TL;DR: 90% of the world’s data was created in the last two years and the total is set to reach 181 zettabytes in 2025, increasing pressure to find and protect sensitive data without expanding blind spots, according to Cyera’s 2024 DSPM Adoption Report based on a survey of 637 IT and cybersecurity professionals. The governance problem is no longer data growth alone, but the gap between discovery, classification, and control.
At a glance
What this is: This report surveys 637 IT and cybersecurity professionals on DSPM adoption, challenges, and plans, with the central finding that data growth is widening security blind spots.
Why it matters: It matters to IAM practitioners because data visibility, access governance, and sensitive-data control now shape how NHI, autonomous, and human access decisions are enforced in practice.
By the numbers:
- 90% of the world’s data has been created in the last two years.
- The total amount of data is set to reach 181 zettabytes in 2025.
- The report is based on a survey of 637 IT and cybersecurity professionals.
Context
Data security posture management is the discipline of discovering sensitive data, understanding where it lives, and checking whether controls actually match the risk. The report argues that rapid data growth is making blind spots more common, especially where teams cannot reliably identify, monitor, and protect sensitive information across cloud and SaaS environments.
For identity programmes, the point is broader than data security alone. If teams cannot see sensitive data clearly, they cannot apply access policy, entitlement review, or privilege boundaries with confidence for human users, service accounts, or autonomous systems that touch that data. That makes DSPM part of identity governance, not a separate dashboard layer.
Cyera’s survey frame is typical of the market: organisations are trying to support business use of data while reducing exposure, but their control models are struggling to keep pace with data sprawl.
Key questions
Q: How should security teams use DSPM to reduce sensitive data exposure?
A: Security teams should use DSPM to discover sensitive data continuously, classify it consistently, and connect it to the identities that can reach it. That lets access reviews, policy tuning, and remediation work focus on the datasets that matter most, rather than treating all data locations as equally risky.
Q: Why does data visibility matter for IAM and PAM programmes?
A: Data visibility matters because identity controls are only as precise as the context behind them. If teams cannot see where sensitive data lives, they cannot confidently decide which users, service accounts, or machine workloads need access, or whether that access remains justified.
Q: What breaks when organisations cannot classify data at scale?
A: When classification cannot keep up, governance becomes reactive. Teams lose the ability to target access reviews, set meaningful policy boundaries, and measure exposure accurately, so sensitive information ends up protected by assumptions rather than by verified control coverage.
Q: How can teams tell whether DSPM is actually improving security?
A: Teams should look for fewer unknown sensitive-data locations, faster classification of new repositories, and a tighter link between exposure findings and entitlement changes. If discovery is improving but no access decisions change, DSPM is producing visibility without governance impact.
Technical breakdown
Why data growth breaks traditional discovery and classification
Traditional data discovery assumes the data estate can be inventoried at a manageable pace. When data creation accelerates across SaaS, cloud, and collaboration platforms, static scans and periodic classification quickly lag behind reality. DSPM shifts the focus to continuous posture assessment: where sensitive data is, who can reach it, and whether the access path is justified. The architectural challenge is not only locating files or records, but keeping metadata current enough to support policy decisions.
Practical implication: teams need continuous discovery coverage across cloud and SaaS, not one-time classification projects.
How data blind spots become identity governance problems
Sensitive data exposure is usually an access problem before it becomes a data problem. If the identity layer cannot tell which users, service accounts, or machine workloads can reach regulated or high-value data, then least privilege remains theoretical. DSPM becomes useful when it links data sensitivity to the identities and permissions that can act on it, so that governance teams can see where entitlement scope exceeds business need.
Practical implication: map sensitive data locations to identity entitlements so reviews target real exposure instead of broad permission lists.
What DSPM adds that DLP and legacy controls miss
Legacy DLP and point-in-time controls often focus on blocking movement after data has already been accessed or copied. DSPM is different because it starts with posture: discovery, classification, exposure, and remediation prioritisation. That matters in modern environments where data is distributed, duplicated, and consumed by both people and non-human identities. The result is a more direct view of where sensitive information sits and whether the control plane around it is coherent.
Practical implication: use DSPM to prioritise remediation based on exposure and sensitivity, not only on detected exfiltration events.
Breaches seen in the wild
- Snowflake breach — cloud credential abuse compromised Ticketmaster, Santander and others.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
NHI Mgmt Group analysis
DSPM is becoming an identity governance dependency, not just a data-security category. Once sensitive data is spread across cloud, SaaS, and collaboration layers, the question is no longer only whether data is classified. The question is whether identity controls can actually use that classification to constrain access. Practitioners should treat data visibility as input to governance, not as a separate reporting exercise.
Data sprawl creates a control problem before it creates a breach problem. The report’s core signal is that organisations are struggling to identify and monitor sensitive information fast enough to match business use. That means access decisions, recertification, and entitlement scoping are all operating with incomplete context. The implication is that governance models built on stable data estates no longer fit modern usage patterns.
Blind spots are the named failure mode here: invisible sensitive data cannot be governed. That is the specific assumption collapse at work in modern DSPM programmes. Security teams often assume they can protect what they can later find, but discovery lag turns that into an unreliable premise. Practitioners should reframe the problem as control coverage over unknown and fast-moving data locations.
For NHI and autonomous programmes, data posture now defines blast radius. Machine identities and AI systems often need broad read access to complete workflows, which means the sensitivity of the underlying data determines the real risk. If data posture is weak, tightening identity policy alone will not solve the exposure problem. The practitioner takeaway is that identity governance and data posture must be designed together.
The market is signalling that point solutions are giving way to posture-led governance. The report reflects a broader shift from isolated protection tools toward continuous visibility and prioritisation. That validates an operating model where control decisions are driven by where sensitive data actually resides, who can reach it, and how quickly that exposure changes. Teams should expect DSPM to sit closer to policy enforcement over time.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- If data visibility is weak, identity visibility usually is too, which is why teams should compare DSPM findings with the NHI Lifecycle Management Guide before they assume access reviews are complete.
What this signals
Data visibility is becoming the upstream control for identity governance. As sensitive information multiplies across SaaS and cloud estates, access policy, recertification, and privilege reduction all depend on whether teams can locate and classify the data first. Organisations that treat DSPM as a reporting layer will miss the governance value, because the real outcome is better entitlement decisions.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, exposure often starts outside the core estate. That means data posture and non-human access posture are converging concerns, especially where vendors, integrations, and service accounts touch the same datasets. The programme implication is that teams need one control story across data, NHI, and SaaS access.
Security leaders should expect DSPM to move closer to IAM, not farther away. The more business processes depend on sensitive data in motion, the more governance teams will need a shared view of classification, access scope, and lifecycle cleanup across people and machines.
For practitioners
- Inventory sensitive data continuously: Establish continuous discovery across cloud, SaaS, collaboration, and storage layers so the data estate is never treated as static. Build reporting around newly discovered sensitive locations, not just known repositories.
- Tie data classification to identity entitlements: Map high-value datasets to the human and non-human identities that can access them, then use that mapping to target access reviews and privilege reductions. Without entitlement context, classification does not change control decisions.
- Prioritise remediation by exposure and sensitivity: Rank fix queues by the combination of data sensitivity, access breadth, and business criticality. This helps teams reduce real blast radius instead of chasing every finding equally.
- Use DSPM to inform least-privilege policy: Feed exposure findings into IAM and PAM decisions so broad read access, shared service accounts, and machine consumers are constrained where sensitive data concentrates. Pair this with review cycles that focus on the riskiest datasets first.
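The mapping and ranking steps in the list above, as an added example that is not taken from the Cyera report or from NHIMG. The store names, identities, the 0-3 sensitivity and 1-3 criticality scales, the 90-day staleness threshold and the multiplicative score are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data. Sensitivity 0-3 and criticality 1-3 are assumed scales.
STORES = {
    "s3://finance-exports":         {"sensitivity": 3, "criticality": 3},
    "sharepoint://hr-records":      {"sensitivity": 3, "criticality": 2},
    "snowflake://analytics.events": {"sensitivity": 2, "criticality": 2},
    "s3://marketing-assets":        {"sensitivity": 0, "criticality": 1},
}
# (identity, kind, store, days since the entitlement was last used; None = never)
ENTITLEMENTS = [
    ("alice", "human", "s3://finance-exports", 3),
    ("svc-etl", "nhi", "s3://finance-exports", 1),
    ("svc-legacy-report", "nhi", "s3://finance-exports", 200),
    ("bob", "human", "sharepoint://hr-records", 10),
    ("oauth-vendor-app", "nhi", "sharepoint://hr-records", None),
    ("svc-etl", "nhi", "snowflake://analytics.events", 1),
    ("carol", "human", "s3://marketing-assets", 400),
    ("svc-backup", "nhi", "s3://scratch-copies", 5),  # store never classified
]

def rank_stores(stores, entitlements):
    """Rank classified stores by sensitivity x criticality x access breadth."""
    reach = defaultdict(set)
    for identity, _kind, store, _age in entitlements:
        reach[store].add(identity)
    scored = [(meta["sensitivity"] * meta["criticality"] * len(reach[name]), name)
              for name, meta in stores.items()]
    return [(name, score) for score, name in sorted(scored, reverse=True) if score]

def review_targets(stores, entitlements, min_sensitivity=2, stale_days=90):
    """Entitlements on sensitive stores that show no recent use."""
    return [(identity, kind, store)
            for identity, kind, store, age in entitlements
            if store in stores
            and stores[store]["sensitivity"] >= min_sensitivity
            and (age is None or age > stale_days)]

def blind_spots(stores, entitlements):
    """Stores an identity can reach that discovery has not classified."""
    return sorted({store for _i, _k, store, _a in entitlements if store not in stores})

if __name__ == "__main__":
    for name, score in rank_stores(STORES, ENTITLEMENTS):
        print(f"{score:>3}  {name}")
    print("review:", review_targets(STORES, ENTITLEMENTS))
    print("unclassified:", blind_spots(STORES, ENTITLEMENTS))
```

The third function covers the case the ranking cannot: an entitlement that points at a store the inventory has no classification for, which is the blind spot the report describes.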
Key takeaways
- DSPM is shifting from a niche data tool into a governance input for IAM, PAM, and NHI programmes.
- The report shows that rapid data growth is widening blind spots faster than many organisations can classify and monitor them.
- Practitioners should connect discovery to entitlement review so sensitive data controls change access decisions, not just dashboards.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS | DSPM addresses protecting sensitive data in cloud and SaaS environments. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Sensitive data exposure often involves over-broad non-human access to repositories. |
| NIST Zero Trust (SP 800-207) | AC-3 | Zero trust requires access decisions that reflect current data sensitivity and identity scope. |
Link sensitive datasets to service accounts and tokens, then remove excess access and rotate exposed credentials.
Key terms
- Data Security Posture Management: Data Security Posture Management is the practice of continuously discovering, classifying, and assessing sensitive data so teams can see where exposure exists. It turns data protection from a one-time inventory into an ongoing control loop that connects data locations, access paths, and remediation priorities.
- Sensitive Data Exposure: Sensitive data exposure is the condition where high-value or regulated information is reachable by identities, applications, or services beyond its intended scope. In modern environments, exposure is often driven by sprawl, duplicated storage, and poor entitlement visibility rather than a single leaked file.
- Entitlement Context: Entitlement context is the link between a data asset and the identities that can access it, use it, or move it. It matters because classification alone does not tell a security team who can act on the data, which is the information governance needs to set real boundaries.
- Control Coverage: Control coverage is the degree to which security controls actually match the assets, identities, and data flows they are meant to protect. A programme can look mature on paper while still missing blind spots if discovery, classification, and enforcement are not aligned.
This post draws on content published by Cyera: The 2024 DSPM Adoption Report.
Published by the NHIMG editorial team on 2026-02-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org