TL;DR: Unstructured data now represents 80% to 90% of enterprise information, and much of it sits in email, collaboration tools, and cloud storage where access, retention, and policy enforcement are hard to govern at scale, according to OneTrust. The real issue is not data discovery alone, but continuous control over who can reach sensitive content and how long it remains usable.
At a glance
What this is: This is an analysis of why unstructured data is difficult to govern and why AI adoption turns data visibility, access control, and retention into a shared security and compliance problem.
Why it matters: It matters because IAM, IGA, data security, and AI governance teams need aligned controls over content access, retention, and policy enforcement before unstructured data becomes training or retrieval fuel.
By the numbers:
- Unstructured data now represents 80% to 90% of the world’s data.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
👉 Read OneTrust's analysis of governing unstructured data for AI
Context
Unstructured data is information that does not sit neatly in database rows and columns, which makes it harder to classify, govern, and audit. In this article, OneTrust argues that the combination of dispersed repositories, broad sharing, and AI reuse turns unstructured content into a governance problem that spans privacy, security, and identity access.
The primary control gap is visibility into both the content and the permissions around it. For IAM and data security teams, that means the issue is not just what data exists, but whether access remains appropriate, whether retention is defensible, and whether AI initiatives are drawing on content that should already be constrained.
Key questions
Q: How should security teams govern unstructured data in collaboration platforms?
A: Security teams should treat collaboration platforms as governed access environments, not simple file stores. Classify content automatically, map who can reach it, and enforce retention and sharing policies continuously. The key is to combine data discovery with access review, so the organisation can prove both what exists and why a user still has access.
Q: Why does unstructured data create so much governance risk?
A: Unstructured data creates risk because it can contain sensitive information in many formats, move across many repositories, and remain accessible far longer than intended. Without reliable classification and permissions oversight, organisations cannot confidently apply privacy, security, or retention controls. That makes exposure persistent rather than accidental.
Q: How do organisations know if unstructured data controls are working?
A: They should look for three signals: high-confidence classification coverage, reduced broad or inherited access, and retention schedules that remove stale content on time. If sensitive repositories still rely on manual exceptions or unclear ownership, the control model is not working at enterprise scale.
Q: Who is accountable when unstructured data is reused by AI systems?
A: Accountability should sit with the data owner, the platform owner, and the governance function together. AI teams can consume content, but they should not own the decision to expose sensitive material. Organisations need documented approval paths for retention, classification, and access before content is reused by AI.
Technical breakdown
Why unstructured data breaks traditional governance models
Traditional governance assumes data can be classified by fixed schemas, ownership boundaries, and predictable storage locations. Unstructured data breaks those assumptions because emails, documents, images, and chat exports can contain sensitive material anywhere in the file, and they move across collaboration platforms faster than manual review can keep up. The result is a control problem, not just a discovery problem. Classification must be automated, but automation only works if it feeds policy decisions that teams can enforce across repositories and access layers.
Practical implication: build automated discovery and classification into the control plane, not into a one-off reporting exercise.
How access and retention become identity governance issues
The article’s core security point is that data governance and identity governance converge when users can share unstructured content widely and retain it indefinitely. Access rights determine who can see sensitive material, while retention rules determine how long exposure persists. In practice, stale access and over-retention are the two conditions that turn ordinary collaboration data into an enduring risk surface. That is why governance programs need continuous review of permissions, not just periodic data scans.
Practical implication: pair access recertification with retention enforcement so visibility and exposure are reduced together.
Why AI makes unstructured data governance more urgent
AI systems consume enterprise content for retrieval, summarisation, and generation, which means unstructured data is no longer passive storage. It becomes an operational dependency for copilots, knowledge tools, and embedded workflows. If sensitive material is poorly labelled, overly shared, or retained beyond purpose, AI can surface it into contexts where it was never intended to appear. This is where data governance, IAM, and AI governance intersect directly.
Practical implication: treat AI-ready datasets as governed access domains, not as open content pools.
NHI Mgmt Group analysis
Unstructured data governance is now an identity-adjacent control problem, not just a records problem. The article correctly shows that visibility into content is only half the issue. Who can access the content, whether that access is still justified, and whether AI systems can reuse it are the questions that define governance quality. For identity teams, the conclusion is clear: data control and access control are now inseparable.
Continuous governance beats periodic review when content lives in collaboration platforms. Shared drives, email, and chat systems change too quickly for manual attestation cycles to provide reliable assurance. That creates a practical need for policy enforcement at the point of use, not after the fact. Organisations should treat content sharing as a governed access event, not a convenience feature.
