Data visibility gaps are weakening cyber resilience for AI adoption

At a glance

What this is: This analyst report argues that data visibility is now a prerequisite for cyber resilience, and that 60% of enterprises still lack visibility into at least half of their data estate.

Why it matters: For IAM, NHI, and autonomous identity programmes, weak data visibility undermines access decisions, sensitive-data protection, and recovery planning across people, workloads, and AI systems.

By the numbers:

• 60% of enterprises lack visibility into at least half of their data estate.
• 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
• Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

👉 Read Cyera's report on data intelligence for cyber resilience and AI security

Context

Data visibility is the practical foundation of cyber resilience. If enterprises cannot locate sensitive data, classify it reliably, and understand how it is accessed, then recovery planning and protection controls become partial at best. Cyera's analyst report uses Enterprise Strategy Group research to show that most organisations still operate with major blind spots across their data estate.

That gap matters for identity governance because data access is always tied to an identity, whether human, non-human, or autonomous. When discovery is incomplete, access reviews miss exposure, sensitive data protection is uneven, and recovery priorities are set without a full map of where risk actually lives.

In AI programmes, the problem expands quickly because model training, embedded copilots, and data pipelines all create new pathways to sensitive information. Organisations that do not pair discovery with classification and recovery discipline are not just under-protected, they are making AI adoption harder to govern with confidence.

Key questions

Q: How should security teams improve cyber resilience when data visibility is incomplete?

A: Start by measuring how much of the estate is actually classified and owned, then link that inventory to access, backup, and recovery decisions. When visibility is incomplete, resilience work should focus first on the highest-value repositories and the identities that can reach them. The goal is a recoverable map of sensitive data, not just more storage controls.

Q: Why does poor data visibility create identity governance risk?

A: Because access governance depends on knowing what the identity can reach. If sensitive data is not visible, access reviews miss exposure, service accounts inherit unnecessary paths, and AI workflows can reuse data without clear policy boundaries. In practice, incomplete discovery turns identity control into educated guessing.

Q: What do teams get wrong about cyber resilience and backups?

A: They often assume that successful backup operations mean the environment is resilient. In reality, recovery plans that ignore sensitivity and access paths can restore data into the same risky conditions that created the incident. Resilience requires both restorability and governance over who can see the restored data.

Q: How can organisations govern sensitive data used in AI workflows?

A: They should trace where the data enters the workflow, which identities can transform it, and where it can reappear in prompts, outputs, or analytics. If those paths are not mapped, AI governance becomes reactive. The safer approach is to treat each workflow as an access boundary that must be explicitly understood before deployment.

Technical breakdown

Why data discovery is the first control in cyber resilience

Data discovery is the process of locating where information lives across cloud, SaaS, endpoints, and backup systems. Classification adds business and sensitivity context, turning raw storage into governance-relevant inventory. Without those two layers, protection controls are guesswork, because teams do not know which repositories contain regulated or high-value information. In resilience terms, discovery also shapes recovery priorities. If the organisation cannot distinguish critical data from low-value data, restoration orders, retention decisions, and access restrictions all become inconsistent.

Practical implication: build discovery coverage first, then tie classification results to recovery and protection policies.

How unifying data protection and recovery changes the control model

Traditional data security often treats prevention and recovery as separate motions. The report's premise is that cyber resilience improves when discovery, classification, protection, and recovery operate as one loop. That matters because a protected dataset that cannot be restored quickly still leaves the business exposed, while a fast recovery process without sensitive-data awareness can reintroduce unsafe access patterns. In modern environments, the control plane must account for where the data sits, who can reach it, and what must happen if it is compromised or lost.

Practical implication: align backup, access, and protection owners around the same inventory so recovery plans reflect real sensitivity.

Sensitive data intelligence in AI pipelines and access paths

AI adoption increases the number of places sensitive data can move, including prompts, retrieval layers, model inputs, embeddings, and downstream analytics. Sensitive data intelligence means the organisation understands those paths well enough to enforce policy before data is reused in ways the business did not intend. For identity teams, this is not just a data problem. It is an access governance problem because every pipeline step is mediated by an identity or a service principal that can widen exposure if not properly bounded.

Practical implication: map which identities can read, transform, or surface sensitive data inside AI workflows before deployment.

Breaches seen in the wild

• DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
• Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Data visibility is now an identity control problem, not just a storage problem. When 60% of enterprises cannot see at least half of their data estate, entitlement decisions are being made against an incomplete asset map. That weakens every downstream governance process, from access review to recovery prioritisation. The implication is that IAM and data security teams must treat discovery coverage as part of the control baseline, not as a separate project.

