By NHI Mgmt Group Editorial Team | Published 2025-07-09 | Domain: Governance & Risk | Source: Collibra

TL;DR: Data governance is becoming a control plane for AI readiness, not just a reporting function, according to Forrester, which named Collibra a Leader in its Data Governance Solutions Wave after assessing 13 vendors across 28 criteria. The report highlights AI governance, lineage analysis, observability, and policy modelling as key differentiators.


At a glance

What this is: An independent read on Forrester’s latest data governance evaluation and the governance capabilities it says matter most.

Why it matters: The same governance controls that shape data access, lineage, and accountability increasingly underpin NHI, agentic AI, and human access programmes.



Context

Forrester’s latest Wave turns data governance into an identity-adjacent control problem: who or what can access data, how that access is tracked, and how confidently an organisation can prove the decision trail. That matters to IAM teams because governance, lineage, and policy modelling now sit much closer to access oversight than to classic data cataloguing.

The article is really about the market shift toward AI-ready governance platforms, not about a single vendor’s marketing claim. For identity practitioners, that shift is a reminder that data governance, NHI control, and human access governance are converging around the same questions of accountability, observability, and role-based responsibility.


Key questions

Q: How should security teams connect data governance with IAM controls?

A: Security teams should connect data governance with IAM by tying asset classification, policy decisions, and lineage evidence back to named owners and entitlement records. That lets access decisions be reviewed in context instead of as isolated approvals. The goal is not to duplicate IAM, but to make governance outputs defensible for audit, risk, and operational response.

Q: Why does lineage matter for identity and access governance?

A: Lineage matters because it shows how data moved, who touched it, and which rules applied along the way. Without that trail, teams can approve access but still fail to prove what happened after access was granted. For identity governance, lineage is the evidence layer that turns access control into accountability.

Q: When should organisations treat a data governance platform as part of security architecture?

A: Organisations should treat a data governance platform as part of security architecture when it affects access approval, sensitive-data sharing, auditability, or AI consumption paths. At that point, the platform influences risk decisions, not just reporting. It should be governed like any other control surface that can change data exposure.

Q: What should practitioners look for in AI governance capabilities?

A: Practitioners should look for capabilities that preserve policy, context, and traceability as data moves into AI use cases. If an AI governance feature cannot explain which datasets were used, who authorised access, and what review trail exists, it is not sufficient for high-trust deployment.


Technical breakdown

Why metadata-centric governance now looks like access control

Metadata-centric governance means the platform does more than classify data. It links assets, users, policies, and usage events so organisations can see who touched what, when, and under which rule set. That is why Forrester’s emphasis on lineage, observability, and policy modelling matters: those capabilities convert governance from documentation into decision support. In practice, this is the same logic IAM teams use when they tie entitlements to evidence, not assumptions.

Practical implication: treat governance platforms as evidence systems and require usable lineage, policy, and audit outputs.

AI governance and data sharing are becoming the same control problem

AI governance depends on knowing which data can train, inform, or be retrieved by models and agents, and under what constraints. Once data is shared across platforms and roles, the governance challenge becomes one of controlled exposure rather than static ownership. That is why vendor claims about AI governance should be judged by how well they preserve context, policy, and traceability across data movement. Without that, AI readiness becomes a visibility problem disguised as innovation.

Practical implication: verify that AI governance controls preserve lineage and policy context across data sharing paths.

Workflow engines matter because governance still needs human accountability

A governance platform can only support real accountability if responsibilities are explicit, reviewable, and enforceable. Workflow engines, role-based responsibilities, and audit trails give organisations a way to prove who approved a decision and why. That is not just a data-management concern. It is the same governance pattern used in IAM and PAM when organisations need to show that access decisions were authorised, reviewed, and retained for audit.

Practical implication: require workflows that expose approvers, owners, and evidence for every sensitive governance decision.


NHI Mgmt Group analysis

Data governance is becoming identity governance by another name. As platforms move from cataloguing data to controlling access, lineage, and policy, the boundary between data governance and IAM narrows. The same control questions recur across human users, service identities, and AI-driven access paths: who is authorised, what was touched, and how is it proven. Practitioners should treat governance tooling as part of the access control stack, not a separate reporting layer.

AI readiness now depends on governance evidence, not just data inventory. Forrester’s emphasis on AI governance, observability, and lineage shows that organisations are being judged on whether they can explain how data flows into AI use cases. That is a governance maturity issue, not a feature checklist. When access and usage cannot be traced, AI programmes inherit unresolved trust debt. Practitioners should align governance evidence with AI consumption paths before scaling use cases.

