The highest-priority proactive control “to embed into the organization’s development lifecycle” is including quantum-resistance checks in the SDLC and code review processes. The scenario emphasizes a company-wide, long-term risk reduction strategy while development continues on a major refactor. In that context, the most scalable and durable control is governance and engineering hygiene: ensuring that new features and refactored components do not reintroduce weak or legacy cryptography and that teams consistently select algorithms and key sizes aligned with modern guidance and future migration plans.
Embedding checks into the SDLC means instituting standards and guardrails such as approved cryptographic libraries, banned algorithm lists (e.g., legacy RSA key sizes, deprecated curves, weak hashes), cryptography design reviews, automated dependency scanning for crypto usage, and CI/CD policy gates that flag noncompliant implementations. This approach reduces “crypto sprawl,” prevents new technical debt, and creates a structured path to transition toward post-quantum or quantum-resistant approaches as the organization modernizes systems.
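As an added illustration (not part of the original answer explanation) of what a CI/CD policy gate for cryptography can look like, the following Python script scans source text for a banned-algorithm list of the kind described above: weak hashes, RSA key sizes below a policy minimum, and deprecated curves. The thresholds, the banned names, and the file content it scans are constructed assumptions for this example, not an organizational standard; a real gate would load its policy from a versioned configuration and run against the repository in the pipeline.

```python
import re
from dataclasses import dataclass

# Hypothetical policy values (assumptions for this example, not a published standard).
BANNED_HASHES = {"md5", "sha1"}
MIN_RSA_BITS = 3072
DEPRECATED_CURVES = {"secp112r1", "secp160r1", "secp192r1", "secp224r1"}

# Patterns for common Python crypto call sites (hashlib and the `cryptography` package).
HASH_RE = re.compile(r"hashlib\.(md5|sha1)\s*\(", re.IGNORECASE)
RSA_RE = re.compile(r"generate_private_key\([^)]*key_size\s*=\s*(\d+)")
CURVE_RE = re.compile(r"ec\.(SECP\w+)\(\)")


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per policy violation in the given source text."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("#"):
            continue  # full-line comments are not executable code
        m = HASH_RE.search(line)
        if m and m.group(1).lower() in BANNED_HASHES:
            findings.append(Finding(n, "weak-hash",
                                    f"{m.group(1)} is banned; use SHA-256 or stronger"))
        m = RSA_RE.search(line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(Finding(n, "rsa-key-size",
                                    f"RSA {m.group(1)}-bit key below policy minimum {MIN_RSA_BITS}"))
        m = CURVE_RE.search(line)
        if m and m.group(1).lower() in DEPRECATED_CURVES:
            findings.append(Finding(n, "deprecated-curve",
                                    f"curve {m.group(1)} is deprecated by policy"))
    return findings


def policy_gate(text: str) -> bool:
    """True if the source passes the gate (no findings); a CI job would fail otherwise."""
    return not scan_source(text)


# Constructed sample source: three violations and two compliant calls.
SAMPLE = """import hashlib
from cryptography.hazmat.primitives.asymmetric import rsa, ec
digest = hashlib.md5(payload).hexdigest()
key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
ok_key = rsa.generate_private_key(public_exponent=65537, key_size=4096)
curve_key = ec.generate_private_key(ec.SECP192R1())
good = hashlib.sha256(payload).hexdigest()
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
    print("gate passed" if policy_gate(SAMPLE) else "gate FAILED")
```

The scanner is deliberately regex-based so it is cheap enough to run on every commit; a more thorough gate would pair it with an SBOM-level check of which cryptographic libraries each service pulls in, so that the inventory of crypto usage stays current as the refactor proceeds.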
Why the other choices are not the best “highest priority” SDLC-embedded control:
Encrypt stored data with quantum-resistant algorithms (B) may be appropriate for protecting long-lived sensitive data (“harvest now, decrypt later”), but it is a targeted technical control and may not be feasible immediately across many services during refactoring. It also does not by itself prevent developers from continuing to implement legacy public-key schemes elsewhere.
Quantum-specific firewalls (C) are not a realistic or standard control for post-quantum readiness in typical enterprise environments.
Fragmenting data across locations (D) can help resilience/confidentiality in some designs but does not address the core issue: preventing continued reliance on weak public-key cryptography.
Therefore, the best answer is A. Include quantum-resistance checks in SDLC and code review processes.