With the August 2024 NIST finalisation of ML-KEM, and its rapid adoption across browsers, servers, and VPN infrastructure, many organisations can now point to real PQC deployments. The encryption layer is moving. The threat of "harvest now, decrypt later" attacks — where adversaries collect today's traffic to decrypt once a quantum computer exists — is being addressed. But there is a second migration that has barely started, and its absence leaves organisations in a state that might be described as half-quantum-safe: protected against future decryption, but still fully vulnerable to future forgery. That second migration is the signature migration. And unlike key encapsulation, it does not fit into a single well-defined slot. It is embedded across the entire infrastructure stack — in certificate chains, firmware images, code-signing pipelines, identity tokens, and legal documents. It touches every team. It requires years of sequenced planning. And it carries consequences that a failed KEM migration does not: a forged signature can impersonate a server, deliver malicious firmware as legitimate, or fabricate credentials across an entire authentication surface.This issue of QS Lens examines why the signature migration has fallen behind, where the exposure actually lives, and what a structured response looks like for CISOs who want to close the gap before the threat becomes active.