TL;DR: After evaluating 10 vendors across 19 criteria, Forrester named Collibra a Leader in Data Governance and a Strong Performer in AI Governance, highlighting how enterprises are merging data control, policy management, and AI oversight under one governance model. The bigger issue is that governance stacks are converging faster than most operating models can absorb.
At a glance
What this is: Forrester’s latest waves place Collibra in both data governance and AI governance categories, underscoring the market shift toward unified governance.
Why it matters: For IAM and governance teams, this matters because AI oversight is increasingly being treated as an extension of broader identity, access, and policy control rather than a separate discipline.
By the numbers:
- The Forrester Wave™: AI Governance Solutions, Q3 2025 assessed 10 AI governance solution providers across 19 criteria.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
👉 Read Collibra's analysis of its Forrester recognition in data and AI governance
Context
AI governance is becoming a governance-layer problem, not a point-solution problem. When data governance and AI governance are evaluated together, the question for practitioners is how policy, inventory, monitoring, and auditability extend across data assets, AI assets, and the identities that access them.
For IAM, IGA, PAM, and NHI teams, the practical challenge is not the label on the market category. It is whether governance artefacts, access controls, and accountability models can span data, machine identities, and emerging AI workflows without creating a second shadow governance stack.
Collibra's recognition reflects a broader pattern in enterprise programs: AI oversight is increasingly being bought, measured, and governed as part of an integrated control plane. That is typical of where the market is heading, even if many operating models are still catching up.
Key questions
Q: How should teams govern AI assets and data together without creating duplicate controls?
A: Build a single governance inventory that links datasets, models, policies, and approvals, then reuse governance artefacts only when ownership, versioning, and review evidence remain intact. The goal is not consolidation for its own sake. It is to avoid two parallel governance planes that cannot prove the same control outcome.
Q: Why does AI governance fail when identity controls sit outside the governance model?
A: Because governance stops at description if it cannot show who accessed what, under which entitlement, and with what accountability. Access control, entitlement review, and privileged access records are part of governance evidence, not separate plumbing. Without them, policy may exist, but enforcement cannot be demonstrated.
Q: What should security teams measure in a unified data and AI governance programme?
A: Measure whether approvals, lineage, policy application, and audit evidence remain linked across systems and teams. Strong programmes can answer who approved the asset, what policy applied, when it was used, and where the evidence lives. Weak programmes rely on disconnected records that do not survive audit or incident review.
Q: Who should own governance when AI, data, and identity controls overlap?
A: Ownership should be explicit at the control level, not assumed by team function. Data, AI, and identity teams may all participate, but a named control owner must remain accountable for policy, evidence, and recertification. That clarity prevents gaps when responsibilities cross organisational boundaries.
Technical breakdown
AI asset catalog and governance artefact mapping
An AI asset catalog is the inventory layer for models, datasets, policies, and related governance evidence. The important technical detail is not just listing assets, but mapping governance artefacts across data and AI so approvals, ownership, and lineage remain traceable. That mapping becomes especially important when the same policy must govern both source data and downstream AI use cases. Without it, teams end up with isolated records that cannot support audit, review, or consistent enforcement across the lifecycle.
Practical implication: align AI inventories with existing governance records so control ownership and review evidence stay linked across data and AI.
Policy management, testing, and compliance evidence
AI governance platforms increasingly combine policy definition, testing workflows, utilisation monitoring, and compliance audit evidence. Technically, this matters because governance is no longer only a document review exercise. It becomes a control loop in which policy intent must be checked against actual model use, output quality, and regulated behaviour. For practitioners, the key issue is whether the system can prove that a policy was applied, monitored, and audited, rather than simply declared. That distinction is what turns governance into evidence.
Practical implication: require audit-ready evidence that policies were enforced in practice, not merely documented.
Unified data and AI governance architecture
A unified governance architecture connects the metadata, approvals, policies, and monitoring used for data governance with the controls needed for AI governance. This is technically attractive because AI systems depend on data provenance, access paths, and policy inheritance that already exist in data governance tools. But the architecture only works if access, lineage, and accountability are modelled consistently enough to support both operational control and regulatory review. Otherwise, the organisation gets two partially overlapping governance planes that confuse ownership instead of clarifying it.
Practical implication: evaluate whether your governance platform can enforce shared control semantics across data, models, and access paths.
NHI Mgmt Group analysis
Unified governance is becoming the default enterprise pattern, but only if the control model can span data, AI, and identity together. The market signal here is not merely category expansion. It is that governance buyers now expect a shared inventory, shared policy language, and shared audit evidence across more than one asset class. For IAM and NHI teams, that means governance maturity will increasingly be judged by integration, not by isolated point controls.
