Cryptography as Infrastructure: Why Encryption Decisions Are Hard to Undo
Jan 5, 2026
Most technical decisions can be revisited. Cryptographic decisions rarely can.
Once encryption is embedded, it tends to persist. Keys are issued. Certificates are trusted. Data is encrypted, archived, and carried forward even as systems are replaced. Cryptographic assumptions often outlive the environments they were designed for, and sometimes the people who made them.
This is how cryptographic debt accumulates. When encryption works, it is invisible. Problems surface years later, when assumptions fail or compatibility breaks. By then, the original decision is distant, undocumented, and difficult to unwind.
We have seen this pattern before. The deprecation of SHA-1 took more than a decade. The risk was well understood. The timeline was known. Execution lagged anyway. The obstacle was not awareness. It was dependency mapping. Systems no one remembered building still relied on assumptions no one had recorded.
Treating cryptography as plumbing understates its role. It is infrastructure. And like all infrastructure, progress is not always visible. It shows up as fewer irreversible decisions, clearer ownership, and a realistic understanding of where change would be costly.
Post-quantum readiness is not measured by declarations. It is measured by optionality.
Can algorithms be changed without rewriting applications?
Can every cryptographic dependency be identified?
Can you explain, clearly and defensibly, why certain systems remain unchanged?
If not, the work has not started.


