Data recommender changes how AI teams find governed data

At a glance

What this is: Collibra’s data recommender uses active metadata to guide teams toward governed datasets and make AI data discovery faster and more traceable.

Why it matters: It matters because identity, access, and governance teams increasingly need to control who can find, reuse, and operationalise trusted data across NHI, autonomous, and human workflows.

👉 Read Collibra's blog post on data recommender and governed AI data discovery

Context

AI teams often do not fail because they lack data. They fail because discovery, validation, and governance are fragmented across catalogs, teams, and policies, so the path from a use case to an approved dataset becomes slow and repetitive. That creates a governance problem as much as a productivity problem, especially when trusted data is available but effectively hidden from the people who need it.

In identity terms, this is about controlling access to approved resources without forcing practitioners into manual search and assembly work. For NHI and human IAM programmes alike, the challenge is to make governed reuse easier than shadow discovery while still preserving lineage, ownership, and compliance. That is why recommendation layers now matter to the broader identity governance stack, not just to data teams.

Key questions

Q: How should teams govern access to approved data products in AI workflows?

A: Treat approved data products as governed resources with ownership, lineage, and policy attached at the point of discovery. The goal is to make compliant reuse easier than informal search, while keeping approval evidence visible for audit and review. If the discovery layer is not governed, teams will keep defaulting to whatever is easiest to find.

Q: Why do governed datasets still get bypassed in AI projects?

A: Because governance often stops at certification and does not extend into the path users follow to find data. If approved assets are hard to discover, practitioners will reuse familiar datasets, even when those datasets are less traceable or less appropriate. Visibility, not only approval, determines whether governance is actually used.

Q: What signals show that data governance is working for AI teams?

A: Look for shorter dataset discovery cycles, fewer ad hoc data requests, higher reuse of certified assets, and better traceability from selection to model deployment. If teams still spend most of their time searching and validating, the governance layer has not been operationalised in the workflow.

Q: Who should own recommendation-based data governance?

A: Ownership should sit across data stewardship, platform governance, and the teams that define policy for access and reuse. The catalog cannot be treated as a passive inventory if it is making decisions that shape AI delivery. Accountability must include the quality of metadata, the approval state of data products, and the traceability of each selection.

Technical breakdown

Active metadata as a governance layer for dataset discovery

Active metadata turns a static catalog into a decision layer. Instead of merely listing assets, it enriches data products with business context, ownership, usage patterns, and policy signals so the platform can rank what is likely to fit a use case. In practice, this changes discovery from open-ended browsing to guided selection. The technical distinction matters because recommendation quality depends on whether metadata is current, governed, and sufficiently contextual to support reuse without rework.

Practical implication: treat metadata quality as a control surface, not documentation, and validate that recommended datasets still match policy, ownership, and usage constraints.

Governed data reuse and traceability across the AI lifecycle

A recommender only helps governance if it preserves the chain from dataset selection through downstream model use. That means lineage, access policy, privacy context, and approval state have to travel with the data product, not sit in a disconnected record. Without that linkage, teams may move faster but lose auditability. The article’s key architectural point is that the recommendation is coupled to governed reuse, which is what prevents AI teams from treating data selection as a one-time convenience step.

Practical implication: ensure recommendation outputs are tied to lineage and policy evidence so reuse remains auditable after the dataset is selected.

Pre-approved datasets reduce friction without removing control

The operational shift is from passive catalog access to guided access to already-approved assets. That does not remove governance gates. It relocates them earlier in the workflow, so teams spend less time searching and more time using data that has already been evaluated for compliance and relevance. In architecture terms, the recommendation layer becomes a control-preserving accelerator, not a bypass. That distinction is what separates governed automation from unmanaged convenience.

Practical implication: compare the recommendation path against your approval model to confirm it shortens search time without weakening access approval or review.

NHI Mgmt Group analysis

Data recommender is a governance optimisation problem, not a search feature. The real issue is that organisations let discovery overhead sit outside the control model, then wonder why AI delivery slows. When approved datasets are hard to find, users drift toward familiar but less governed sources. Practitioners should treat the discovery layer as part of the access governance stack, because what is difficult to locate is often difficult to govern consistently.

