By NHI Mgmt Group Editorial TeamPublished 2026-07-07Domain: AI SecuritySource: Collibra

TL;DR: Banks are spending nearly 10% of revenue on IT while 70% to 90% of enterprise data is now unstructured and 84% of financial organizations report overexposure, according to Collibra citing Gartner, McKinsey, and Ponemon Institute. The governance problem is not just data volume but whether the information AI systems and agents need is discoverable, classified, and access-controlled before automation scales.


At a glance

What this is: Collibra argues that unstructured data is now the main blocker to banking AI initiatives because most institutional knowledge still sits in formats legacy systems cannot reliably process or govern.

Why it matters: For IAM, data security, and AI governance teams, the issue matters because AI outcomes depend on data access, classification, and oversight controls that must extend beyond traditional structured systems.

By the numbers:

👉 Read Collibra's analysis of unstructured data and AI readiness in banking


Context

Unstructured data is information that does not fit neatly into rows and columns, such as documents, emails, call transcripts, and loan files. In banking, that data often carries the context needed for fraud detection, credit decisions, and customer service, yet it is harder to govern, search, and control than structured records.

The core governance gap is that AI readiness now depends on whether organisations can classify, secure, and operationalise unstructured content before they automate it. For identity and access teams, this overlaps with data access governance, privileged access to content repositories, and the permissions that determine which systems and users can feed AI models.

Banks that treat unstructured content as a side issue will keep pushing AI projects into delay while increasing exposure to overbroad access and poor oversight. That starting position is now typical rather than exceptional across large financial institutions.


Key questions

Q: How should banks govern unstructured data before deploying AI?

A: Banks should first identify the repositories that hold high-value documents, emails, transcripts, and filings, then classify which sources are authoritative for each use case. After that, they need to align access controls, retention, and lineage so AI systems consume trusted material rather than whatever is easiest to reach.

Q: Why do unstructured data problems delay AI programmes?

A: Unstructured data delays AI programmes because models need consistent context, and that context is often spread across silos, duplicated records, and hard-to-read formats. When organisations cannot trust the source material, they spend time cleaning, reconciling, and validating data before the model can do useful work.

Q: What do security teams get wrong about AI and unstructured content?

A: Teams often focus on model controls while leaving repository permissions, service account access, and content classification unchanged. That is a mistake because the model only becomes trustworthy if the underlying data sources are both accurate and properly restricted.

Q: Who should be accountable for unstructured data governance in AI projects?

A: Accountability should be shared across data owners, IAM teams, security leaders, and AI programme owners, because the risk spans classification, access, and usage. If any one group owns the problem alone, AI can inherit weak controls from the others.


Technical breakdown

Why unstructured data breaks AI workflows in banking

Unstructured data creates a processing problem because models and automation systems need context, consistency, and retrievable source material. Credit memos, customer emails, and underwriting notes often contain the most useful signals, but they are trapped in formats that are hard to classify, index, or validate. When data is fragmented across legacy systems, the model sees incomplete context and the workflow loses reliability. That is why predictive AI and agentic AI both struggle when the organisation has not built a governed data layer first.

Practical implication: map the repositories that hold high-value unstructured content before expanding AI use cases.

How data access governance affects AI readiness

Access governance determines whether AI systems can safely reach the right content without exposing it broadly to people or machines. In this context, the control question is not only who can open a file, but which identities, service accounts, and downstream applications can retrieve, copy, or repurpose the content. That is where identity and data governance intersect. If permissions are overly broad, the same content that improves AI also increases compliance and privacy risk. If permissions are too restrictive, the AI pipeline stalls.

Practical implication: align repository permissions, service account access, and content classification before enabling AI ingestion.

Why agentic AI increases the need for governed data foundations

Agentic AI raises the stakes because it can break work into steps, consult multiple systems, and execute tasks with limited human intervention. That makes source-data quality and access boundaries more important, not less. If an agent can reason across documents, messages, and records, then the organisation needs to know which sources are authoritative, which are sensitive, and which identities are allowed to use them. Without that foundation, automation amplifies error as quickly as it amplifies efficiency.

Practical implication: define authoritative data sources and machine-access policies before agents are allowed to act on business content.


NHI Mgmt Group analysis

Unstructured data governance has become an AI security dependency: the problem is no longer only whether data exists, but whether it can be discovered, classified, and safely consumed by automated systems. When the most valuable banking knowledge lives in documents and messages, AI governance and data governance converge. Practitioners should treat content access as a control surface, not an afterthought.

Agentic AI exposes data discipline gaps faster than conventional automation: agents do not just read data, they chain actions across systems using whatever sources they can reach. That means poor repository hygiene, scattered entitlements, and weak classification become operational risks as soon as automation begins. The governance model must assume machine-paced access, not human review cycles.

