Quantum is one of those topics that is easy to put in the wrong place.

Put it too far out, and it sounds like something to revisit later when the technology is more mature. Put it too close, and it starts to sound like every organization should already be building around it. I do not think either view is especially helpful.

Until recently, I would have leaned more toward the first one.

My view was pretty straightforward. If an organization had not addressed the basics of its data and AI strategy, quantum probably was not the place to spend much time. The better move seemed to be getting the fundamentals in place and making sure the right partners were around when quantum became more accessible and more usable in a practical way.

I still think there is truth in that.

Quantum may exist today, but it is not yet something most organizations can routinely access, operationalize, or rely on in any mainstream sense. Even if access existed, that still would not mean it was ready to be used in a repeatable enterprise way across ordinary operations.

But one part of my thinking has changed.

The most important quantum question is not whether most organizations are ready to use quantum.

It is whether we understand our data well enough to protect what needs to stay secure before quantum becomes routine enough to matter operationally.

That is a different question, and to me it is the more useful one.

Once you look at it that way, quantum stops being only a technology discussion. It becomes a data discussion. What are we keeping? For how long? Where does sensitive data live? Which systems move it? Which vendors touch it? Which decisions we are making now could quietly increase our exposure later?

That is why this feels less theoretical to me than it used to.

The issue is not just the future availability of stronger quantum capability. It is the fact that data with a long confidentiality horizon creates a planning problem right now. If encrypted data can be collected now and become more vulnerable later, then retention, classification, stewardship, and visibility stop looking like background disciplines. They start looking like the center of the issue.

That is also where the post-quantum cryptography conversation gets more practical.

This is not a matter of choosing one new standard and declaring the problem solved. Different standards are meant for different purposes, including key establishment and digital signatures, so the real challenge is understanding where your environment depends on what, where vulnerable public-key cryptography is embedded, and how a transition would actually work in the systems you run.

And that is the part I think matters most for the broader Data and AI journey.

If governance is weak, if retention is sloppy, if vendor oversight is thin, and if no one has a clear picture of where sensitive data lives or how it moves, quantum does not create a new problem out of nowhere. It reveals how exposed the existing problems already are.

That is why I do not see quantum as a reason to abandon the basics.

I see it as a reason to take the basics more seriously.

Data classification matters more. Retention matters more. Knowing where encryption sits in your stack matters more. Knowing which third parties carry part of your exposure matters more. The organizations that have done the patient work of governance and data discipline will not have solved everything, but they will at least know where to start.

That feels like the real dividing line here.

Quantum may not be mainstream yet. But the data decisions that will shape quantum-era exposure are already being made. They are being made in architecture choices, in vendor contracts, in storage practices, in retention schedules, and in the quiet assumptions organizations make about what their current encryption will protect and for how long.

So I do not think the right response is hype.

And I do not think it is delay.

I think it is disciplined preparation.

Start with the data that truly needs long-horizon confidentiality. Reduce what does not need to be kept. Build a better picture of where quantum-vulnerable cryptography exists. Ask harder questions of vendors. And make post-quantum planning part of governance and architecture now, while there is still time to do it deliberately rather than reactively.

Resources