Certified-data visibility gap: Hidden approved datasets are a control failure, not just an adoption problem. If stewards cannot surface trusted data products where teams work, governance exists on paper but not in the execution path. That means policy, ownership, and usage context must be operationalised inside the catalog experience, or certification will be bypassed by convenience. Practitioners need to measure how often certified assets are discoverable before they measure reuse rates.

Traceability has to be embedded at selection time, not added after model development. The article correctly ties recommendation to lineage and compliance, which is where AI data governance succeeds or fails. If the dataset choice is not already tied to policy and provenance, later-stage review becomes forensic cleanup. Practitioners should insist that recommended data products carry the evidence needed for audit, privacy review, and reuse approval.

The same friction pattern now affects human analysts, data engineers, and AI-assisted workflows. This is where identity governance and data governance converge: every actor needs a trusted path to approved resources, but the controls must still distinguish between browse, approve, and operationalise. The lesson for IAM and governance leads is that the control plane is moving upstream into discovery. Teams that do not govern that layer will keep rediscovering the same access and lineage problems downstream.

From our research:

• The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
• Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
• For the lifecycle angle, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for how governance moves from discovery into provisioning, rotation, and offboarding.

What this signals

Certified-data visibility gap: The governance challenge here is not simply catalogue hygiene, it is whether approved data is discoverable at the moment of need. When search friction remains high, the organisation rewards workaround behaviour and undercuts its own assurance model. For teams building AI programmes, this means the discovery layer should be treated like a governed control plane, not an optional usability feature.

The pattern also shows why identity and data governance are converging around access paths rather than isolated approvals. If the platform cannot surface trusted datasets with enough context, people will keep rediscovering the same risk in different places, including shadow datasets and duplicated preparation work. That is a strong signal to revisit how discovery, entitlement, and traceability are connected in your programme.

In practice, teams should watch for the same warning signs that show up in other access-governance failures: long time-to-use, inconsistent reuse of approved assets, and ad hoc validation outside the policy path. The issue is less about whether a dataset is certified and more about whether the organisation can make certification usable at scale.

For practitioners

• Classify certified datasets as governed access paths Map approved data products to explicit ownership, lineage, and usage policy so recommendation results can be audited as access decisions, not convenience shortcuts.
• Validate recommendation inputs against current metadata Check that business definitions, privacy labels, and stewardship records are refreshed often enough to keep recommendations accurate and policy-aligned.
• Measure how long teams spend finding approved data Track search time, rework time, and fallback use of uncatalogued datasets to show whether governed discovery is actually reducing shadow behaviour.
• Tie dataset selection to downstream traceability checks Require lineage and compliance evidence to accompany the chosen data product into model development so auditability survives beyond the catalog.

Key takeaways

• AI data discovery becomes a governance problem when approved datasets are hard to find and easy to bypass.
• Traceability, ownership, and policy need to travel with the data product if reuse is going to stay auditable.
• Teams should measure whether governed discovery actually reduces search time, workarounds, and downstream compliance friction.

Key terms

• Active Metadata: Metadata that is continuously updated and used to drive decisions, not just to describe assets. In governed data discovery, it carries context such as ownership, usage patterns, and policy signals so the platform can recommend assets that are both relevant and compliant.
• Certified Data Product: A dataset that has been reviewed and approved for defined use under governance policy. Certification is only valuable when users can find and reuse the asset with its ownership, lineage, and access conditions intact.
• Data Lineage: The trace of where data came from, how it changed, and where it was used. For AI workflows, lineage is what makes a selected dataset auditable after training or deployment, which is essential for compliance and post-incident review.
• Governed Reuse: The practice of using approved data assets repeatedly without losing policy, ownership, or traceability context. It reduces duplication and shadow datasets, but only works when discovery, selection, and downstream use stay connected to governance evidence.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Collibra: Stop data hunting, start building with data recommender. Read the original.