AI governance without identity governance is still incomplete governance. The source article focuses on AI and data, but the underlying operational question is who or what is allowed to act on those assets, and under what policy. If identities, entitlements, and access paths are not tied into the governance plane, compliance visibility stops at the catalog. Practitioners should treat identity controls as part of governance design, not as a downstream enforcement detail.
Control-plane convergence is accelerating the need for shared governance artefacts. The most valuable part of the market shift is not vendor consolidation; it is the pressure to reuse approvals, policies, and lineage across systems that previously lived apart. That pressure benefits organisations only when ownership, evidence, and review cycles are designed to follow the asset, whether the actor is human, machine, or AI-assisted.
AI governance is moving from policy intent to operational proof. Criteria such as policy management, observability, compliance audit, and utilisation monitoring show where the market is heading. The discipline is shifting toward proving that policy worked during actual use, not just that policy existed on paper. Teams should expect governance programmes to be assessed on evidence quality and control continuity, not policy volume.
Named concept: governance artefact reuse. This topic is really about whether one approved control record can be reused safely across data governance and AI governance without creating version drift or ownership ambiguity. That is a field-level test of maturity, because duplicated artefacts usually mean duplicated review work and inconsistent enforcement. Practitioners should look for reusable governance records that preserve accountability end to end.
From our research:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- That gap is why teams should pair governance design with identity controls, as explored in Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
What this signals
Governance programmes will be judged by how well they connect policy to identity enforcement. If a control framework cannot show who approved access, which asset it applied to, and where the audit trail lives, it will not survive the next governance review. That is true across data, AI, and machine identity programmes.
With 70% of organisations already granting AI systems more access than human employees, according to The 2026 Infrastructure Identity Survey, unified governance will only work if identity controls are designed into the control plane from the start.
Governance artefact reuse: The next maturity step is not more policy volume, but more reusable evidence. Teams should expect pressure to prove that one set of approvals, lineage records, and monitoring artefacts can support both data governance and AI governance without fragmentation.
For practitioners
- Map shared governance artefacts across data and AI: Inventory which approvals, policies, lineage records, and audit artefacts can be reused across data governance and AI governance without creating ownership gaps.
- Tie identity controls into the governance plane: Confirm that access approvals, entitlement reviews, and privileged access records are linked to AI asset oversight and not managed in a separate toolchain.
- Test whether audit evidence proves enforcement: Require evidence that policy was applied during real usage, including monitoring and compliance checks, rather than accepting policy documents as proof.
- Review control ownership across human and machine actors: Assign clear owners for data, model, and access controls so governance responsibility survives handoffs between security, data, and AI teams.
Key takeaways
- Collibra's dual recognition reflects a broader market shift toward unified governance across data and AI, which raises the bar for identity integration.
- The practical risk is fragmented control ownership, where policy, access, and audit evidence live in separate systems that cannot prove end-to-end enforcement.
- IAM, IGA, PAM, and NHI teams should treat governance platform selection as a control architecture decision, not just a data management choice.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Unified governance needs clear organisational ownership across data and AI assets. |
| NIST AI RMF | GOVERN | AI governance depends on accountable oversight, policy, and monitoring. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Access control must be part of the governance model, not separate from it. |
Map AI and data access to least-privilege controls and review entitlements continuously.
Key terms
- AI governance: AI governance is the set of policies, controls, and accountability mechanisms used to manage how AI systems are approved, monitored, and audited. In practice, it must connect to data, identity, and access controls so the organisation can prove who can use AI assets and under what conditions.
- Governance artefact: A governance artefact is any record used to prove control over an asset, such as an approval, policy, lineage record, audit trail, or ownership assignment. Strong programmes treat artefacts as operational evidence, not paperwork, because they need to survive review, investigation, and regulatory scrutiny.
- Unified governance: Unified governance is an operating model in which related controls for data, AI, and identity are managed through a shared inventory, shared policy language, and shared evidence. The aim is consistency and traceability, so controls can be enforced and audited across multiple systems without duplication.
- Control owner: A control owner is the named person responsible for a control's design, evidence, and ongoing operation. In cross-domain governance, that role matters because responsibility often spans data, AI, and identity teams, and without a named owner the control can be approved by many but owned by none.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.
This post draws on content published by Collibra: Collibra receives dual recognition in Forrester Waves in data governance and AI governance. Read the original.
Published by the NHIMG editorial team on 2025-09-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org