Access overexposure in unstructured repositories is a lifecycle problem, not a document problem: if service accounts, shared folders, and legacy permissions remain open long after their original use case, AI programmes inherit that exposure. This is where identity governance, content governance, and data security must operate together. The practical conclusion is that stale access is now an AI-readiness blocker.

AI delays in banking often signal a control gap, not a technology gap: when projects slip by months, the barrier is frequently missing data stewardship, inconsistent taxonomy, and lack of trust in source material. That makes the named concept here AI-readiness debt, meaning the accumulated governance work required before automation can be trusted. Practitioners should measure that debt explicitly.

The competitive divide will favour institutions that govern unstructured data as a regulated asset: banks that classify and control content before scaling AI can move from pilot to production with less friction. Those that postpone governance will spend more time compensating for bad data than extracting value from it. The strategic implication is to build the foundation first, then automate.

What this signals

AI-readiness debt: the hidden cost in banking is not just data volume, but the governance work required before automation can safely use it. Once unstructured content becomes a source for models and agents, classification, access control, and lineage become prerequisites for scale rather than post-deployment fixes.

Banks should expect unstructured content programmes to overlap more directly with identity governance as machine identities begin consuming documents and records at runtime. The control question shifts from storage alone to whether the identities behind AI workflows are authorised to access the right content at the right time.

For programmes operating across IAM and data security, the practical signal is whether repository permissions, shared access paths, and service account entitlements are already part of AI risk reviews. If they are not, the organisation is likely treating AI readiness as a feature problem instead of a governance problem.


For practitioners

  • Inventory unstructured data repositories Catalogue where credit files, emails, call transcripts, and underwriting documents live, then identify which identities and service accounts can reach them. Prioritise systems that feed AI use cases or contain regulated information.
  • Tighten access to content sources used by AI Review repository permissions, shared drives, and downstream application access so that only approved users and machine identities can retrieve sensitive content. Focus on overexposed paths that bypass normal access review.
  • Classify authoritative sources before automation Define which document stores, message archives, and case files are authoritative for each AI workflow. Remove ambiguous sources from the ingestion path so agents do not synthesise decisions from conflicting records.
  • Measure governance debt for AI readiness Track the amount of manual cleanup, duplicate content, and policy exception handling required before a dataset can safely support AI. Use that measure to sequence remediation work ahead of production deployment.
  • Align identity and data controls for agentic workflows Connect IAM, data security, and workflow governance so that machine identities inherit only the minimum access needed for a defined task. Reassess those permissions whenever the workflow or source data changes.

Key takeaways

  • Unstructured data is now a central blocker to banking AI because the most valuable business knowledge still sits outside structured systems.
  • The risk is not just slow AI adoption. It is overexposed content, weak access governance, and low confidence in source data at machine speed.
  • Banks that align data classification, repository permissions, and identity controls before scaling automation will be better positioned to move AI into production.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST AI RMF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST AI RMFGOVERNThe article centres on accountability and governance before AI deployment.
NIST CSF 2.0PR.DS-1Data management and protection are central to governing unstructured content.
NIST SP 800-53 Rev 5AC-6Least-privilege access is critical when AI systems consume sensitive unstructured content.
ISO/IEC 27001:2022A.5.12Information classification governs how unstructured content is identified and protected.
GDPRArt.32Banking documents often contain personal data that must remain protected when accessed by AI systems.

Ensure technical and organisational measures protect personal data in unstructured repositories used by AI.


Key terms

  • Unstructured Data: Information that does not fit into a fixed database schema, such as documents, emails, transcripts, and images. In security and AI programmes, unstructured data is valuable because it contains business context, but harder to classify, search, govern, and restrict than structured records.
  • AI Readiness: The extent to which data, controls, and operating processes are prepared for reliable AI use. In practice, this means the organisation can trust source data, govern access, maintain lineage, and support model or agent workflows without exposing sensitive content or producing unstable outputs.
  • Agentic AI: AI systems that can break goals into tasks, choose tools, and execute steps with limited human intervention. The governance challenge is that these systems consume and act on data at machine speed, so access boundaries, source trust, and accountability need to be defined before deployment.
  • Data Governance: The set of policies and controls that determine how data is classified, accessed, retained, and used. For AI programmes, data governance ensures the model or agent consumes authoritative material and that sensitive content is protected throughout its lifecycle.

What's in the full article

Collibra's full post covers the operational detail this post intentionally leaves for the source:

  • How the vendor frames unstructured data classification for banking workflows and AI use cases.
  • Examples of the data foundation problems that delay fraud detection, credit decisioning, and personalisation.
  • The productivity and cycle-time figures cited from McKinsey and PwC for agentic workflows in finance.
  • The practical case for treating unstructured content as a governed asset before expanding AI programmes.

👉 Collibra's full post expands on the data foundation issues, productivity impacts, and delayed AI programmes.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, workload identity, and agentic AI identity. It helps security and identity practitioners build the control foundations that broader AI and data programmes depend on.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org