Not Started (and Most Are Here)

At this stage, encryption is entirely classical, key exchange relies on RSA or elliptic curve, and no one has formally audited what that means. Crucially, many organizations that believe they're further along are actually here. They've discussed quantum resistant cryptography, but nothing has been measured. By most industry estimates roughly 97% of enterprise systems remain unprepared.

The tell is simple: if you can't produce an inventory of your cryptography, you haven't started, no matter how many meetings the topic has had.

Stage Two: Aware but Fragmented

Here, teams understand the threat but have addressed it in silos. The cloud team has looked into it. Networking has a task on the roadmap. But there's no unified view of the cryptographic estate and no single owner accountable for the outcome.

Fragmentation feels like progress because activity is happening. It isn't progress toward quantum resistant cryptography until someone can see the whole picture at once.

Stage Three: Assessed

An assessed organization knows what it has: a complete inventory of algorithms, keys, certificates, and data flows, plus a risk map ranking assets by sensitivity and longevity, and a migration timeline tied to real regulatory obligations like CNSA 2.0's 2027 milestones.

This is the stage where the problem becomes manageable, because for the first time it's fully visible. You cannot prioritize what you cannot see.

Stage Four: Migrating to Quantum Resistant Cryptography

Migrating means actively replacing the most exposed cryptography with quantum resistant cryptography (such as the ML-KEM and ML-DSA standards NIST finalized in 2024) in priority order, on a schedule that reaches compliance before the deadline. Often this runs as hybrid encryption during the transition, so protection never lapses.

Most enterprises have a limited window to move from wherever they are to "migrating." The same investment surge fueling AI is shortening that window, not lengthening it. The teams that start the inventory now are the ones who reach this stage calmly.

Why Most Enterprises Stall at Stage One

The gap between agreeing on quantum resistant cryptography and starting it is almost always organizational, not technical. Stage one stalls because no single person has been handed the question with the authority to answer it across silos. The cloud team can't inventory the network; the network team can't see application keys; everyone assumes someone else owns the whole.

Breaking the stall takes one unglamorous move: name an owner and fund a discovery phase. The first deliverable isn't a migration. It's a unified inventory, the artifact that makes every later decision possible. Until that exists, quantum resistant cryptography remains a topic rather than a program. It is the difference between a program that moves and a working group that meets.

Once the inventory exists, the path forward stops feeling overwhelming and starts looking like a sequence: discrete, prioritized steps against a known deadline, each one shrinking the exposure window a little more. That sequencing is also what makes the work fundable. A board can approve a prioritized roadmap with milestones far more easily than an open-ended initiative to "become quantum-safe."

The Payoff of Starting Now

Enterprises that begin the inventory today reach the migrating stage while the timeline still allows deliberate, low-risk sequencing. Those that wait compress the same work into a smaller window, which is how careful migrations turn into rushed ones. Starting early is not about being first. It is about giving yourself room to be careful. And careful migrations are the ones that don't break the business they were meant to protect.