Cyber resilience fails when classification and recovery are decoupled. Organisations often optimise for backup success or policy coverage in isolation, but resilience depends on knowing which data matters before an incident occurs. If classification is weak, recovery order and protection scope will both be wrong. Practitioners should read this as a warning that storage continuity does not equal business continuity.

Identity blast radius: the real risk is not just who can reach data, but how far that access can spread across AI pipelines, backup systems, and shared services. Once sensitive data is copied into multiple workflows, a single exposure can become a multi-system governance issue. That makes cross-domain inventory the difference between contained risk and compounded risk, and it is where most programmes still fall short.

AI adoption raises the cost of incomplete data governance. AI systems ingest, transform, and redistribute information faster than manual governance cycles can track. If the organisation lacks clear visibility into where sensitive data resides, it will also struggle to decide which AI use cases are acceptable, which need restriction, and which must be blocked. The practitioner conclusion is straightforward: secure AI starts with knowing what data the AI can touch.

From our research:

• 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to the 2024 ESG Report: Managing Non-Human Identities.
• Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, a pattern that shows how access sprawl compounds operational risk.
• For lifecycle and offboarding planning, see NHI Lifecycle Management Guide, which helps teams reduce standing access and close exposure windows.

What this signals

Data visibility is becoming a programme-level control signal. Teams that can only see part of their data estate will keep over-investing in reactive response and under-investing in policy precision. The practical shift is toward continuous inventory, classification, and access mapping across cloud, SaaS, and AI-connected systems, with the NIST Cybersecurity Framework 2.0 as a useful operating reference.

Identity teams should expect data governance to move closer to workload and AI access governance. As more enterprise processes consume sensitive data through service accounts and AI-enabled workflows, the boundary between data security and identity security keeps narrowing. With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, per the 2026 Infrastructure Identity Survey, the governance issue is no longer theoretical.

The next programme maturity question is not whether data is protected in one system, but whether sensitive data can be traced across the entire chain of access, copy, and recovery. That is where incomplete visibility becomes an operational blind spot rather than a reporting issue.

For practitioners

• Measure discovery coverage by sensitivity tier Track the percentage of sensitive repositories, cloud buckets, SaaS stores, and backup locations that are classified and owned. Use the gap to prioritise the estate segments most likely to break resilience planning.
• Tie recovery order to business sensitivity Align backup and restore runbooks to the datasets that classification marks as regulated, confidential, or operationally critical. Recovery should follow impact, not storage location.
• Map identities to sensitive-data paths Identify which human users, service accounts, and AI-connected identities can read, copy, transform, or export sensitive data. Then review those paths alongside the controls in the NHI Lifecycle Management Guide.
• Review AI workflows before production use Before enabling copilots, retrieval layers, or model pipelines, verify where sensitive data enters the flow and which accounts can move it. Use the Ultimate Guide to NHIs as the starting point for identity scoping.

Key takeaways

• Most enterprises still lack enough data visibility to make cyber resilience decisions with confidence.
• When discovery and classification are incomplete, recovery, access governance, and AI security all inherit the same blind spot.
• Practitioners should treat visibility coverage as a control objective and tie it directly to identity paths, sensitivity tiers, and recovery planning.

Key terms

• Data Discovery: Data discovery is the process of finding where information lives across cloud, SaaS, endpoints, backups, and analytics systems. In practice, it creates the inventory that makes classification, access decisions, recovery planning, and AI governance possible rather than speculative.
• Data Classification: Data classification assigns sensitivity, regulatory, or business context to information so controls can be applied consistently. For identity teams, it is the bridge between knowing where data exists and knowing which identities should be able to reach it.
• Cyber Resilience: Cyber resilience is the ability to keep operating, recover data, and restore trusted access after disruption. It is broader than backup success or incident response because it depends on visibility, prioritisation, and governance across the systems that store and move information.
• Identity Blast Radius: Identity blast radius is the extent of damage an identity can cause when its access is misused, overextended, or compromised. In data-heavy environments, it includes not only direct access but also how far that access can propagate through shared services, pipelines, and recovery systems.

Deepen your knowledge

Data discovery, classification, and recovery alignment are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is trying to govern data access across humans, service accounts, and AI-connected systems, it is worth exploring.

This post draws on content published by Cyera: A Future-Ready Approach to Securing Data for Cyber Resilience with Cyera and Cohesity. Read the original.