By NHI Mgmt Group Editorial Team
Published 2026-02-16
Domain: Governance & Risk
Source: Cyera

TL;DR: Traditional perimeter and access controls no longer answer where sensitive data lives, who can access it, or how it is protected, according to Cyera’s report based on real-world data risk assessments. The finding is a reminder that data governance, identity control, and exposure management now have to be treated as one problem, not separate programmes.


At a glance

What this is: Cyera’s data risk assessments show that traditional security measures are no longer sufficient for answering basic data protection questions across modern environments.

Why it matters: IAM, NHI governance, and data security teams now need shared visibility into access, exposure, and protection if they want to reduce breach and compliance risk.

👉 Read Cyera's report on the top 5 data risk findings from assessments


Context

Sensitive data security has become a governance problem as much as a technical one. Perimeter controls and static access reviews do not explain where data sits, how it moves, or which identities can reach it across cloud and AI-enabled environments. For IAM and NHI programmes, that means the control question is no longer only who has access, but whether access, discovery, and data protection are aligned.

Cyera’s report is positioned around real-world risk assessments rather than a theoretical model, which makes the message practical: organisations are still struggling to map data to identity and entitlement context. That gap affects human users, service accounts, and AI-enabled workflows alike, because weak data visibility turns every identity type into a potential exposure path.


Key questions

Q: How should security teams handle sensitive data when identity access and data discovery are disconnected?

A: Start by linking datasets to the identities and applications that can touch them, then compare that access map with the data’s sensitivity and replication footprint. If you only review entitlements, you miss the real exposure path. If you only classify data, you miss who can reach it. The control works only when identity and data governance are assessed together.

Q: Why do traditional access controls fail to protect sensitive data in cloud and AI environments?

A: Access controls answer who is authorised, but not where the data lives, how it is copied, or whether downstream systems weaken protection. In cloud and AI environments, data moves through many identities and services, so a correct permission set can still produce unacceptable exposure. That is why data discovery and classification must sit beside entitlement governance.

Q: What breaks when organisations cannot map sensitive data to service accounts and application identities?

A: They lose the ability to explain which non-human identities can move or duplicate sensitive data, and they cannot tell whether those identities are overprivileged. That creates hidden blast radius, especially where integrations reuse credentials or replicate data into less controlled systems. Without this mapping, incident response and compliance evidence both become weaker.

Q: How should organisations prioritise remediation when data exposure findings are broad?

A: Focus first on the datasets with the widest identity reach, the weakest classification confidence, and the most downstream replication. Those are the places where a small control change can reduce the largest amount of risk. This approach is more effective than trying to fix every access path at once.


Technical breakdown

Why perimeter controls miss modern data exposure

Perimeter security assumes the boundary is known and that protection can be enforced at the edge. In cloud and SaaS environments, sensitive data is copied, shared, indexed, and processed across layers that are not visible from a single network control point. Data risk assessments therefore focus on discovering data location, classifying sensitivity, and tracing who can reach it through direct access, inherited permission, or application delegation. The real failure mode is not only exfiltration. It is unknown exposure that persists because the organisation cannot prove where the data lives or which identities can touch it.

Practical implication: map sensitive datasets to the identities and applications that can actually reach them, then close the blind spots before relying on perimeter controls.

Access controls alone do not explain data protection

Access control answers whether an identity is authorised. It does not answer whether the data itself is properly classified, masked, tokenised, or stored in the right location. That is why traditional IAM and DLP programmes often miss the operational relationship between entitlement and exposure. A service account may be correctly provisioned and still have access to overexposed data. Likewise, a human user may have least-privilege access while downstream SaaS integrations replicate the data into less protected systems. Data security breaks when access governance is treated as a substitute for data governance.

Practical implication: pair entitlement reviews with data discovery and classification so access decisions are evaluated against the sensitivity of the assets being reached.

AI-powered threat environments amplify data governance gaps

AI changes the exposure profile because sensitive data can be ingested, summarised, copied, or reused at speed by systems that operate across many repositories. That makes stale classification, broad sharing, and uncontrolled application access more dangerous. The issue is not that AI creates a new kind of data on its own. The issue is that it accelerates movement of existing data through identities and workflows that are often poorly governed. When AI-driven processes consume sensitive data, visibility into lineage and entitlement becomes essential, not optional.

Practical implication: establish controls for data lineage, application access, and usage monitoring before expanding AI systems that touch regulated or high-value data.


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Traditional data security has collapsed into an identity visibility problem. Cyera’s core finding is that perimeter and access controls cannot answer the most basic data questions once data moves through cloud, SaaS, and AI-enabled workflows. That is not just a tooling gap. It is a programme design gap, because data security now depends on knowing which identities, applications, and delegated workflows can reach sensitive assets. Practitioners should treat data exposure as an identity control issue, not a siloed DLP issue.

The named failure mode here is unknown data-to-identity exposure. The control weakness is not simply that data is sensitive, but that organisations cannot consistently map sensitivity to actual access paths. When discovery, classification, and entitlement context are disconnected, governance teams lose the ability to explain why data is reachable or how far the blast radius extends. The practitioner implication is clear: a data risk programme that cannot tie records to identities is still operating blind.

AI makes legacy assumptions about stable access and static data boundaries less reliable. Once automated systems can ingest, transform, and redistribute data across multiple services, the old assumption that security can be enforced at the perimeter breaks down. This is especially true where service accounts and application credentials are reused broadly. The practical conclusion is that data governance now needs identity-aware control points across the full workflow, not just at the storage layer.

Security leaders should stop treating data discovery as a downstream reporting exercise. The report points to a deeper operational truth: if you cannot see the data, you cannot govern the identity pathways that expose it. That affects breach readiness, compliance evidence, and response speed. Practitioners should reframe data security as continuous exposure management tied to identity governance and lifecycle control.

Cyera’s findings validate a broader market shift toward converged identity and data governance. As organisations try to secure humans, NHIs, and AI-enabled workflows in the same environment, the line between access control and data control is disappearing. That means identity teams, data teams, and security operations need a shared operating model. Practitioners should expect future governance programmes to be judged on exposure reduction, not policy volume.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • That visibility gap is split across 38% with no or low visibility and 47% with only partial visibility, which shows the problem is structural, not isolated.
  • For a broader view of how exposure persists across compromised credentials and real breach chains, see 52 NHI breaches Report.

What this signals

Unknown exposure is becoming the dominant governance failure. As cloud and AI environments spread data across more identities and services, the decisive question is no longer whether access exists, but whether the organisation can see and explain it. Teams that cannot connect discovery findings to identity paths will keep discovering risk too late.

Data security programmes now need the same lifecycle discipline used in identity governance. Discovery, classification, access review, and offboarding all have to work together because stale exposure behaves like stale privilege. The practical shift is toward continuous control validation, not annual assurance cycles.

The broader signal for practitioners is that data governance and NHI governance are converging. That makes control gaps easier to spot, but only if teams are willing to use the same inventory, entitlement, and evidence model across humans, service accounts, and AI-enabled workflows.


For practitioners

  • Build a data-to-identity inventory: Map sensitive datasets to the human users, service accounts, application identities, and AI-enabled workflows that can reach them. Include direct access, inherited permissions, and delegated application paths so you can see where exposure actually exists.
  • Pair classification with entitlement reviews: Review access decisions alongside data sensitivity, not as separate exercises. A correct entitlement can still be risky if the dataset is overexposed, duplicated into weaker systems, or reachable through unmanaged application credentials.
  • Track application and service account pathways: Pay close attention to non-human identities that move data across cloud and SaaS services. Reused credentials, broad API permissions, and overlooked integration accounts often create the exposure path that perimeter tools miss.
  • Instrument data lineage for AI-enabled workflows: Monitor how sensitive data enters, transforms, and leaves AI-connected systems. Use lineage evidence to spot uncontrolled replication, excessive sharing, or policy breaks before they become compliance and breach issues.
  • Use discovery findings to drive remediation priority: Prioritise the highest-risk datasets first: the ones with the broadest identity reach, weakest classification confidence, or heaviest downstream replication. That gives your team a practical way to reduce exposure without waiting for a perfect inventory.
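The inventory, entitlement-review and prioritisation steps above (and the Q&A answer on remediation priority), as an added illustration that is not part of the original post or of Cyera's assessment tooling: it takes a constructed inventory of datasets, direct grants, group memberships, delegated application access and replication copies, resolves every identity that can reach each dataset (directly, by inheritance, through a replica, or via an app acting on someone's behalf), and ranks datasets by identity reach, classification confidence and downstream replication. The scoring weights and the svc-/ai-/oauth- naming convention for non-human identities are assumptions.

```python
# Constructed sample inventory (not Cyera's or NHIMG's data): dataset -> (sensitivity 1..5, classification confidence 0..1)
DATASETS = {
    "crm-customers": (5, 0.9),
    "crm-export-s3": (5, 0.4),   # bulk copy of crm-customers, weakly classified
    "hr-payroll": (5, 0.95),
    "marketing-assets": (1, 0.8),
}
REPLICAS = {"crm-customers": ["crm-export-s3"]}   # source -> downstream copies
GRANTS = {                                        # dataset -> directly granted principals
    "crm-customers": {"alice", "svc-crm-sync"},
    "crm-export-s3": {"grp-analytics", "svc-bi-loader"},
    "hr-payroll": {"grp-hr"},
    "marketing-assets": {"grp-all-staff"},
}
GROUPS = {                                        # group -> members (inherited permission, nesting allowed)
    "grp-analytics": {"bob", "ai-summariser"},
    "grp-hr": {"carol"},
    "grp-all-staff": {"alice", "bob", "grp-hr"},
}
DELEGATIONS = {"oauth-reporting-app": {"bob"}}    # app -> identities it can act on behalf of
NHI_PREFIXES = ("svc-", "ai-", "oauth-")          # assumed naming convention for non-human identities

def expand(principal):
    """Resolve a group, recursively, to the leaf identities that inherit its grant."""
    if principal not in GROUPS:
        return {principal}
    return set().union(*(expand(m) for m in GROUPS[principal]))

def reachable_identities(dataset):
    """Direct grants + inherited membership + access via a replica + delegated app access."""
    ids = set().union(*(expand(p) for p in GRANTS.get(dataset, ())))
    for copy in REPLICAS.get(dataset, ()):
        ids |= reachable_identities(copy)        # whoever reaches the copy reaches the data
    for app, principals in DELEGATIONS.items():
        if principals & ids:                     # app can act as an identity already in reach
            ids.add(app)
    return ids

def replica_count(dataset):
    return sum(1 + replica_count(c) for c in REPLICAS.get(dataset, ()))

def exposure_score(dataset):
    """Wide reach, weak classification confidence and heavy replication all raise the score."""
    sensitivity, confidence = DATASETS[dataset]
    return sensitivity * len(reachable_identities(dataset)) * (1 + replica_count(dataset)) * (2 - confidence)

def rank_datasets():
    """Remediation order, highest exposure first, with the NHIs that can reach each dataset."""
    return sorted(((d, round(exposure_score(d), 2), sorted(i for i in reachable_identities(d)
                    if i.startswith(NHI_PREFIXES))) for d in DATASETS), key=lambda r: -r[1])
```

Calling rank_datasets() puts the weakly classified, replicated CRM data at the top even though every individual grant on it looks correct, which is the entitlement-versus-exposure gap the post describes.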

Key takeaways

  • Cyera’s report shows that modern data protection fails when organisations cannot connect sensitive data to the identities that can reach it.
  • The evidence points to a structural gap between data discovery and access governance, which makes exposure harder to explain and harder to reduce.
  • Practitioners should treat data security, identity governance, and AI workflow oversight as one control problem, not three separate ones.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.DS-1 | Data protection is central because the report focuses on sensitive data exposure.
NIST Zero Trust (SP 800-207) | SC-3 | Zero trust is relevant where access alone cannot explain or limit data exposure.
OWASP Non-Human Identity Top 10 | NHI-03 | Service accounts and application identities often create the hidden exposure paths described here.

Review non-human identities for overbroad data access and remove unnecessary standing privilege.


Key terms

  • Data-to-Identity Mapping: The practice of linking sensitive datasets to the people, service accounts, applications, and workflows that can access them. It turns data security from a static classification exercise into an operational governance model that shows who can actually reach what, and through which path.
  • Exposure Path: The route by which sensitive data becomes reachable, copied, or redistributed across systems. In practice, this can include direct permissions, delegated access, service account privileges, API integrations, and downstream replication into less protected environments.
  • Identity-Aware Data Governance: A governance approach that evaluates data protection through the lens of identity and entitlement, not storage alone. It combines discovery, classification, access review, and workflow visibility so teams can understand whether data is both sensitive and reachable.

Deepen your knowledge

Data-to-identity mapping and exposure management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is trying to align identity controls with data governance, it is a relevant place to start.

This post draws on content published by Cyera: Top 5 Findings from Cyera Data Risk Assessments. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org