TL;DR: Enterprise risk management frameworks often fail because the data layer is fragmented, manually assembled and hard to trace, leaving organisations unable to prove where reported figures came from under BCBS 239, Solvency II and similar scrutiny, according to Collibra. The control problem is not the framework on paper, but the governed data foundation underneath it.
At a glance
What this is: This is Collibra’s argument that ERM only scales when governed data, lineage and quality controls sit underneath the risk framework.
Why it matters: It matters because IAM, NHI and broader governance teams face the same pattern: controls that look complete fail when the underlying data, ownership and evidence trail are not operationalised.
By the numbers:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
👉 Read Collibra's analysis of why enterprise risk frameworks fail without governed data
Context
Enterprise risk management framework failures are often blamed on process gaps, but the article’s core point is simpler: if the data layer is weak, the framework cannot survive regulatory scrutiny. That matters to identity teams because the same pattern appears in NHI governance, where policy, ownership and evidence trails frequently exist on paper but not in operational data.
The article frames ERM as an evidence problem. For IAM, NHI and PAM programmes, that is a familiar warning: governance statements do not count if they cannot be traced to authoritative data, controlled lifecycle decisions and repeatable reporting. The Collibra post is a data-governance argument, not a risk-model argument.
Key questions
Q: How should organisations build a risk framework that regulators can actually trust?
A: They should start with governed data rather than reporting templates. The framework needs authoritative data definitions, named owners, automated lineage and quality checks that run before figures reach the report. Without those controls, the organisation can describe risk but cannot prove it under examination.
Q: Why do manual spreadsheets break enterprise risk and identity governance?
A: Manual spreadsheets break because they hide provenance, allow inconsistent definitions and create a new “golden source” each time someone copies data into a report. That makes it impossible to prove which figure is authoritative, which is exactly the weakness regulators and auditors look for.
Q: What breaks when data lineage is missing from governance reporting?
A: Without lineage, the organisation cannot trace a reported figure back to its source system or understand how it was transformed. That means errors, overrides and broken calculations remain invisible until audit or incident response forces reconstruction, which is too late for credible governance.
Q: Who is accountable when governance reports cannot be reproduced?
A: Accountability should sit with the data owner and the business owner of the critical data elements, not only with the reporting team. If no one owns the underlying fields and quality thresholds, the organisation is relying on process memory instead of controlled governance, which regulators treat as a serious weakness.
Technical breakdown
Critical data elements are the backbone of risk reporting
Critical data elements, or CDEs, are the fields and metrics a risk function depends on to produce accurate reporting. If they are not catalogued, owned and consistently defined, every downstream report inherits ambiguity. In practice, this means “total exposure”, “qualifying capital” or similar terms can mean different things across systems, making assurance impossible even when the numbers look polished. The technical issue is not absence of data, but absence of authoritative data semantics.
Practical implication: formalise CDE ownership and definitions before you trust any enterprise risk report.
Data lineage is the control that makes audit claims verifiable
Data lineage shows how a figure moves from source system through transformation layers into a final risk report. Without lineage, risk teams can only restate outcomes, not prove provenance. Under regulatory pressure, that is a structural weakness because the regulator is effectively asking where the number came from, who changed it and whether the transformations were controlled. Lineage is therefore an evidence control, not a documentation exercise.
Practical implication: automate lineage from source to submission so every material risk figure is traceable end to end.
Policy enforcement must operate at the data layer
ERM policies fail when they remain trapped in documents and committee minutes. To work, they need to be expressed as enforceable rules on real data assets, including access, retention, quality thresholds and approved calculation logic. This is where many programmes break: they can describe governance, but they cannot execute it consistently at the point where data is created, transformed and consumed. A policy that cannot bind to data is only a statement of intent.
Practical implication: connect policy controls to catalogued assets and monitor whether the enforced state matches the written policy.
NHI Mgmt Group analysis
Enterprise risk management now fails as a data governance problem before it fails as a risk model problem. The article is correct to shift the centre of gravity away from committees and dashboards. If critical data elements are undefined or unowned, the framework becomes a reporting shell with no reliable evidence base. The practitioner conclusion is that risk governance must start with governed data assets, not after them.
The same control logic that governs risk reporting also governs NHI and machine identity evidence. Identity programmes routinely claim coverage while relying on spreadsheets, manual reconciliation and inconsistent definitions of service accounts, tokens and access scopes. That is the same structural weakness the article describes in ERM: governance cannot be audited if the underlying data model is fragmented. Practitioners should treat identity inventory quality as a governance prerequisite, not a hygiene task.
Authoritative data lineage is the difference between a defensible control and a defensible story. The article shows that regulators care less about polished reports than about traceability, ownership and repeatability. That principle applies directly to identity lifecycle, access certification and privileged access governance, where the trail from entitlement to decision must be reconstructable. The practitioner conclusion is that traceability is the control, not merely an output.
Static reporting cycles create the illusion of control in both ERM and identity governance. Quarterly review cadences, manual attestations and spreadsheet consolidation all assume data changes slowly enough to be captured later. In reality, both risk data and identity state move continuously, which means the governance model must be operational and machine-readable. Practitioners should stop treating review cadence as assurance and start treating it as a lagging signal of control quality.
Governed data infrastructure is now a compliance dependency, not a back-office enhancement. The article’s strongest implication is that regulatory resilience depends on the enterprise’s ability to produce trusted evidence on demand. For identity teams, that means the same standard applies to non-human identity, human access and future agentic controls: if evidence cannot be generated quickly and consistently, the governance programme is already under strain. The practitioner conclusion is to design for evidence production, not evidence recovery.
From our research:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- A separate finding from the same survey shows that 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, which is a clear warning sign for governance design.
- For a broader identity control lens, review the Top 10 NHI Issues to connect policy gaps, privilege scope and lifecycle controls before they show up in audit evidence.
What this signals
Policy coverage will become less meaningful than evidence quality. As organisations add more machine identities and AI-driven workflows, the governance question shifts from whether a policy exists to whether the underlying data can support it. A useful benchmark comes from The 2026 Infrastructure Identity Survey, where only 13% of organisations felt extremely prepared for agentic AI.
Identity programmes are moving toward data-shaped assurance. The practical implication is that access reviews, entitlement inventories and lifecycle controls will be judged by traceability, not by the existence of a process document. Teams that can prove ownership, lineage and control outcomes will be better positioned to absorb audit pressure across human identity, NHI and emerging agentic workloads.
Static reporting is becoming a control gap. With 67% of organisations still relying heavily on static credentials in the same survey, the governance conversation is no longer just about access scope but about whether the evidence model can keep up with continuous identity change. That makes governed data infrastructure a prerequisite for credible identity assurance.
For practitioners
- Map critical identity data elements to owners: Define the fields that matter most for identity governance, such as service account ownership, token scope, certificate expiry and privileged access status. Assign a business owner, quality threshold and review cadence for each so reports can be trusted without manual reconstruction.
- Automate lineage for identity and risk reporting: Trace how access, entitlement and credential data moves from source systems into audit and governance reports. Preserve the path from system of record to final output so reviewers can verify provenance without asking analysts to rebuild it from memory.
- Enforce policy at the data layer: Translate governance rules into controls that operate on live identity records, not just policy documents. That includes access restrictions, retention rules and approved calculation logic for entitlement and certification reporting, all monitored for drift.
- Replace spreadsheet-led evidence packs: Move recurring risk and identity reporting into governed data pipelines so audit evidence is reproducible. Use controlled datasets, consistent definitions and automated validation to reduce the chance that each review cycle produces a different answer.
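The following is an added example, not code from the NHIMG post or the Collibra article, showing how the four practitioner steps above (and the three controls in the Technical breakdown: CDE ownership, lineage, policy at the data layer) look when they are executed on data rather than described in a document. A small catalogue names an owner and value set for each identity CDE, a quality gate quarantines records that fail it before any figure is computed, policy rules run as checks on the live records, every reported figure carries the record ids it was derived from, and the whole pack is hashed so a reviewer can regenerate it and confirm the same result. All team names, record values, rules and the reporting date are constructed assumptions for illustration.

```python
"""Added example (not from the Collibra article or NHIMG): a minimal governed-data
pipeline for identity evidence. Implements a CDE catalogue with named owners,
a quality gate, policy enforced on live records, lineage per reported figure,
and a reproducible evidence hash. All names, records and dates are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable


@dataclass(frozen=True)
class CDE:
    """A critical data element: the field, its accountable owner, and its value rule."""
    name: str
    owner: str                      # hypothetical owning team
    allowed: tuple = ()             # closed value set; empty tuple means free-form


# Step 1: catalogue the identity CDEs and assign owners (constructed catalogue).
CATALOGUE: dict[str, CDE] = {
    "owner": CDE("owner", "iam-governance"),
    "scope": CDE("scope", "platform-security", allowed=("read", "write", "admin")),
    "cert_expiry": CDE("cert_expiry", "pki-team"),
    "privileged": CDE("privileged", "pam-team", allowed=(True, False)),
}

# Step 3: policy expressed as checks on a live record, not as a paragraph in a document.
POLICY: dict[str, Callable[..., bool]] = {
    "admin_scope_requires_privileged_flag":
        lambda r, _: r["scope"] != "admin" or r["privileged"] is True,
    "certificate_not_expired":
        lambda r, as_of: date.fromisoformat(r["cert_expiry"]) >= as_of,
}

AS_OF = date(2026, 6, 16)   # constructed reporting date


def cde_violations(record: dict[str, Any]) -> list[str]:
    """Quality gate: every CDE must be present and, where a value set exists, inside it."""
    problems = []
    for name, cde in CATALOGUE.items():
        value = record.get(name)
        if value is None or value == "":
            problems.append(f"{name}: missing (owner {cde.owner})")
        elif cde.allowed and value not in cde.allowed:
            problems.append(f"{name}: {value!r} not in {cde.allowed} (owner {cde.owner})")
    return problems


def policy_failures(record: dict[str, Any], as_of: date) -> list[str]:
    """Run only on records that passed the gate, so a bad field cannot mask a policy breach."""
    return [rule for rule, check in POLICY.items() if not check(record, as_of)]


def evidence_hash(report: dict[str, Any]) -> str:
    """Content hash over canonical JSON; identical inputs must give identical evidence."""
    body = {k: v for k, v in report.items() if k != "evidence_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_report(records: list[dict[str, Any]], as_of: date) -> dict[str, Any]:
    """Step 2: each figure records the ids it was derived from; failures are visible, not dropped."""
    valid, quarantined = [], []
    for r in records:
        problems = cde_violations(r)
        if problems:
            quarantined.append({"id": r["id"], "source": r["source"], "violations": problems})
        else:
            valid.append(r)
    failures = {r["id"]: policy_failures(r, as_of) for r in valid}
    figures = {
        "identities_in_scope": {"value": len(valid), "rule": "CDE-complete records",
                                "derived_from": [r["id"] for r in valid]},
        "privileged_identities": {"value": sum(r["privileged"] for r in valid),
                                  "rule": "privileged is True",
                                  "derived_from": [r["id"] for r in valid if r["privileged"]]},
        "policy_violations": {"value": sum(len(v) for v in failures.values()),
                              "rule": "any POLICY check returned False",
                              "derived_from": [f"{i}:{rule}" for i, v in failures.items() for rule in v]},
    }
    report = {"as_of": as_of.isoformat(), "figures": figures, "quarantined": quarantined}
    report["evidence_hash"] = evidence_hash(report)
    return report


def reproducible(report: dict[str, Any], records: list[dict[str, Any]], as_of: date) -> bool:
    """Step 4 check: a reviewer regenerates the pack from the same inputs and gets the same hash."""
    return build_report(records, as_of)["evidence_hash"] == report["evidence_hash"]


# Constructed sample records from two hypothetical systems of record.
SAMPLE_RECORDS = [
    {"id": "svc-001", "source": "vault", "owner": "payments-team", "scope": "write",
     "cert_expiry": "2027-01-31", "privileged": True},
    {"id": "svc-002", "source": "vault", "owner": "", "scope": "admin",
     "cert_expiry": "2026-09-01", "privileged": True},       # no owner: quarantined
    {"id": "svc-003", "source": "ci", "owner": "build-team", "scope": "read",
     "cert_expiry": "2026-05-01", "privileged": False},      # expired certificate: policy failure
    {"id": "svc-004", "source": "ci", "owner": "build-team", "scope": "superuser",
     "privileged": True},                                     # bad scope and no expiry: quarantined
]

if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_RECORDS, AS_OF), indent=2))
```

The design choice worth noting is that records failing the quality gate are quarantined and listed in the pack rather than silently counted or silently dropped: the figure "identities_in_scope" then honestly reflects only records whose CDEs are complete, and the reviewer sees which owner is responsible for the missing fields. The evidence hash is what replaces the spreadsheet: two analysts running the same inputs through the same rules get the same hash, and a changed rule or a manual override changes it.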
Key takeaways
- The article’s central warning is that enterprise risk frameworks collapse when the data underneath them is fragmented, unowned or impossible to trace.
- The evidence problem is not theoretical. Regulators expect traceable lineage, defined critical data elements and repeatable reporting, and manual processes struggle to provide all three.
- Identity and risk teams should treat governed data infrastructure as part of the control plane, because evidence production now determines whether governance is defensible.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS-1 | Data integrity and traceability are central to regulated risk reporting. |
| NIST CSF 2.0 | GV.OV-01 | Governance oversight depends on defensible reporting and evidence. |
| NIST Zero Trust (SP 800-207) | | Zero trust relies on continuous verification of identities, data and access context. |
Treat governed identity and risk data as protected assets and validate integrity continuously.
Key terms
- Critical Data Element: A critical data element is a field or metric an organisation depends on for governance, reporting or regulatory decisions. In practice, it must be defined, owned and measured consistently, because uncertainty in a critical field creates uncertainty in every report built from it.
- Data Lineage: Data lineage is the record of how a data point moves from its source through transformations to its final use. For governance teams, it is the proof trail that shows where a number came from, what changed it and whether the result can be trusted under audit.
- Governed Data Infrastructure: Governed data infrastructure is the operating layer that applies ownership, policy, quality controls and traceability to the data an organisation uses for decisions. It matters because frameworks fail when controls exist only in documents and not in the systems that create and move the data.
- Evidence Production: Evidence production is the ability to generate verifiable governance artefacts on demand from controlled data sources. It is different from reporting because it emphasises reproducibility, provenance and audit readiness, which are essential when regulators ask how a number was produced.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Collibra: Enterprise risk management framework: Building a scalable foundation for regulatory compliance. Read the original.
Published by the NHIMG editorial team on 2026-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org