TL;DR: Unstructured data, which makes up more than 80% of enterprise data, often becomes ROT within 90 days and expands breach exposure, according to OneTrust. The governance shift is from periodic cleanup to continuous policy enforcement across where data lives and how it is used, while cloud storage can cost $3,351 per terabyte per year and the average breach damage reached $4.4M in 2025.
At a glance
What this is: This is a data governance argument that links retention and minimization to lower storage cost, smaller attack surface, and better compliance with privacy rules.
Why it matters: For IAM, NHI, and broader security programmes, it shows that data scope control is part of exposure management, because excess data often outlives the access controls meant to protect it.
By the numbers:
- More than 80% of the data stored by organizations is unstructured.
- The average damage of a data breach in 2025 sat at $4.4M.
- Cloud storage alone accounts for 30% of a company’s overall IT budget.
👉 Read OneTrust's guidance on reducing sensitive data footprint with retention and minimization
Context
Data minimization is the practice of limiting collection, retention, and use to what is actually needed. In security terms, it reduces the volume of data that can be exposed, misused, or retained beyond its business purpose, which is why the article frames it as both a privacy and attack-surface issue.
The article’s core claim is that unstructured data and ad hoc retention practices create both cost and control failures. That intersects with identity governance because access, offboarding, and policy enforcement become harder when data is spread across collaboration tools, cloud storage, and file shares without a clear lifecycle.
Key questions
Q: What fails when organisations keep too much unstructured data?
A: The main failure is that data outlives its purpose, making it easier to expose, harder to govern, and more expensive to retain. Unstructured content also sits across systems that are often outside strict lifecycle controls, so retention drift becomes both a security and compliance problem. Minimization reduces the amount of data that can be lost or misused.
Q: Why does data minimization matter to security teams, not just privacy teams?
A: Security teams care because excess data increases the number of places an attacker can target and the amount of material they can recover if access is abused. Minimization lowers exposure, shortens the useful lifetime of sensitive content, and reduces the blast radius of a breach. It is a control on what exists, not only on who can see it.
Q: How do teams know whether retention controls are actually working?
A: Look for evidence that the policy causes action: files are archived or deleted on schedule, exceptions are logged, and over-retained data is shrinking over time. If reviews only produce reports and never change system state, the control is advisory rather than operational. Continuous monitoring should surface policy drift before it becomes widespread.
Q: Who is accountable when data minimization fails?
A: Accountability usually spans privacy, security, and the business owner of the data set, because retention decisions affect legal compliance, access risk, and operational use. The key is to define who can approve exceptions, who implements deletion rules, and who verifies that the control is still effective after systems change.
Technical breakdown
Why unstructured data creates governance debt
Unstructured data includes emails, attachments, images, and documents that do not fit neatly into database-style field controls. Because this content is harder to classify and govern at scale, it often escapes routine retention and access reviews. The result is governance debt: data accumulates faster than policy can be applied, creating a larger pool of sensitive material that remains available long after it stops being useful.
Practical implication: identify unstructured repositories first, because that is where retention policy failures usually accumulate.
How retention schedules become enforceable controls
A retention schedule is only meaningful when it is translated into an operational deletion or archive action. The article describes a model where teams observe metadata, define when data is no longer needed, and then trigger deletion, archiving, anonymization, or de-identification based on business rules. This is the difference between a policy statement and a control that changes system behaviour.
Practical implication: connect policy to action logic in the systems where data lives, not in a separate document library.
Why continuous monitoring matters for data minimization
Static cleanup exercises do not keep up with changing workflows, new data sources, or collaboration sprawl. Continuous monitoring checks whether data is still being held, shared, or used outside its defined purpose, and flags policy violations as environments evolve. In practice, this turns minimization into an ongoing control rather than an annual compliance task.
Practical implication: monitor for policy drift continuously so retention exceptions do not become permanent exposure.
Threat narrative
Attacker objective: The objective is to exploit excess, poorly governed data to increase the amount of sensitive material available for theft, misuse, or accidental exposure.
- Entry begins when organizations collect data broadly and store it across cloud platforms, collaboration tools, and file systems without a clear purpose or retention boundary.
- Escalation occurs when redundant, obsolete, and trivial data remains available outside tightly governed systems, making it easier for an attacker or insider to find sensitive material.
- Impact is larger breach exposure, higher storage cost, and regulatory non-compliance because unnecessary data remains both discoverable and retainable for longer than needed.
NHI Mgmt Group analysis
Data minimization is now a control-plane issue, not a compliance afterthought. The article is right to connect retention with attack surface, because data that no longer has a business purpose still creates exposure if it remains accessible. That shifts the discussion from privacy policy to operational control design, where data lifecycle decisions need to be enforced in the systems that store and share content. Practitioners should treat minimization as a standing security control, not a quarterly cleanup exercise.
Unstructured content is where governance programmes lose precision. Emails, attachments, and collaborative files do not fail because they are inherently dangerous. They fail because they are difficult to classify, difficult to retire, and often invisible to the workflows that govern structured records. The specific failure mode is retention drift, where data stays live after its purpose ends. Practitioners should prioritise discovery and deletion controls for unstructured repositories first.
Policy without enforcement creates audit comfort but not risk reduction. The article’s strongest point is that minimization only matters when retention rules can trigger deletion, archiving, anonymisation, or de-identification automatically. That maps to the broader security reality that written rules do not reduce exposure unless they change system behaviour. Practitioners should measure whether policy is executable, not merely documented.