AI readiness depends on retention discipline as much as on data discovery. The article is right that retaining decades of content increases governance and compliance exposure, but the deeper issue is that long-lived content remains available for reuse by AI systems long after its original purpose ends. That makes retention controls part of model risk management, not just data minimisation. Practitioners should align retention schedules with AI use cases before content is repurposed.
Unstructured data creates a verification trust gap when organisations cannot prove access appropriateness at scale. If teams cannot explain why a user, group, or service can still reach sensitive content, governance is already lagging the environment. This is where IAM, DSPM, and policy automation need to work together. The practical conclusion is to make access justification and data classification continuously machine-verifiable.
What this signals
Unstructured data governance is becoming a control discipline rather than a content-management exercise. As AI systems ingest more enterprise material, organisations need policy enforcement at the same point where access is granted and content is reused. That shift makes data classification, access governance, and retention part of the same operating model, not separate workstreams. The practical signal for teams is to close the gap between discovery tools and enforcement tools before AI expands the blast radius.
Service accounts and AI workloads that touch unstructured content need the same scrutiny as human users. When content is exposed through copilots, retrieval layers, or automation pipelines, the security problem includes the non-human identities that move the data between systems. That is why governance teams should align this topic with the NHI Lifecycle Management Guide and with NIST Cybersecurity Framework 2.0 access and data-protection outcomes. The immediate signal is to inventory which workloads can read, move, or transform sensitive content without clear business justification.
For practitioners
- Map unstructured data repositories to owners and access paths Inventory email, collaboration platforms, cloud storage, and file-sharing systems, then assign accountable owners for both the data and the access model. Use this map to identify where sensitive content can be reached by broad groups or inherited permissions.
- Automate sensitive content discovery and classification Deploy classification workflows that scan documents, messages, images, and attachments for regulated or confidential content, then feed those labels into policy enforcement and access decisions.
- Tie retention rules to business purpose and legal basis Set retention periods by data category, then prove why each category must remain available. Remove or archive stale content that no longer has a defensible business or compliance purpose.
- Review sharing permissions as part of access governance Recertify who can access high-risk repositories, especially shared workspaces used for collaboration or AI retrieval. Focus on broad groups, external sharing, and inherited access paths.
- Classify AI-ready content before it feeds copilots or retrieval systems Require content sensitivity checks before unstructured data is exposed to AI pipelines, so models do not inherit over-shared or over-retained material.
Key takeaways
- Unstructured data becomes a security and governance risk when organisations cannot prove who can access it or how long it should remain available.
- AI adoption raises the stakes because the same content used for collaboration can later be reused in retrieval and generation workflows.
- The right response is continuous classification, access review, and retention enforcement tied to business purpose rather than manual exception handling.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS-1 | Unstructured content governance depends on data protection and controlled access. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central when broad collaboration tools expose sensitive files. |
| GDPR | Art.5(1)(e) | Retention limits are directly relevant because the article highlights long-lived personal data. |
| NIST AI RMF | MAP | AI reuse of enterprise content requires mapping data sensitivity and ownership before deployment. |
Use MAP to inventory AI-ready datasets, owners, and exposure paths before content enters AI workflows.
Key terms
- Unstructured Data: Information that is not arranged in fixed database rows and columns, such as emails, documents, images, chat exports, and recordings. It often carries sensitive content but lacks the consistent structure that makes traditional classification and access governance easier.
- AI-Ready Governance: A governance approach that treats enterprise content as a controlled input to AI systems, not just as stored information. It requires classification, access control, retention discipline, and policy enforcement before data can be reused by copilots, retrieval systems, or automated workflows.
- Content Access Governance: The discipline of managing who can view, share, and reuse content across collaboration and storage platforms. It focuses on permissions, ownership, and review cycles so that access remains appropriate as data moves and business use changes over time.
- Retention Discipline: A policy and control practice that limits how long data remains available based on business need, legal obligation, and risk. For unstructured data, retention discipline reduces the chance that outdated or unnecessary content becomes a long-lived exposure point.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- Practical examples of how unstructured data appears across email, file-sharing, and collaboration systems.
- The retention and governance issues OneTrust links to GDPR and enterprise compliance obligations.
- How the vendor positions automation for discovery, classification, and policy enforcement across data repositories.
- The AI governance context behind treating unstructured content as a live input to copilots and retrieval systems.
👉 The full OneTrust post covers the retention, access, and AI governance details behind this topic.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It helps practitioners connect identity controls to the wider governance demands that modern security programmes now face.
Published by the NHIMG editorial team on 2026-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org