By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ProofpointPublished August 19, 2025

TL;DR: Across 1,600 security leaders in 16 countries, 76% expect a material cyberattack within 12 months, 66% reported material sensitive data loss, and only 6% have dedicated DLP resources despite near-universal DLP adoption, according to Proofpoint’s 2025 Voice of the CISO survey. The gap is not awareness; it is governance, resourcing, and control ownership.


At a glance

What this is: Proofpoint’s 2025 Voice of the CISO survey shows rising concern, persistent data loss, and a widening gap between security ambition and operational control.

Why it matters: For IAM, NHI, and broader identity programmes, the report reinforces that access governance, insider risk, and data protection fail when controls exist on paper but not in practice.

By the numbers:

👉 Read Proofpoint's 2025 Voice of the CISO report on cyber risk and GenAI governance


Context

The primary issue here is not a lack of security intent, but a control gap between declared capability and operational coverage. Proofpoint’s survey points to a world where organisations believe they are prepared while still losing sensitive data, which is a familiar pattern across identity, access, and data governance programmes.

That matters to IAM practitioners because the same governance drift appears in human identity, NHI, and emerging GenAI access models. When access is widely distributed and control ownership is thin, policy does not translate into enforcement, and risk accumulates faster than teams can review it.


Key questions

Q: What breaks when DLP exists but no one owns it properly?

A: DLP becomes inconsistent, noisy, and easy to bypass when no team owns tuning, exception handling, and response. Organisations may still report deployment coverage, but they miss the operational work that makes the control effective. The result is predictable: sensitive data moves through approved channels without being blocked or investigated in time.

Q: Why do insider risks remain high even when employees understand security policy?

A: Awareness does not remove access, and access is what insiders use. If users retain broad permissions, weak monitoring, or poorly governed data paths, policy knowledge has little effect on actual risk. The effective control is entitlement reduction plus detection of unusual behaviour, especially for users who handle sensitive or regulated information.

Q: How should security teams govern GenAI applications without breaking usability?

A: Start by mapping the request path and applying controls where risk appears, not only at login. Use role and context signals, input validation, output filtering, and audit logging together so guardrails block unsafe actions without forcing every request through the same heavy review path.

Q: Who is accountable when material data loss happens despite existing controls?

A: Accountability should sit with the control owner who is responsible for operating and proving effectiveness, not just the team that procured the tool. Boards and executives need evidence that access boundaries, DLP, and insider-risk controls are being tuned and tested. Without that evidence, governance becomes performative rather than protective.


Technical breakdown

Why data sprawl defeats point-in-time control models

Data sprawl means sensitive information is distributed across endpoints, cloud services, collaboration tools, and GenAI systems faster than teams can classify and segment it. In that environment, periodic reviews and static policy documents miss the operational reality: the data moves, copies, and reappears in places the original control owner no longer sees. DLP can only work when it is paired with classification, routing, and enforcement ownership.

Practical implication: tie data controls to asset and identity inventories so ownership stays current as data moves across systems.

How human risk becomes an identity governance problem

The report’s human-risk findings show that insider threat is not just a training problem. It is an identity governance problem because careless, compromised, and malicious insiders all exploit the same underlying weaknesses: over-broad access, poor entitlement hygiene, and weak monitoring of unusual behaviour. When organisations assume awareness alone will reduce risk, they underinvest in the access boundaries that actually constrain misuse.

Practical implication: review who can reach sensitive data, not just who has completed awareness training.

Why generative AI expands the protection boundary

GenAI changes the data protection boundary because employees can create, paste, summarise, and redistribute sensitive material through tools that sit outside traditional DLP assumptions. That makes policy enforcement harder unless governance extends to sanctioned AI tools, collaboration platforms, and the identities using them. The security problem is less about the model itself than about uncontrolled data movement through identity-mediated workflows.

Practical implication: extend classification and DLP controls into approved GenAI and collaboration workflows before broad usage becomes normal.


Threat narrative

Attacker objective: The attacker’s objective is to obtain sensitive information that can be stolen, sold, exposed, or used to pressure the organisation.

  1. Entry occurs through routine user access, phishing, or insider misuse in environments where sensitive information is already widely distributed.
  2. Escalation follows when over-broad access and weak monitoring let an insider or attacker reach data beyond the original business need.
  3. Impact lands as material data loss, potential extortion leverage, and business disruption once sensitive information leaves controlled environments.

NHI Mgmt Group analysis

Data loss is now a governance failure, not a tooling failure. Proofpoint’s findings show nearly universal DLP adoption alongside continued material data loss, which means the issue is not the existence of controls but the operational quality of ownership, tuning, and enforcement. In practice, controls that are not actively managed behave like policy theatre. Practitioners should treat DLP as a governed service with clear accountability, not a box to check.

Human risk is inseparable from identity governance. The report’s insider-threat findings point to the same access patterns that also affect NHI programmes: broad entitlements, weak lifecycle discipline, and limited visibility into actual use. When organisations focus on awareness while neglecting entitlement scope, they leave the highest-risk access paths intact. Practitioners should align insider-risk work with access review and privilege reduction.