Identity governance and data governance intersect at access lifespan. Data minimization becomes materially harder when users, service accounts, and collaboration permissions outlive the data’s useful life. That creates a mismatch between identity lifecycle controls and data lifecycle controls, especially in cloud and SaaS environments. Practitioners should align access review, offboarding, and retention workflows so stale entitlements do not preserve access to obsolete data.
Retention policy is becoming part of AI-readiness. The article’s mention of trusted, AI-ready data points to a larger governance shift: organisations cannot safely operationalise AI on top of oversized, stale, or unclassified data sets. Data minimization therefore supports both security and AI governance by reducing noise, stale exposure, and regulatory ambiguity. Practitioners should treat retention as a prerequisite for trustworthy data foundations.
What this signals
Retention discipline is increasingly a security signal, not just a records-management task. As data footprints grow, teams should expect auditors and security reviewers to ask not only whether data is classified, but whether it is still necessary. That makes minimization part of operational resilience, especially where access reviews and offboarding processes already exist.
Data sprawl and identity sprawl reinforce each other. If stale content remains available through stale permissions, the control problem compounds across both identity and data layers. Programmes that can connect data retention to access lifecycle events will reduce exposure faster than teams working those streams separately.
The practical shift is toward policy orchestration, where retention, deletion, and anonymisation are enforced continuously rather than documented statically. For security leaders, that means the question is no longer whether the organisation has a minimization policy, but whether the policy can be executed across the environments where data actually lives.
For practitioners
- Map retention rules to actual data locations Inventory the repositories where unstructured content lives, then define which systems can enforce archive, delete, anonymise, or de-identify actions. Start with collaboration tools, cloud storage, and shared file systems where ROT data tends to accumulate. A policy that cannot execute where the data sits will not reduce exposure.
- Prioritise ROT data discovery first Use metadata such as last accessed, last modified, owner, and content sensitivity to identify redundant, obsolete, and trivial records. Focus on high-volume repositories where business value has already decayed, because that is where retention drift becomes both a cost issue and a breach multiplier.
- Align data deletion with identity lifecycle events Trigger data review when users leave, roles change, or shared access ends so old content does not remain linked to active permissions. This is especially important in SaaS and collaboration tools where permissions can outlive the business need behind them.
- Replace annual cleanup with continuous policy monitoring Track violations, over-sharing, and exceptions as data environments change rather than waiting for periodic audits. Build alerts for retention rule drift, unexpected redistribution of sensitive files, and content that exceeds its approved purpose window.
- Tie minimization to regulatory evidence Maintain audit-ready records showing when data was classified, when a retention rule was applied, and when deletion or anonymisation occurred. That evidence supports GDPR-style minimization principles and gives compliance teams a defensible control narrative.
Key takeaways
- Data minimization is a security control because unnecessary data expands breach exposure, storage cost, and regulatory risk.
- Unstructured content is the hardest part of the problem, because it grows fast, is difficult to classify, and often sits outside strict lifecycle controls.
- The operational test is simple: if retention policy cannot trigger deletion, archiving, or anonymisation where data lives, it is not reducing risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS-1 | Data minimization directly affects how information is stored and protected. |
| NIST SP 800-53 Rev 5 | MP-6 | Media sanitization aligns with deleting or de-identifying obsolete data. |
| GDPR | Art.5(1)(c) | The article directly cites data minimisation as a GDPR principle. |
| ISO/IEC 27001:2022 | A.5.34 | Privacy and protection of PII apply where retention covers personal data. |
| CIS Controls v8 | CIS-3 , Data Protection | Minimization supports reducing the volume of data exposed to loss or misuse. |
Map retention and deletion controls to PR.DS-1 and reduce stored data to what remains necessary.
Key terms
- Claim Minimisation: The practice of including only the identity attributes required for a specific access decision. In API security, claim minimisation reduces unnecessary data exposure, simplifies token review, and lowers the risk that broad identity context becomes a hidden authorisation dependency.
- Retention Schedule: A retention schedule is a policy that defines how long different categories of data should be kept and what should happen when that period ends. It becomes meaningful only when systems can enforce deletion, archive, anonymisation, or de-identification consistently.
- Redundant, Obsolete, and Trivial Data: Redundant, obsolete, and trivial data, often shortened to ROT, is information that no longer delivers business value but still consumes storage and creates risk. It is a common source of governance drift because it remains accessible even after its operational purpose has passed.
- Policy Orchestration: Policy orchestration is the coordination layer that ensures identity rules are applied consistently across different platforms and control planes. It matters when each cloud or system uses different primitives, because the challenge becomes preserving policy meaning during translation and enforcement, not just storing the rule centrally.
What's in the full article
OneTrust's full post covers the operational detail this post intentionally leaves for the source:
- How OneTrust Data Use Governance classifies data by sensitivity, context, and intended use across cloud platforms and collaboration tools.
- How the platform translates retention and minimisation policies into enforceable controls where the data lives.
- How continuous monitoring flags over-sharing, risky data use, and policy violations as environments evolve.
- How the reporting layer supports audit-ready evidence for policy adherence and at-risk data use.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity in the context of operational control. It helps identity and security practitioners connect lifecycle discipline to real-world risk reduction across modern programmes.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org