By NHI Mgmt Group Editorial Team
Published 2026-02-02
Domain: Governance & Risk
Source: Cyera

TL;DR: Frost & Sullivan estimated DSPM revenue will reach $415.1 million in 2024, up 64.9% year over year, and its Frost Radar evaluates vendors on continuous innovation and growth execution, according to Cyera's cited report. The signal is that data security posture management is becoming a governance layer, not just a discovery tool.


At a glance

What this is: This is a Cyera-cited Frost Radar report on the DSPM market, highlighting rapid revenue growth and vendor evaluation criteria centered on innovation and growth execution.

Why it matters: It matters because practitioners now need to treat data visibility, classification, and posture as core controls that support NHI, autonomous, and human identity governance.

By the numbers:

👉 Read Cyera's Frost Radar report on the DSPM market


Context

DSPM, or data security posture management, is the discipline of finding, classifying, and monitoring sensitive data across cloud and SaaS environments so security teams can understand exposure before it becomes an incident. In identity programmes, that matters because unmanaged data sprawl and unmanaged identity sprawl usually grow together, especially where service accounts, API keys, and AI-connected workflows touch the same data stores.

Cyera's cited Frost Radar frames the market around continuous innovation and growth execution, which is useful context but not the operational answer practitioners need. The real governance question is whether DSPM can give IAM, NHI, and data security teams a shared view of who or what can reach sensitive data, under what privilege, and with what audit trail.

For most enterprises, the starting point is not perfect classification. It is reducing blind spots across storage, sharing, and machine access paths so that identity controls and data controls can be aligned instead of managed in separate silos.


Key questions

Q: How should teams use DSPM findings in identity governance reviews?

A: Teams should use DSPM findings as evidence for access review, not as a separate reporting stream. If a sensitive dataset is exposed, the next question is which human users and non-human identities can reach it, whether that access is justified, and whether the privilege scope matches the business need.

Q: Why do service accounts matter in DSPM programmes?

A: Service accounts matter because they often connect data stores, applications, and automation paths that human users never see. If those identities have broad or stale access, a DSPM finding quickly becomes an access problem, not just a data location problem. That makes entitlement scope part of the posture conversation.

Q: When should organisations treat data posture as an identity problem?

A: Organisations should treat data posture as an identity problem whenever sensitive information is reachable through tokens, API keys, workloads, or third-party integrations. In those environments, the main risk is not only where the data sits, but whether the identities connected to it are governed, monitored, and regularly reviewed.

Q: What should security teams do if DSPM repeatedly flags the same exposed data?

A: Repeated exposure usually means the control gap sits in identity or process, not in the discovery tool. Teams should check whether the same service accounts, shares, or integrations keep recreating the exposure, then tie remediation to entitlement changes, lifecycle governance, and monitoring that persists after the first fix.


Technical breakdown

How DSPM maps sensitive data across cloud and SaaS

DSPM tools typically connect to cloud control planes, SaaS APIs, and storage platforms to inventory data locations, classify content, and flag risky exposure paths. The useful technical shift is from scanning a single repository to building a posture layer across environments, which lets teams see where regulated or confidential data lives and which identities can touch it. In practice, classification quality depends on metadata depth, content inspection, and how well the tool understands sharing relationships and service-to-service access patterns.

Practical implication: validate whether DSPM coverage includes the exact cloud, SaaS, and machine-access paths where your sensitive data actually lives.

Why DSPM and NHI governance increasingly overlap

Data exposure is often an identity problem in disguise. Service accounts, workload tokens, API keys, and AI agents can all create invisible routes to sensitive data when their privileges are broad, stale, or poorly scoped. That is why DSPM becomes more valuable when it is joined to identity context: the question is not only where the data is, but which non-human identities can reach it, copy it, or move it outside intended boundaries.

Practical implication: correlate sensitive data findings with service-account and token inventories so exposed data can be tied to the identities that can actually access it.

Continuous innovation in DSPM is really continuous posture reassessment

The Frost Radar emphasis on innovation and growth highlights a market reality: static discovery is no longer enough. Cloud data estates change too quickly for quarterly scans to be a complete control. Modern DSPM must keep pace with new storage locations, new sharing links, and new machine consumers of data, otherwise the posture view becomes stale before remediation starts. This is especially relevant where AI systems ingest or generate data from the same repositories used by human teams.

Practical implication: require near-real-time reassessment for high-value datasets rather than relying on periodic discovery alone.


  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

DSPM is becoming an identity control problem, not just a data discovery category. The market conversation still frames DSPM around finding sensitive data, but the operational pain point is who or what can reach that data once it is found. As cloud estates, service accounts, and AI-connected tools multiply, posture management must be interpreted through access paths, not only storage locations. Practitioners should treat DSPM findings as identity governance inputs, not standalone reports.

Data security and NHI governance now fail in the same places. Secrets in code, overly broad service-account access, and poorly governed third-party connections all widen the path from data exposure to actual compromise. That means DSPM is most useful when it surfaces the identity layer behind the exposure, especially where non-human identities outnumber human users and can move faster than recertification cycles. The implication is that separate data and identity programmes will miss the same risk twice.

Continuous posture is the only workable model for cloud data estates. The Frost Radar's emphasis on innovation and growth reflects a market moving toward persistent visibility, not point-in-time audits. Data placement, sharing, and workload access shift too fast for static controls to keep up. Practitioners should assume that yesterday's clean classification can become today's exposure path without any change in business process.

Sensitive data visibility debt is the hidden failure mode here. The longer organisations operate without a reliable view of where sensitive data lives and which identities can touch it, the more remediation becomes reactive and expensive. That debt compounds across cloud, SaaS, and AI workflows because the same blind spot affects classification, access review, and incident scoping. Teams should view DSPM adoption as a way to reduce visibility debt before it becomes breach debt.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage.
  • That visibility gap is why the NHI Lifecycle Management Guide is the next resource for teams turning DSPM findings into access and offboarding action.

What this signals

Sensitive data posture and identity posture are converging. If your programme still treats DSPM as a security operations feed and IAM as a separate governance function, the same exposure will keep reappearing under different labels. A practical next step is to align sensitive-data findings with entitlement review, third-party access, and workload identity inventory so one control surface informs the other.

Data visibility debt will become a board-level risk as AI and automation expand access paths. The more workloads and agents touch cloud data, the faster a stale posture view loses value. Teams that combine DSPM with lifecycle governance, especially around service accounts and integrations, will be better positioned to explain risk, not just detect it.


For practitioners

  • Map sensitive data to the identities that can reach it: Join DSPM findings with service-account, API key, token, and workload identity inventories so every high-value dataset is tied to the non-human identities that can access it. This gives IAM teams a concrete route from exposure to entitlement review.
  • Prioritise data stores with machine access paths: Start remediation with repositories used by automation, integrations, and AI systems because these paths are often invisible in human-centric reviews. Align access controls with the specific workloads and tokens that touch those stores.
  • Use posture findings to drive access recertification: Convert sensitive-data exposure reports into recertification tasks for over-privileged service accounts and third-party connections. That closes the loop between data security posture and identity governance.
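One way to carry out the three steps above, together with the technical-breakdown point about correlating findings with service-account and token inventories, as an added example that is not Cyera's or NHIMG's code. The findings, identity inventory, weights and the 90-day staleness threshold are constructed for illustration; a real run would read them from the DSPM tool and the identity inventory.

```python
# Added example, not Cyera's or NHIMG's code: join DSPM findings with an NHI inventory.
# Constructed DSPM findings: where sensitive data lives and how it is exposed.
FINDINGS = [
    {"dataset": "s3://payroll-exports", "sensitivity": "PII", "exposure": "public-link"},
    {"dataset": "gdrive://finance/board", "sensitivity": "confidential", "exposure": "external-share"},
    {"dataset": "s3://marketing-assets", "sensitivity": "internal", "exposure": "none"},
]
# Constructed identity inventory: human and non-human identities and the datasets each can reach.
IDENTITIES = [
    {"id": "svc-payroll-etl", "kind": "service-account", "scope": "rw", "days_idle": 120, "datasets": ["s3://payroll-exports"]},
    {"id": "tok-ai-summariser", "kind": "api-token", "scope": "ro", "days_idle": 2, "datasets": ["gdrive://finance/board", "s3://marketing-assets"]},
    {"id": "alice", "kind": "human", "scope": "rw", "days_idle": 5, "datasets": ["gdrive://finance/board"]},
]
SENSITIVITY_WEIGHT = {"PII": 3, "confidential": 2, "internal": 1}   # constructed weights
EXPOSURE_WEIGHT = {"public-link": 3, "external-share": 2, "none": 0}

def map_data_to_identities(findings, identities):
    """Step 1: attach to each finding every identity that can reach its dataset."""
    reach = {}
    for ident in identities:
        for ds in ident["datasets"]:
            reach.setdefault(ds, []).append(ident)
    return [dict(f, identities=reach.get(f["dataset"], [])) for f in findings]

def score(finding, ident, stale_after_days=90):
    """Step 2: rank by sensitivity x exposure, then raise machine, broad and stale access."""
    base = SENSITIVITY_WEIGHT[finding["sensitivity"]] * EXPOSURE_WEIGHT[finding["exposure"]]
    if base == 0:                               # no exposure: nothing to recertify here
        return 0
    if ident["kind"] != "human":                # machine paths are invisible to human-centric reviews
        base += 2
    if ident["scope"] == "rw":                  # write access widens the blast radius
        base += 1
    if ident["days_idle"] > stale_after_days:   # stale access is a classic NHI control gap
        base += 2
    return base

def recertification_tasks(findings, identities):
    """Step 3: turn exposure plus access into an ordered recertification queue."""
    tasks = [{"identity": i["id"], "dataset": f["dataset"], "priority": score(f, i)}
             for f in map_data_to_identities(findings, identities) for i in f["identities"]]
    return sorted((t for t in tasks if t["priority"] > 0), key=lambda t: (-t["priority"], t["identity"]))

def repeat_offenders(previous_tasks, current_tasks):
    """Identity/dataset pairs flagged in two consecutive runs: the gap is in identity or process."""
    seen = {(t["identity"], t["dataset"]) for t in previous_tasks}
    return sorted(p for p in {(t["identity"], t["dataset"]) for t in current_tasks} if p in seen)
```

Feeding the previous run's queue into repeat_offenders surfaces the exposures that keep being recreated, which is the case the key questions above say to route to entitlement and lifecycle changes rather than back to the discovery tool.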

Key takeaways

  • DSPM is no longer just about discovering sensitive data, because the access paths behind that data now matter just as much.
  • The scale problem is real: only a small minority of organisations have full visibility into service accounts, and that blind spot weakens both data and identity governance.
  • Practitioners should connect posture findings to identity reviews so data exposure leads to entitlement change, not another isolated dashboard alert.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Sensitive data exposure often traces back to unmanaged non-human identities.
NIST CSF 2.0 | PR.AC-4 | DSPM becomes actionable when access rights are reviewed against protected data.
NIST Zero Trust (SP 800-207) | | Zero trust requires continuous verification of who or what can reach data.

Map sensitive datasets to access entitlements and remediate over-broad permissions during reviews.


Key terms

  • Data Security Posture Management: Data Security Posture Management, or DSPM, is the practice of discovering, classifying, and continuously assessing sensitive data across cloud and SaaS environments. It focuses on where data lives, how it is exposed, and which identities can reach it, so teams can reduce risk before exposure becomes an incident.
  • Sensitive Data Exposure Path: A sensitive data exposure path is the route by which protected information can be reached, copied, or moved by an identity or system. In modern environments, the path often matters more than the storage location because service accounts, APIs, and integrations can create hidden access routes.
  • Visibility Debt: Visibility debt is the accumulated gap between what an organisation thinks it can see and what it can actually govern. In identity and data security, it grows when cloud resources, non-human identities, and data locations outpace discovery, making remediation slower and less accurate.

Deepen your knowledge

DSPM and sensitive data exposure are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning data posture with service-account governance, it is a strong fit for that starting point.

This post draws on content published by Cyera: Frost Radar™ Report: Data Security Posture Management, 2024. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org