GenAI creates a new data movement layer that traditional controls do not fully cover. The article shows that the risk is not only public GenAI tools but also the way employees move sensitive data through collaboration and AI-assisted workflows. That expands the governance boundary into identity, session, and content controls. Practitioners should treat sanctioned AI access as part of the data security model, not a separate innovation track.

Board confidence and practitioner reality are drifting apart. The report suggests many CISOs are being asked to absorb risk that board-level governance has not yet fully priced in. That creates pressure to translate security outcomes into business terms, especially when data loss affects valuation, resilience, and regulatory exposure. Practitioners should expect sharper scrutiny of measurable control coverage, not just programme activity.

Confidently wrong security programmes need better evidence loops. The most useful concept in this report is the gap between perceived readiness and actual incident experience, which is a pattern across identity and security governance. If leaders cannot see where access, DLP, or insider controls are failing, confidence becomes a liability. Practitioners should build evidence loops that test whether controls reduce loss in practice, not just in policy.

What this signals

Access governance is moving from a human-only problem to a shared identity problem. As GenAI and collaboration tools absorb more sensitive data handling, teams need one operating model for users, service accounts, and AI systems. The practical shift is to treat every high-risk data path as an identity-governed workflow, not a separate business exception.

Confidently wrong programmes fail when measurement is weak. Organisations that think they are covered often discover that coverage is partial, ownership is unclear, or response is too slow to matter. The strongest signal is not a dashboard claim but whether DLP, entitlement review, and insider-risk workflows actually reduce exposure over time.

Over-privilege is becoming the default risk multiplier. Our research shows 70% of organisations grant AI systems more access than comparable human employees, which mirrors the same pattern that drives loss in broader identity programmes. Teams should assume that access scope, not technology novelty, will define the next wave of control failures.


For practitioners

  • Tighten access around sensitive data paths Map who can reach sensitive data across cloud, collaboration, and GenAI tools, then reduce entitlement scope to the smallest business need. Prioritise high-value repositories and shared locations where data is most likely to move unexpectedly.
  • Reassign ownership of DLP as a managed control Give a named owner responsibility for classification coverage, policy tuning, alert triage, and exception review. Track false positives, missed detections, and response times so DLP is measured as an operating service, not a deployment.
  • Align insider-risk monitoring with identity reviews Connect unusual-access detection to entitlement review and privilege reduction, especially for users handling regulated or business-critical data. Focus on account behaviour, not just awareness training completion, because misuse usually follows access gaps.
  • Extend controls into approved GenAI workflows Classify which prompts, chats, and document flows may contain sensitive material, then apply DLP and logging to sanctioned AI and collaboration platforms. Treat these workflows as governed data channels, not informal productivity tools.

Key takeaways

  • The report shows a persistent gap between security confidence and actual loss outcomes, which makes governance quality more important than deployment counts.
  • Data loss continues despite near-universal DLP adoption, proving that ownership, tuning, and enforcement matter more than tool presence alone.
  • Identity, insider risk, and GenAI governance now intersect at the same control boundary, so practitioners need shared oversight for access and data movement.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access control is central to the report's loss and insider-risk findings.
NIST SP 800-53 Rev 5AC-6Least privilege directly addresses the over-broad access driving data loss and insider misuse.
CIS Controls v8CIS-5 , Account ManagementAccount and entitlement governance underpins the report's access and insider-risk concerns.
NIST AI RMFGOVERNGenAI governance and accountability are explicitly part of the survey's risk landscape.
MITRE ATT&CKTA0006 , Credential Access; TA0009 , CollectionThe report's threat set includes insider misuse, cloud takeover, and data theft patterns.

Map access and collection risks to TA0006 and TA0009, then prioritise monitoring around sensitive data paths.


Key terms

  • Data Sprawl: Data sprawl is the uncontrolled spread of information across apps, storage locations, and devices without a single governance model. In practice, it creates duplicate copies, unclear ownership, and weaker retention control, which makes access management and compliance harder to prove.
  • Insider Risk Management: Insider Risk Management is the practice of detecting, investigating, and reducing harm caused by legitimate identities misusing access. It covers human error, malicious insiders, compromised accounts, and increasingly AI-driven actors that can move sensitive data without breaking perimeter controls.
  • AI data leakage: AI data leakage occurs when sensitive business information is exposed through prompts, outputs, or copied content in AI-assisted workflows. In browser-driven work, the risk is often accidental rather than malicious, so governance depends on data rules, usage policy, and session controls.
  • Control ownership: Control ownership is the assignment of responsibility for a security control’s configuration, operation, and evidence. In identity programmes, it determines who reviews changes, who approves exceptions, and who can prove that a control is working as intended.

What's in the full report

Proofpoint's full report covers the operational detail this post intentionally leaves for the source:

  • Breakdowns of the seven survey themes and how respondents ranked their top concerns across regions and roles.
  • The full set of survey percentages behind confidence, risk perception, insider threat, and GenAI governance.
  • Boardroom and accountability findings that show how CISOs are being evaluated on cyber risk and business impact.
  • The original commentary and framing from Proofpoint's resident CISO on the survey results.

👉 Proofpoint's full report includes the survey context, theme-by-theme results, and leadership commentary behind these findings.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect access control, lifecycle discipline, and accountability across identity programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org