Role-based responsibilities remain the hard part of governance at enterprise scale. The article’s focus on workflow engines and granular responsibilities reflects a long-standing reality: complex governance fails when accountability is diffuse. This is equally true in IAM, NHI governance, and data stewardship. The practical lesson is that configurability only matters when it produces clear ownership and reviewable decisions, otherwise it creates complexity without control.

Unified governance platforms will keep absorbing adjacent identity controls. As data governance expands into access monitoring, sharing controls, and AI oversight, buyers will increasingly evaluate whether these platforms can integrate with IAM, PAM, and lifecycle processes. That does not make them identity systems, but it does mean procurement teams should assess overlap carefully. Practitioners should map where data governance ends and identity governance must still enforce the final decision.

Lineage analysis is now a security capability, not only an audit feature. The ability to trace data origins and transformations supports compliance, but it also supports incident investigation and trust evaluation in AI pipelines. That is why lineage now belongs in the same conversation as access monitoring and policy enforcement. Practitioners should prioritise lineage outputs that are usable for both audit and operational response.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • A separate finding from the same study shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which underscores how quickly governance breaks when access paths are not observable.
  • That visibility gap makes Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs the natural next read for teams working to turn governance into enforceable identity control.

What this signals

AI governance is forcing governance teams to think like identity teams. As data platforms absorb more responsibility for access tracking, lineage, and policy enforcement, the operating model starts to resemble identity governance rather than pure information management. That means security leaders should expect more pressure to reconcile data stewardship with entitlement ownership, especially where sensitive datasets feed AI systems.

Governance programmes will be judged on evidence quality, not platform breadth. Organisations that cannot produce clear lineage, approval, and usage trails will struggle to defend AI and data-sharing decisions during audit or incident response. This is where a framework such as NIST Cybersecurity Framework 2.0 becomes useful as a language for governance evidence, even when the underlying problem is data-centric.

Identity teams should plan for convergence, not replacement. Data governance tools may expand into access monitoring and workflow control, but they do not remove the need for IAM, PAM, or lifecycle governance to remain authoritative over entitlements. The practical signal is simple: if the platform can describe the decision but not own the decision, the identity programme still carries the risk.


For practitioners

  • Map data governance outputs to access decisions: Require the governance platform to show who approved access, which policy applied, and what downstream datasets or models inherited that access. If the system cannot produce reviewable evidence, it is not ready for regulated or AI-sensitive workloads.
  • Test lineage for AI and audit use cases together: Validate whether lineage survives data movement across warehouses, BI tools, and AI pipelines. A lineage view that satisfies audit but breaks under model consumption is incomplete for current governance needs.
  • Align workflow ownership with sensitive-data classes: Assign explicit approvers for high-risk data classes and ensure the workflow engine records ownership, escalation, and retention. This is how governance becomes defensible instead of merely configurable.
  • Review overlap with IAM and PAM controls: Identify where data governance tooling already performs access monitoring or policy enforcement, then define where identity platforms must remain the source of truth for entitlement decisions.

Key takeaways

  • Data governance is shifting toward access control, lineage, and auditability, which brings it much closer to IAM practice.
  • Forrester’s evaluation suggests that AI governance now depends on traceable policy enforcement, not only on cataloguing and classification.
  • Practitioners should verify where governance tools provide evidence and where identity systems must still make the authoritative access decision.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 | Access decisions and accountability map to governance evidence.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least-privilege access and policy enforcement overlap with governance control surfaces.
NIST SP 800-63 | | Federated access and identity proofing intersect with governance in shared data environments.

Require identity-backed ownership and audit trails wherever governed data is shared across roles or systems.


Key terms

  • Metadata-centric governance: A governance model that uses metadata to connect data assets, policies, owners, and usage events. It shifts governance from static cataloguing to traceable control, making it easier to explain who accessed what, under which rule, and with what downstream effect.
  • Lineage analysis: The practice of tracing how data moves, transforms, and is consumed across systems. In governance and security contexts, it provides the evidence needed to assess trust, support audits, and investigate whether data exposure expanded beyond its intended boundary.
  • Policy modelling: The structured definition of access and usage rules that determine how data may be handled. It becomes operational when policies are linked to identities, workflows, and enforcement points, allowing organisations to show that decisions were made consistently and can be reviewed later.
  • Governance workflow engine: A control mechanism that routes approvals, reviews, and escalations through defined steps. It is useful when accountability must be explicit, because it records who decided, when they decided, and what evidence supported the decision.

This post draws on content published by Collibra: Collibra named a Leader in The Forrester Wave™: Data Governance Solutions, Q3 2025. Read the original.
