Maman Ibrahim is a cyber and digital risk executive, helping boards, CROs, CIOs and CISOs turn risk work into decisions, delivery, and proof.

In my advisory work with boards and senior risk leaders, I have seen the same pattern with most emerging technology risks of the past two decades: A specialist function raises an early warning, executive colleagues acknowledge the issue and return to the demands of the current quarter and the specialist team is left holding a risk that belongs to the whole enterprise, without the authority or reach to address it. Quantum exposure is the next candidate. In recent conversations, I have seen it labeled "the quantum project" and handed to the cryptography function.

The regulatory backdrop now makes this approach untenable. The U.S. National Institute of Standards and Technology has finalized its first post-quantum cryptography standards. The U.K.'s National Cyber Security Centre expects discovery and migration planning by 2028, high-priority migration by 2031 and full migration by 2035. The European Commission has instructed Member States to begin the transition by the end of 2026, with critical infrastructure migrated by 2030. These developments address the technical and accountability dimensions, but they do not resolve how organizations choose which systems to migrate, in what order and on whose authority.

Why The Cyber Register Is The Wrong Filing Place

Most risk registers I have reviewed file quantum exposure under cyber risk. The classification feels intuitive, but obscures where the actual decisions sit. Quantum exposure cuts across data, supplier contracts, capital allocation, customer commitments, regulatory adequacy and board appetite. Treating it as a cyber line item misrepresents the scope of those decisions.

The unanswered questions illustrate the gap. Who decides which services migrate first, given competing demands on engineering capacity? Who accepts the residual risk of waiting on a particular system?
Who funds migration when one function owns the service but another carries the cryptographic dependency? Who informs a strategic supplier that their post-quantum roadmap does not meet expectations? A cryptography team can advise, but the decisions belong to the wider enterprise. For that reason, I treat quantum exposure as a decision layer problem rather than a technical control problem.

Two Distinct Time Horizons

A second pattern is the assumption that quantum is a single future date to prepare for linearly. In practice, two distinct horizons require different responses.

The first horizon is already in motion. It maps the current cryptographic estate: which systems use which algorithms, where teams manage keys, which certificates they track, which suppliers handle which data and who owns each element. In most organizations I've advised, this inventory does not exist in consolidated form, so migration planning must begin with discovery rather than execution. The first practical question is the most prosaic: Do you have a reliable view of where your cryptography sits?

The second horizon addresses what many call harvest-now-decrypt-later exposure. Attackers may capture data today and leave it encrypted for years. But if that data still retains commercial, legal or reputational value even when cryptographic protection fails, the exposure has already occurred. For long-lived data such as health records, legal correspondence, intellectual property and sovereign secrets, the decision window has effectively closed. Boards that assume future action will suffice are misreading the timing.

Taxonomy Discipline: One Event, Clear Attributes

A third pattern emerges when a quantum-related event materializes without a clear taxonomy. In a recent one-hour workshop I was involved in, a single failure by a cryptographic supplier produced five different risk labels. Cryptography logged it as an algorithm lifecycle risk. Cyber recorded it as an encryption weakness.
Legal classified it as a regulatory adequacy concern. Procurement filed it under supplier failure. Finance produced a long-horizon loss scenario, which, when aggregated with the others, materially overstated the position presented to the board.

The fix requires discipline. The primary event should be named first: here, a supplier's failure to meet agreed-upon post-quantum migration commitments. The cryptographic method, the affected data, the regulatory scope, the time horizon and the financial consequence are recorded as attributes beneath the primary event, not as competing parallel risks.

In the workshop, this produced one event with two distinct figures: current exposure from data already at risk, and a long-horizon stress scenario contingent on future cryptographic breakage. The board could then engage with each on its own terms rather than with an aggregated number that conflated them.

Decision Architecture And Decision Infrastructure

Clean classification is necessary but not sufficient. The harder question is who decides, on what evidence and with what record. I have watched capable leadership teams spend 40 minutes discussing a technology risk without ever naming the required decision. Quantum readiness will produce many such discussions without the right architecture in place.

Decision architecture names the choices in advance: which services you migrate first, which data classifications require specific secrecy horizons, which suppliers must accept contractual changes and which residual risks must reach the board.
Decision infrastructure records what leaders knew at the time, what they chose and rejected, who accepted the residual risk and when each decision must be reviewed.

A future audit, internal or regulatory, will ask whether each decision made sense given the information available at the time, and whether the reasoning can still be reconstructed, instead of asking whether the organization correctly predicted the arrival of quantum computing relevant to cryptography.

Four Questions For The Board

For boards seeking a practical entry point, I suggest four questions:

1. Where does cryptography support services and data flows material to the enterprise?
2. Which of those services carry data that remains sensitive long enough to be affected by future cryptographic breakage?
3. Who owns the migration choices across services, suppliers, regions and budgets, and what authority do they hold?
4. Can the organization reconstruct today's reasoning in two or three years, when the people, technologies and external standards will have moved on?

Quantum exposure will test cryptographic competence, but it will test institutional capacity for cross-functional decision-making more severely. Organizations that build the decision architecture now will manage migration deadlines with less disruption and will be better placed to demonstrate, when asked, who knew what, who decided and where the evidence sits.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.