Post-quantum cryptography has moved from research papers to published standards, and forward-thinking organizations are starting to inventory where long-lived sensitive data is encrypted with algorithms that will eventually be breakable. The practical first step is not a wholesale migration — it is an inventory: which systems encrypt data that needs to stay confidential for a decade or more? For most businesses, that is a short list, and it is the right place to start planning a hybrid classical/post-quantum approach over the next 12 to 24 months.