🤖 AI Summary
This study addresses the core challenges of post-quantum cryptography (PQC) migration, which stem not from a lack of algorithms but from insufficient cryptographic visibility, complex interdependencies, and fragmented governance. The authors propose a “discover-before-migrate” strategy that reframes PQC discovery as a governance capability by leveraging tool-assisted cryptographic asset inventory, evidence-driven baseline assessments, and structured exposure registries—transforming cryptographic uncertainty into a measurable accountability mechanism. A prioritization model grounded in asset criticality, confidentiality longevity, and migration feasibility enables risk-informed decision-making and ecosystem-wide coordination. Empirical implementation reveals systemic issues including distributed ownership, inconsistent evidence quality, and third-party dependencies, offering an actionable pathway toward cryptographic agility and resilience against “harvest now, decrypt later” threats.
📝 Abstract
Post-Quantum Cryptography (PQC) readiness is increasingly constrained not by algorithm availability, but by cryptographic visibility, dependency complexity, and fragmented governance. This paper presents an anonymised case study of a large European critical service provider that initiated PQC readiness through a discovery-first strategy, utilizing tool-supported cryptographic inventorying to establish an evidence-based baseline prior to migration planning. The discovery phase revealed systemic challenges, including distributed cryptographic ownership, uneven evidence quality across legacy and modern environments, and high dependency on third-party cryptographic roadmaps. To operationalise these findings, the organisation introduced a structured exposure register that enabled prioritisation based on asset criticality, confidentiality longevity, and migration feasibility. We argue that PQC discovery should be understood as a governance capability that stabilises organisational knowledge and converts cryptographic uncertainty into measurable accountability, supporting risk-based decision making and ecosystem coordination. The results contribute actionable lessons for institutions pursuing crypto-agility and resilience under post-quantum "harvest now, decrypt later" threat models.